
UPDATE: The 10 Biggest Healthcare Data Breaches of 2020

Much like in 2019, the biggest healthcare data breach of 2020 was caused by a third-party vendor, while ransomware and other risks dominated the threat landscape.

Cybersecurity proved to be a massive challenge for many in the healthcare sector in 2020 as providers worked to combat the COVID-19 crisis, while simultaneously being pummeled with targeted cyberattacks. These led to some of the biggest healthcare data breaches seen in recent years.

While the first half of the year saw a reduction in the number of reported incidents, active threats continued to plague the sector, from ransomware to insiders, which came to a head in September with a steady onslaught of ransomware attacks.

As previously noted to HealthITSecurity.com, the lower number of reported incidents in the sector during the first half of the year did not, in any sense, mean hackers were forgoing targeted attacks.

Instead, threat actors worked to take advantage of the national crisis and expanded remote work, developing a host of COVID-19 fraud schemes, phishing attacks, and related cyber threats designed to prey on natural fears. 

And although nation-state actors received much attention in multiple federal alerts, many of the cyberattacks on the sector relied on tried and true attack methods: schemes aimed at taking advantage of human nature.

The threat landscape is changing with such speed that at least five of the largest data breaches reported to the Department of Health and Human Services during the first half of 2020 did not make it to the final breach tally for the year.

Importantly, multiple providers faced attempted extortion after data exfiltration, some of which have not yet been reported to HHS and as such, are not included. The list also does not account for some massive data leaks, such as those caused by vulnerabilities in PACS.

However, these leading breaches do highlight the continued work providers must take, even as the pandemic stretches on into the new year. As hackers have fully demonstrated in 2020, there’s no honor among thieves even during a global crisis.

1. Blackbaud: Dozens of Healthcare Entities, Millions of Patients

Much like in 2019, the largest healthcare data breach was caused by a third-party vendor. The Blackbaud ransomware attack mirrored the AMCA breach, as it’s still unclear just how much data and how many providers were affected.

It’s estimated that more than two dozen providers and well over 10 million patients have been included in the final breach tally.

The reports stem from a ransomware attack on the cloud computing vendor, which provides services for a long list of nonprofits, foundations, corporations, education institutions, healthcare entities, and change agents.

On May 14, Blackbaud’s self-hosted environment was infected with malware. While the cybersecurity team was able to stop the attackers from encrypting the entire network, the hackers did manage to steal a subset of data prior to deploying the ransomware payload.

Further, the attack began more than three months earlier in February, before the intrusion was detected.

At the time of the initial reports, Blackbaud stressed that the compromised data was limited to items, such as names, contact details, donor information, some health details, and the like. However, a later Securities and Exchange Commission filing reported that some Social Security numbers were part of the accessed data.

At least two dozen lawsuits have been filed by breach victims, with the latest filing seeking class-action status. 

A list of victims, by no means exhaustive, demonstrates the extent of the breach, which Blackbaud estimates has already caused well over $6 million in damages. The vendor believes its insurance policy will offset some of these costs. Blackbaud is currently being audited by HHS and state and federal regulators.

  • Inova Health System (1,000,000)
  • Northern Light Health Foundation (657,392)
  • SCL Health Colorado, Montana, and Kansas (440,980)
  • Saint Luke’s Foundation (360,212)
  • Mercy Health and Trinity Health (332,726)
  • AdventHealth Foundation Shawnee Mission (315,811)
  • Nuvance Health (314,829)
  • MultiCare Foundation (300,000 total individuals, of which 179,189 are patients)
  • Allegheny Health Network (299,507)
  • AMITA Health (261,054)
  • Virginia Mason Medical Center (244,761)
  • Stony Brook University Hospital (175,803)
  • Roswell Park Comprehensive Cancer Center (141,669)
  • Sisters of Charity Health System (118,874)
  • Greenwich Hospital (95,000)
  • OSF HealthCare System (94,171)
  • Geisinger (86,412)
  • Main Line Health (60,595)
  • Northwestern Memorial HealthCare (55,983)
  • Spectrum Health Foundation (52,711)
  • Methodist Hospital of Southern California Foundation (39,881)
  • University Health Systems of Eastern Carolina, d/b/a Vidant Health

2. DCA Alliance: 1,000,000 Patients

Reported in early December, a near-monthlong system hack on third-party vendor Dental Care Alliance potentially breached the protected health information and payment card numbers of 1 million patients. DCA is a practice support vendor for more than 320 affiliated practices across 20 states.

Suspicious activity was detected within the DCA network on October 11, spurring an investigation. The initial review determined hackers first gained access to the network on September 18, which lasted until October 13.

Although the review is ongoing, officials have determined the affected data could include patient names, contact details, dental diagnoses, treatment information, patient account numbers, billing details, dentists’ names, bank account numbers, and health insurance data. About 10 percent of the patients saw their bank account numbers breached.

3. Luxottica: 829,454 Patients

Eyecare conglomerate Luxottica of America faced at least two security incidents this fall, one directly involving the breach of patient data.

In August, a threat actor gained access to the web-based appointment scheduling application managed by Luxottica and used by its eyecare providers to help patients make appointments. The hack went on for four days before it was detected.

An investigation later determined the hacker was able to access a trove of patient data, including full appointment notes related to treatment, health insurance policy numbers, health conditions, prescriptions, appointment dates and times, and other sensitive information.

The attacker may have also accessed and acquired third-party information from the app, while some patients also saw their SSNs and credit card information breached.

The breach highlights the multiple ways hackers can target healthcare provider organizations, particularly as Luxottica-owned EyeMed also faced its own security incident in July.

4. Health Share of Oregon: 654,000 Patients

The theft of a laptop owned by Health Share of Oregon’s transportation vendor demonstrated that physical security controls and vendor management need attention equal to other cybersecurity priorities.

Oregon’s largest Medicaid coordinated care organization notified 654,000 patients due to the device theft from its vendor GridWorks. It’s unclear whether the laptop was encrypted.

The stolen device contained patient names, contact details, dates of birth, and Medicaid ID numbers. Health histories were not stored on the laptop.

In response, Health Share updated its annual audit processes with its contractors and improved workforce training. 

5. Florida Orthopaedic Institute: 640,000 Patients

A ransomware attack on the Florida Orthopaedic Institute (FOI) potentially breached the data of about 640,000 patients, as reported to HHS on July 1.

The attack was first discovered on or about April 9, with the malware encrypting data stored on FOI servers. Administrators quickly secured the system, but the investigation revealed patient data was potentially exfiltrated or accessed during the attack.

The impacted data varied by patient, but could include a host of sensitive data such as Social Security numbers, dates of birth, claims addresses, insurance plan identification numbers, FOI claims histories, diagnosis codes, contact details, and physician locations, among other sensitive information.

6. Elite Emergency Physicians (Formerly Known as Elkhart Emergency Physicians): 550,000 Patients

The provider now known as Elite Emergency Physicians was included in a massive security incident involving the improper disposal of patient records, including records from when it operated as Elkhart Emergency Physicians.

In June, it was reported that third-party vendor Central Files, which was tasked with secure record storage and disposal for a number of healthcare covered entities, had improperly disposed of some patient files. The impacted providers also included St. Joseph Health System in Indiana. 

Multiple providers hired Central Files to destroy certain records, including sensitive and legally protected information, and to securely store other patient files until they were subsequently transferred to another records company.

However, reports in April warned certain providers that their documents were discovered at a dump site in “poor condition, showing signs of moisture damage, mold and rodent infestation, and damage from being mixed with trash and other debris.” 

“Trained safety personnel determined that further inspection of most of these records to identify individuals whose information was included in the documents would be extremely hazardous and instead recommended secure destruction as soon as possible,” officials explained. 

For Elite, the records included information of patients who visited Elkhart Emergency Physicians from 2002 to 2010. 

7. Magellan Health: 365,000 Patients

More than eight Magellan Health affiliates and some of its clients have reported breach incidents to HHS, after a sophisticated ransomware attack hit the health plan’s servers in April. Nearly 365,000 patients and employees have been impacted.

Hackers gained access by leveraging a social engineering phishing scheme that impersonated a Magellan Health client, five days before the ransomware was deployed. During that time, hackers first exfiltrated sensitive data from the impacted server. 

The potentially stolen data included employee credentials, passwords, and W-2 forms, in addition to patient data, including health insurance account information and treatment details. 

The recent breach marks the second time Magellan Health has faced a massive security incident in the last year. A month-long phishing incident in 2019 breached the data from some of the third-party vendor’s clients, such as Florida Blue, McLaren Health, and Presbyterian Health, among others. 

8. Baton Rouge Clinic: 308,169 Patients

A cyberattack on The Baton Rouge Clinic’s electronic database potentially breached the data of 308,169 patients in July.

Hackers breached the clinic’s main email system and some related patient records, which the clinic discovered on July 8. A subsequent investigation found that the attackers stole a subset of patient data during the attack.

The notice did not provide insights into the threat used during the incident, but “the attacker confirmed that none of the files were used or disclosed to anyone and any files taken were destroyed.”

However, recent reports show hackers can forge evidence demonstrating the destruction of stolen data.

9. AspenPointe: 295,617 Patients

Behavioral and mental health provider AspenPointe recently notified 295,617 patients that their data was compromised during a cyberattack on its technological infrastructure.

Discovered in late September, the incident was severe enough to force the provider to close the majority of its operations for a number of days.

The investigation later determined that hackers exfiltrated patient data from the network during the attack, including SSNs, contact details, dates of birth, driver’s licenses and bank account information.

10. BJC Health System: 287,876 Patients

A successful phishing attack on Missouri-based BJC Healthcare in May prompted breach notifications for 287,876 patients from 19 of its affiliated hospitals.

Three BJC Health employees fell victim to a phishing scam on March 6, which the security team detected on the same day. The investigation found the threat actor had access to the impacted email accounts for just one day, but officials were unable to determine if any patient information, emails, or attachments were viewed during that time. 

BJC reviewed all emails and attachments in the compromised accounts to determine which patients were affected and found that the information varied by patient, including treatments, medications, Social Security numbers, and health insurance data, among other sensitive information.

The impacted BJC-affiliated providers included: Alton Memorial Hospital, Barnes-Jewish Hospital, Barnes-Jewish St. Peters Hospital, Barnes-Jewish West County Hospital, BJC Behavioral Health, BJC Corporate Health Services, BJC Home Care, BJC Medical Group, Boone Hospital Center, Christian Hospital, Memorial Hospital Belleville, Memorial Hospital East, Missouri Baptist Medical Center, Missouri Baptist Physician Services, Missouri Baptist Sullivan Hospital, Parkland Health Center Boone Terre, Parkland Health Center Farmington, Progress West Hospital, and St. Louis Children’s Hospital.

This story has been updated to include the DCA hack, which was reported after the original piece was published.
