March has been the most eventful month for healthcare cyber security since the beginning of the year. With 27 individual breaches, the number of records compromised in March was more than triple the number of records compromised in January and February combined! Some of the most notable breaches include a former employee stealing records, a ransomware attack, and a phishing scam.
So far in 2017, there have been 410 total data breaches, and 99 of those have been healthcare-related. There have been 6,862,337 total records compromised this year, with 22% of them being in the healthcare industry.
2017 Largest Data Breach
With almost 700,000 records compromised, a Kentucky healthcare facility had the largest healthcare data breach this year. The breach occurred when a former employee obtained, without authorization, patient information on an encrypted CD and an encrypted USB drive. The information on the drive included names, addresses, Social Security numbers, and insurance information. The investigation indicates that she “intended to use these records to assist in the development of a computer-based tool for an outside business interest which had never been disclosed to the hospital.”
A medical center in Austin notified nearly 300,000 of its patients of a data breach incident that took place at its facility. The breach was caused by a ransomware attack on the system. Luckily, the attack was detected early, so it did not cause too much harm to the system. However, the hackers still had the potential to access names, addresses, dates of birth, Social Security information and medical information. Many times these types of attacks are not intended to misuse the patient information, but to lock the hospital out and force it to pay a ransom to regain access. The medical center still decided to provide identity theft monitoring services as an extra precaution for patients.
A number of employee email accounts were compromised at a hospital in Washington due to a phishing attack. Phishing emails are sent in an attempt to trick users into revealing sensitive information. In this case, the hackers were able to gain access to the information of over 80,000 patients. The attack was not discovered until more than seven weeks after it occurred, giving the attackers lots of time to access or steal information. The hospital has notified the patients who were affected and is also taking steps to reeducate its employees on the dangers of phishing emails.