2020 saw record-breaking healthcare breaches, including some of the largest in history. Several of these breaches resulted from hacks and ransomware incidents, leading the FBI and HHS to issue a warning in October to healthcare organizations about the persistent threat. Ten of the largest 2020 healthcare breaches are discussed below.
2020 Healthcare Breaches and Cybersecurity Incidents
The majority of 2020 healthcare breaches occurred as a result of cybersecurity incidents. In fact, 8 out of 10 of the largest 2020 healthcare breaches were caused by phishing, hacking, and ransomware attacks.
Trinity Health Breach Affected 3,320,726 Patients
One of the most publicized breaches in 2020 was the Blackbaud incident. Blackbaud is a web-hosting vendor that was the victim of a large-scale cyberattack that affected hundreds of its clients, including several healthcare organizations.
Trinity Health was one such victim. This breach affected 3,320,726 patients, potentially exposing their protected health information (PHI). The PHI exposed in the incident included names, addresses, contact information, hospital locations, and insurance information. Some patients also had their financial information compromised in the incident.
MEDNAX Services, Inc. Breach Affected 1,290,670 Patients
MEDNAX Services, Inc. is a healthcare billing company that suffered an email breach that allowed unauthorized access to several business email accounts. The breach resulted in the PHI of 1,290,670 patients being compromised. The PHI potentially exposed included patient names, guarantor names, addresses, email addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, health insurance information, medical and/or treatment information, and billing and claims information.
Inova Health Systems Breach Affected 1,045,270 Patients
The Inova Health Systems breach also stemmed from the Blackbaud breach. Information accessed in this incident included data on Inova’s patients as well as their donors. Compromised data included names, contact details, dates of birth, provider names, dates of service, departments visited, and donation information including dates and amounts of donations.
Magellan Health Breach Affected 1,013,956 Patients
The Magellan Health breach, originally thought to have affected 365,000 patients, ultimately affected 1,013,956 patients. The incident was the result of a successful phishing attack that allowed unauthorized access to the company's network server. The phishing attack affected both patients and employees of Magellan Health, exposing sensitive information such as health insurance account data, treatment information, Social Security numbers, W-2 information, and employee ID numbers.
Dental Care Alliance Breach Affected 1,004,304 Patients
Dental Care Alliance provides practice support for 320 dental practices across the country. The breach occurred as a result of a month-long network hack that allowed unauthorized access to the PHI of 1,004,304 patients. PHI exposed in the breach included patient names, contact details, dental diagnoses, treatment information, patient account numbers, billing details, dentists’ names, bank account numbers, and health insurance data. Some patients also had their credit card information exposed in the breach.
Luxottica Breach Affected 829,454 Patients
Luxottica, a business associate of large eye care providers such as Target Optical, EyeMed, and LensCrafters, had their appointment scheduling app hacked, resulting in a breach affecting 829,454 patients. PHI exposed included patient names, contact information, appointment dates and times, health insurance policy numbers, and doctor or appointment notes that may indicate information related to eye care treatment, such as prescriptions, health conditions or procedures. Some patient Social Security numbers and credit card numbers were also accessed.
Northern Light Health Breach Affected 657,392 Patients
Another victim of the Blackbaud breach, Northern Light Health, had the PHI of 657,392 of their patients exposed. Potentially exposed PHI included patient names, addresses, phone numbers, email addresses, and dates of birth.
Florida Orthopaedic Institute Breach Affected 640,000 Patients
Florida Orthopaedic Institute was the victim of a ransomware attack that affected 640,000 patients. PHI potentially exposed included names, dates of birth, Social Security numbers, and other medical information. Although the Florida Orthopaedic Institute has taken steps to prevent future incidents from occurring, they are currently facing a class action lawsuit alleging that they didn’t do enough to prevent the incident from occurring in the first place.
2020 Healthcare Breaches and PHI Theft
Although the majority of 2020 healthcare breaches stemmed from cybersecurity incidents, there were some other causes behind some of the largest breaches of the year. This included the Health Share of Oregon breach. This breach was the result of an unencrypted laptop being stolen from their medical transportation vendor. PHI contained on the laptop, and therefore potentially accessed by an unauthorized party, included names, addresses, phone numbers, dates of birth, Social Security numbers, and Health Share ID numbers.
2020 Healthcare Breaches and Improper PHI Disposal
Improper disposal of PHI occurs when files are not destroyed in accordance with HIPAA law. Many healthcare organizations contract a third-party vendor to properly dispose of medical records; however, it is the responsibility of the healthcare organization to ensure that the vendor does so. Elkhart Emergency Physicians found this out the hard way when the records of 550,000 of its patients were found dumped in an unsecured location.