It has been a tough year for cybersecurity professionals as hacking groups and ransomware criminals have exposed the records of more than 40 million Americans during an onslaught of 2021 healthcare breaches. As a result, some healthcare data networks were out of service for weeks at a time, potentially compromising quality of care for patients across the country.
As recently as September, the FBI and HHS issued a warning about another newly observed ransomware, and there is growing consensus among cybersecurity professionals that it’s only a matter of time before every company will face a cyberattack. With that in mind, we have assembled a list of the top 10 2021 healthcare breaches to date.
2021 Healthcare Breaches and Cybersecurity Incidents
There seems to be no end in sight to the increasing frequency of cyber attacks. Further underscoring this, all of the top 10 breaches this year were caused by phishing, hacking, and ransomware attacks.
Florida Healthy Kids Corporation Breach Affected 3,500,000 Patients
Florida Healthy Kids Corporation administers the Florida Healthy Kids program, which provides subsidized insurance for children living in families who have too much money to qualify for traditional Medicaid. The non-profit corporation also provides administrative services for the other three KidCare programs. Following a cyberattack announced in January 2021, a subsequent analysis found “significant vulnerabilities” on the children’s health insurance program website since 2013. As a result, protected health information (PHI) was potentially exposed, including Social Security numbers, dates of birth, names, addresses and financial information.
20/20 Eye Care Network, Inc. Breach Affected 3,253,822 Patients
20/20 Eye Care Inc. is a business associate who offers administrative services to health plans. After being notified of suspicious activity in their Amazon Web Services Environment, an investigation was launched and the FBI was notified. The investigation found that data may have been removed, including PHI for as many as 3,253,822 patients. A class-action lawsuit was filed against the company in July 2021.
Forefront Dermatology Breach Affected 2,413,553 Patients
After suffering what was termed an “intrusion” on its network server in June 2021, Forefront Dermatology announced that the PHI of some patients had been accessed. “While the investigation found evidence that only a small number of patients’ information was specifically involved, Forefront Dermatology could not rule out the possibility that files containing other patients’ information may have been subject to unauthorized access,” said the company in a press statement. As many as 2,413,553 patient records may have been exposed. The Wisconsin-based healthcare provider has locations in 21 states and the District of Columbia.
NEC Networks, LLC Breach Affected 1,656,569 Patients
NEC Networks, is a business associate doing business as CaptureRx. A February 2021 investigation determined that as many as 1,656,569 patient files containing PHI such as name, date of birth, and prescription information were accessed and acquired without authorization.
Eskenazi Health Breach Affected 1,515,918 Patients
Eskenazi Health, an Indiana-based health system was targeted by cyber criminals in a ransomware attack. After gaining access to the organization’s network, the criminals disabled security measures and stole data, some of which was later released on the dark web.
The Kroger Co. Breach Affected 1,474,284 Patients
Kroger Co., the retail grocery chain confirmed in February 2021 that it was impacted by a data security incident affecting Accellion, Inc. Accellion’s services were used by Kroger, as well as many other companies, for third-party secure file transfers. Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion’s file transfer service. As a result, up to 1,474,284 patient records from the company’s pharmacy and clinic services may have been compromised.
St. Joseph’s/Candler Health System, Inc. Breach Affected 1,400,000 Patients
A ransomware attack on the Savannah, Georgia-based health system may have exposed the PHI of up to 1.4 million patients, including their names in combination with their address, date of birth, Social Security number, driver’s license number, patient account number, billing account number, financial information, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information regarding care received. The cyber attack was identified in June 2021, but the criminals had access to the network systems for the prior six months. In addition, the health system was unable to access their network for multiple days following the attack.
University Medical Center Southern Nevada Breach Affected 1,300,000 Patients
A one-day ransomware attack by a notorious group of Russia-based hackers resulted in the potential exposure of 1.3 million patient’s PHI. Following the attack, images of some victim’s driver’s licenses, passports and Social Security cards were posted on the hacker group’s website.
American Anesthesiology, Inc. Breach Affected 1,269,074 Patients
A phishing attack on Mednax, a business associate of American Anesthesiology, Inc. providing email services, allowed hackers to access some patient information. The information accessed included names, addresses, email, date of birth, Social Security Numbers, treatment information, and billing information. The email breach was believed to be part of an unsuccessful payroll fraud attempt, but 1,269,074 patient’s records may have been compromised.
Professional Business Systems, Inc. Breach Affected 1,210,688 Patients
The practice management company, which operates under the names of Practicefirst Medical Management Solutions and PBS Medcode Corp., reported that hackers had copied files from its system containing patient information while attempting to deploy ransomware.
