Biggest Data Breaches Over the Past Year in Healthcare

Over 40 million patient records were hacked last year, according to the US Federal Bureau of Investigation. The incidents can be very severe, knocking out networks for weeks at a time and potentially causing medical disruptions across the US. Some hospitals face lawsuits after regaining access to their network.

Below we present several examples related to the leakage of confidential data of more than 1,000,000 people. These were cases of hacker attacks where outsiders gained access to networks with personal electronic data.

Accellion FTA Hack - at least 3.51 million records

The largest data breach in the healthcare system was a hacking incident involving firewall vendor Accellion. The breach had far-reaching implications for healthcare, including the risk of using outdated technology and failing to quickly fix known security gaps. Starting in December 2020, hackers exploited four vulnerabilities in FTA to infiltrate connected client networks and steal vast amounts of personal information. More than 100 medical companies, including at least 11 US medical institutions, were hit hard by the attackers' actions. The attack was carried out by the Clop ransomware group; the motives behind their attack were initially unclear. Throughout early 2021, numerous Accellion customers began receiving emails directly from the hackers, who blackmailed them with threats to leak data stolen from FTA.

Victims of the breach eventually responded with lawsuits against Accellion and many of the affected customers. The lawsuits make serious allegations, including failure to implement proper security practices, failure to identify the vulnerabilities behind the exploit, and responsibility for the integrity of clients’ data when aware of one’s own vulnerability. But in the details of the lawsuit, there is a clear message from the vendor that users are solely responsible for their own security.

“Accellion denies all allegations and any liability and maintains that the company had no legal duty of care to [the individuals] and acted reasonably” — a direct quote from company officials.

Despite this statement, the company ultimately entered into a settlement agreement that established a “non-refundable $8.1 million fund” to pay for any valid claims, notices, and administrative costs of affected individuals. Under the terms of the settlement, victims of the violations may receive two years of credit monitoring and insurance services, as well as payments for documented damages of up to $10,000 or a cash payment of $15 to $50. Accellion is also required to provide annual cybersecurity training for all employees, hire personnel with “formal cybersecurity responsibilities,” and periodically assess compliance with measures posted on its website.

Since the first breach, ongoing industry debate has centered around concerns that the vendor continued to sell its FTA despite known security flaws. In 2016, Accellion stopped licensing FTA to new customers but allowed previous customers to renew their existing licenses. Thus, the last security update for the vulnerable FTA was released as far back as February 2019.

Florida Healthy Kids Corporation - 3.5 million records

The organization that runs Florida Children’s Dental and Health Insurance program has shut down its online application platform after discovering that the company that hosted its website had failed to patch vulnerabilities for seven years. This led to hacker intrusion and the disclosure of personal information and data. Independent cybersecurity experts hired to investigate the incident discovered significant vulnerabilities in the hosted website platform and databases supporting Florida KidCare’s online application.

“Florida Healthy Kids learned that a web hosting provider failed to apply security patches to its software, thereby exposing the website to vulnerabilities that were ultimately exploited by hackers,” — the organization said in a statement.

The vulnerabilities covered a seven-year period from November 2013 to December 2020. Information that may have been disclosed includes individuals’ full names, dates of birth, email addresses, telephone numbers, physical addresses, Social Security numbers, and certain financial information. The company’s investigation found no evidence that this “personal information was altered, used, or accessed”, or “removed from the system”.

20/20 Eye Care Network, Inc - 3,253,822 records

Last January, 20/20 was alerted to suspicious activity within the Amazon Web Services (AWS) environment. In response, AWS credentials were reviewed and deactivated, and the FBI was notified. Subsequently, a comprehensive review was conducted to determine what specific data may be at risk and to whom this information relates. After completing the review and verification of the data, 20/20 notified the individuals and the relevant regulators as soon as possible.

Information that may have been accessed by unauthorized persons included name, address, Social Security number, member identification number, date of birth, and health insurance information. It seems that they have not been able to definitively and specifically identify exactly what data was hacked.

The incident is somewhat shrouded in confusion. What actually happened and what was the motivation behind the threat? The report coded the incident as an “insider crime”, but there was nothing in the notice to affected members to indicate that the organization was suspected of responsibility for wrongdoing by a particular employee.

NEC Networks, LLC, CaptureRx - at least 2.42 million records

The CaptureRx data breach was first discovered on February 19, 2021, according to the HIPAA Journal. An investigation later revealed that unauthorized third parties had accessed sensitive data on February 6, 2021. Affected customers were notified of the breach in late March and early April 2021. The data breach affected 1.9 million people at hospitals and pharmacies served by CaptureRx. Patient information such as names, dates of birth, prescription information, and medical records was compromised in the breach, prompting some patients to sue CaptureRx.

In May 2021, an anonymous plaintiff sued. According to the plaintiff, the company “betrayed” customers by not protecting confidential data. As a result of this failure, the plaintiff and other consumers allegedly face risks such as fraud and identity theft. CaptureRx admitted no wrongdoing but agreed to pay $4.75 million. According to Health IT Security, the company is considering bankruptcy if the settlement is not finally approved.

Forefront Dermatology, S.C. - 2,413,553 records

In June 2021, Forefront Dermatology acknowledged that a breach of its network may have exposed the personal information and medical records of up to 2.4 million patients. The organization’s personnel records were also at risk due to the compromise. The situation could have been even worse if the company had not shut down its network after detecting the intrusion. In a statement, Forefront Dermatology said the investigation revealed “unauthorized access to certain files in its IT systems containing patient and employee information”.

Among other sensitive data, this information could include patient names, addresses, dates of birth, health insurance plan member identification numbers, names of healthcare providers, and/or clinical treatment information. “There is no evidence that patients’ Social Security numbers, driver’s license numbers, or financial account/payment card information were involved in this incident,” — Forefront Dermatology said.

Forefront Dermatology notified patients who were advised to check their medical records. The healthcare provider has pledged to increase security controls to prevent a repeat of the devastating incident.

The attackers hacked vulnerabilities in the FTA

We’re not saying that these totals don’t account for the more than 600 incidents reported to the Department of Health and Human Services in 2021, as well as unreported incidents and other health care violations that may not be covered by the Health Insurance Portability and Accountability Act.

Despite media coverage of other incidents, the Accellion File Transfer hack was the biggest healthcare data breach of 2021. The attackers hacked long-standing vulnerabilities in the FTA platform, which they used to infiltrate ISPs’ connected systems and deploy a web shell called DEWMODE. The access was used to steal large amounts of sensitive information, which the attackers then used to extort victims. The fact that attackers were able to carry out their dastardly acts so precisely and invisibly should serve as a warning to all affected organizations and business partners to prioritize identity and access management, as well as visibility issues.

The cybersecurity company Critical Insight highlighted in a report last year that 2021 set a record for the number of breaches over the entire research period; it also saw the largest amount of protected information related to the health and personal data of patients disclosed and leaked onto the Internet.

In 2021, about 45 million people were affected by hacker attacks on medical facilities; in 2020 this figure was more modest, at 34 million. According to reports from health care organizations, the number of offenses has tripled since 2018.

“Whether the attack vector is software, credentials, or the devices themselves, the healthcare industry is a prime target for attackers charged with monetizing PHI or demanding ransom for the information. In 2022 and beyond, healthcare organizations must monitor not only their own cybersecurity but also the reliability of the providers who access the data. The sector has seen much more proactive approaches to cybersecurity, but there is still a long way to go,” John Delano, Critical Insight Strategist and Vice President, Christus Health.

Healthcare IT departments continue to struggle with crisis situations related to the COVID pandemic. This can cause normal security measures to fall by the wayside, breaches to go undetected for weeks, and attempts to verify security measures taken by third parties to be ineffective.

We feel the pain of all the players in this market and the complexity of the processes. Of course, we would be happy to hear from you about improving personal data protection in the healthcare sector. Below we have written some tips that should be implemented so that there are no unpleasant surprises such as painful hacker attacks. But we perfectly understand that each case is unique, so we will gladly answer the questions that bother you concerning software security audits.

Software security audit rules that should be implemented

1. Comply with HIPAA

According to government regulations, health data processors must conduct an annual security assessment of their systems. Given today’s increasingly sophisticated cyberattack strategies, it’s a good idea to constantly check your software and network for anomalous behavior.

2. Choose a good audit logging and reporting system for yourself

Auditing solutions provide real-time analysis of events generated by applications and network equipment. There are many data analytics solutions that are very effective in strengthening your network. With these solutions, you can fully understand how information flows through your healthcare environment. Some of these audit solutions can detect anomalies in data patterns.

3. Put employees in charge of data security

Advanced technology by itself is not enough to protect organizational boundaries. It is also necessary to involve employees. Teach colleagues not to give up sensitive data to social engineering. What’s the point of having the best antivirus to protect your network if an employee unknowingly divulges sensitive data to a suspect over the phone or verbally?

4. Testing matters

Conduct penetration tests and vulnerability tests to determine the resilience of an organization’s network. You can use the help of a specialized firm to conduct end-to-end professional testing. Because hackers are always looking for holes they can open, you need to stay ahead of them with professional testing. This option is also available in the list of BeKey services.


Mariia Maliuta (Copywriter) "Woman of the Word" in BeKey; technical translator/interpreter & writer
