- API Penetration Testing

Top 10 Cybersecurity Breaches in US Healthcare

Learn about the state of cybersecurity in American healthcare and the top 10 breaches that rocked the sector.
Hospitals contain an unbelievable amount of data, and cybercriminals know they can profit by selling patient records on criminal websites on the deep web. Moreover, data security at many healthcare organizations happens to be relatively lax. What's more, unprotected medical devices serve as easy entry points for hackers to clandestinely enter the healthcare system and then overwhelm the client infrastructure. Cash-rich American healthcare institutions are some of the most sought-after targets for cybercriminals. Here's looking at the top-10 US healthcare security breaches of all time.
#1 Anthem
Indiana-headquartered Anthem (Elevance Health Inc., since June 2022) is a health insurance provider with more than 46.8 million members. In late February 2015, Anthem announced it had suffered a hacker attack that might have compromised personal records of up to 80 million people, including existing and former customers as well as employees. The exfiltrated information included names, birth dates, social security numbers, email addresses, income data, and employment information. No medical data was hacked, according to the insurance giant. There has been speculation linking the hack, which started in February 2014, to a foreign state actor in Asia. In June 2017, Anthem agreed to pay $115 million to settle class-action lawsuits as well as provide impacted members an additional two years of credit monitoring and identity protection services.
#2 Excellus BlueCross BlueShield
Founded in 1936, Excellus BlueCross BlueShield sells health insurance plans in 39 New York counties. In August 2015, the health plan acknowledged that up to 10.5 million of its customers might have had their data breached in a hacking incident that began 18 months earlier. Outside of Excellus, the long-term breach might have affected some of its insurance partners in the BlueCross BlueShield network and 2.5 million members of Excellus' own non-BlueCross subsidiary. Protection information skimmed off by the threat actor included social security numbers, member identification numbers, financial account information, and claims data. In January 2021, Excellus agreed to pay Feds $5.1 million in penalties to settle potential HIPAA violations stemming from the breach.
#3 Premera BlueCross
Washington-based Premera BlueCross is the largest health insurer in America's Pacific Northwest. In mid-March 2015, Premera said hackers may have gained access to information on its applicants as well as members of other BlueCross BlueShield plans in Washington and Alaska. Hackers reportedly stole medical records, bank details, and social security numbers. In all, the hack exposed data on more than 10 million people for a year, starting May 2014. The breach came to Premera's attention in January 2015. State-backed hackers from Asia are believed to have orchestrated the hack. Based on IP address, tools and techniques, security experts assume the same group might have pulled off the Anthem hack as well. In July 2019, Premera agreed to pay $84 million, including $74 million in class action settlement.
#4 Tricare
Tricare, the US military's health coverage program, is responsible for delivering healthcare to serving and retired armed forces personnel and their families. In late September 2011, Tricare announced that two weeks earlier, SAIC, the health insurer's information security management agency, had reported a data breach. Backup tapes containing protected health information on an estimated 4.9 million active and retired military personnel and their families had been stolen from an SAIC employee's car. The pilfered data, relating to the period 1992 to 2011, included social security numbers, clinical notes, and laboratory tests. However, in May 2014, the majority of law suits filed against the two companies claiming $4.9 billion in class-action settlements were dismissed since only 2 out of the 33 plaintiffs could "plausibly assert" that their data had been accessed.
#5 University of California Los Angeles Health System
The University of California Los Angeles (UCLA) Health System comprises four hospitals, a medical school, and a primary care network. In October 2014, suspicious activity was noticed on the health system's network. UCLA Health System was able to confirm a cyberattack only by May 2015. HIPAA mandates that healthcare providers must notify patients of a possible data breach within 60 days of discovery of a breach. Hackers reportedly accessed and copied sensitive data (names, social security numbers) on 4.5 million patients and UCLA Health staff. In July 2015, the impacted patients brought a class-action suit against UCLA Health alleging HIPAA violations. In March 2019, it was reported that UCLA Health will spend $2 million in class action claims and $5.5 million to improve its cybersecurity.
#6 Community Health Systems
In 2014, Community Health Systems (CHS), a Fortune 500 company based in Tennessee, operated more than 200 affiliated hospitals. Between April and June 2014, cybercriminals compromised CHS' patient record systems and stole names, social security numbers, addresses, birthdays and telephone numbers. The breach put at risk the data of any person who had availed treatment from a CHS-run hospital during the previous five years. This worked out to nearly 6.1 million patients. An advanced persistent threat group operating out of China is believed to have remotely accessed the systems using compromised admin credentials. Previously, the same hackers had been noticed stealing data on medical devices. In October 2020, CHS and one of its business associates agreed to pay $7.3 million to resolve HIPAA violations and in settlement agreements with 28 states.
#7 Advocate Health Care
Advocate Health Care is the Chicago region's largest physician group. Four desktops were stolen from the group's administrative offices in an early morning burglary on July 15, 2013. The machines were password-protected, but not encrypted. In any case, password protection can be bypassed by taking out the hard drive and attaching it to another device. The building didn't have an alarm system either. The computers contained sensitive information, including names, addresses, and social security numbers, on more than 4 million patients. However, the breach did not include patients' medical or financial information. A class-action suit filed by patients charging Advocate with compromising their privacy was dismissed by an appellate court in 2015. Even so, in 2016, federal regulators slapped a $5.55 million fine on Advocate for HIPAA violations.
#8 Medical Informatics Engineering
Founded in 1995, Indiana-based Medical Informatics Engineering (MIE) is a provider of web-based healthcare platforms to hospitals and health systems. In late May 2015, MIE reported that a sophisticated cyberattack might have exposed protected health data of 3.5 million patients. The breach, which began two weeks earlier, had compromised servers at 11 providers and 44 radiology centers in the MIE network. The threat actor had hijacked user credentials to steal sensitive information, including social security numbers and clinical data. Soon, patients across 16 US states sued MIE and its subsidiary NoMoreClipboard. In 2018, the companies faced a lawsuit filed by 12 US states for failure to adopt basic industry-accepted data security measures. In mid-2019, MIE agreed to settle the multistate action for $900,000, apart from paying $100,000 in HIPAA fines.
#9 Banner Health
Banner Health, operating out of Arizona, is one of the top health systems in the US with a 50,000-strong workforce. In June 2016, the healthcare system reported a breach of the payment processing system at its food and beverages outlets. Black hats had apparently entered the system and worked their way deeper into the servers hosting patient data. Data on nearly 3.7 million patients, health plan members, physicians and other healthcare providers was reportedly at risk. The attack started June 23, 2016, but wasn't spotted until July 7, 2016. In April 2020, an Arizona court approved the health system's $8.9 million settlement with patients hit by the data breach. Additionally, Banner Health will extend two years' free credit monitoring cover to all breach victims.
#10 Newkirk Products
Newkirk is in the business of producing healthcare ID cards for health insurance plans in Kansas and North Carolina, besides New York where the company is headquartered. In the first week of August 2016, Newkirk announced that a month earlier the company had shut down a server containing members' health information after noticing unauthorized access. It appeared that the hacker had first set foot in the system in late May 2016. The breach occurred hardly five days after Newkirk was acquired by Broadridge Financial Solutions for $410 million. The cyber incursion might have impacted 3.3 million health plan subscribers and patients as well as 13 health insurers. Hackers pinched medical ID numbers and group IDs. In settlement, Newkirk offered two years of free identity theft monitoring to all affected persons.
There are hard lessons for healthcare institutions in all these data breaches in terms of monetary and reputational loss. Strengthening the cybersecurity perimeter is an ongoing affair, not a one-time quick fix, for every US healthcare provider. Besides, it takes years of hands-on experience to tackle resourceful cybercriminals and neutralize sophisticated cyberattacks. In case you need advice from professionals, the Cyberlands team will be more than happy to assist you! Team