Breach, Ransomware, Incident Response, Endpoint/Device Security

Most of the 10 largest healthcare data breaches in 2022 are tied to vendors

An emergency room physician uses an ultrasound
A Navy emergency room physician uses an ultrasound for a trauma evaluation during a training exercise. (Marine Corps)

Ninety percent of 10 largest healthcare data breaches reported this year were caused by third-party vendors, much like in 2021. The fallout for many of these cyberattacks resulted in impacts for multiple connected providers, with two of these vendor incidents affecting hundreds of providers.

These incidents should serve as a warning to revisit third-party vendor relationships, ensure the entity is at least annually performing a review of vendors, and consider consolidating vendors where possible.

There are two points of clarification needed given the attention-grabbing Pixel reports over the last six months and multiple, weeks-long outages brought on by ransomware that did not make this list.

In calculating this list, SC Media listed the pixel incidents as single events because the tools were not caused directly by the vendor. Indeed, the pixels operated as intended. The incidents were instead caused by the providers failing to consider possible privacy implications of using tracking tools on patient-facing sites and The Health Insurance Portability and Accountability Act compliance requirements.

Secondly, the list in no way includes some of the largest cyberattack-related fallouts experienced in the industry this year. Two of those incidents, Kronos and CommonSpirit Health, could rightly be considered among the largest health compromises reported this year.

In a strong example, despite its systems being down across dozens of its care sites for more than a month, the CommonSpirit ransomware attack only resulted in data theft at seven hospitals and for 623,774 patients. However, the patient care impacts are simply not as easy to calculate.

SC Media will delve into patient safety impacts from this year in the near-future, as the lessons learned from these outages warrant a separate look.

1. OneTouchPoint: 4.11 million patients

In one of the most expansive data breaches reported this year, more than 30 health plans and a total of 4.11 million individuals were affected by a ransomware attack on printing and mailing vendor OneTouchPoint that was first discovered on April 28.

With over 326,278 impacted patients, Aetna ACE was among the hardest hit by the third-party incident.

The OTP notice disclosed that a threat actor accessed several servers one day before deploying the ransomware payload. The vendor was unable to determine just what files were accessed during the dwell time and instead reported based on the data contained within the servers, like patient names, member IDs, and information gathered from health assessments.

Only one of the affected health plans saw SSNs compromised during the incident.

2. Eye Care Leaders: Roughly 3.6 million patients

In what is undoubtedly the most complex and headline-grabbing stories in healthcare this year, Eye Care Leaders’ reported ransomware attack and the drama that followed is the second-largest breach reported this year.

Patient notices began as far back as May, with one provider waiting until November to inform individuals of the impact to their health data.

As meticulously reported by SC Media, ECL first came under the microscope in April after several providers filed a lawsuit against the ophthalmology-specific EHR and practice management system vendor for “concealing” multiple ransomware attacks and related outages that began in March 2021.

Despite informing ECL of the “crippling effect” these outages had on their practices and billing, the vendor allegedly failed to respond to their concerns or misrepresented the situation. Even now, there is no ECL breach notice listed on the Department of Health and Human Services reporting tool and the vendor has vehemently denied these claims.

In a surprising twist, ECL began to report in May that it was, indeed, hit with a ransomware attack — except, the incident was not related to the outages reported in the lawsuit. Summit Eye Associates and EvergreenHealth were the first to report on the incident, caused by the deployment of ransomware on Dec. 4, 2021.

The attacker first gained access to the systems weeks before the cyberattack, using their access to databases to delete data and system configuration files. The evidence could not rule out access to provider data, which included patient names, Social Security numbers, dates of birth, medical record numbers, health insurance, and treatment information. Other provider notices showed greater or lesser data impacts. 

While the initial lawsuit against ECL has since been joined by patient-led lawsuits filed in the wake of the public reports, there is still a lot the public does not know about the 2021 incidents at ECL. What’s clear is that ECL failed to notify providers impacted by the December 2021 incident until at least 30 days after the HIPAA-required timeframe.

3. Advocate Aurora Health: 3 million patients

The second major U.S. health system to report unauthorized disclosure due to the use of Pixel was Advocate Aurora Health, which is actively defending itself against multiple class action lawsuits brought in the wake of the Pixel fallout.

Reported in late October, Advocate Aurora informed patients that their health information was shared with Google and Facebook as a result of its use of Pixel on its patient portals, websites, applications and scheduling tools. Pixel was used by Advocate Aurora to better understand how patients were interacting with these sites.

However, the tech also disclosed protected health information, as well as “certain details about interactions with our websites, particularly for users that are concurrently logged into their Google or Facebook accounts and have shared their identity and other surfing habits with these companies,” officials explained.

The pixels have since been removed or disabled, but not before the accidental disclosure of patients’ IP addresses, appointment dates, times, and/or locations, proximity to Advocate Aurora Health locations, provider details, procedure types, communications between the patient and others on the MyChart platform, insurance information, and proxy names.

Advocate Aurora is continuing to assess the impacts of its pixel use, while it works to reduce the risk of unauthorized disclosures. Providers concerned about possible data scraping by the use of similar tracking tools should refer to the recent HHS alert that warns the use of these types of tools without a business associate agreement violates HIPAA.

4. Connexin Software: 2.2 million patients

Earlier this month, a pediatric electronic medical records and practice management software vendor known as Connexin Software reported a network hack and data theft incident that impacted 119 provider offices and over 2.2 million patients.

Connexin first discovered a “data anomaly” back on Aug. 26. Two weeks later, they discovered an actor “accessed an offline set of patient data used for data conversion and troubleshooting” and removed it from the network.

The stolen data varied by individual and could involve names, contact details, SSNs, guarantor names, parent or guardian names, dates of birth, highly specific health insurance information, treatments, procedures, diagnoses, prescriptions, provider names, medical record numbers, and billing and/or claims data.

Connexin stressed that its live EMR system wasn’t hacked during the incident, nor were any systems, EMRs, or databases belonging to physician practice groups. But notably absent from its notice was the cause behind the lengthy delay in notifying patients and their families.

5. Shields Health Care Group: 2 million individuals

For just a few weeks this year, Shields Health Care Group held the dubious title of largest data breach reported in healthcare in 2022 with its early June patient notice describing a systems hack and data theft in March. Shields is a third-party vendor that provides MRI, PET/CT, and outpatient surgical services for the sector.

Two million patients tied to 60 healthcare providers were told their data was compromised and likely stolen during a two-week hack from March 7 to March 21, but was not discovered by Shields until March 28.

“Although Shields identified and investigated a security alert on or around March 18, data theft was not confirmed at that time,” according to the notice. The subsequent investigation confirmed the actors stole a range of data that included SSNs, medical record numbers, patient IDs, treatment information, insurance details, billing information, and diagnoses, among other data.

The incident forced Shields to rebuild the entirety of the affected systems. The notice did not explain why it issued its notices far outside the required 60-day HIPAA timeframe.

6. Professional Finance Company: 1.91 million individuals

The “sophisticated” ransomware attack on Professional Finance Company in February is a prime example of how a single incident can impact hundreds of entities in healthcare. The attack on the debt collections firm affected 657 healthcare and the access of patient data for nearly two million patients.

What’s more, the attack was found and stopped on the same day it occurred. Even with only a short amount of dwell time, the attack was able to access patient names, SSNs, contact details, accounts receivable balances, payment information, dates of birth, insurance information, and medical treatments.

The incident forced PFC to wipe and rebuild the entirety of the systems impacted by the incident. 

7. Baptist Medical Center/Resolute Health in Texas: 1.71 million patients

Baptist Medical Center and Resolute Health Hospital is the only provider on this list to report an incident not caused by a vendor. In June, the Texas health system notified patients that their health information was likely stolen during a systems’ hack in March. The intrusion was not discovered for several weeks after it began.

On April 20, the security detected malicious code installed on certain systems, which was later found to have provided attackers with the ability to remove patient data from the network. The stolen data varied by patient and may have included demographic details, SSNs, insurance data, diagnoses, treatments, reason for visit, claims data, and a host of other information.

8. Community Health Network: 1.5 million users

The fourth provider to report accidentally disclosing patient data to Meta and Google for marketing purposes was Community Health Network in Indiana.

The CHN notice confirmed some suspected hypotheses about the use of pixel tools: namely, many of the impacted organizations were unaware of the potential HIPAA violations that could arise from the use of the tracking tool. CHN installed Pixel as part of an effort to improve access to information about critical care services and manage the function of its patient-facing websites.

In fact, CHN only launched its investigation after learning about the alleged pixel data scraping. Their investigation soon confirmed the installed pixels had collected and disclosed user data to the tech giants. CHN has since removed or disabled the pixels from its impacted platforms.

The unauthorized disclosure varied by patient and depended on how the configuration of the users’ devices and activities on the CHN website. The more a user interacted with the site, “the greater the disclosure.” The data could include IP addresses, appointment details, provider names, portal communications, appointment or procedure types, and other sensitive data.

9. Novant Health: 1.36 million individuals

North Carolina-based Novant Health was the first healthcare covered entity to report that it may have inadvertently disclosed health information to Meta through the use of the Pixel tracking tool on its website and patient portal.

The breach notice was sent just weeks after the June investigative reports on the Meta Pixel tracking tool, “in an effort to be as transparent as possible.” It remains unclear whether the reports prompted the discovery of the data scraping, or if it was an internal investigation.

Calling it an incorrect misconfiguration, the use of Pixel led to Meta receiving patients’ demographic details, contact information, emergency contacts or advanced care planning, appointment types and date, provider names, button or menu selections, “and/or content typed into free text boxes.” The data varied by individual.

10. Broward Health: 1.35 million patients

Brought on by the hack of a connected third-party vendor, the Broward Health breach was one of the first healthcare incidents reported this year. The data of 1.35 million patients and employees was stolen after an attacker gained access to the Broward Health network through an access point connected to one of its service providers.

The threat actor remained on the network for four days and exfiltrated a wide range of patient and employee information from the network, including SSNs, financial or bank account information, medical histories, conditions, treatments, diagnoses, medical record numbers, and driver’s licenses, among other sensitive data.

Like several other providers this year, the notice fell outside the 60-day HIPAA requirement. But Broward Health informed individuals the delay was directly caused by a Department of Justice request to hold the breach notice to prevent compromising the ongoing law enforcement investigation.

Several lawsuits were filed against Broward Health in the wake of the patient notifications, some of which have been dismissed.

*Update: SC Media inadvertently referred to the initial data estimates for the OTP incident. This piece has been updated to reflect the final tally reported to HHS, which shifted the top 10 list.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.