In 2021, the 10 largest reported health care data breaches, so far, have compromised the protected health information of nearly 16 million patients. It’s a staggering statistic on its own, considering there have been a host of other security incidents impacting more than 100,000 individuals that did not make the ongoing list.
To put it in perspective, the total number of individuals affected by reported incidents during the first half of 2020 was just 3.5 million: the same number of victims seen in the top two incidents reported during the first half of 2021.
Perhaps even more concerning, 60% of the reported breaches in 2021 were caused by vendors. Thus, the mid-year breach update should serve as a wake-up call for the sector to review vendor contracts and assess their security processes.
Health care entities should review previous supply chain guidance from NIST and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency for insights into best practices and case studies that shed light on effective vendor management processes.
In February, CISA urged all private sector entities to be on alert, as threat actors had exploited several unpatched vulnerabilities in Accellion’s File Transfer Appliance (FTA) and stole a massive data set in an attempt to extort victims.
The threat actors first gained access through several known zero-day vulnerabilities in Accellion’s legacy FTA. They used the access to install a web shell called DEWMODE.
At first, the motives behind the attack were unclear. But in January, a number of organizations began to receive extortion emails from the attackers, who threatened to leak data stolen through the FTA exploit. The hack has since been attributed to the Clop ransomware group, notorious for actively targeting the health care sector despite it being overwhelmed by the pandemic.
In total, at least 100 companies from all sectors were affected by the extortion effort, with Clop’s dark web blog leaking data from a number of victims in the U.S., Canada, the Netherlands, and Singapore.
The health care sector was among the hardest hit by these hacking exploits:
Reported in February, Florida Healthy Kids Corporation (FHKC) notified 3.5 million online applicants and enrollees of a seven-year data breach caused by its vendor failing to patch multiple website vulnerabilities.
The vendor, Jelly Beans Communications Design, notified FHKC that thousands of applicant addresses had been accessed and tampered with through the website it hosted. A review determined that the website and its associated databases held significant security flaws that enabled the successful exploit, beginning in November 2013.
The investigation could not rule out the exposure of data, including full names, dates of birth, Social Security numbers, financial information, family relationships, and secondary insurance data.
Covered entities must routinely review vendor relationships and security practices to ensure business associates are adhering to the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
Under HIPAA, covered entities and relevant business associates are required to perform routine risk analyses of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the entity.
The Department of Health and Human Services recommends the use of NIST standards to ensure relevant entities are in compliance with the HIPAA rule.
A threat actor hacked into an Amazon Web Services cloud storage bucket belonging to the 20/20 Eye Care Network, also known as 20/20 Hearing Care Network, and accessed, downloaded, and possibly deleted the protected health information belonging to 3.3 million patients.
The provider was alerted to suspicious activity within its cloud storage environment in early January 2021, which prompted an investigation. The response team could not conclusively determine what data the hacker accessed or removed from the network, just that they downloaded certain information prior to completely destroying it.
The impacted information varied by patient but could include names, SSNs, dates of birth, member identification numbers, and/or health insurance information.
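The article does not say how the 20/20 bucket was reached, so the following is a generic hygiene check rather than a reconstruction of that incident. It is an added example, not code from the article or from 20/20: a small auditor that reads an S3 bucket policy document and flags Allow statements granted to anonymous or any-AWS principals, separating public read grants from public delete grants (the latter matters when an attacker downloads and then destroys data). The two policies, the bucket name, the role name and the 123456789012 account ID are constructed placeholders.

```python
"""Audit an S3 bucket policy for broad read/delete grants.

Added example, not from the original article. It evaluates only the bucket
policy document itself: bucket ACLs, Block Public Access settings and IAM
identity policies are separate controls and are not inspected here.
"""
import fnmatch
import json

# Concrete actions of interest; a policy's action pattern (which may contain
# wildcards such as "s3:*") is matched against these with fnmatch.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")
DELETE_ACTIONS = ("s3:deleteobject", "s3:deleteobjectversion", "s3:deletebucket")


def _as_list(value):
    """Policy grammar allows a string or a list of strings for Action/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True if the statement applies to anyone (anonymous or any AWS account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _covered(action_patterns, wanted):
    """Return the subset of `wanted` actions covered by the statement's patterns."""
    patterns = [a.lower() for a in action_patterns]
    return sorted(w for w in wanted if any(fnmatch.fnmatch(w, p) for p in patterns))


def audit_bucket_policy(policy_json):
    """Return one finding per Allow statement granted to a public principal."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        if "NotAction" in stmt:
            # NotAction grants everything except the listed actions; treat as a wildcard.
            actions = ["*"]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "public_read": _covered(actions, READ_ACTIONS),
            "public_delete": _covered(actions, DELETE_ACTIONS),
            # A Condition may narrow the grant, so it is reported rather than assumed safe.
            "has_condition": bool(stmt.get("Condition")),
        })
    return findings


# Constructed sample: anyone can read and delete objects.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadDelete",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::example-phi-bucket/*",
    }],
})

# Constructed sample: access limited to one application role (placeholder account
# ID 123456789012), plus a Deny for any request not made over TLS.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-phi-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-phi-bucket",
                         "arn:aws:s3:::example-phi-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_bucket_policy(doc), indent=2))
```

The weak policy produces one finding with both a public read and a public delete grant; the hardened one produces none, because its only Allow names a specific role and the Deny statement is skipped. A public delete grant is the finding to treat most urgently: S3 versioning with MFA delete or Object Lock limits what an attacker can destroy even after a read grant has been abused.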
A ransomware attack on HIPAA business associate CaptureRx in February compromised data from a long list of health care providers. The notice did not outline when the cyber incident was first detected, just that its investigation concluded on Feb. 19.
The investigation found threat actors accessed and exfiltrated files connected to its health care clients. A review of the affected information ended on March 19, finding the stolen data included patient names, dates of birth, and prescription details.
CaptureRx reported the breach to HHS as impacting 1.7 million individuals from:
Netgain is a cloud IT hosting, service, and solutions provider with a number of health care clients. Throughout the first half of 2021, a wide range of its providers began notifying patients their data was compromised after a number of security incidents against the Netgain environment.
In September 2020, an attacker leveraged stolen credentials to gain access to Netgain’s system. During the hack, the actor was able to proliferate to client environments connected to the vendor’s system. The access enabled the theft of a significant amount of patient information.
The hack on Netgain and connected client environments persisted, undetected, for several months before the attackers deployed ransomware on the Netgain environment on Dec. 3, 2020. The ransomware attack prompted the investigation, which found the initial hacking and exfiltration.
The stolen data varied by client and by patient, but could include patient names, SSNs, dates of birth, contact details, driver’s licenses, and claims information that could be used to determine diagnoses and medical conditions.
The hackers demanded a ransom payment from Netgain, which it paid to return the stolen information. Officials said they “received assurances that the data was deleted and destroyed.”
It should be noted that Coveware has repeatedly found an increasing number of cybercriminals falsifying “proofs” they’ve destroyed stolen data, even when the victim pays the ransom demand. Several hacking groups have even publicly doxed victims after a ransom payment, with some even demanding a second extortion payment from victims who previously paid to have stolen data deleted to prevent a data leak.
The number of impacted entities and patients remains unclear. But many have been reported to the media and HHS, including:
The data of 753,107 Personal Touch Holding (PTH) patients was compromised during a ransomware attack on its cloud-hosting vendor, Crossroads Technologies, in December 2020.
PTH operates 16 subsidiaries in the US, such as Personal Home Care, Personal Home Aides, and Personal Touch Hospice with sites in Virginia, West Virginia, Massachusetts, Texas, Kentucky, Indiana, New York, and others. Crossroads hosts PTH’s electronic medical record.
The ransomware infected Crossroads’ data center hosted in Pennsylvania and impacted a server containing patient information, which included treatment information, SSNs, medical record numbers, insurance cards, health plan benefit numbers, and other sensitive data.
One of the first health care data breaches reported this year stemmed from a security incident at Texas-based Hendrick Health, one of the providers hit during the ransomware wave in the fall of 2020.
Hendrick Medical Center and Hendrick Clinic were impacted by a cyberattack, during which clinicians were forced into electronic health record (EHR) downtime procedures. While the attack bore the hallmarks of ransomware, officials did not confirm the cause of the incident.
The outage spurred an investigation, which found patient data was potentially accessed for a month between October 10 and November 9. The compromised data included SSNs, contact details, demographic information, and limited data related to care received at Hendrick Health.
The data of 527,378 patients was stolen ahead of a ransomware attack on Wolfe Eye Clinic in February. The security team detected the initial hack in February, but the investigation did not confirm a data breach until May due to the complexity and scope of the incident.
The investigation found patient data was accessed and likely stolen during the hack, including SSNs, contact information, dates of birth, and some medical and health information.
Bricker and Eckler is an Ohio-based law firm with multiple health care clients, which gives the firm access to personal and health information tied to client engagement and legal counsel functions.
An investigation into a January ransomware attack found hackers had previously accessed the firm’s internal systems on multiple occasions between January 14 and January 31, when the ransomware was deployed.
During the hack, the actors stole a host of data from certain systems, including the health information of 420,532 patients. The attackers also obtained SSNs, driver’s licenses, contact information, and other sensitive data.
The notice shows Bricker and Eckler were able to “retrieve the data involved from the unauthorized party and have taken steps to delete the data.” Again, once data is stolen, there is no guarantee that cybercriminals will honor claimed arrangements.
In a much-delayed breach notice, Health Plan of San Joaquin notified 420,000 patients in May that their data was compromised late last year after several employee email accounts were hacked for several weeks between Sept. 26, 2020 and Oct. 12, 2020.
The intrusion, first discovered on Oct. 23, 2020, involved a threat actor logging into multiple email accounts and accessing the information they contained. The accounts contained troves of identification data, including member, medical, and claim ID numbers, as well as driver’s licenses, government-issued IDs, and SSNs.
Notable, ongoing data exposure via PACS
As first reported in 2018, a long list of health care providers are inadvertently exposing millions of medical images through unsecured Picture Archiving and Communication Systems (PACS).
The systems are used by many covered entities to archive medical images and share patient records and images with other providers. But inherent flaws in the tech, including the use of the Digital Imaging and Communications in Medicine (DICOM) standard, are leaving large amounts of patient data exposed to hacking risks.
The current tally shows at least 130 U.S. health care providers are actively uploading patient data through these systems, which are readily exposed in real-time.
Since the first report from ProPublica, Dirk Schrader, global vice president at New Net Technologies (NNT), has steadily worked to inform the providers of the exposure and to inform the industry of this critical threat to health care data.
“Any system connected to the internet, based on current standards or not, will be scanned for by attackers,” Schrader recently told SC Media. “And when there’s no matter of protection for these systems, it opens the playing field.”
In light of the ongoing threat landscape, it’s an opportune time for health care providers to review their inventories and ensure the integrity of all connected devices and systems.
Editor's note: A previous version of this story included a photo that did not properly reflect the organization that was breached. That photo has since been removed. We regret the error.