Once reported, OCR posts healthcare data breach information on its breach portal, which is publicly available. Sometimes referred to as the HIPAA “wall of shame,” the portal provides information on the number of individuals impacted, the breach submission date, type of breach, and the location of the breached information.
The portal’s 2021 entries show the continuation of a troubling trend—as the pandemic continues to overwhelm providers and threat actors get savvier, healthcare data breaches are not slowing down. At the time of publication, OCR had named over 550 covered entities that experienced a data breach in 2021. Over 40 million individuals faced PHI exposure as a result of these breaches.
The 10 biggest reported healthcare data breaches of 2021 (by number of individuals affected) were all hacking/IT incidents, and all but one occurred on the organization’s network server. Ransomware continues to be a threat across the healthcare sector, and the trend is likely to continue in 2022.
Despite a growing number of cyber threats, many healthcare organizations have learned to adapt and prepare for cyberattacks and data breaches by implementing cyber incident response plans, conducting third-party risk assessments, and enacting technical safeguards.
Health plan Florida Healthy Kids Corporation started the year by reporting the biggest healthcare data breach of 2021 to date on January 29. The breach impacted 3.5 million individuals.
According to Health News Florida, the personal information of millions who applied for coverage or were enrolled in Florida KidCare between 2013 and 2020 was exposed after the health plan’s website was targeted in a cyberattack.
Florida KidCare is a nonprofit that includes Medicaid, MediKids, Florida Healthy Kids, and the Children’s Medical Services program.
Florida Healthy Kids Corporation said it was notified of the incident on December 9, 2020. Social Security numbers, birth dates, names, addresses, and financial information may have been accessed by threat actors during the cyberattack. Further investigation revealed that the health plan’s website, maintained by Jelly Bean Communications Design, had significant security vulnerabilities that were overlooked.
Florida-based 20/20 Eye Care Network reported a healthcare data breach to HHS on May 24. According to a notice from the Maine attorney general’s office, 20/20 discovered suspicious activity on its Amazon Web Services (AWS) environment on January 11, 2021.
20/20 notified the FBI immediately after it deactivated and reset access credentials. Some information was accessed and possibly deleted after a bad actor hacked into the provider’s AWS cloud storage environment to download and destroy data.
20/20 informed over 3.2 million individuals that their Social Security numbers, names, addresses, member identification numbers, birth dates, and health insurance information may have been exposed or deleted.
Forefront Dermatology, S.C., notified HHS on July 8 of a data breach that impacted over 2.4 million individuals, including patients and employees. The dermatology practice identified a network intrusion on June 4 and promptly took its network offline.
However, between May 28 and June 4, an unauthorized party had access to Forefront Dermatology’s IT network and accessed files containing names, birth dates, patient account numbers, addresses, dates of service, provider names, medical treatment information, and medical record numbers.
“While the investigation found evidence that only a small number of patients' information was specifically involved, Forefront Dermatology could not rule out the possibility that files containing other patients' information may have been subject to unauthorized access,” Forefront Dermatology stated in July.
“Patients whose information may have been involved in this incident are being notified by Forefront Dermatology and are advised to review the statements they receive from their health care providers and health insurance plan. If individuals see services they did not receive, they should contact the provider or health plan immediately. To help prevent something like this from happening again, Forefront Dermatology is enhancing its security protocols.”
NEC Networks, which does business under the name CaptureRx, faced a healthcare data breach in February that impacted over 1.6 million people and affected more than 16 healthcare organizations. CaptureRx is an IT vendor that helps healthcare systems manage their 340B drug programs.
Further investigation and notices by other healthcare organizations brought the total number of patients impacted to approximately 2.4 million individuals.
Although the breach was initially reported to HHS on May 5, healthcare systems impacted by the business associate breach continued to announce their involvement throughout the summer of 2021. In July, MetroHealth System in Ohio announced that its patient files were accessed during the breach. In August, New York-based Catholic Health said that patient PHI was impacted as a result of the CaptureRx incident.
The breach impacted patient PHI across multiple healthcare organizations, exposing prescription data, names, and birth dates.
The breach also impacted Walmart, Jones Memorial Hospital, and Trinity Twin City Hospital, among others.
Indianapolis-based Eskenazi Health notified HHS of a data breach on October 1. The breach was discovered on August 4 and led to significant EHR downtime and ambulance diversions.
Initially, Eskenazi Health said it was unsure whether patient information was used maliciously. On October 1, the hospital announced that further investigation had revealed that bad actors stole and posted patient information on the dark web. Bad actors may have had access to the hospital’s network as early as May.
As of November, one patient was seeking class-action status in a lawsuit against Eskenazi Health, alleging the hospital’s ransomware attack resulted in fraudulent charges on her credit card along with wasted money and time.
The Kroger Co. reported a healthcare data breach to HHS on February 19. The grocery chain was one of over 100 victims of the Accellion data breach, which occurred in December 2020 and impacted a dozen healthcare organizations.
No more than 1 percent of Kroger Health and Money Services customers were impacted, along with some employees whose HR records were affected. Accellion’s File Transfer Application (FTA) was compromised when bad actors associated with the Clop ransomware group exploited zero-day vulnerabilities.
“The incident was isolated to Accellion's services and did not affect the Kroger Family of Companies' IT systems or any grocery store systems or data. No credit or debit card information or customer account passwords were affected by this incident,” Kroger’s statement explained.
“After being informed of the incident's effect on January 23, 2021, Kroger discontinued the use of Accellion's services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident.”
Beaumont Health announced in September that around 1,500 of its patients had also been impacted by the Accellion breach.
St. Joseph’s/Candler (SJ/C) Health System in Savannah, Georgia, discovered a ransomware attack on June 17 that led to significant EHR downtime. Further investigation determined that the breach began on December 18, 2020. The hospital system’s computers and telecommunications systems were inaccessible, and clinicians had to document clinical notes with pen and paper.
SJ/C notified HHS and released an official press release on August 10. The release stated that “SJ/C cannot rule out the possibility that, as a result of this incident, files containing patient and co-worker information may have been subject to unauthorized access.”
As of September, patients had filed two class-action lawsuits against SJ/C, alleging that the Georgia health system was negligent in preventing the attack, which went undetected for six months.
“It wasn’t a simple software glitch or temporary power outage. It was, instead, a complete information technology (IT) meltdown,” one of the lawsuit filings stated.
“Everything, from electronic medical record[s] (EMR) used to document encounters to the lab, radiology and billing software, went down. Even the phones, which are formatted as voice over the internet protocol (VOIP) devices, stopped working. All of St. Joseph’s/Candler usual patient encounter protocols were immediately rendered ineffective. The hospital system was, in essence, flying blind.”
University Medical Center Southern Nevada fell victim to a REvil/Sodinokibi ransomware attack in June that compromised files containing the personal information of 1.3 million individuals. The hackers also posted photos of passports, Social Security cards, and driver’s licenses on the dark web for about a dozen individuals.
McAfee’s quarterly cyber threat report showed that REvil/Sodinokibi were responsible for 73 percent of ransomware detections in Q2 2021.
The Department of Justice (DOJ) announced in November that it charged two individuals in connection with REvil/Sodinokibi cyberattacks.
Client information from New York-based American Anesthesiology (owned by North American Partners in Anesthesia) was exposed when an unauthorized party gained access to the email system of the practice’s business associate, MEDNAX.
Bad actors orchestrated a phishing attack and successfully gained access to several email accounts for five days between June 17 and June 22 of 2021. The breach was submitted to HHS on January 8.
The hacker appeared to be primarily interested in payroll fraud, although their attempts were unsuccessful.
Patient contact information, health insurance information, treatment information, and billing information were impacted during the business associate breach.
In July, practice management vendor Professional Business Systems, doing business as Practicefirst, announced that a 2020 ransomware attack had potentially exposed the PHI of patients and employees.
A malicious hacker attempted to deploy ransomware and successfully copied files from Practicefirst’s system that contained birth dates, names, addresses, Social Security numbers, email addresses, tax identification numbers, diagnoses, lab results, medication information, and employee usernames and passwords. The information was later deleted.
“We immediately reported the Incident to appropriate law enforcement authorities and implemented measures to further improve the security of our systems and practices,” the vendor’s statement explained.
As 2021 comes to a close and holidays approach, bad actors are unlikely to stop targeting the healthcare sector with ransomware attacks and exploitation attempts.