News Feature | August 27, 2014

Hackers Cause Of Worst Healthcare Data Breaches

By Christine Kern, contributing writer

The HHS Office for Civil Rights has registered at least 89 healthcare breaches, 12 of which affected more than 50,000 people each.

The recent healthcare data breach at Community Health Systems was the second-largest breach of any type in the era of breach notification. A total of 4.5 million patients have since been offered identity protection after hackers in China attacked the CHS information systems in April and June of this year.

Hacking of data has become a growing problem and is of particular concern in healthcare because of the sensitive nature of patient data. The HHS Office for Civil Rights website of large breaches includes a list of at least 89 significant incidents of hacking, with many attacks affecting at least 50,000 individuals. Following is a look at some of the largest incidents involving patient data listed on the website.

The Montana Department of Public Health and Human Services notified 1.3 million individuals in June 2014 that one of its computer servers was hacked. This is significant, because that number actually exceeds the state’s total population. After an investigation, it was revealed the attack likely occurred in July 2013. The patient data that was breached included names, addresses, birth dates, and Social Security numbers, along with a list of employee names, Social Security numbers, and bank account numbers. The Department of Public Health and Human Services offered a year of credit and identity protection services to all 1.3 million individuals.

In April 2012, the Utah Department of Public Health announced the hacking of a server holding the information of 780,000 Medicaid and CHIP recipients. Approximately 280,000 individuals had their Social Security numbers stolen and were subsequently offered one year of credit monitoring services. The breach also included names, birth dates, and addresses. The server, which held Medicaid eligibility determination transactions, was in the state’s Department of Technology Services, and the leader of the department subsequently lost his job.

In 2010, Triple-S Management, a BCBS plan serving more than one million members in Puerto Rico, discovered it had been hacked by employees of a competitor who were downloading data on more than 400,000 insured individuals into the competitor’s own information systems. The competitor had not sanctioned the breach, and actually reported it to Triple-S. The hacking employees used active user IDs and passwords specific to Triple-S’s database to access the information, targeting financial information related to the government insurance plan rather than individuals’ information.

In Bryan, TX, the hacking of a server for parts of three days in December 2013 resulted in the five-hospital St. Joseph Health System sending notifications to 405,000 past and present patients, employees, and employee beneficiaries. The attack, originating in China, compromised names, birth dates, Social Security numbers, limited medical details, addresses, and bank account information for some employees. A subsequent forensic investigation was unable to determine if information was actually accessed, but affected individuals received one year of identity protection services.

In October 2013, malware in an email attachment opened by a University of Washington Medicine employee resulted in the breach of a subset of billing files for more than 76,000 patients. This included approximately 15,000 Social Security numbers, and those individuals were offered a year of credit monitoring services.