Healthcare racks up more costs from data breaches than any other sector, but the hacks just kept coming in 2018.
Even as cybersecurity ranked the top IT investment in 2018 and topped the list of concerns heading into the new year, failing to follow standard data protection protocol is a common problem.
The problem often isn't security software. It's human error.
Data protection-focused Ponemon Institute recently surveyed industry leaders and found 62% experienced a breach in the past year, with half of those breaches endangering patient data. The majority of breaches, the survey shows, stem from failures to address a known security vulnerability.
A JAMA Internal Medicine research letter published in November yielded results similar to Ponemon's. After analyzing 1,138 data breaches that occurred between October 2009 and December 2017, researchers found that more than half (53%) had originated inside the organization.
C-suite executives have largely placed the blame on a lack of cybersecurity staff. Though most organizations that don't have a chief information officer are actively looking for one, recent research shows even CIOs are failing to follow the most basic steps to protect patient data issued by the Office of the National Coordinator for Health Information Technology. Health systems have, on average, only implemented about 18% of ONC's recommendations.
It's been a boon for hackers, eager to exploit the security vulnerabilities of an EHR by getting their hands on patient data, a particularly lucrative healthcare commodity.
Cybersecurity troubles can cost health systems a pretty penny. Earlier in the year, HHS hit Anthem with a record $16 million HIPAA fine after the insurer exposed the health records of 79 million patients.
Below is a curated list of five of the scariest patient data breaches of 2018, ranked in no particular order. They aren't all the biggest breaches, but they do demonstrate how frighteningly easy it still is to compromise sensitive patient information.
1. Triple-S Advantage: Mailed patient data to the wrong patients
The Puerto Rico-based insurer made a major blunder when it accidentally mailed letters containing the information of 36,305 members to the wrong addresses, disclosing those members' data to other patients. Luckily, the letters did not contain Social Security numbers or financial data.
But it was far from the first time the Blue Cross insurer experienced a breach. Triple S Management Corporation, the plan's parent company, has repeatedly been in hot water with the HHS Office for Civil Rights. After eight breaches between 2010 and 2014, Triple S Management Corporation was hit with a $3.5 million fine, followed by $1.5 million to the Puerto Rico Health Insurance Administration.
2. Independence Blue Cross: Uploaded patient data to its public website
An employee at the Philadelphia-based insurer accidentally uploaded the names, birthdays, diagnosis codes and provider information of 17,000 members to the company's public website, where the data remained exposed for nearly three months between April and July. The incident affected fewer than 1% of the insurer's members, and no Social Security numbers or financial data were compromised, according to the company.
IBC said in a statement that it was unable to confirm whether or not the health-related data had been accessed, but that it did take "appropriate action" with the employee.
3. Health Equity: Employees frequently opened phishing emails
Health savings company Health Equity experienced two distinct breach events in 2018. The first took place in April, when more than 16,000 patients had their data exposed after an unauthorized person broke into an employee's email account.
Months later, in October, the same thing happened with another Health Equity employee, this time exposing the data of 23,000 members. Although Health Equity categorized this as a single attack when it reported its forensics findings last month, another employee had their account compromised multiple times, exposing patient health data the company uses to communicate health savings account needs.
4. Atrium Health and Baylor Medical Center: Millions of records breached in an attack on biller AccuDoc
For one week in September, 2.65 million patients at Atrium Health and 40,000 patients at Baylor Medical Center had their data stolen by a hacker who gained access to the database of AccuDoc, a billing firm that does business with both systems. This is the biggest breach on the list, and it's also one of the scariest: the exposed data included the Social Security numbers of 700,000 patients.
Atrium said no financial data was obtained by the hacker. As other systems have done after patient data was compromised, Atrium provided those 700,000 members with a year of free credit monitoring.
5. California Department of Developmental Services: Office looted and set ablaze by vandals
A tragic incident at California's Department of Developmental Services' legal and auditing building in Sacramento differs from the others: malice was at the root of the breach, yet it seems the perpetrators weren't interested in stealing data.
Thieves stole 12 government computers containing the personal information of 15,000 state employees, contractors and parents of minors enrolled in the department's programs. The department oversees nonprofits serving people with developmental disabilities.
The information was encrypted and deemed untouched, but this marked the second physical break-in at California's DDS within the span of a few months; the first may have included state employee data.