HealthData Management recently reviewed the 10 largest cyber attacks of 2015 in the healthcare setting. The report notes that some of the attacks started in 2014 (focusing on the time period of when the attacks were reported). The total number of victims from these hacks was placed at 109,671,626, which represents about one-third of the population of the U.S. Each hacked organization has offered paid credit and/or identity theft protection services.
The single largest attack was against Anthem Health Insurance, affecting 78.8 million individuals. The hack affected all Anthem product lines, compromising names, birthdates, member IDs, SSNs, addresses, phone numbers, email addresses and employment.An attack against Premera Blue Cross, started in 2014, affected 11 million individuals. As with Anthem, a wide range of member information was compromised, including personal bank account numbers. Ten million individuals were affected by an attack started in 2013 against Excellus BlueCross BlueShield, which included members from other BCBS plans in a 31 county area in update New York. The company said “Individuals who do business with us and provided us with their financial account information or Social Security number also are affected.”
UCLA Health detected suspicious network activity in late 2014 and investigated with assistance from the FBI, concluding that the attackers had not gained access to parts of the network that contain personal and medical information. In mid 2015, as part of an ongoing investigation, UCLA determined that attacks had accessed parts of its network, affecting 4.5 million individuals.Medical Informatics Engineering, which sells electronic health records with its NoMoreClipboard subsidiary, found an attack that involved 3.9 million individuals. The hack retrieved patient names, user names, hashed passwords, security questions and answers, email addresses, dates of birth, health information and Social Security numbers all compromised.
An attack against a single database at CareFirst BlueCross Blue Shield affected 1.1 million individuals. The attack was discovered during security work being done in response to attacks against other insurers. Limited personal information was said to have been involved in the attack, with no member Social Security numbers, medical claims information or financial information put at risk.In mid 2015 Beacon Health System discovered a phishing attack that accessed multiple employee e-mail boxes, starting in late 2013. The breach was found by an internal forensic team after an employee noticed email irregularities, and affected the two-hospital system and affiliated physicians. St. Mary’s Health in Indiana discovered a breach affecting 4,400 individuals after investigating a hack attack against employee email accounts.
Advantage Dental, with 30 clinics across Oregon, discovered an attack on an internal database that affected over 150,000 individuals. The access was terminated only 3 days after it was discovered and notifications were sent to affected individuals within 30 days. The intruder accessed the database through a computer infected with malware.