Top health data breaches caused by hackers
August 26, 2014 12:57 PM
Overview:
Hospital chain Community Health Systems now has the second-largest breach of any type in the era of breach notification, with 4.5 million patients being offered identity protection services after hackers in China attacked CHS information systems in April and June of 2014. The HHS Office for Civil Rights Web site of large breaches lists at least 89 major incidents of hacking, which have become much more prevalent during the past two years.
In June 2014, the Montana Department of Public Health and Human Services notified 1.3 million individuals--a number that exceeds the states population--after a computer server was hacked. An investigation found the server likely was initially attacked in July 2013. Breached information included patient names, addresses, birth dates and Social Security numbers, and employee names, SSNs and bank account numbers. All were offered a year of credit and identity protection services.
The Utah Department of Public Health in April 2012 announced the hacking of a server holding information on 780,000 Medicaid and CHIP recipients. About 280,000 individuals had their Social Security numbers stolen and were offered a year of credit monitoring services. Other breached information included names, birth dates and addresses. The server, holding Medicaid eligibility determination transactions, was in the states Department of Technology Services and the leader of the department subsequently lost his job.
Triple-S Management, a BCBS plan serving more than 1 million members in Puerto Rico, in 2010 learned that it was hacked by employees of a competitor who were downloading data on more than 400,000 insured individuals into its own information systems. The employees had gone rouge and the competitor itself reported the breach to Triple-S. The hacking employees used active user IDs and passwords specific to Triple-S database to access the information. The likely target was financial information related to the government insurance plan rather than individuals information.
A server hacked for parts of three days in December 2013 resulted in five-hospital St. Joseph Health System in Bryan, Texas, notifying 405,000 past and present patients, employees and some employee beneficiaries. Originating in China, the attack compromised names, birth dates, Social Security numbers, limited medical details, addresses and bank account information for some employees. A forensics investigation failed to confirm if information was actually accessed. Affected individuals received a year of identity protection services.
Malware in an email attachment that a University of Washington Medicine employee opened in October 2013 accessed a subset of billing files for more than 76,000 patients. About 15,000 Social Security numbers were included and those individuals were offered a year of credit monitoring services.
Between September 17 and November 8, 2013, the L.A. Gay & Lesbian Center was attacked to collect credit card and other financial information, along with Social Security numbers of approximately 59,000 present and former clients. Other compromised data may have included names, birth dates, medical information and contact information. The attacks were sophisticated and designed to go after the financial data, the center informed affected individuals, who were offered one year of identity protection services.
