The largest healthcare data breaches of 2021

Amidst warnings from the U.S. Federal Bureau of Investigation about hacking groups and news from the Department of Justice about ransomware-related arrests, an adage has begun to be repeated among cybersecurity professionals: It is not “if” an attack will occur, but “when.”

And 2021 has been a particularly dire year for healthcare data breaches, with incidents taking down networks for weeks at a time and potentially leading to disruptions of care throughout the country.

To add insult to injury, some hospitals even face legal action after restoring access to their network. Overall, 40,099,751 individuals’ records have been affected by exposures reported to the federal government so far this year.

For anyone who needs a refresher on how things have gone, Healthcare IT News has compiled a list of the ten largest data breaches reported to the U.S. Department of Health and Human Services’ Office of Civil Rights this year so far:

Organization: Florida Healthy Kids Corporation

Date reported: 1/29/2021

Number of individuals affected: 3,500,000

What happened? An analysis found that “significant vulnerabilities” had been present on the children’s health insurance program website since 2013 – potentially leading to the exposure of personal information such as Social Security numbers, dates of birth, names, addresses and financial information.

Organization: 20/20 Eye Care Network, Inc.

Date reported: 5/24/2021

Number of individuals affected: 3,253,822

What happened? The eye care network 20/20, which provides eye and ear care services and administration, discovered suspicious activity in its Amazon Web Services environment. After an investigation, it determined that data had been potentially removed, possibly including personal information. Later 20/20 faced a lawsuit over the breach.

Organization: Forefront Dermatology

Date reported: 7/8/2021

Number of individuals affected: 2,413,553

What happened? The Wisconsin-based group, which has locations in 21 states and the District of Columbia, reported that an intrusion resulted in unauthorized access to certain files on Forefront’s IT system containing patient and employee information.

Organization: NEC Networks, LLC

Date reported: 5/5/2021

Number of individuals affected: 1,656,569

What happened? NEC, which does business as CaptureRx, said it became aware of “unusual activity” involving some electronic files. An investigation determined that the relevant files contained first name, last name, date of birth and prescription information.

Organization: Eskenazi Health

Date reported: 10/01/2021

Number of individuals affected: 1,515,918

What happened? The Indiana-based health system said cybercriminals had gained access to their network for nearly three months. Eskenazi Health did not make a ransom payment, and the criminals released some of the stolen data on the dark web.

Organization: The Kroger Co.

Date reported: 2/19/2021

Number of individuals affected: 1,474,284

What happened? The Midwest grocery chain was affected by a data security incident affecting Accellion, a file-sharing company. Clinic customer information was found to be at risk, including pharmacy records.

Organization: St. Joseph’s/Candler Health System, Inc.

Date reported: 8/10/2021

Number of individuals affected: 1,400,000

What happened? The ransomware incident took the Georgia health system offline for several days. The unauthorized party had been able to access the network for six months.

Organization: University Medical Center Southern Nevada

Date reported: 8/13/2021

Number of individuals affected: 1,300,000

What happened? Although the incident only lasted a day, the attack – linked to the notorious REvil ransomware gang – compromised files containing protected health information and personally identifiable information. Just after the attack the group posted photos of driver’s licenses, passports and Social Security cards of a handful of alleged victims.

Organization: American Anesthesiology, Inc.

Date reported: 1/8/2021

Number of individuals affected: 1,269,074

What happened? An unauthorized party was able to gain access to the email system of the company’s business associate, MEDNAX, through phishing. These email accounts contained the personal information of American Anesthesiology’s clients, although the hackers appeared to be largely focused on payroll fraud.

Organization: Professional Business Systems, Inc.

Date reported: 7/1/2021

Number of individuals affected: 1,210,688

What happened? The practice management company, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp., said that hackers attempting to deploy ransomware had copied files from its system containing patient information.

Unfortunately, there’s still a month and change left in 2021, which means we’ll likely see even more incidents before the end of the year – particularly given the heightened threat the holidays may pose.

Kat Jercich is senior editor of Healthcare IT News.

Twitter: @kjercich

Healthcare IT News is a HIMSS Media publication.