The largest healthcare data breaches of 2021

Amidst warnings from the U.S. Federal Bureau of Investigation about hacking groups and news from the Department of Justice about ransomware-related arrests, an adage has begun to be repeated among cybersecurity professionals: It is not “if” an attack will occur, but “when.”

And 2021 has been a particularly dire year for healthcare data breaches, with incidents taking down networks for weeks at a time and potentially leading to disruptions of care throughout the country.

To add insult to injury, some hospitals even face legal action after restoring access to their network. Overall, 40,099,751 individuals’ records have been affected by exposures reported to the federal government so far this year.

For anyone who needs a refresher on how things have gone, Healthcare IT News has compiled a list of the 10 largest data breaches reported to the U.S. Department of Health and Human Services’ Office of Civil Rights this year so far:

Organization: Florida Healthy Kids Corporation

Date reported: 1/29/2021

Number of individuals affected: 3,500,000

What happened? An analysis found that “significant vulnerabilities” had been present on the children’s health insurance program website since 2013 – potentially leading to the exposure of personal information such as Social Security numbers, dates of birth, names, addresses and financial information.

Organization: 20/20 Eye Care Network, Inc.

Date reported: 5/24/2021

Number of individuals affected: 3,253,822

What happened? The eye care network 20/20, which provides eye and ear care services and administration, discovered suspicious activity in its Amazon Web Services environment. After an investigation, it determined that data had been potentially removed, possibly including personal information. Later, 20/20 faced a lawsuit over the breach.

Organization: Forefront Dermatology

Date reported: 7/8/2021

Number of individuals affected: 2,413,553

What happened? The Wisconsin-based group, which has locations in 21 states and the District of Columbia, reported that an intrusion resulted in unauthorized access to certain files on Forefront’s IT system containing patient and employee information.

Organization: NEC Networks, LLC

Date reported: 5/5/2021

Number of individuals affected: 1,656,569

What happened? NEC, which does business as CaptureRx, said it became aware of “unusual activity” involving some electronic files. An investigation determined that the relevant files contained first name, last name, date of birth and prescription information.

Organization: Eskenazi Health

Date reported: 10/01/2021

Number of individuals affected: 1,515,918

What happened? The Indiana-based health system said cybercriminals had gained access to its network for nearly three months. Eskenazi Health did not make a ransom payment, and the criminals released some of the stolen data on the dark web.

Organization: The Kroger Co.

Date reported: 2/19/2021

Number of individuals affected: 1,474,284

What happened? The Midwest grocery chain was affected by a data security incident affecting Accellion, a file-sharing company. Clinic customer information was found to be at risk, including pharmacy records.

Organization: St. Joseph’s/Candler Health System, Inc.

Date reported: 8/10/2021

Number of individuals affected: 1,400,000

What happened? The ransomware incident took the Georgia health system offline for several days. The unauthorized party had been able to access the network for six months.

Organization: University Medical Center Southern Nevada

Date reported: 8/13/2021

Number of individuals affected: 1,300,000

What happened? Although the incident only lasted a day, the attack – linked to the notorious REvil ransomware gang – compromised files containing protected health information and personally identifiable information. Just after the attack the group posted photos of driver’s licenses, passports and Social Security cards of a handful of alleged victims.

Organization: American Anesthesiology, Inc.

Date reported: 1/8/2021

Number of individuals affected: 1,269,074

What happened? An unauthorized party was able to gain access to the email system of the company’s business associate, MEDNAX, via phishing. These email accounts contained the personal information of American Anesthesiology’s clients, although the hackers appeared to be primarily focused on payroll fraud.

Organization: Professional Business Systems, Inc.

Date reported: 7/1/2021

Number of individuals affected: 1,210,688

What happened? The practice management company, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp., said that hackers attempting to deploy ransomware had copied files from its system containing patient information.

Unfortunately, there’s still a month and change left in 2021, which means we’ll likely see even more incidents before the end of the year – particularly given the increased threat the holidays may pose.


Kat Jercich is senior editor of Healthcare IT Information.

Twitter: @kjercich

Email: kjercich@himss.org

Healthcare IT News is a HIMSS Media publication.
