According to our 2018 End-of-Year Breach Report, there were a total of 372 data breaches in the medical and healthcare sector that exposed over 10 million records. As of September 2019, there have already been 368 data breaches that have exposed over 36 million records in the sector – poised to push well past the 2018 statistics. In the last two years, the ITRC has seen an increase in medical and healthcare data breaches – more than any other category we track, aside from the business sector.


This is one reason why the Identity Theft Resource Center has been working since 1999 to empower identity theft victims with the resources and tools to resolve their cases, including helping people proactively reduce their risk of becoming a victim of identity theft – especially where their highly sensitive personal health information (PHI) is concerned. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches in its monthly and cumulative end-of-year reports.

Last week we took a look at some of the largest business data breaches. This week we shift our attention to the top five most impactful medical and healthcare data breaches for consumers.

Anthem
In February 2015, Anthem suffered what is considered to be the largest medical and healthcare data breach in the United States, which later led to the largest Health Insurance Portability and Accountability Act (HIPAA) settlement in the country. Nearly 80 million consumers were impacted, with information such as names, birthdates, Social Security numbers, addresses, phone numbers, email addresses and employment data being compromised. Minors on their parents’ healthcare plans were also affected, which is particularly troubling given the long shelf-life of the static data (SSNs) that was compromised. In 2018, Anthem agreed to take corrective actions and to pay the U.S. Department of Health and Human Services, Office for Civil Rights $16 million to settle the violations of the HIPAA Privacy and Security Rules. The breach made consumers aware that even though their health information was regulated under HIPAA, it was still at risk of exposure – and not just their health information, but a host of other components of their identity.

American Medical Collection Agency

Third-party billing and collections agency American Medical Collection Agency (AMCA) experienced a medical and healthcare data breach in March of 2019, when an intrusion into its payment system exposed the personal information of millions of patients. Over 24 million people and 20 entities (so far) were affected by this breach, including Quest Diagnostics, which reported that approximately 11.9 million of its patients were impacted. The data exposed included names, dates of birth, payment card numbers, names of labs or medical service providers, dates of medical services, referring doctors, banking information, Social Security numbers and certain medical information such as patient account numbers and health insurance numbers. The information exposed varied from entity to entity, since each entity had provided AMCA with different information about its patients. As of this blog’s publish date, we are still receiving notifications from medical industry organizations that were victims of this breach – we will continue to update the numbers as we receive them in our monthly Data Breach Report.

Premera Blue Cross

Major healthcare services provider Premera Blue Cross announced a data breach in March of 2015 that impacted over 11 million of its customers. The data breach was caused by hackers posing as Premera IT, who sent employees phishing emails with links that delivered malware. The breach affected both Premera Blue Cross and Premera Blue Shield of Alaska, as well as their affiliate brands Vivacity and Connexion Insurance Solutions, Inc. The information exposed included names, birthdays, email addresses, physical addresses, phone numbers, Social Security numbers, member ID numbers, bank account information and claims information, which may have included clinical information. In July 2019, Premera Blue Cross paid a total of $74 million ($32 million in damages and $42 million to improve data security) as part of a settlement. Premera will pay $50 to any class member who submits a claim, and up to $100,000 to class members who can provide documents showing proven out-of-pocket damages from the breach.

Excellus Blue Cross Blue Shield

Blue Cross had another breach just six months later, this time involving health insurer Excellus Blue Cross Blue Shield. This medical and healthcare data breach affected over ten million plan members and vendors. The cyberattack began in December 2013 and was not detected by Excellus until nearly two years later. Information such as names, dates of birth, Social Security numbers, addresses, phone numbers, claims and financial payment information (including some credit card numbers) was compromised.

Virginia Department of Health Professionals

In May 2009, the Virginia Department of Health Professionals (DHP) announced a security breach impacting the agency’s Prescription Monitoring Program. DHP had discovered the breach one month earlier, after a message was posted on the Prescription Monitoring Program website by a hacker claiming to have stolen eight million patient records and 35.5 million prescriptions. The message also included a ransom note demanding $10 million within seven days, failing which the hacker would sell the data to the highest bidder. The breach was first reported on WikiLeaks.

As we recap the last 10,000 breaches, the ITRC hopes to help those impacted – both consumers and businesses that fall victim to the nefarious acts of fraudsters – understand how to minimize their risk and mitigate their data compromises. Medical/healthcare breaches don’t just impact health information. As these examples show, static information like Social Security numbers and dates of birth can also be gleaned by those harvesting data through breaches – which puts consumers at an even higher risk of every aspect of identity theft (not just medical).

If you ever receive a data breach notification letter, do not just toss it aside or throw it away. Call us toll-free at 888.400.5530 or use LiveChat to talk with a live advisor about what you should do. If you are a business impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers.

As part of this series, in our next 10,000 Breaches Later blog we will take a look at some of the largest government and military breaches since 2005 and what they meant for consumers. For a look at all of ITRC’s 10,000 breaches blogs, visit

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.
