Healthcare

Healthcare stands out due to the majority of breaches being associated with internal actors. Denial of Service attacks are infrequent, but availability issues arise in the form of ransomware.

Top 3 patterns – Miscellaneous Errors, Privilege Misuse and Web Applications represent 81% of incidents within Healthcare

Threat actors– Internal (59%), External (42%), Partner (4%), and Multiple parties (3%) (breaches)

Actor motives– Financial (83%), Fun (6%), Convenience (3%), Grudge (3%), and Espionage (2%) (breaches)

Data compromised– Medical (72%), Personal (34%), Credentials (25%) (breaches)

Illustrative breaches

  • Anthem
  • Pasquotank-Camden Emergency Medical Services
  • Rutland Regional Medical Center
  • Zoll Medical
  • Critical Care, Pulmonary & Sleep Associates (CCPSA)
  • Catawba Valley Medical Center
  • Presbyterian Healthcare Services 
  • Verity Health Systems
  • Baystate Health
  • Prisma Health
  • Steps to Recovery
  • EmCare
  • Inmediata Health Group
  • Quest Diagnostics
  • LabCorp
  • Opko Health
  • Essentia Health
  • Clinical Pathology Laboratories (CPL)
  • Providence Health Plan
  • UW Medicine
  • National Healthcare Group (NHG) 
  • SingHealth
  • Community Care Physicians
  • THSuites
  • Rotherwood Healthcare
  • Walgreens
  • Health Share of Oregon
  • Beaumont Health
  • ExecuPharm
  • Ambry Genetics
  • Magellan Health
  • Babylon Health
  • MedEvolve
  • LifeLabs
  • Cano Health LLC
  • Clay County Public Health Center
  • Choice Health Management Services
  • The Central California Alliance for Health
  • American Medical Technologies
  • Young Minds
  • Trinity Health
  • Inova Health System
  • NorthShore University HealthSystem
  • SCL Health – Colorado (affiliated covered entity)
  • Nuvance Health (on behalf of its covered entities)
  • The  Baton Rouge Clinic, A Medical Corporation
  • Virginia Mason Medical Center
  • University of Tennessee Medical Center
  • Legacy Community Health Services, Inc.
  • Allina Health
  • University of Missouri Health Care
  • The Christ Hospital Health Network
  • Stony Brook University Hospital
  • Atrium Health
  • University of Kentucky HealthCare
  • Children’s Minnesota
  • Roswell Park Comprehensive Cancer Center
  • Piedmont Healthcare, Inc
  • SCL Health – Montana (affiliated covered entity)
  • Roper St. Francis Healthcare
  • Regina Clinic Breach
  • Saraburi Hospital Thailand
  • Universal Health Services
  • The Medisys Health Group and its affiliates
  • AAA Ambulance Service
  • Dickinson County Healthcare System
  • Shionogi & Co
  • St. Lawrence County Hospital
  • Dr. Lal PathLabs
  • Oswego Health
  • Pfizer
  • Dr. Reddy’s
  • Davita Florissant Dialysis
  • Mercy Iowa City Hospital
  • Timberline Billing
  • Lupin
  • Chesapeake Regional Healthcare
  • Iowa Hospital
  • US Fertility (“USF”)
  • The Duesseldorf hospital
  • Ministry of Health of Brazil and the Israelita Albert Einstein Hospital
  • NTreatment
  • Dental Care Alliance

Data breach – maximum fines and damages

  • Anthem:

U.S. health insurer Anthem suffered a breach in 2015 that impacted 79 million people. The breach included names, birthdates, Social Security numbers and medical IDs. In October 2018 the company was fined $16 million by the US Department of Health and Human Services for Health Insurance Portability and Accountability Act (HIPAA) violations. That fine was in addition to the $115 million the company had to pay out in 2017 to settle a class action lawsuit relating to the breach.

  • Fresenius Medical Care North America:

HIPAA failures strike again. In February 2018 Fresenius Medical Care North America (FMCNA) was slapped with a bill for $3.5 million after suffering five separate breaches at different company locations between February and July of 2012. An investigation by the Office for Civil Rights found FMCNA had failed to “conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the health information it was storing across its different entities.”

These failures include not preventing unauthorized access to facilities and equipment, failing to encrypt health data, not governing the removal of electronic media holding health data, and having a lack of security incident procedures.

  • Cottage Health and Touchstone Medical Imaging:

2019 has already seen two large HIPAA violations; $3 million each for Cottage Health & Touchstone Medical Imaging. Cottage health was fined for two breaches — one in 2013 and another in 2015 — resulting in electronic protected health information (ePHI) affecting over 62,500 individuals being leaked. Both incidents involved servers holding ePHI being accessible over the internet.

Tennessee-based Touchstone Medical Imaging was fined after leaving the protected health information (PHI) of over 300,000 patients available online through an exposed FTP server. Touchstone was notified about this exposure by the FBI in 2014 but claimed no patient PHI was exposed.

The US Department of Health and Human Services (HHS) found that Touchstone “did not thoroughly investigate the security incident until several months after notice of the breach from both the FBI and OCR.” In addition, the HHS said that notification to individuals affected by the breach was “untimely,” that Touchstone “failed to conduct an accurate and thorough risk analysis of potential risks,” and the company “failed to have business associate agreements in place with its vendors.”

  • National Healthcare Group (NHG) 

Public healthcare cluster National Healthcare Group (NHG) in Singapore has been fined $6,000 for failing to secure personal data – a year after another healthcare cluster, SingHealth, received a record fine after a breach in its database.

  • SingHealth

Singapore’s largest healthcare cluster SingHealth was slapped with a $250,000 fine for failing to secure patient data.

Enforcements

NameFineAuthority
Hague HospitalEUR 1,00,000Dutch Supervisory Authority for Data Protection
B.D.EUR 511Commission for Personal Data Protection
Liceo Scientifico Nobel di Torre
del Greco
EUR 4,000Italian Data Protection Authority
National Center of Addiction
Medicine (‘SAA’)
EUR 20,600Icelandic data protection authority
(‘Persónuvernd’)
Health and Medical Board of the
Region of Örebro County
EUR 11,200Data Protection Authority of
Sweden
Provincial Health Authority of
Cosenza
EUR 30,000Italian Data Protection Authority
%d bloggers like this: