Healthcare

Healthcare stands out because the majority of its breaches are associated with internal actors. Denial of Service attacks are infrequent, but availability issues arise in the form of ransomware.

Top 3 patterns – Miscellaneous Errors, Privilege Misuse and Web Applications represent 81% of incidents within Healthcare

Threat actors – Internal (59%), External (42%), Partner (4%), and Multiple parties (3%) (breaches)

Actor motives – Financial (83%), Fun (6%), Convenience (3%), Grudge (3%), and Espionage (2%) (breaches)

Data compromised – Medical (72%), Personal (34%), Credentials (25%) (breaches)

Illustrative breaches

  • Anthem
  • Pasquotank-Camden Emergency Medical Services
  • Rutland Regional Medical Center
  • Zoll Medical
  • Critical Care, Pulmonary & Sleep Associates (CCPSA)
  • Catawba Valley Medical Center
  • Presbyterian Healthcare Services 
  • Verity Health Systems
  • Baystate Health
  • Prisma Health
  • Steps to Recovery
  • EmCare
  • Inmediata Health Group
  • Quest Diagnostics
  • LabCorp
  • Opko Health
  • Essentia Health
  • Clinical Pathology Laboratories (CPL)
  • Providence Health Plan
  • UW Medicine
  • National Healthcare Group (NHG) 
  • SingHealth
  • Community Care Physicians
  • THSuites
  • Rotherwood Healthcare
  • Walgreens
  • Health Share of Oregon
  • Beaumont Health
  • ExecuPharm
  • Ambry Genetics
  • Magellan Health
  • Babylon Health
  • MedEvolve
  • LifeLabs
  • Cano Health LLC
  • Clay County Public Health Center
  • Choice Health Management Services
  • The Central California Alliance for Health
  • American Medical Technologies
  • Young Minds
  • Trinity Health
  • Inova Health System
  • NorthShore University HealthSystem
  • SCL Health – Colorado (affiliated covered entity)
  • Nuvance Health (on behalf of its covered entities)
  • The Baton Rouge Clinic, A Medical Corporation
  • Virginia Mason Medical Center
  • University of Tennessee Medical Center
  • Legacy Community Health Services, Inc.
  • Allina Health
  • University of Missouri Health Care
  • The Christ Hospital Health Network
  • Stony Brook University Hospital
  • Atrium Health
  • University of Kentucky HealthCare
  • Children’s Minnesota
  • Roswell Park Comprehensive Cancer Center
  • Piedmont Healthcare, Inc
  • SCL Health – Montana (affiliated covered entity)
  • Roper St. Francis Healthcare
  • Regina Clinic Breach
  • Saraburi Hospital Thailand
  • Universal Health Services
  • The Medisys Health Group and its affiliates
  • AAA Ambulance Service
  • Dickinson County Healthcare System
  • Shionogi & Co
  • St. Lawrence County Hospital
  • Dr. Lal PathLabs
  • Oswego Health
  • Pfizer
  • Dr. Reddy’s
  • Davita Florissant Dialysis
  • Mercy Iowa City Hospital
  • Timberline Billing
  • Lupin
  • Chesapeake Regional Healthcare
  • Iowa Hospital
  • US Fertility (“USF”)
  • The Duesseldorf hospital
  • Ministry of Health of Brazil and the Israelita Albert Einstein Hospital
  • NTreatment
  • Dental Care Alliance
  • UoFL Health
  • CVS Health
  • Rehoboth McKinley Christian Health Care Services
  • Badan Penyelenggara Jaminan Sosial (Indonesia’s National Health Insurance Scheme)
  • CareFirst BlueCross BlueShield’s Community Health Plan District of Columbia (CHPDC)
  • Madrid health system
  • University of North Carolina at Chapel Hill School of Medicine
  • UC San Diego Health
  • Homewood Health
  • Simon Eye
  • Alaska Department of Health
  • True Health
  • Viverant PT
  • Texas ENT
  • Professional Healthcare Management, Inc.
  • Epilepsy Foundation of Texas
  • Throckmorton County Memorial Hospital
  • Olympus
  • Independent Health
  • Oregon Eye Specialists
  • Sandwell and West Birmingham Hospitals
  • Ravkoo
  • Lakeside Healthcare Research
  • Comprehensive Health Services

Data breach – maximum fines and damages

  • Anthem: U.S. health insurer Anthem suffered a breach in 2015 that impacted 79 million people. The breach included names, birthdates, Social Security numbers and medical IDs. In October 2018 the company was fined $16 million by the US Department of Health and Human Services for Health Insurance Portability and Accountability Act (HIPAA) violations. That fine was in addition to the $115 million the company had to pay out in 2017 to settle a class action lawsuit relating to the breach.
  • Fresenius Medical Care North America: HIPAA failures strike again. In February 2018 Fresenius Medical Care North America (FMCNA) was slapped with a bill for $3.5 million after suffering five separate breaches at different company locations between February and July of 2012. An investigation by the Office for Civil Rights found FMCNA had failed to “conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the health information it was storing across its different entities.”

Enforcements

Name | Fine | Authority
Hague Hospital | EUR 100,000 | Dutch Supervisory Authority for Data Protection
B.D. | EUR 511 | Commission for Personal Data Protection
Liceo Scientifico Nobel di Torre del Greco | EUR 4,000 | Italian Data Protection Authority
National Center of Addiction Medicine (‘SAA’) | EUR 20,600 | Icelandic data protection authority (‘Persónuvernd’)
Health and Medical Board of the Region of Örebro County | EUR 11,200 | Data Protection Authority of Sweden
Provincial Health Authority of Cosenza | EUR 30,000 | Italian Data Protection Authority
OLVG Hospital | EUR 44,000 | Netherlands Data Protection Authority
Provincial Health Authority of Enna | EUR 30,000 | Italian Data Protection Authority
Medhelp | SEK 12 million | Swedish Authority for Privacy Protection (IMY)
ST. OLAVS HOSPITAL HF | EUR 75,600 | Norwegian Supervisory Authority
Danish Cancer Society | EUR 107,000 | Danish Data Protection Authority
CEDICO, CENTRO DE DIAGNÓSTICO POR LA IMÁGEN, S.L. | EUR 18,000 | Spanish Data Protection Authority
NOW DOCTOR | EUR 5,000 | Hellenic Data Protection Authority
Actamedica SRL | EUR 3,000 | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP)