Healthcare stands out due to the majority of breaches being associated with internal actors. Denial of Service attacks are infrequent, but availability issues arise in the form of ransomware.
Top 3 patterns – Miscellaneous Errors, Privilege Misuse and Web Applications represent 81% of incidents within Healthcare.
Threat actors – Internal (59%), External (42%), Partner (4%), and Multiple parties (3%) (breaches)
Actor motives – Financial (83%), Fun (6%), Convenience (3%), Grudge (3%), and Espionage (2%) (breaches)
Data compromised – Medical (72%), Personal (34%), Credentials (25%) (breaches)
Illustrative breaches
- Anthem
- Pasquotank-Camden Emergency Medical Services
- Rutland Regional Medical Center
- Zoll Medical
- Critical Care, Pulmonary & Sleep Associates (CCPSA)
- Catawba Valley Medical Center
- Presbyterian Healthcare Services
- Verity Health Systems
- Baystate Health
- Prisma Health
- Steps to Recovery
- EmCare
- Inmediata Health Group
- Quest Diagnostics
- LabCorp
- Opko Health
- Essentia Health
- Clinical Pathology Laboratories (CPL)
- Providence Health Plan
- UW Medicine
- National Healthcare Group (NHG)
- SingHealth
- Community Care Physicians
- THSuites
- Rotherwood Healthcare
- Walgreens
- Health Share of Oregon
- Beaumont Health
- ExecuPharm
- Ambry Genetics
- Magellan Health
- Babylon Health
- MedEvolve
- LifeLabs
- Cano Health LLC
- Clay County Public Health Center
- Choice Health Management Services
- The Central California Alliance for Health
- American Medical Technologies
- Young Minds
- Trinity Health
- Inova Health System
- NorthShore University HealthSystem
- SCL Health – Colorado (affiliated covered entity)
- Nuvance Health (on behalf of its covered entities)
- The Baton Rouge Clinic, A Medical Corporation
- Virginia Mason Medical Center
- University of Tennessee Medical Center
- Legacy Community Health Services, Inc.
- Allina Health
- University of Missouri Health Care
- The Christ Hospital Health Network
- Stony Brook University Hospital
- Atrium Health
- University of Kentucky HealthCare
- Children’s Minnesota
- Roswell Park Comprehensive Cancer Center
- Piedmont Healthcare, Inc
- SCL Health – Montana (affiliated covered entity)
- Roper St. Francis Healthcare
- Regina Clinic Breach
- Saraburi Hospital Thailand
- Universal Health Services
- The Medisys Health Group and its affiliates
- AAA Ambulance Service
- Dickinson County Healthcare System
- Shionogi & Co
- St. Lawrence County Hospital
- Dr. Lal PathLabs
- Oswego Health
- Pfizer
- Dr. Reddy’s
- Davita Florissant Dialysis
- Mercy Iowa City Hospital
- Timberline Billing
- Lupin
- Chesapeake Regional Healthcare
- Iowa Hospital
- US Fertility (“USF”)
- The Duesseldorf hospital
- Ministry of Health of Brazil and the Israelita Albert Einstein Hospital
- NTreatment
- Dental Care Alliance
- UoFL Health
- CVS Health
- Rehoboth McKinley Christian Health Care Services
- Badan Penyelenggara Jaminan Sosial – Indonesia’s National Health Insurance Scheme
- CareFirst BlueCross BlueShield’s Community Health Plan District of Columbia (CHPDC)
- Madrid health system
- University of North Carolina at Chapel Hill School of Medicine
- UC San Diego Health
- Homewood Health
- Simon Eye
- Alaska Department of Health
- True Health
- Viverant PT
- Texas ENT
- Professional Healthcare Management, Inc.
- Epilepsy Foundation of Texas
- Throckmorton County Memorial Hospital
- Olympus
- Independent Health
- Oregon Eye Specialists
- Sandwell and West Birmingham Hospitals
- Ravkoo
- Lakeside Healthcare Research
- Comprehensive Health Services
Data breach – maximum fines and damages
- Anthem: U.S. health insurer Anthem suffered a breach in 2015 that impacted 79 million people. The breach included names, birthdates, Social Security numbers and medical IDs. In October 2018 the company was fined $16 million by the US Department of Health and Human Services for Health Insurance Portability and Accountability Act (HIPAA) violations. That fine was in addition to the $115 million the company had to pay out in 2017 to settle a class action lawsuit relating to the breach.
- Fresenius Medical Care North America: HIPAA failures strike again. In February 2018 Fresenius Medical Care North America (FMCNA) was slapped with a bill for $3.5 million after suffering five separate breaches at different company locations between February and July of 2012. An investigation by the Office for Civil Rights found FMCNA had failed to “conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of the health information it was storing across its different entities.”
Enforcements
| Name | Fine | Authority |
| --- | --- | --- |
| Hague Hospital | EUR 100,000 | Dutch Supervisory Authority for Data Protection |
| B.D. | EUR 511 | Commission for Personal Data Protection |
| Liceo Scientifico Nobel di Torre del Greco | EUR 4,000 | Italian Data Protection Authority |
| National Center of Addiction Medicine (‘SAA’) | EUR 20,600 | Icelandic data protection authority (‘Persónuvernd’) |
| Health and Medical Board of the Region of Örebro County | EUR 11,200 | Data Protection Authority of Sweden |
| Provincial Health Authority of Cosenza | EUR 30,000 | Italian Data Protection Authority |
| OLVG Hospital | EUR 44,000 | Netherlands Data Protection Authority |
| Provincial Health Authority of Enna | EUR 30,000 | Italian Data Protection Authority |
| Medhelp | SEK 12 million | Swedish Authority for Privacy Protection (IMY) |
| ST. OLAVS HOSPITAL HF | EUR 75,600 | Norwegian Supervisory Authority |
| Danish Cancer Society | EUR 107,000 | Danish Data Protection Authority |
| CEDICO, CENTRO DE DIAGNÓSTICO POR LA IMÁGEN, S.L. | EUR 18,000 | Spanish Data Protection Authority |
| NOW DOCTOR | EUR 5,000 | Hellenic Data Protection Authority |
| Actamedica SRL | EUR 3,000 | Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) |