The Top 10 HIPAA Data Breaches of 2017 (So Far)

2017 is still several months away from ending and it is already shaping up to be one of the most volatile years on record for PHI data breaches. So far, 178 incidents are under investigation by the U.S. Department of Health and Human Services, impacting well over 3 million individual patient records. Below is a list of the top 10 HIPAA data breaches as of August 2017.

10. Primary Care Specialists (65,000 individuals affected)

First on our list is a breach that took place in May of this year. The Memphis-based doctor’s office fell victim to a cyber attack that left thousands of patient records encrypted and inaccessible through typical ransomware methods. Administrators did not give into demands and alerted HHS of the attack.

9. Emory Healthcare (79,930 individuals affected)

The Atlanta-based health system was one of the early victims of ransomware this year. Hackers deleted patient data from Emory’s servers and demanded a ransom be paid before the data would be restored. This is atypical for most ransomware attacks, as the data is typically not deleted from servers, merely locked.

8. Washington University School of Medicine (80,270 individuals affected)

This attack actually occurred in December of 2016 but was not discovered, and therefore not reported until late January of the new year. This phishing attack compromised an email account that had access to thousands of patient records.

7. VisionQuest Eyecare (85,995 individuals affected)

Next on our list is a cyber attack on PHI at VisionQuest Eyecare in Indianapolis. The April attack exposed thousands of pieces of information including medical claim data, patient contact info, and medical history.

6. Harrisburg Gastroenterology (93,323 individuals affected)

This data breach at the Pennsylvania practice occurred in March and seems to be the result of unauthorized access by an individual. While there is no evidence of a cyber attack having been perpetrated, sensitive, identifying information of thousands of patients was exposed.

5. Peachtree Neurological Clinic (176,295 individuals affected)

The Atlanta-based clinic fell victim to a ransomware attack in July, though further digging discovered unauthorized access as early as February 2016. Data backups allowed for systems to be restored quickly.

4. Urology Austin (279,663 individuals affected)

This ransomware attack took place earlier in the year, compromising servers and restricting access to nearly 300,000 patient records. As with every organization, Urology Austin notified the impacted patients via mail. The ransom was not paid and data was able to be restored from previous backups.

3. Women’s Health Care Group of PA (300,000 individuals affected)

Soon after the completion of a merger that created the largest U.S.-based OB/Gyn practice, a ransomware attack against the organization’s network was detected. The ransomware notification indicated that access had been gained as early as January, though it did not present itself until several months later.

2. Airway Oxygen (500,000 individuals affected)

Personal data of half a million customers and employees of the Michigan-based home medical equipment supplier was compromised by a ransomware attack in mid April. While there was no indication that any of the data was a acquired or abused, the attacker was still able to disable the company's network.

1. Commonwealth Health Corporation (697,800 individuals)

Easily the largest data breach of 2017 (so far), this incident stands apart from the rest on our list. In March, Commonwealth reported that a former employee had placed sensitive information of nearly 700,000 individuals on an encrypted device with the intention of using that data for a personal project. While there is question of whether or not theft of a data on an encrypted device is truly a HIPAA violation, the number of records accessed is still staggering.Whether through ransomware, phishing, or theft, the threat of data breaches is real. When an organization falls victim, the trust of your patients is eroded and can be very difficult to repair. It is up to administrators to get at the front of such issues as quickly as possible in order to analyze the extent of the damage and notify patients immediately.

QliqSOFT’s Quick Tips on Preventing Breaches

Your users are the weakest link in your security posture. Simulating the conditions of a real security breach is the most effective way to train your staff. If you are already have a mechanism in place, continue to simulate security breaches periodically. Here are the simple steps.

1. Run a mock Phishing attack by sending a mass email to all your users with the a subject of “SECURITY ALERT:”. In the message mention that they need to download a patch from a link and install it on their computer immediately. Craft the message like it is urgent and the user must take action. Make sure that it is sent from a Security Administrator’s email. Make sure that the link is trackable to the user who clicks it and installs the patch.

1. Conduct a follow-up training for your staff that focuses on your findings. Make sure that users understand that they should never download and install anything on their computers.

1. After training the staff, repeat the same message after a month. This will reinforce the lesson.

Perform the above steps every year and you will be glad that you did. Most security breaches happen through Phishing attacks. And the weakest link is the unsuspecting users.As we have shared in other blog posts, it really is a matter of when, not if a breach will occur. Do you have an adequate response plan in place? QliqSOFT can help. Our team of cyber security experts are available to discuss your concerns, vulnerabilities, and actionable solutions. Contact us today.