The Biggest HIPAA Breaches of 2021 So Far

Oct 19, 2021

In the month of September 2021 alone, the Department of Health and Human Services (HHS) received 40 reports of data breaches within the healthcare industry.


That’s a total of 1,206,799 people in the United States with compromised protected health information (PHI)...in just one month.


If that doesn’t sound like much, take note that the list of reports only includes data breaches that affect 500 or more individuals — you can imagine how long the list would be if they included incidents that affected fewer than 500 people.


The 2021 Identity Breach Report by Constella found a 51% increase in data breaches and leakages in the healthcare industry compared to 2019. Cybersecurity experts attribute this upswing to the COVID-19 pandemic.


According to Constella CEO Kailash Ambwani, "The COVID-19 pandemic has shown us the fragility of our online infrastructure. As people continue to rely on digital solutions and working from home, both companies and individuals must take new precautions to protect themselves from potential threat actors."


The HIPAA Wall of Shame

Data breaches in the healthcare industry translate to one thing: HIPAA violations.


The HHS’s Office of Civil Rights takes every HIPAA breach very seriously — so seriously that it posts an updated list of breaches of unsecured PHI on the web. The list has an unwelcome moniker in the healthcare compliance industry: The HIPAA Wall of Shame.


We’ve looked into the HIPAA Wall of Shame, and the list was alarmingly long. For the year 2021, here are the top five biggest data breaches among healthcare organizations so far, based on the number of individuals they affected.


Florida Healthy Kids Corporation

Individuals Affected: 3,500,000

Type of Breach: Hacking/IT Incident


The Florida Healthy Kids Corporation kicked off 2021 with not just the largest breach of the year, but the largest one ever reported.


On January 29, the Florida-based health insurer reported that a breach had occurred at Jelly Bean Communications Design, the company that hosted its website as well as the Florida KidCare app.


Investigation reports show that hackers exploited long-existing vulnerabilities in the platform to gain access to a portion of the Florida KidCare application, compromising the PHI of up to 3.5 million people.


The hackers then altered the addresses of thousands of applicants and enrollees. However, they also potentially accessed other data such as:


  • Names
  • Dates of birth
  • Telephone numbers
  • Email addresses
  • Social Security numbers
  • Financial information
  • Secondary insurance information


Forefront Dermatology, S.C.

Individuals Affected: 2,413,553

Type of Breach: Hacking/IT Incident


In June 2021, Wisconsin-based Forefront Dermatology, S.C. detected a major breach. Its investigation shows that unauthorized parties were able to gain access to its IT system and were able to access files that contained the personal data and PHI of employees, current patients, and former patients. The breach appears to have taken place between May 28 and June 4.


The information potentially accessed by the unauthorized parties was:


  • Patient names
  • Addresses
  • Dates of birth
  • Patient account numbers
  • Health insurance plan member ID numbers
  • Medical record numbers
  • Dates of service
  • Accession numbers
  • Provider names
  • Medical and clinical treatment information


So far, there is no evidence that the individuals’ Social Security numbers, driver's license numbers, or financial account information was involved.


The Kroger Company

Individuals Affected: 1,474,284

Type of Breach: Hacking/IT Incident


Kroger may look out of place on this list, but the Cincinnati-based grocery chain actually operates 2,254 pharmacies and 224 medical clinics all over the United States.


In January 2021, Kroger was notified that an unauthorized party had gained access to Accellion — the software company Kroger used to securely transfer files — by exploiting a vulnerability in the service. 


Though the incident did not affect Kroger’s own IT systems and grocery store systems, it impacted HR data, pharmacy customer information, and clinic patient information because these were the files that Kroger transferred using the Accellion software. The breached information included:


  • Patient names
  • Addresses
  • Telephone numbers
  • Dates of birth
  • Social Security numbers
  • Insurance claim information
  • Prescription information
  • Some medical history information


According to Kroger’s investigation, the incident did not impact customer passwords, credit or debit card information, or digital wallet information.

St. Joseph's/Candler Health System, Inc.

Individuals Affected: 1,400,000

Type of Breach: Hacking/IT Incident


In August 2021, St. Joseph's/Candler Health System reported a ransomware attack. The Savannah-based organization announced that a hacker had gained access to its IT network sometime between December 18, 2020, and June 17, 2021.


The network breach temporarily disrupted telephone communications, took computer systems offline, and made certain files inaccessible. Unable to access their computer systems because of the attack, St. Joseph’s/Candler staff had to implement emergency protocols and revert to pen and paper to record patient data.


According to investigation reports, hackers gained access to parts of the network that contained files that included patients’ PHI. The files contained patient data such as:

  • Names
  • Addresses
  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers
  • Patient account numbers
  • Billing account numbers
  • Financial information
  • Health insurance plan member IDs
  • Medical record numbers
  • Dates of service
  • Provider names
  • Medical and clinical treatment information regarding care received from St. Joseph/Candler


University Medical Center of Southern Nevada

Individuals Affected: 1,300,000

Type of Breach: Hacking/IT Incident


In June 2021, University Medical Center of Southern Nevada experienced a ransomware attack that resulted in stolen patient data. The perpetrators appear to be the Russia-based ransomware gang REvil (short for Ransomware Evil), whom the affected hospital described as “a well-known group of cybercriminals that seeks to use the information for commercial gain.”


The attackers seem to have been targeting a server that was used to store patient data. 


Though the hospital said no evidence has been found to indicate misuse of patient information, the forensic investigation confirms that the attack compromised certain files containing patients’ PHI including:


  • Names
  • Addresses
  • Dates of birth
  • Social Security numbers
  • Health insurance information
  • Financial information
  • Some clinical information (medical histories, diagnoses, test results)


The Common Denominator

Did you notice the common denominator on our list? We did.


They all had the same cause: hacking or IT incidents.


In fact, out of the top 100 HIPAA breaches in 2021 so far, 93 were caused by hacking or IT incidents.


Being vulnerable to a cyber attack is no joke. One incident can put your patients’ lives at risk, cost you a lot of money, and take your entire practice down.


Cybercriminals are constantly looking for ways to access your data, and the five HIPAA breaches on our list are proof of that. Malicious actors exploit technology vulnerabilities, employ social engineering, and patiently wait for the perfect opportunity to strike just to get their hands on the data that you handle.


Equip yourself, your practice, and your entire team with the technology and training you need to steer clear of cyber threats.


Partner Up and Avoid the HIPAA Wall of Shame

With cybercriminals using advanced technology, tried-and-tested techniques, and the effects of a pandemic to their advantage, you’re going to need all the cybersecurity help you can get.


Simple antivirus and firewall protection just won’t cut it anymore. You need HIPAA-compliant technology and cyber-literate staff to keep attackers away from your practice.


Here at ER Tech Pros, we specialize in giving healthcare organizations the IT, cloud, and HIPAA compliance support they deserve. Our entire team of tech and cybersecurity experts is ready to help you.
