Latest Data Breaches Put Spotlight on U.S. Hospitals

From ransomware and vulnerable systems to data breaches, the healthcare industry continues to be a primary target for many cybercriminals. Following the latest reports of data breaches in hospitals and healthcare organizations, critical patient information and financial data are yet again at risk of being used for criminal activities.

The Florida-based Southeast Eye Institute (Eye Associates of Pinellas) reported a data breach after an unauthorized party accessed patient files on its network servers, which are managed by its offsite practice management software vendor, Bizmatics. According to the U.S. Department of Health and Human Services' Office for Civil Rights, the breach affected 87,314 patients. The attack was said to have started as early as January 2015 and was not detected until the end of March 2016.

Southeast Eye Institute’s report was prompted by investigations following news of hacking incidents involving Bizmatics, a third-party vendor of electronic health record (EHR), practice management, and medical billing software. Pain Treatment Centers of America (PTCOA) and Interventional Surgery Institute (ISI), a health network in Arkansas that employed Bizmatics, were similarly affected after a breach exposed the medical records of 19,397 of its patients. The Complete Family Foot Care in Nebraska was also impacted, exposing 5,883 medical records.


In a notice posted on its website, the Medical Colleagues of Texas, LLP in Katy, Texas, disclosed that hackers gained access to its computer network and accessed 68,631 records that included the names, addresses, Social Security numbers and health insurance information of its patients and employees.

In New Mexico’s San Juan County, the medical records of 12,000 patients in a federally funded drug and alcohol abuse program have been leaked, exposing patient names, addresses, health assessments, medications and treatment methods. In March 2016, 21st Century Oncology Holdings in Florida reported a breach that affected more than two million patients across 145 of its cancer treatment centers in the U.S. and 36 more in Latin America.

Last February, it was reported that the medical information of as many as 22,000 dental patients was put at risk when dental computer technician and security researcher Justin Shafer discovered that the dental practices’ management software, Eaglesoft, stored patient information on its FTP server in a way that made it easily accessible to anyone. Affected facilities included the Timberlea Dental Clinic and Dr. M Stemalschuk in Canada, Massachusetts General Hospital Dental Group, and Patterson Dental.


The healthcare sector’s security issues are well-documented. Healthcare is also considered a treasure trove for cybercriminals, since healthcare records include an individual’s personally identifiable information (PII), as well as credit data and medical records. For cybercriminals, this translates to high returns, as personal and financial data can be sold on underground marketplaces to criminals who can then use them to conduct further illegal activities.

In fact, the healthcare industry had the highest number of identity theft, fraud, and other related crimes in 2015. High-profile incidents included breaches at Anthem, which exposed the PII of 80 million of its customers, and Premera Blue Cross, which exposed the bank account credentials and treatment information of 11 million patients. From October 2009 to May 25, 2016, the Office for Civil Rights logged 1,567 data breach incidents involving healthcare facilities and organizations.

Southeast Eye Institute is currently working with experts to strengthen its cybersecurity. It has also offered its patients free identity protection and credit monitoring services for one year. The Medical Colleagues of Texas notified the patients whose information may have been exposed, and provided one free year of credit monitoring services. It is also working to implement a two-factor authentication system for remotely accessing EHRs. The same was done in the San Juan County facility, where $50,000 was earmarked as insurance coverage for data breaches.

