Largest healthcare data breaches of 2021

Amid warnings from the US Federal Bureau of Investigation about hacking groups and news from the Department of Justice of ransomware-related arrests, one saying has been repeated among cybersecurity experts: It’s not about “if” an attack occurs, but “when.”

And 2021 was an especially bad year for healthcare data breaches, as incidents crippled networks for weeks and potentially disrupted supplies across the country.

To add insult to injury, some hospitals are even required to take legal action after access to their network is restored. A total of 40,099,751 personal data sets were affected by exposures that were reported to the federal government.

For anyone who needs a refresher on how things went, Healthcare IT News compiled a list of the 10 largest data breaches reported to the Department of Health’s Civil Rights Bureau so far this year:

Organization: Florida Healthy Kids Corporation
Date reported: 01/29/2021
Number of people affected: 3,500,000
What happened? An analysis found that the children’s health insurance program website had had “significant vulnerabilities” since 2013 – potentially leading to the disclosure of personal information such as social security numbers, dates of birth, names, addresses and financial information.

Organization: 20/20 Eye Care Network, Inc.
Date reported: 05/24/2021
Number of people affected: 3,253,822
What happened? 20/20 Eye Care Network, which provides eye and ear care services and administration, discovered suspicious activity in its Amazon Web Services environment. After an investigation, it found that data may have been removed, possibly including personal data. Later, 20/20 faced a lawsuit for the violation.

Organization: Forefront Dermatology
Date reported: 07/08/2021
Number of people affected: 2,413,553
What happened? The Wisconsin-based organization with offices in 21 states and the District of Columbia reported that an intrusion resulted in unauthorized access to certain files in Forefront’s IT system containing patient and employee information.

Organization: NEC Networks, LLC
Date reported: 05/05/2021
Number of people affected: 1,656,569
What happened? NEC, which operates as CaptureRx, said it became aware of “unusual activity” with some electronic files. An investigation found that the relevant files included first name, last name, date of birth and prescribing information.

Organization: Eskenazi Health
Date reported: 10/01/2021
Number of people affected: 1,515,918
What happened? The Indiana-based health system said cyber criminals had access to its network for nearly three months. Eskenazi Health made no ransom payments, and the criminals posted some of the stolen data on the darknet.

Organization: The Kroger Co.
Date reported: 02/19/2021
Number of people affected: 1,474,284
What happened? The Midwest grocery chain was affected by a data security incident involving Accellion, a file sharing company. The clinic’s customer information was found to be at risk, including pharmacy records.

Organization: St. Joseph’s / Candler Health System, Inc.
Date reported: 08/10/2021
Number of people affected: 1,400,000
What happened? The ransomware incident took the Georgia healthcare system offline for several days. The unauthorized person had had access to the network for six months.

Organization: University Hospital South Nevada
Date reported: 08/13/2021
Number of people affected: 1,300,000
What happened? Although the incident lasted only a day, the attack, linked to the infamous ransomware gang REvil, compromised files containing protected health and personal information. Immediately after the attack, the group released photos of driver’s licenses, passports and social security cards of a handful of alleged victims.

Organization: American Anesthesiology, Inc.
Date reported: 01/08/2021
Number of people affected: 1,269,074
What happened? An unauthorized person was able to gain access to the e-mail system of the business partner MEDNAX via phishing. These e-mail accounts contained the personal information of American Anesthesiology’s customers, although the hackers apparently focused primarily on payroll fraud.

Organization: Professional Business Systems, Inc.
Date reported: 07/01/2021
Number of people affected: 1,210,688
What happened? The practice management company, which operates as Practicefirst Medical Management Solutions and PBS Medcode Corp., said hackers attempting to deploy ransomware had copied files from its system containing patient information.

Unfortunately, there is still a month and change left in 2021, which means we’ll likely see more incidents by the end of the year – especially given the increased threat around the holidays.

Kat Jercich is the Editor-in-Chief of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.