Elevate Your Healthcare Security

In 2015, Anthem, formerly WellPoint, faced a significant cyber security breach, marking a watershed moment in the healthcare industry.

The breach resulted from a phishing email, granting hackers access to the corporate database and compromising electronic Protected Health Information (ePHI).

The attackers successfully pilfered an alarming 79 million records, encompassing sensitive patient and employee data. The compromised information included names, addresses, Social Security numbers, birth dates, medical IDs, insurance membership numbers, income data, and employment details. Undoubtedly, this incident stands as the largest cyber attack in the history of the healthcare sector.

Cyber Attack Type: Phishing/Malware
Location: Indiana, USA
Cost: $115 million
Affected Individuals: 78.8 million patients and employees

To address the aftermath, Anthem agreed to a $115 million settlement, involving not only financial compensation but also a mandate to overhaul data security systems and policies. The U.S. District Judge, overseeing the settlement, emphasized the necessity for substantial enhancements, including a nearly tripled cyber security budget, ensuring a fortified defence against future threats.

In 2018, the American Medical Collection Agency (AMCA), a provider of billing collections services for major entities like Quest Diagnostics and LabCorp, fell victim to a cyber breach with severe consequences.

The assailant, still unidentified, successfully infiltrated AMCA's systems, pilfering sensitive patient information. The stolen data included Social Security numbers, addresses, dates of birth, medical details, and payment card information. Shockingly, this purloined data found its way into underground forums on the dark web, advertised for sale.

Cyber Attack Type: Hacked online payment portal
Location: New York, USA
Cost: $21 million (payment suspended unless settlement terms violated)
Affected Individuals: At least 21 million patients

Facing dire repercussions, AMCA's four largest clients terminated their agreements, leading the company to declare bankruptcy. A subsequent multistate investigation by 41 attorneys general, concluding in December 2020, held AMCA liable for $21 million in injunctive damages.

In response to the breach, AMCA took decisive actions, migrating its web payments portal services to a different third-party vendor.

Additionally, the company engaged an external forensics firm to probe the incident thoroughly and enlisted additional experts to guide and implement heightened security measures.

Advocate Aurora Health, a healthcare giant with 26 hospitals spanning Wisconsin and Illinois, faced a significant data exposure incident in July 2022. The misuse of a common website tracking tool, Meta Pixel, led to the compromise of sensitive data belonging to three million patients.

Meta Pixel, leveraging JavaScript, is typically employed for website visitor tracking, providing valuable insights into user interactions, duration of site visits, and navigation patterns. While this tool proves beneficial for enhancing website user experiences, Advocate Aurora Health's use of Meta Pixel on patient portals resulted in the unintended disclosure of Protected Health Information (PHI). This risk was particularly pronounced for users simultaneously logged into Facebook or Google.

Cyber Attack Type: Third-party vendor
Location: Wisconsin, Illinois, USA
Affected Individuals: 3 million patients

It's noteworthy that Meta Pixel is widely utilised by healthcare providers nationwide. Patients, often unaware of this practice, may discover it when targeted ads related to their medical conditions start appearing. This unsettling scenario has triggered a surge in class-action lawsuits against both Meta and healthcare providers on a national scale.

In March 2022, a Massachusetts-based medical imaging service provider, Shields Health Care Group, fell victim to a cybercriminal who gained unauthorized access to its IT systems. The breach came to light in May 2022, revealing the compromise of over two million patients' Protected Health Information (PHI), encompassing details such as names, addresses, Social Security numbers, insurance information, and medical histories.

Shields Health Care Group, responsible for managing imaging services for approximately 50 healthcare providers, faced a substantial impact due to the breach. The sheer scale of the attack prompted swift legal action, resulting in a class-action lawsuit.

Cyber Attack Type: Not disclosed
Location: Massachusetts
Affected Individuals: 2 million patients

While Shields Health Care Group promptly notified affected patients in July, asserting no evidence of identity fraud or theft, the full extent and cost of the breach remain undisclosed, underscoring the severity of the incident.

In 2023, Cerebral, a prominent telehealth organisation, garnered attention not for its technological advancements but due to a significant data breach.

Intriguingly, Cerebral itself may have unintentionally assumed the role of a cyber perpetrator. The organisation incorporated tracking pixels from major technology entities, such as Google, Meta, and TikTok, into its applications. This action led to the exposure of Protected Health Information (PHI) to third parties without obtaining patient consent, a serious violation of HIPAA regulations.

Upon discovering the error through an internal review of their privacy and logging technology, Cerebral promptly notified both HIPAA and affected patients. The notification suggests that the organisation might not have been aware of third-party access to patient data.

The compromised data encompassed names, dates of birth, contact information, self-assessment responses, treatment details and other clinical information.

Cyber Attack Type: Data breach
Location: International
Affected Individuals: 3.1 million patients

In a concerning incident, hackers with suspected ties to the notorious REvil ransomware gang, based in Russia, successfully accessed the personal information of 9.7 million customers. The breach extended to 1.8 million international customers, impacting individuals globally, including prominent Australian figures like Prime Minister Anthony Albanese and Cybersecurity Minister Clare O’Neil.

The compromised data encompassed sensitive details such as patient names, dates of birth, social security numbers, and, alarmingly, medical records for some individuals. The cybercriminals demanded a substantial $10 million ransom from Medibank. However, the healthcare provider took a firm stance against payment, expressing the belief that paying the ransom offered only a limited chance of ensuring the safe return of customer data and preventing its public disclosure.

Cyber Attack Type: Ransomware
Location: Australia, with a global impact
Affected Individuals: 9.7 million patients

In a stark illustration of cybercrime realities, the most susceptible targets often attract the attention of criminals. This truth was underscored in a 5th July, 2023 attack on HCA Healthcare, based in Nashville, Tennessee.

Cybercriminals successfully breached an external storage location, compromising emails and calendar reminders sent to patients.

While there's no indication that the stolen data included medical records, it encompassed sensitive information such as names, email addresses, birth dates, and other personally identifiable details for over 11 million patients across 20 states.

By the 10th July, the unknown hackers had already advertised the pilfered HCA data on the dark web. Subsequently, on the 12th July, affected HCA patients initiated a class-action lawsuit, alleging a failure to provide adequate protection for their personally identifiable information and seeking monetary damages.

Cyber Attack Type: Third-party storage breach
Location: Nashville, Tennessee
Affected Individuals: 11 million U.S. healthcare patients