Since the breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA) took effect in 2009, the protected health information of nearly 143.8 million individuals has been compromised in privacy and security breaches (a figure that stood at only about 31.4 million as of May 2014). The list below covers the ten healthcare organizations whose breaches of the HIPAA Privacy and Security Rules affected the largest number of individuals.
(1) Anthem
On February 4, 2015, Anthem disclosed that it had been the target of a cyberattack. The breach compromised the personal information of nearly 80 million individuals, including current and former enrollees of Anthem and its affiliated companies. The exposed data included members' names, health insurance ID numbers, Social Security numbers, dates of birth, home addresses, phone numbers, email addresses, and certain employment information.
Pursuant to regulations of the U.S. Department of Health and Human Services, the company was fined $1.5 million for this incident.
(2) Premera Blue Cross
The cyberattack on Premera Blue Cross is, after the Anthem breach, one of the largest data breaches in the healthcare sector to date.
Nearly 11 million individuals were affected. The attack was a sustained intrusion rather than a single event: the attackers first gained access on May 5, 2014, but the compromise was not discovered until January 29, 2015, giving them almost nine months inside the network.
The leaked information includes personal identification codes, medical history records, names and dates of birth of plan members and applicants, zip codes, Social Security numbers, bank account information, clinical information, details of health insurance claims, and financial data.
The exposure was not limited to Premera's own systems; it extended to its branches and affiliated subsidiaries. Employer customers of Premera were affected as well, including Amazon, Microsoft, and Starbucks, which together account for roughly 6 million employee accounts. Victims were located in all 50 U.S. states.
(3) SAIC
The SAIC data breach was reported in September 2011 and exposed the records of 4.9 million individuals. It began with the theft of an SAIC employee's car, from which backup tapes were taken. The tapes held data spanning 1992 to July 2011, including Social Security numbers, home addresses, patients' phone numbers, and personal health and medical data.
SAIC is one of the Pentagon's primary contractors; the stolen tapes held records of beneficiaries of the military's TRICARE health program.
(4) Community Health Systems
On August 18, 2014, Community Health Systems (CHS) publicly disclosed that its computer network had been compromised between April and June 2014 by attackers attributed to a China-based group. Using sophisticated malware and techniques, the attackers bypassed CHS's security defenses and exfiltrated confidential data.
The data included the names and Social Security numbers of patients who had received services from CHS over the preceding five years. The breach affected 4.5 million individuals.
(5) UCLA
In July 2011, a case of employees snooping on celebrities' medical records was disclosed. Between 2005 and 2009, several UCLA Health System employees had been terminated for looking at the records of celebrities, including singer Britney Spears, actor Tom Cruise, and then First Lady of California Maria Shriver. UCLA paid $865,500 to settle the resulting HIPAA case.
(6) Advocate Health and Hospitals Corporation
On July 15, 2013, four unencrypted computers were stolen from an Advocate Medical Group administrative building in Park Ridge, Illinois, compromising the information of more than 4 million patients. The computers were taken from an unmonitored room, so physical access was effectively the only barrier to the data. Patients' Social Security numbers, protected health information (PHI), and insurance data had been stored on the machines without encryption, contrary to the organization's own security requirements.
(7) Medical Informatics Engineering
In mid-June 2015, electronic health record (EHR) vendor Medical Informatics Engineering notified its customers that its network had suffered a serious cyberattack resulting in unauthorized access to data.
The compromised web-based EHR system held patient information from many U.S. states, including patients' names, ZIP codes, email addresses, dates of birth, Social Security numbers, laboratory results, dictated reports, and other medical information.
(8) Xerox State Healthcare
Xerox was a business partner of the Texas Health and Human Services Commission (THHSC), primarily providing administrative services for the Texas Medicaid program. THHSC terminated the contract in May 2014 and subsequently accused Xerox of approving orthodontic braces for thousands of Medicaid patients without any medical necessity.
Three months later, after THHSC had replaced Xerox with another vendor, THHSC sued Xerox for failing to return computer equipment and paper documents promptly upon termination of the contract. The data on those computers and in the paper records included a substantial amount of confidential information: identifiers and Medicaid numbers for approximately 2 million individuals, as well as protected health information.
(9) IBM
In March 2011, nine server drives went missing from a Health Net data center operated by IBM. The incident exposed personal information of up to 1.9 million current and former Health Net customers, healthcare providers, and employees. The data may have included names, addresses, health information, Social Security numbers, and financial details.
(10) GRM Information Management Services
In February 2011, unencrypted backup tapes belonging to the New York City Health and Hospitals Corporation were stolen from a vehicle operated by its records-management vendor GRM, exposing electronic records of nearly 1.7 million patients, hospital staff, and vendor employees.
Text | Tang Wanfen
Editor: Mo Renying