Healthcare spent the entirety of 2016 being lambasted by cybercriminals from all angles. Ransomware attacks increased by 400 percent this year, PhishMe's 2016 Enterprise Phishing Susceptibility and Resiliency report found, while hackers had a field day stealing millions of patient records - with millions placed for sale on the black market. For this gallery we included hospitals based not only the number of records stolen, but also relentless ransomware attacks that shut down entire hospitals.
In August, Banner Health revealed hackers may have accessed the healthcare, payment and health plan information of up to 3.7 million individuals. The attackers reportedly gained access through payment processing systems for food and beverage purchases at the Phoenix-based health system.
Newkirk Products, a provider of identification cards for insurance carriers, including BlueCross BlueShield, in August reported a data breach that may have exposed the personal information of 3.3 million members of insurance plans. According to the report, no health plan systems were accessed or affected. On July 6, Newkirk discovered a server had been accessed without authorization and was immediately shut down, the company reported. It opened an investigation through a third-party forensic investigator to determine the extent of the breach. The first unauthorized access occurred on May 21, 2016.
The information systems of Washington, D.C.-based hospital chain, MedStar Health, were taken down at the end of March. The virus affected Washington’s Georgetown University Hospital and other medical offices in the region. Medstar said in a statement that the virus prevented some employees from logging into system, but that all of its clinics remained open and functioning. However, MedStar was forced to turn away some patients, before giving into hackers and paying them $19,000 or 45 bitcoin.
In February, Hackers launched a ransomware attack against Hollywood Presbyterian Medical Center and held the hospital’s data hostage until they received $17,000 or 40 bitcoin. The hospital’s system was shut down for 10 days. Without access to their systems, Hollywood Presbyterian caregivers fell back on handwritten notes and faxes.
Atlanta-based Peachtree Orthopedic Clinic notified 543,879 patients their records had been exposed in a data breach, which was confirmed by the organization on Sept. 22. According to officials, there was unauthorized access to the system, forensic experts discovered. The FBI is also investigating the breach. While Peachtree didn’t disclose when the breach was first noticed, the official notice said patients of the clinic prior to July 2014 were affected and some patients who visited the clinic after July 2014 may also have been included in the breach. Affected data includes: names, addresses, emails and dates of birth. For another small group of patients, treatment codes, prescription records and Social Security numbers were also exposed. Affected patients were notified via mail and offered one free year of credit monitoring.
Athens Orthopedic Clinic discovered a hack on June 28 that began June 14 that exposed the data of some 397,000 current or former patients. Patients were notified in August. The organization immediately hired cyber-security experts and notified the FBI. Officials chose not to publicly disclose the breach so as not to interfere with the investigation or incite the hacker into a mass public release of data. The hack was perpetrated through the use of a third-party vendor's log-in credentials. To make matters worse, about 500 of the stolen patient records emerged on the black market by a group of hackers, ‘Dark Overlords,’ according to Keller Rohrback LLP.
Community Health Plan of Washington was breached and 381,534 current and former patient records may have been exposed, according to Seattle Times. The Seattle-based nonprofit, which provides health insurance through Medicaid, has not yet added a notification to its website. However, it sent letters Dec. 21 to affected individuals notifying them of the breach and the steps to take to protect their data. The incident began on Nov. 7, when an individual left a voice message with CHPW saying there was a vulnerability in the network of the firm that provides the organization technical services. The firm is a subsidiary of NTT Data.
The computer systems and electronic health record of Appalachian Regional Healthcare, based in eastern Kentucky and southern West Virginia, were offline for about three weeks after a computer virus was found on the system. The system was shut down on Aug. 27 and brought back online Sept. 16. While all ARH Emergency Departments continued to accept patients, the question remained how long a health system could operate under emergency conditions. In that time, patient care, registration, medication, imaging and laboratory services were handled with paper and pen. Providers also had to evaluate critical patients to see if they should be transferred to other medical facilities for care. West Virginia requires healthcare institutions to notify patients when their data is compromised, but after nearly a week the health system had yet to issue such notifications.
An attack on Methodist Hospital in Henderson, Kentucky began on March 18 and lasted five days, during which officials declared an internal state of emergency. The ransomware limited the use of electronic web-based services and electronic communications. However, the provider regained control of its computer systems and effectively fended off the attack without paying the cybercriminals. The FBI was contacted and investigated the attack.
Ransomware and spear-phishing attacks continue to spread, while hackers double-down on infiltrating the healthcare industry. With IoT attacks on the rise that can shut down some of the most popular websites and in some cases - entire countries, it's becoming more obvious that no one is safe from these attacks. What's important in the year ahead is to become more aware of security weaknesses and what an organization can do to thwart these - seemingly inevitable - attacks.