The year is only half over, but healthcare cybersecurity breaches continue to proliferate at an alarming rate. In fact, according to US government data, the number of healthcare cybersecurity breaches in the first five months of 2022 was nearly double what it was during the same time last year.
Healthcare has always been a significant target for cybercriminals, and with good reason: The data is valuable and widespread—and the security is often completely inadequate.
Which healthcare cybersecurity breaches stood out in the first half of 2022, and what can we learn from them? Read on for the top five notable ones.
Shields Healthcare
From March 7–21, 2022, a malicious actor accessed the network of Shields Healthcare, a Massachusetts-based medical services provider. This incident compromised the private data of 2 million people, including names, Social Security numbers, birth dates, addresses, billing information, medical treatment information, and more. Such stolen data can be used for social engineering, phishing, scamming, and in some cases, extortion.
It was later determined that Shields investigated a security alert around March 18, but was not able to confirm any data theft at the time. This allowed the malicious activity to continue for another three days, and the breach was first discovered only on March 28.
The incident forced Shields to rebuild certain systems. Meanwhile, lawyers are investigating the possibility of a class action lawsuit against Shields, claiming that the data breach was a known and foreseeable risk that Shields should have taken steps to prevent. They also say that the company did not adequately monitor its computer network and that it did not inform patients about the data breach until the beginning of June.
This incident illustrates why it is so essential for healthcare organizations to not only comprehensively assess their security posture, but to also have a plan in place in the event of a healthcare cybersecurity breach.
Broward Health
In January 2022, the Florida-based Broward Health hospital system announced that it had experienced a data breach in October, when a cybercriminal accessed the personal and medical information of 1.3 million patients and employees. The compromised data included names, addresses, driver’s license numbers, Social Security numbers, insurance information, and more.
The malicious actor gained access through a third-party medical provider. Broward Health detected the breach in October and notified the FBI and the Department of Justice.
Following the incident, Broward Health beefed up its security with password resets and by implementing multi-factor authentication for all users. It announced that it was implementing “minimum security requirements for devices not managed by Broward Health Information Technology with access to its network.”
This cyber incident underscores the importance of robust third-party security risk management, and in particular, strong access control. Implementing both can unquestionably help prevent similar healthcare cybersecurity breaches.
Morley
In February 2022, Michigan-based business services company Morley announced that it had suffered a ransomware attack in August 2021, which resulted in the exposure of the data of 521,000 clients and former and current employees. The exposed data included names, Social Security numbers, client identification numbers, and health insurance details.
Because Morley was also a third-party provider to medical industries, this put the company at risk of violating HIPAA’s requirement of notifying impacted individuals of healthcare cybersecurity breaches within 60 days of discovery.
Following the attack, Morley said that it had made significant changes to its cyber environment to prevent similar attacks in the future. A class action suit is in progress for those who were affected by the breach.
Although Morley is technically not a healthcare company, having access to healthcare data means that it must consider regulations such as HIPAA. Compliance should be top of mind for all organizations, but especially for those businesses that deal with healthcare.
Texas Tech University Health Sciences Center
In June 2022, Texas Tech University Health Sciences Center announced that the health information of 1.2 million patients was compromised due to a breach of its electronic medical record vendor, Eye Care Leaders. The exposed data included names, addresses, phone numbers, health insurance information, Social Security numbers, and more.
Eye Care Leaders said they had detected the breach in early December and disabled the systems within 24 hours. Along with Texas Tech University Health Sciences Center, the breach also affected eight eye care practices.
Once again, this incident indicates a lack of adequate third-party security risk management. There are steps that healthcare organizations can take to prevent breaches like this, including a comprehensive assessment and mitigation plan.
Baptist Medical Center
In June 2022, Texas-based Baptist Medical Center announced that a cybercriminal had accessed its computer network after installing a line of malicious code on the system’s website. As a result, the private data of more than 1.2 million people was compromised, including names, dates of birth, Social Security numbers, and sensitive medical information.
An investigation of the incident revealed that an unauthorized third party was able to access systems and remove data from the network between March 31 and April 24. Baptist Medical Center said that it was bolstering its digital security, improving its monitoring capabilities, and hardening systems to prevent future attacks.
Organizations like Baptist Medical Center must find a way to guard their systems more thoroughly, thereby ensuring the security of patient health information.
How Can Healthcare Organizations Improve Cybersecurity?
To minimize the risk of being breached, healthcare organizations should be sure to:
- Conduct a risk assessment and risk quantification annually to stay on top of possible gaps. Be sure to assess the internet perimeter, insider threats, and supply chain.
- Enhance password security and access control, including MFA, for sensitive systems and outbound connections.
- Provide security training and awareness for personnel.
- Update and patch software on a regular basis.
- Always be on the lookout for new trends and dangers, and mitigate these cyber gaps while considering efficient allocation of resources.
- Make IR readiness preparations, then make sure you have an internal or external SOC, CTI, and IR team ready for an event.