10. DJO Global: 160,000 Records
This one happened in late 2014, but it fell under the Office of Civil Rights' reporting standards for 2015 -- and it's fitting that it did. Despite being the smallest of the top 10, in retrospect it looks like a harbinger of the embarrassments to come in an already beleaguered industry.
DJO Global makes medical equipment, and as such, they have information about patients who use their equipment. A ton of that data was on a laptop that was stolen from the locked car of an employee in Roseville, Minnesota. To their credit, the laptop was protected by passwords, firewalls, and remote management software, and they immediately reached out to data privacy experts for help.
But the laptop wasn't actually encrypted, and the information on it was highly sensitive -- patient names, diagnosis codes, information about the doctors involved, shipment dates, and product details for patients using DJO equipment, and even Social Security numbers for some of the 160,000 patients whose records were on the computer.
9. Beacon Health System: 306,789 Records
In May, Beacon Health System came forward with the admission that unauthorized individuals had been accessing their employees' email inboxes for over a year. Initially, they didn't disclose how many people were involved and engaged in a lot of PR smoke-and-mirrors to hide the full effect of the screw-up. They referred to the infiltration as a "sophisticated phishing attack." As Fierce IT Security adroitly pointed out, "sophisticated" in this case usually just means "our people fell for it." They also hilariously referred to the entire ordeal as a "Data Security Event" in their official press release, making it sound like some sort of gala instead of a massive IT failure.
The information that was vulnerable to theft included patient names, doctor names, internal patient ID numbers, patient statuses, Social Security numbers, birthdates, driver's license numbers, diagnoses, and all sorts of fun medical information. By the time the news was finally released, there had already been so many medical data breaches that the only thing anyone was surprised over was that it was a provider this time, instead of an insurer.
8. Georgia Department of Community Health: 557,779 Records
In February, a data breach at Centene exposed the personal data of over half a million members of Georgia Medicaid and PeachCare for Kids. Centene had loaded up several hard drives with information on 950,000 members, including name, address, birthdate, Social Security and member ID numbers, and health information. The drives were being used in a data project intended to improve members' health outcomes, but Centene managed to lose six of them in the process.
The initial figure Centene cited was 148,334 members, but the number that found its way to the Office of Civil Rights Wall of Shame wound up being about four times higher than that. (Funny how that seems to happen with these scenarios, isn't it?)
7. Virginia Department of Medical Assistance Services: 697,586 Records
Virginia's medical assistance office lost the information of nearly 700,000 members in a hacking/IT incident on March 12th. At the time, it was in the top five medical breaches for the year. And yet, most of the information online about the breach seems to be in summary articles that lump it in with the rest of the breaches so far that year.
The reason for that relative lack of information is presumably the Anthem data breach, which came out about a month prior and was literally more than a hundred times worse. Relatively good news for whatever poor public relations person was going to have to spin this, but still pretty terrible news for almost 700,000 other folks. Interestingly, this was not the first time that the department had lost thousands and thousands of member records.
6. CareFirst: 1,100,000 Records
News of CareFirst's hack came out in May, and while the numbers were big -- seven figures big -- a lot of the more sensitive medical and financial information stayed safe. The hackers got names, email addresses, and birthdates, but credit card info, medical claims, and most importantly, Social Security numbers weren't part of the leak. User IDs were lost, but thankfully, passwords were not.
The bad news is that the breach happened the previous July and wasn't caught until nearly a year later, when they revisited security in the wake of the Anthem and Premera hacks and learned that a problem they thought they'd fixed wasn't fixed after all. The good news is that CareFirst's response was refreshingly straightforward, open, and apologetic, and rightfully so, featuring attention-getting banners right on the front page of their website, and an apologetic video featuring the CEO. None of this "data security event" weasel-word nonsense.
5. Medical Informatics Engineering: 3,900,000 Records
In June, Fort Wayne, Indiana-based company MIE announced that it had detected a security vulnerability in late May. They immediately reported it to the FBI and had a press release out two weeks later. Still, after half a year of sordid medical hack stories, people had had enough. The victim count came out to nearly 4 million, including 1.5 million residents of Indiana. Victims brought a class action suit almost immediately, and another one came on its heels less than a week later.
In addition to its size, the data loss was severe -- patient names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spouse information, email addresses, birthdates, Social Security numbers, lab results, insurance policy information, diagnoses, disability codes, doctors' names, medical conditions, and children's names and birth conditions. All in all, that's a pretty terrifying list. Let's not forget that medical ID fraud is one of the major types of identity theft, and one of the ones that can wreck your records worse than any other.
4. UCLA Health: 4,500,000 Records
In July, hackers broke into UCLA Health System and accessed information for 4.5 million patients -- all unencrypted, of course. The info included names, birthdates, Social Security numbers, Medicare and health plan information, and info on diagnoses and medical procedures. After learning of the massive breach, UCLA Health -- whose system includes 4 hospitals and 150 offices -- sat on the information for two months.
The hospital offered a year of identity theft recovery services to the patients, and even the staff, who were victimized by the breach. That wasn't enough for everyone, including Michael Allen and Miguel Ortiz, who both filed lawsuits citing, among other things, that UCLA should have known better because of its history of data breaches: the 2007 database breach that exposed the SSNs of 800,000 students, staff, and administrators; the 2011 case where a hard drive with information on 16,000 patients was stolen from a physician's home; and, on a smaller scale, the 2012 inside job where a temp texted a romantic rival's health information to her boyfriend.
3. Excellus: 10,000,000 Records
Excellus is a Blue Cross Blue Shield organization out of Rochester, New York, that learned in early August 2015 that somebody had been accessing their IT systems since late 2013. For those keeping score at home, that's nearly two years of strangers mucking about in their data before they managed to realize it, putting the personal information of over 10 million members at risk, between Excellus itself and its partners.
The information was pretty thorough in scope, as well -- names, birthdates, Social Security numbers, mailing addresses, telephone numbers, member ID numbers, clinical information, and even financial account and claims info were all subject to leakage, though Excellus was unable to confirm just what had actually been accessed.
They wound up offering 2 years' worth of credit monitoring and identity theft protection services, but all of that could have been avoided with tighter IT security. It really says something about the year we had when the potential loss of 10 million patient files was met with phrases like "familiar litany."
2. Premera: 11,000,000 Records
A month after Anthem (you get to read about that one next!), it came out that Blue Cross provider Premera experienced a data breach that exposed the information of 11 million of its members. Like so many of the others, the breach had wildly dangerous information in it -- names, birthdates, email addresses, physical addresses, phone numbers, SSNs, member IDs, clinical information, claims information, and bank account information -- not only of members of Premera itself, but of any Blue Cross Blue Shield policyholder who sought treatment in Premera's home turf of Alaska and Washington.
A week later, Premera was slammed by no fewer than five class-action lawsuits. Not surprising, considering how many of the details drive home the sluggishness that's become almost rote in these stories -- the initial attack occurred in May of 2014. They managed to suss it out in January, and they finally bothered to let the public know in March. Of course, slow response time wasn't the only fuel for the fire. It came to light that a mere three weeks before the initial breach, the federal government had warned Premera, as part of a routine audit, that its security wasn't up to snuff.
1. Anthem: 78,800,000 Records
This was the Big One. In February, Anthem Inc. announced that personal information for "as many as 80 million" current and former policyholders had been stolen. While Anthem was quick to point out that no medical data or credit card numbers were stolen, followers of our coverage know credit card numbers are relatively harmless compared to your sweet, sweet Social Security number. And Anthem managed to leak those, along with names, birthdates, addresses, and member ID numbers.
The hack seems to have been carried out by a group with ties to the Chinese government. The group had accidentally exposed itself during a veiled attempt to break into a Virginia defense contractor, and it used very similar malware to break into Anthem. That overlap led one security research firm to claim definitively that China was involved, and the FBI to level suspicion as well, if in less certain terms.
Regulations at the time somehow didn't require Anthem to encrypt its data, and while it may or may not have helped given the type of attack, it seems odd that they would skimp on IT protection while spending the money to insure themselves to the tune of $100,000,000. They set up a website to address questions and offered 24 months of free identity repair by way of atonement.
At the time, the breach was one of the five largest ever to occur. Less than a year and a half later, though, it doesn't even rank in the top ten.
Author
Rachel Garrett Steele
Last Updated: May 26, 2016