The financial sector and retail industries have suffered the largest data breaches over the past couple of years, but 2015 was without doubt the year of the healthcare data breach. The biggest healthcare data breaches of 2015 were all caused by hackers and the industry has been increasingly targeted by cybercriminals seeking valuable healthcare data.
Biggest Healthcare Data Breaches of 2015
The two biggest healthcare data breaches of 2015 exposed more patient records than were exposed in all healthcare industry data breaches over the last four years combined. Heading into 2015, the previous largest healthcare data breach had exposed 4.9 million patient records. A security incident of that magnitude was fortunately a rarity. In 2015, there were two healthcare data breaches reported in that order of magnitude; two exposed more than twice that number of records, and one created more than 17 times as many victims.
Healthcare providers were targeted, but the top three biggest healthcare data breaches of 2015 all affected health insurers.
2015 Healthcare Data Breach Summary
|Company||Breach Victims||Covered Entity||Incident Type|
|Anthem Inc.||78,800,000||Health Plan||Hacking/IT Incident|
|Premera BlueCross||11,000,000||Health Plan||Hacking/IT Incident|
|Excellus BlueCross BlueShield||10,000,000||Health Plan||Hacking/IT Incident|
|UCLA Health||4,500,000||Healthcare Provider||Hacking/IT Incident|
|Medical Informatics Engineering||3,900,000||Business Associate||Hacking/IT Incident|
|CareFirst BlueCross BlueShield||1,100,000||Health Plan||Hacking/IT Incident|
|Virginia Department of Medical Assistance Services (VA-DMAS)||697,586||Healthcare Provider||Hacking/IT Incident|
|Georgia Department of Community Health||557,779||Healthcare Provider||Hacking/IT Incident|
|Georgia Department of Community Health||355,127||Healthcare Provider||Hacking/IT Incident|
|Beacon Health System||306,789||Healthcare Provider||Hacking/IT Incident|
|Empi Inc., / DJO, LLC||160,000||Healthcare Provider||Device theft|
Source: Dept. Health & Human Services’ Office for Civil Rights
The problem for the healthcare industry was underinvestment in cybersecurity protections, and more individuals targeting the industry due to the value of the data held on patients and plan subscribers.
A full set of patient data carries a far higher value than a credit card number, which can only be used for a matter of hours before theft is noticed and the account is blocked. Heath data and Social Security numbers can be used for days, months, or even years before the victim becomes aware of any fraud. The healthcare industry simply wasn’t ready for the phishing campaigns and increasing sophistication of attacks.
In order to stop the worrying data breach trend continuing into 2016, the healthcare industry must increase investment in cybersecurity defenses. All healthcare data should be encrypted at rest and in motion and staff training must be increased to prevent careless mistakes from being made that allow hackers to gain access to computer networks.
The two biggest healthcare data breaches of 2015 were caused as a result of employees falling for phishing emails. The provision of staff training to aid phishing email recognition can greatly reduce the probability of a cyberattack being suffered.
Multi-layered security systems, increased training, and encryption could have prevented many of the biggest healthcare data breaches of 2015 from occurring. Fortunately, 2015 has been a wakeup call and healthcare organizations have increased budgets and invested more heavily in cybersecurity protections. It is hoped that as a result, 2016 will be a much better year.