Biggest Healthcare Data Breaches of 2015

The financial sector and retail industries have suffered the largest data breaches over the past couple of years, but 2015 was without doubt the year of the healthcare data breach. The biggest healthcare data breaches of 2015 were all caused by hackers and the industry has been increasingly targeted by cybercriminals seeking valuable healthcare data.

The two biggest healthcare data breaches of 2015 exposed more patient records than all healthcare industry data breaches over the previous four years combined. Heading into 2015, the largest healthcare data breach on record had exposed 4.9 million patient records, and an incident of that magnitude was fortunately a rarity. In 2015, two breaches of roughly that size were reported; two more exposed more than twice that number of records, and one created more than 17 times as many victims.

Healthcare providers were also targeted, but the three biggest healthcare data breaches of 2015 all affected health insurers.

2015 Healthcare Data Breach Summary

| Company | Breach Victims | Covered Entity | Incident Type |
|---|---|---|---|
| Anthem Inc. | 78,800,000 | Health Plan | Hacking/IT Incident |
| Premera BlueCross | 11,000,000 | Health Plan | Hacking/IT Incident |
| Excellus BlueCross BlueShield | 10,000,000 | Health Plan | Hacking/IT Incident |
| UCLA Health | 4,500,000 | Healthcare Provider | Hacking/IT Incident |
| Medical Informatics Engineering | 3,900,000 | Business Associate | Hacking/IT Incident |
| CareFirst BlueCross BlueShield | 1,100,000 | Health Plan | Hacking/IT Incident |
| Virginia Department of Medical Assistance Services (VA-DMAS) | 697,586 | Healthcare Provider | Hacking/IT Incident |
| Georgia Department of Community Health | 557,779 | Healthcare Provider | Hacking/IT Incident |
| Georgia Department of Community Health | 355,127 | Healthcare Provider | Hacking/IT Incident |
| Beacon Health System | 306,789 | Healthcare Provider | Hacking/IT Incident |
| Empi Inc. / DJO, LLC | 160,000 | Healthcare Provider | Device theft |

Source: Dept. Health & Human Services’ Office for Civil Rights

The problem for the healthcare industry was twofold: underinvestment in cybersecurity protections, and a growing number of attackers targeting the industry because of the value of the data it holds on patients and plan subscribers.

A full set of patient data carries a far higher value than a credit card number, which can only be used for a matter of hours before the theft is noticed and the account is blocked. Health data and Social Security numbers can be used for days, months, or even years before the victim becomes aware of any fraud. The healthcare industry simply wasn’t ready for the phishing campaigns and the increasing sophistication of attacks.

To stop this worrying data breach trend from continuing into 2016, the healthcare industry must increase its investment in cybersecurity defenses. All healthcare data should be encrypted at rest and in transit, and staff training must be increased to prevent the careless mistakes that allow hackers to gain access to computer networks.

The two biggest healthcare data breaches of 2015 were the result of employees falling for phishing emails. Training staff to recognize phishing emails can greatly reduce the probability of a successful cyberattack.

Multi-layered security systems, increased training, and encryption could have prevented many of the biggest healthcare data breaches of 2015. Fortunately, 2015 has served as a wake-up call: healthcare organizations have increased budgets and invested more heavily in cybersecurity protections. It is hoped that, as a result, 2016 will be a much better year.

Author: NetSec Editor