Five of the 10 biggest data breaches in the U.S. this summer involved healthcare records. As the black market price of U.S. financial records and credit card numbers drops, more criminals are targeting medical institutions.
The ordering of this list is based on the number of records reported to have been exposed; it’s important to note that many organizations that fall victim to a breach don’t release numbers, and therefore are not included here. The list includes breaches of which the public was notified in the summer of 2014, regardless of when they actually occurred.
1. Community Health Systems (CHS): 4,500,000 records
TrustedSec reported that hackers exploited the Heartbleed vulnerability to obtain login credentials from a CHS Juniper device. They were then able to log in through the virtual private network and move through the network until they found the 4.5 million records in a database. According to CNN, the attackers were based in China and used sophisticated malware. CHS responded to the attack by sending letters to affected patients with information about free identity theft protection.
As a point of reference, the Target breach in late 2013 affected 70 million to 110 million people.
2. Montana Department of Public Health and Human Services (DPHHS): 1,062,509 records
In June, Montana’s DPHHS announced that hackers had accessed a database containing the Social Security numbers and medical information of over a million patients. The department sent letters notifying the victims and is offering free credit monitoring services and insurance.
Read more about this breach here on our blog.
3. Virginia Wesleyan College: 380,000 records
The Virginian-Pilot reports, “A former student employee at Virginia Wesleyan College faces federal charges of accessing a school database of more than 380,000 students and alumni, stealing identities and opening credit card accounts.” The former student was stopped by suspicious credit card companies after stealing $11,000 from the fraudulent accounts. Although the school learned of the breach in 2012, word got out to the public in July when the former student was brought to court.
This event shows how insiders can be among your biggest security threats. It is of the utmost importance to make sure employees have exactly the level of access needed to do their jobs: no more, no less.
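The "no more, no less" principle is easier to enforce when access is denied by default and every decision is recorded. The following is an added example, not code from the original post or from any of the organizations it names: a small deny-by-default, role-based access check over a constructed student-record store, with an audit log that flags a session which reads more distinct records than its role would normally need. The role names, permissions, records and threshold are all assumptions made up for illustration.

```python
"""Least-privilege access check with deny-by-default and an audit trail.

Added example; the roles, permissions, records and threshold below are
constructed for illustration and do not describe any real system.
"""
from collections import defaultdict

# Permissions each role actually needs to do its job: nothing more.
# Any role not listed here, and any action not listed for a role, is denied.
ROLE_PERMISSIONS = {
    "registrar": {"student:read", "student:update"},
    "student_worker": {"student:read_own"},   # may read only their own record
    "auditor": {"student:read", "audit:read"},
}

# Constructed sample records (placeholder values, not real people).
RECORDS = {
    "S1001": {"name": "Alice Example", "ssn": "***-**-0001"},
    "S1002": {"name": "Bob Example", "ssn": "***-**-0002"},
    "S1003": {"name": "Cara Example", "ssn": "***-**-0003"},
}


class AccessController:
    def __init__(self, bulk_read_threshold=2):
        # Distinct records one user may read in a session before the
        # session is flagged for review. A bulk pull of a student database
        # is not a normal task for most roles; the value here is a toy.
        self.bulk_read_threshold = bulk_read_threshold
        self.audit_log = []                 # (user, action, target, decision)
        self._reads = defaultdict(set)      # user -> record ids read so far

    def _log(self, user, action, target, decision):
        self.audit_log.append((user, action, target, decision))

    def can_read(self, user, student_id):
        """Deny-by-default: True only if the user's role grants the read."""
        perms = ROLE_PERMISSIONS.get(user["role"], set())
        if "student:read" in perms:
            return True
        if "student:read_own" in perms:
            return student_id == user.get("own_record")
        return False

    def read_record(self, user, student_id):
        """Return the record if allowed, else None. Every attempt is logged."""
        name = user["name"]
        if not self.can_read(user, student_id):
            self._log(name, "student:read", student_id, "DENY")
            return None
        self._reads[name].add(student_id)
        # Allowed, but surfaced to security review if the session is
        # touching more records than the role normally needs.
        decision = "FLAG" if len(self._reads[name]) > self.bulk_read_threshold else "ALLOW"
        self._log(name, "student:read", student_id, decision)
        return RECORDS.get(student_id)

    def denied_attempts(self):
        return [entry for entry in self.audit_log if entry[3] == "DENY"]

    def flagged_users(self):
        return sorted({entry[0] for entry in self.audit_log if entry[3] == "FLAG"})


def demo():
    """Walk through a worker reading their own and someone else's record,
    an unknown role, and a registrar session that trips the bulk flag."""
    ac = AccessController(bulk_read_threshold=2)
    worker = {"name": "jdoe", "role": "student_worker", "own_record": "S1001"}
    ac.read_record(worker, "S1001")            # ALLOW: own record
    ac.read_record(worker, "S1002")            # DENY: not their record
    ac.read_record({"name": "x", "role": "janitor"}, "S1001")  # DENY: no role
    registrar = {"name": "rsmith", "role": "registrar"}
    for sid in ("S1001", "S1002", "S1003"):   # third read exceeds threshold
        ac.read_record(registrar, sid)
    return ac


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(*entry)
```

The point of the audit log is that a denied or flagged read is visible at the time it happens, rather than discovered years later through a credit card company's fraud team; `flagged_users()` is the hook a reviewer or SIEM rule would consume.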
4. Indian Health Service: 214,000 records
The HITECH Act requires healthcare organizations to notify the public of data breaches affecting 500 or more individuals. The U.S. Department of Health and Human Services website lists the Indian Health Service (based in Maryland) as involved in an “Unauthorized Access/Disclosure” breach in February of this year, though it was only reported in July. Data Breach Today highlighted the organization’s security issues after a penetration test revealed vulnerabilities in its systems.
In late May 2014, an Indian Health Service employee left a folder containing sensitive medical information in a public area, a stern reminder that people are often the weakest link in your security.
5. Butler University: 163,000 records
While investigating an identity theft suspect, California police found a flash drive containing the personal information of Butler University affiliates. Butler sent notification letters to the affected individuals, offering a year of free identity theft services.
6. United Parcel Service (UPS): 105,000 records
UPS was the latest victim in a string of retail breaches this year. Hackers accessed customer data (including personal and payment card information) from UPS stores in 24 states. No fraud has yet been reported in connection with this breach.
7. NRAD Medical Associates, P.C.: 97,000 records
A former NRAD employee bypassed the organization’s security systems to access a database containing patients’ personal information, including Social Security numbers and medical information. NRAD is offering free credit monitoring to affected patients.
8. American Express: 76,608 records
American Express was the victim of a targeted attack by the hacktivist group Anonymous, which accessed customers’ credit card numbers and posted them online. Anonymous claimed its motive was to punish financial firms for “enslaving” people. American Express notified its customers and enabled additional fraud monitoring.
9. TotalBank: 72,500 records
TotalBank notified customers that an unauthorized user accessed its network, potentially exposing their personal and banking information (passwords were not exposed, however, according to the bank). The company set up a calling center to address customer concerns.
10. St. Vincent Breast Center: 63,325 records
Due to a clerical error, letters from St. Vincent Breast Center were inadvertently mailed to the wrong people. The letters included names, addresses, and sometimes a reference to a scheduled appointment. The organization says it is making changes to its mailing processes.
Unfortunately, this list is just the top layer of a widespread problem. According to the Identity Theft Resource Center (ITRC), 521 breaches have occurred so far in 2014, exposing nearly 18 million records. For the full year in data breaches, consult the ITRC’s comprehensive list of attacks.