Companies in any industry can be susceptible to data breaches. Despite the ongoing pandemic which has many people working from home, cyberattacks aren’t slowing. This goes to show that cybercriminals will stop at nothing to steal your information. At a time when people should be working together to combat a global crisis, there are individuals out there who see an opportunity to take advantage of others.
Perhaps the most despicable of these attacks are carried out against health care companies, the very organizations that need the most support during a pandemic. Their workers are on the frontlines working incredibly hard to save lives and improve health outcomes. But where most people see a brave group of health care workers, others see an opportunity.
The health care field is a significant target for cyberattacks. Why? On a day-to-day basis, health care organizations handle a vast amount of sensitive information. Protected health information (PHI) can include a person’s demographics, medical history, test and lab results, mental conditions, insurance information, and other data. This information is so private that the U.S. government imposes two strict regulations on how health care companies handle it, HIPAA and HITECH.
A data breach occurs when confidential information gets released (intentionally or unintentionally) to an untrusted environment. A data breach can happen to an organization of any size, and the stolen data need not be related to a person’s health; it can include credit card numbers, trade secrets, proprietary information, or any number of confidential materials.
Data breaches that affect health care companies are especially damaging to the victims. A hospital, for instance, needs to hold a vast amount of information about every person it serves, including health records as well as Social Security numbers, addresses, and more.
Health care providers can reduce the risk of data breaches by educating their employees on proper disposal of documents and identification of phishing attacks. They also need to comply regularly and completely with HIPAA, HITECH, and other regulations mandated by the government since they are designed to protect people.
Data breaches have not slowed in 2020. In fact, they’ve occurred at a pretty steady pace. To put this into perspective, here are five of the largest health care breaches of 2020 (so far). As you read, keep in mind that these numbers represent real people who have fallen victim and had their information stolen.
Top Five Data Breaches
- Health Share of Oregon (January 2, 2020): A laptop was stolen from one of their vendors and put 654,000 patients’ information at risk because the laptop was not encrypted.
- Florida Orthopaedic Institute (April 9, 2020): The personal information of about 640,000 patients was compromised in this data breach. A ransomware attack was able to encrypt data stored on FOI’s servers, but not before the attackers were able to retrieve it.
- Elite Emergency Physicians (April/May 2020): This provider had a vendor that improperly disposed of their patients’ records, and the resulting breach affected 550,000 patients.
- Magellan Health (April 6, 2020): One of their servers was compromised after a phishing scheme impersonating a Magellan client succeeded in getting credential-stealing malware downloaded. Hackers were then able to steal data before delivering a ransomware payload. Close to 365,000 patients and employees were affected. This was not the first time an attack of this type had affected Magellan.
- BJC HealthCare (May 1, 2020): 287,876 patients were affected by a breach resulting from a phishing attack. Three employees were unaware of this attack and fell right into its trap, giving the attacker access to their email and allowing the attacker to steal medical records, account numbers, Social Security numbers, and health insurance data. The attacker had access for only one day before the security team detected the breach.
These few examples provide some insight into what can happen when even one person in a much larger organization makes a mistake. It can be something as simple as improperly disposing of records or clicking a link in a legitimate-looking phishing email. In fact, in 2019, nearly one-third of all data breaches involved phishing in one way or another. Something so small and simple to avoid can jeopardize the futures of hundreds of thousands of people when overlooked.
You can’t stop attackers from trying, but you can educate your employees. Something as simple as having them read our short blog on identifying phishing emails is one place to start. Another is to start critically examining your cybersecurity practices. Are your systems and networks adequately protected from theft or damage? Can one employee’s mistake grant a hacker the keys to the castle, or are there policies in place to limit their effectiveness? Following the cybersecurity industry’s best practices is key to avoiding data breaches for yourself.
If you're interested in getting additional help securing yourself against threats to your health care company, our team at Machado Consulting is more than happy to show you! You can reach us here or at (508) 453-4700.