The Worst Health Data Breaches in 2016
It’s relatively easy to identify which were the biggest breaches involving health data that were disclosed in 2016, but which of the hundreds of breaches disclosed were the worst ones if you look beyond the numbers? As in past years, we learned of devices with sensitive unencrypted health information being stolen from vehicles, paper records were found where they shouldn’t have been or in the streets, and employees snooped in patients’ files. Records continued to be accidentally exposed online, hackers hacked, fraudsters altered and misused records to support fraud schemes, and burglars burgled.
Recognizing that “worst” implies a subjective judgment and one person’s judgment can be quite different than another’s, here’s a look-back at what I think were some of the worst health data breaches disclosed in 2016:
- Ransomware attacks. In 2016, we saw an explosion of ransomware attacks that not only had the potential to interfere with patient care or hospital operations, but actually did interfere, with impact ranging from inconvenience to slowing down of care or services to not being able to provide care at all. Some hospitals reportedly had to divert patients to other facilities, and one NHS trust canceled appointments and operations in three hospitals as a result of a ransomware attack. Overall, hospitals struggled to cope without access to electronic records, and a few entities irretrievably lost patient records during recovery from backup after an attack on their business associate.
- Non-ransomware hacks with extortion demands. In 2016, DataBreaches.net covered some of TheDarkOverlord’s medical sector hacks and extortion attempts. The hacks were often accompanied by the PHI being put up for sale on the dark web and leaked in “press releases” posted on Pastebin to increase pressure on his victims to pay up.
Although it wasn’t the largest of his hacks at 201,000 patients affected, the Athens Orthopedic Clinic in Atlanta made my “worst” list for the clinic’s incident response. AOC has more than one dozen locations and yet didn’t carry adequate breach insurance, which resulted in the clinic announcing that it would provide no credit monitoring services at all. Given that their patients may spend the rest of their lives not knowing who bought their information and who may misuse it and when, AOC’s incident response made this one of the worst incidents in my opinion.
- Hacktivists attacking and dumping patient data. Not all of the really bad hacks were motivated by financial gain. One of the worst breaches reported during 2016 involved Turkish state hospital patients having their data hacked and dumped publicly – including HIV status and abortion records – by a self-proclaimed member of Anonymous. And in the U.S., a Ukrainian hacktivist attacked an Ohio urology group and dumped over 300,000 patients’ records to “send a warning” to the U.S., even though he acknowledged that his victim had nothing to do with the issue that concerned him.
- Rogue employees. Some of those trusted to care for patients allegedly abused patients and gleefully shared images of their abuse. We learned of a case being prosecuted in New York where disturbing images of disabled nursing home patients being mistreated were uploaded to social media. And in Florida, there was a “selfie war” between paramedics who allegedly took pictures and videos of themselves with unconscious patients in ambulances and then shared the images with others. They, too, have been charged criminally.
- No clue what happened. Incidents reported by Fairbanks Hospital and Bizmatics, Inc. tied for a place on my “worst” list for not having adequate logs and monitoring:
In December, Fairbanks Hospital announced that it was notifying almost 13,000 patients because it could not determine whether employees had inappropriately accessed patient records, and if it had happened, which employees and which patients were involved or affected. Their inability to make such determinations goes back to November 2013 or earlier, they reported.
In an unrelated incident, Bizmatics, Inc., reported that they had been hacked, but they generally couldn’t determine whether particular PrognoCIS clients’ patient records had been accessed or not. The absence of adequate logs left covered entities in the unhappy position of having to notify patients that their PHI may or may not have been accessed by hackers. More than 260,000 patients were notified of the possible or definite access; many more might also have been notified but their notifications were not available to this site.
- Deflection: Shoot the messenger. As in past years, some entities tried to absolve themselves of responsibility by trying to paint themselves as “victims” and by characterizing those who investigate the scope of their mistakes as “hackers.” In 2016, we saw a number of “shoot the messenger” cases where entities who had failed to adequately secure FTP servers, MongoDB installations, or RSync backups accused those who found and investigated their mistakes of being hackers. The worst of these cases involved the FBI raiding Justin Shafer after he found, investigated, and then responsibly notified Patterson Dental of a server exposing clients’ patients’ PHI. The year is drawing to a close with Community Health Plan of Washington talking about “invasion” after Shafer uncovered an FTP server that their business associate, NTT Data, Inc., had allegedly failed to adequately secure.
- And then there was this one. If I had to pick one report as being the most disturbing, it would be an insider wrongdoing case prosecuted in the federal courts that generally flew under the media radar. As part of an insurance fraud operation, a Pasadena doctor, Boyao Huang, not only altered 79 patients’ records to indicate that patients were terminally ill and therefore qualified for hospice care, but he actually told them and their families that they were terminally ill. The four years in prison he was sentenced to, plus restitution, do not even come close to what I’d wish for him.
So that’s my list of what I think were the worst health data breaches disclosed in 2016. I recognize – and as Steve Bellovin reminded me on Twitter – that the worst breach disclosed in 2016 may be a breach that we first learn about this week. Hopefully, I won’t need to update this post.
If you have another breach involving health data that was disclosed in 2016 that you think should have made a “worst” list for its impact, what was it?
Update 1: It appears that one family and sports medicine center lost all of its patient records in a ransomware attack, as no one could figure out how to decrypt it. They make no mention of having any backup, and do not explain whether they paid the ransom demand. I’d say that may qualify it as one of the worst breaches of the year.