Lapses in security measure testing can give healthcare employees a false sense of protection against data breaches, says cybersecurity expert
Cyberattacks on our nation’s hospitals, clinical laboratories, other healthcare organizations, and health plans, continue to plague the healthcare industry. As of July 7, 2023, 324 data breaches have occurred and are currently under investigation, according to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) data breach portal.
This has affected more than 39 million people, HealthITSecurity reported.
When cybercriminals attack hospitals, clinical laboratories, and other medical organizations, healthcare consumers’ protected health information (PHI) may be stolen.
Dark Daily has covered such cyberattacks extensively.
In “Healthcare Cyberattacks at Two Hospitals Prompt Tough Decisions as Their Clinical Laboratories Are Forced to Switch to Paper Documentation,” we reported how in response to cyberattacks on two hospitals, medical laboratories in Florida and Maryland were forced to switch from digital to paper documentation and, in at least one case, the organization reportedly had difficulty accessing electronic laboratory test results.
And in, “Nearly One Million Patient Records of Hospitals, Health Clinics, Medical Laboratories, and other Providers Stolen in Ransomware Attack on Medical Records Company,” we covered how a single ransomware attack on a medical records company netted nearly a million PHI records from 28 healthcare providers in New York. This include names, home addresses, treatment dates, health plan numbers, and internal account numbers of 934,138 patients.
Below is a list of the data breaches this year that affected the most people.
“The way that computer network environments work today, users are acknowledged as the weakest link and offer the most potential for access to a hacker,” Ben Denkers (above), former Chief Innovation Officer at CynergisTek, told Dark Daily’s sister publication The Dark Report. He added that data breaches at clinical laboratories can start with “missteps” by lab employees who have a false sense of protection caused by lapses in testing a lab’s security measures. CynergisTek merged with Clearwater in 2022. (Photo copyright: CynergisTek.)
Top Data Breaches in First Six Months of 2023
Here are healthcare’s top 10 data breaches for the first half of 2023, listed by organizations with the most people affected, according to HHS:
- Managed Care of North America, dental benefits organization, Atlanta, Georgia, 8.8 million individuals affected.
- PharMerica Corporation, pharmacy services for skilled nursing, Louisville, Kentucky, 5.8 million individuals affected.
- Regal Medical Group, Reseda, California, 3.3 million individuals affected.
- Cerebral, mental health services, Claymont, Delaware, 3.1 million individuals affected.
- NationsBenefits Holdings, supplemental benefits company, Plantation, Florida, three million individuals affected.
- Harvard Pilgrim Health Care, health plan, Canton, Massachusetts, 2.5 million individuals affected.
- Enzo Clinical Labs, clinical reference laboratory, Farmingdale, New York, 2.4 million individuals affected.
- ZOLL Services, medical equipment, Pittsburgh, Pennsylvania, 997,097 individuals affected.
- Community Health Systems, healthcare provider with 15,000 licensed beds at 89 acute care hospitals in 16 states, Brentwood, Tennessee, 962,884 individuals affected.
- CentraState Healthcare System, healthcare provider with a 284-bed acute care medical center, an ambulatory campus, and an urgent care clinic, Freehold, New Jersey, 617,901 individuals affected.
Clinical Laboratory Brings in Cybersecurity Experts
Following a ransomware incident in April on its computer network, Enzo Clinical Labs in Farmingdale, New York, “immediately took steps to secure our systems and began an investigation with the assistance of a cybersecurity firm,” the lab’s Notice of Data Security Incident explains.
“The investigation determined an unauthorized party accessed files on our systems,” the notice continues. “The files contained patient names, dates of service, clinical test information, and, in some instances, Social Security numbers.”
Enzo “has incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter,” according to the lab’s Securities and Exchange Commission (SEC) filing.
Multiple Large Health Systems Suffer Data Breaches
At Community Health Systems (CHS) it was a security incident at Fortra, a cybersecurity firm engaged by CHS, that resulted in “unauthorized disclosure of patient information,” according to CHS’s Notice of Third Party Security Incident.
The extent of data theft from the breach of Fortra’s GoAnywhere MFT secure managed file transfer software was not immediately clear, HIPAA Journal reported.
“The personal information may have included full name, address, medical billing and insurance information, certain medical information such as diagnoses and medication, and demographic information such as date of birth and Social Security number,” the CHS notice explained.
At CentraState Healthcare System, “an unauthorized person obtained a copy of an archived database that stored certain patient information,” the healthcare provider’s Notice of Security Incident states.
“There was no financial account and/or payment card information involved in this incident,” CentraState noted.
Financial Impact of Data Breaches
One of the effects on healthcare providers is costly settlement of lawsuits following data breaches that allege failure to secure patients’ PHI. For example, according to Becker’s Health IT:
- UMass Memorial Medical Center in Worcester, Massachusetts, paid $1.2 million “to settle a March 2022 lawsuit regarding a data breach of its payroll management system Kronos.”
- Advent Health in Altamonte Springs, Florida, paid $500,000 “to settle a data breach lawsuit alleging that the health system failed to protect patients’ confidential information after a September 2021 data breach.”
- CommonSpirit Health in Chicago spent $150 million recovering from a ransomware attack in October 2022 that also sparked lawsuits over stolen PHI.
Tips for Clinical Laboratories on Securing Patient Data
In “Labs Must Audit Their Cybersecurity Measures,” Ben Denkers, former Chief Innovation Officer at CynergisTek, an Austin-based cybersecurity company which has since merged with healthcare cybersecurity and compliance company Clearwater, told Dark Daily’s sister publication The Dark Report, “The way that computer network environments work today, users are acknowledged as the weakest link and offer the most potential for access to a hacker.”
Denkers advises that while training employees is important for cybersecurity because it aims at changing human behavior, laboratories and other healthcare organizations also need to audit the technological measures they have in place to protect data.
“What we find is that organizations have security technology or processes in place that are either not effective or not working as designed,” he said, adding that when data breaches do occur “it’s a complete blindside for a lot of organizations that think they have protections in place because they bought a product, or they developed a policy.
“Testing, validating, and auditing whether measures are working as designed is a change of mentality for a lot of organizations. I would recommend taking those steps,” he added.
Clinical laboratories hold vast amounts of patient data and cannot afford disruptions to testing and results reporting. Vigilance can help labs avoid catastrophic cyberattacks, secure their patients’ protected health information from being stolen, and prevent the subsequent lawsuits that ensue following a data breach.
—Donna Marie Pocius
Related Information:
US Department of Health and Human Services Office for Civil Rights Breach Portal
2023 Largest Health Data Breach So Far Brings Legal Flurry
Biggest Healthcare Data Breaches Reported This Year, So Far
Notice of Data Security Incident: Enzo Clinical Laboratories
Securities and Exchange Commission (SEC) Filing: Enzo
Third Party Security Incident Impacting Community Health Systems
Up to One Million Community Health Systems Patients Affected by GoAnywhere MFT Hack
CentraState Healthcare System Notice of Security Incident
How Much Three Health Systems are Paying to Resolve Cyberattacks
Sophisticated Cyberattacks Target Healthcare