DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

2016: Healthcare data breaches in review, Part 1

Posted on January 13, 2017 by Dissent

There were a number of year-in-review analyses for the healthcare sector, but now Protenus has released its report, which is based on analyses of 450 U.S. incidents first disclosed in 2016. The incidents were compiled by DataBreaches.net, who also provided some of the analyses.

While some media outlets still headline external hacks where massive numbers of records are involved, Protenus’s report shines a brighter light on why covered entities need to pay greater attention to, and allocate more resources to, preventing and detecting insider breaches and business associate or third-party breaches.

To demonstrate how media headlines may over-focus on hacks and under-report the insider factors or third-party factors, let’s review the “top 12” list for 2016 based on number of records or patients.

  1. Unnamed vendor for health plan: 10,300,000 records. No one ever admitted that they were the owner of this hacked database and the data were old, but according to the hacker, it was a vendor’s insurance leads file for a major health insurer. Many outlets don’t seem to even know about this incident and consider the Banner incident the largest of the year.
  1. Banner Health: 3,620,000 patients. Banner announced that on July 7, it discovered its payment card system at food and beverage outlets had been hacked. On July 13, they learned that the hacker(s) might have also gained access to protected health information (PHI).
  1. Newkirk Products: 3,466,120 health plan members.  Newkirk Products is a service provider that issues healthcare ID cards for health insurance plans. On July 6, they detected that a server may have been hacked.
  1. 21st Century Oncology: 2,213,597 patients. 21st Century Oncology, which operates 181 treatment centers, announced it was investigating a hack of their network that they first learned about from the government in November, 2015.
  1. Valley Anesthesiology and Pain Consultants: 882,590 patients. On June 13, 2016, Valley Anesthesiology and Pain Consultants (VAPC) learned that a third party may have gained unauthorized access to VAPC computer systems on March 30, 2016.
  1. Los Angeles County: 756,000. It was a great day for a phisher and a bad day for Los Angeles County residents. More than 750,000 people had their PII or PHI stolen.
  1. Bon Secours Health System: 651,971 patients. On June 14, 2016, Bon Secours discovered that files containing patient information had accidentally been left accessible via the internet after one of their vendors, R-C Healthcare Management, misconfigured network settings.
  1. Peachtree Orthopaedic Clinic: 531,000 patients. On October 13, Peachtree issued a public statement that on September 22, they had confirmed a hack. Although not in their disclosure/press release, an employee had told me in August that they were investigating a potential breach involving one of their vendors – and it was the same vendor presumably linked to other hacks by TheDarkOverlord. That was never confirmed by Peachtree, however.
  1. Radiology Regional Center: 483,063 patients.  Radiology Regional Center announced that on December 19, 2015, its records disposal vendor, Lee County Solid Waste Division, informed it that paper records containing the personal information of the center’s patients blew off the truck while the records were being transported to an incineration site. Despite diligent efforts to retrieve all the records, because the center couldn’t be sure it had recovered everyone’s records, they sent notifications to everyone.
  1. California Correctional Health Care Services: 400,000 patients. In July, California Correctional Center found themselves in the same situation as Radiology Regional Center: having to notify everyone because they were not sure who needed to be notified. In this case, on June 19, 2013, dental records were reported missing from a California Correctional Health Care Services staff member’s possession while off the premises of a correctional institution.
  1. Community Health Plan of Washington: 400,000 patients. CHPW described the information in a way that made it sound like a hack of their business associate/claims processor, Transaction Applications Group Inc., doing business as NTT Data. But Justin Shafer publicly announced that he had found that their FTP server had not been secured and was allowing anyone and everyone to access and download files with no login required.
  1. Central Ohio Urology Group: 300,000 patients. On August 2, a pro-Ukrainian hacktivist announced that he had hacked and dumped Central Ohio’s databases, presumably to send a warning to the U.S.

Nine of the 12 largest incidents were announced or described as hacks.  And as Protenus reported, we found that 87% of all breached records were associated with incidents that were coded as “hacks.” But did you notice that 6 of the 12 largest incidents above involved third parties and that 5 out of the 12 largest incidents involved human error? Is there anything we can – and should – learn from those observations?

I think there is, so please follow me to Part 2 of this post.

Related posts:

  • Health Data Breaches in 2017: The Year in Review
  • 2016: Healthcare data breaches in review, Part 2
  • Updating: CaptureRx incident impacted more than 2.4 million. List of Entities.
Category: Breach IncidentsCommentaries and AnalysesHealth DataOf NoteU.S.

Post navigation

← Children’s Hospital Los Angeles and the Children’s Hospital Los Angeles Medical Group notify parents of laptop theft
2016: Healthcare data breaches in review, Part 2 →

2 thoughts on “2016: Healthcare data breaches in review, Part 1”

  1. Justin Shafer says:
    January 14, 2017 at 5:39 pm

    I think the largest was BCBS, and I heard it probably TDOHack3r that did it.

    1. Dissent says:
      January 15, 2017 at 9:23 am

      What BCBS hack? To my knowledge, TheDarkOverlord never hacked BCBS.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.