Human Error Behind 5 ‘High-Profile’ Healthcare Data Breaches
Posted: Nov 25, 2021
Over the last few years, the healthcare industry has become an extremely popular target among cyber criminals. Serving as a gold mine of valuable data, this industry has attracted the interest of malicious actors worldwide. According to an article by Health IT Security, hospitals account for 30% of all large data breaches. With so many high-profile cyber attacks on healthcare institutions recently, the growing significance of cyber security in the healthcare industry has become glaringly clear.
From disrupting the workings of high-traffic hospitals for ransom to selling sensitive healthcare data on the dark web, cyber criminals are going all out to fill their pockets at the expense of healthcare institutions. According to Experian, medical records can be sold for up to $1000 on the dark web. An article by HIPAA Journal reports that 28,756,445 healthcare records were exposed in 2020. Can you imagine the extent of impact these data breaches have?
Cyber criminals are becoming increasingly creative when it comes to finding new ways of bypassing the security of the target organizations. More often than not, they target the weakest and most vulnerable link in an organization’s cyber security chain. Do you know what that is?
Well, it’s your employees!
Yes, you read that right. According to a study by IBM, 95% of cyber security breaches are primarily caused by human error. Being unaware of the proper security protocols and cyber security best practices, your employees can inadvertently grant hackers access to your network and systems. Despite having cutting-edge IT security infrastructure, several renowned healthcare organizations have fallen victim to devastating cyber attacks and data breaches due to human error.
Find out about some of the most grievous healthcare data breaches of all time caused by human error.
#1 Health Insurer Anthem Inc.
In February 2014, the well-known health insurer Anthem Inc. suffered a massive data breach that affected a total of 78.8 million individuals, compromising their Personally Identifiable Information (PII). This healthcare data breach affected multiple brands used by Anthem for marketing its healthcare plans, including Empire Blue Cross and Blue Shield, Anthem Blue Cross, Anthem Blue Shield, Amerigroup, Blue Cross and Blue Shield of Georgia, Caremore, Healthlink and UniCare. The huge extent of the damage caused by the breach makes this one of the biggest cyber attacks in the healthcare industry.
This data breach started on 18th February 2014 after an employee of one of Anthem’s subsidiaries unintentionally opened a phishing email containing malicious content. Opening the phishing email downloaded malicious files onto the employee’s computer, granting hackers remote access to that computer along with several other Anthem systems, including its data warehouse. Queries to the compromised data warehouse caused the exposure of around 78.8 million user records!
#2 Medical Informatics Engineering
In May 2015, the electronic health records software firm Medical Informatics Engineering (MIE) suffered a data breach that led to the compromise of 3.9 million electronic Protected Health Information (ePHI) records. This healthcare data breach affected patients of 11 healthcare providers and 44 radiology clinics in 12 US states that used the MIE WebChart web app holding the stolen data.
The hackers infiltrated the organization’s network remotely by using easily guessed credentials. MIE had provided a customer with access to its network using two test accounts, both of which had identical and easy-to-guess usernames and passwords. The use of weak credentials led to one of the most prominent cyber attacks on a healthcare institution.
#3 56 Dean Street Sexual Health Clinic
In September 2015, the sexual health clinic in London called 56 Dean Street mistakenly leaked the details of 781 patients who had attended HIV clinics. This clinic, operated by Chelsea and Westminster Hospital NHS Foundation Trust, sent out a newsletter that accidentally revealed the recipients’ email addresses to one another. The patients affected by the breach were supposed to be blind-copied on the email. Instead, the details were sent as a group email! This reckless human error led to one of the gravest data breaches, resulting in the NHS trust being fined £180,000.
ThreatCop is a cyber attack simulator and security awareness training tool that helps employees combat phishing, vishing, smishing, cyber scams, ransomware, etc.