Unprotected Medical Systems Expose Data On Millions Of Patients
Every year, millions of patients suffer injuries or die because of unsafe and poor-quality health care. Many medical practices and risks associated with health care are emerging as major challenges for patient safety and contribute significantly to the burden of harm due to unsafe care. Below are some of the patient safety situations causing most concern.
Schrader found the unprotected servers manually, a route he chose to demonstrate that no hacking skills are required in this process. An attacker could have written a script to separate the protected from the unprotected servers in a fraction of the time. In total, he had access to more than 2 petabytes of medical data.
January 9, 2019: The personal health information of more than 31,000 patients of Managed Health Services of Indiana has been exposed following a phishing attack. Names, insurance ID numbers, addresses, dates of birth and medical conditions are among the potentially compromised data.
January 17, 2019: Millions of government files, including records pertaining to FBI investigations, were left unprotected on an open storage server belonging to the Oklahoma Department of Securities (ODS). The oldest records exposed dated back to 1986 and ranged from personal data to login credentials and internal communication records.
February 20, 2019: Patients of Florida-based Advent Health Medical Group are being notified of a 16-month long data breach. Approximately 42,000 individuals had their sensitive personal and health information exposed, including medical histories, insurance information, Social Security numbers, names, phone numbers and addresses.
February 22, 2019: In another major data breach of a university health facility, patients of UConn Health have had their personal information exposed after a third party accessed employee email accounts. About 326,000 people were affected in the breach, which compromised names, dates of birth, addresses, Social Security numbers and limited medical information.
March 4, 2019: About 45,000 patients of Chicago-based Rush health system were exposed in a data breach. Names, addresses, birthdays, Social Security numbers and health insurance information were compromised after an employee disclosed billing documents to an unauthorized third party.
March 20, 2019: The personal information of 277,319 patients has been exposed by a Zoll Medical data breach. The medical device manufacturer headquartered in Chelmsford, MA announced that data from emails was leaked during a server migration, including names, addresses, dates of birth and medical information. Some patients also had their Social Security numbers exposed.
April 8, 2019: An estimated 12,000 patients of Baystate Health, a Springfield, MA-based hospital, had their information exposed after a phishing attack compromised the email accounts of several employees. Patient names, dates of birth, health information, and some Medicare and Social Security numbers were involved in this healthcare data breach.
April 19, 2019: Patients seeking treatment for drug and alcohol abuse have had their sensitive personal information exposed in a data breach of several addiction rehabilitation centers. The data was discovered unprotected by security researcher Justin Paine. Approximately 145,000 patients have been impacted.
May 9, 2019: A data breach of Freedom Mobile has affected an estimated 1.5 million customers after a database of information was found unprotected on an Elasticsearch server. The Canada-based telecommunications company exposed customer names, email addresses, phone numbers, physical addresses, dates of birth, account numbers and credit card information.
May 20, 2019: More than 49 million Instagram influencers, celebrities and brands have had their private contact information exposed after an India-based social media marketing company left the data unprotected on an Amazon Web Services database. TechCrunch reported that the bio, profile photo, location, verification status, email address and phone number of high-profile accounts were exposed.
May 23, 2019: The website of a healthcare company, Inmediata, was breached after a setting allowed search engines to index internal pages that contained patient data. More than 1.5 million people may have had their names, addresses, dates of birth, gender, medical information and Social Security numbers exposed. The company has notified those affected.
July 17, 2019: Another clinical lab reported personal information of their patients was compromised following the previously-reported AMCA data breach. Clinical Pathology Laboratories (CPL) disclosed 2.2 million patients had their names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information exposed, and an additional 34,500 patients had their credit card or banking information affected.
August 5, 2019: A phishing attack on Presbyterian Healthcare Services of New Mexico gave hackers unauthorized access to the personal and medical information of 183,000 patients. The reported data breach exposed names, dates of birth and Social Security numbers, along with health plan and clinical information.
October 26, 2019: The account information of over 7.5 million users of Adobe Creative Cloud was exposed due to an unprotected online database, including email addresses, usernames, location, Adobe products, account creation dates, dates of last login, subscriptions and payment status.
December 4, 2019: A database belonging to the American communications company TrueDialog exposed tens of millions of SMS text messages as well as the personal information of more than 1 billion subscribers. Impacted information includes names of recipients, account holders and users, email addresses, phone numbers of recipients and users, content of messages, dates and times messages were sent, message status and account details.
CybelAngel tools scanned approximately 4.3 billion IP addresses and detected more than 45 million unique medical images left exposed on over 2,140 unprotected servers across 67 countries including the US, UK, France and Germany.
Health providers using unsecured Picture Archiving and Communication Systems (PACS) pose a potential threat to patients. New research from Greenbone has revealed that there has been a 60 percent increase in the exposed medical data due to leaky PACS servers.
Advocate Health Care divulged in mid-2013 that several data breaches, including at least two involving computer theft, had revealed personal information and unencrypted medical records of 4.03 million patients. News of the massive breach came just four years after the company reported a theft of unencrypted data; encryption protocols were enacted after that 2009 incident, but had not yet been deployed at the offices affected in 2013. In August 2016, Advocate agreed to pay $5.55 million to settle a lawsuit related to the breach.
In August 2015, Excellus discovered a cyber attack that had claimed the private information of approximately 10 million members. After a rash of cyber attacks targeting healthcare data in early 2015 (including the Premera and Anthem data breaches described below), Excellus ordered a forensic review of its own systems; what they discovered turned out to be the third-largest healthcare data theft in history. The breach extended to as early as December 2013 and involved medical data, Social Security numbers, and financial information.
Summary: This medical center in Kalispell, Montana, suffered a data breach on February 22, 2022. An unknown entity gained unauthorized access to one file server that included shared folders. As a result, it potentially accessed personal information related to business associates, patients, and employees. The accessed information varies by individual but includes dates of birth, names, and Social Security numbers.
Summary: South Shore Hospital, a non-profit hospital in Chicago, Illinois, which treats patients receiving Medicaid or Medicare benefits, noticed suspicious activity on its IT network. It discovered that the protected health information of certain employees and patients was compromised. The leaked data includes first and last names, dates of birth, financial information, medical information, health insurance policy numbers, diagnoses, and Medicare and Medicaid information.
Summary: An unclaimed and unprotected Elasticsearch database exposed more than 13 million records. These records included the personal data of people willing to provide fake reviews in return for free items from Amazon vendors. Specifically, these records included email addresses and Telegram and WhatsApp phone numbers. In addition, information related to the vendors was also exposed, including PayPal account details, email addresses, and usernames (many containing names and surnames).
Summary: Excellus Health Plan, a New York-based health insurer, experienced a data breach that exposed the personal data of over 9.3 million people between late 2013 and May 2015. The breached information included a variety of sensitive information, such as names, dates of birth, addresses, email addresses, bank account information, Social Security numbers, medical treatment information, and health plan claims.