Human Error Behind 5 ‘High-Profile’ Healthcare Data Breaches
Over the last few years, the healthcare industry has become an extremely popular target among cyber criminals. Serving as a gold mine of valuable data, this industry has attracted the interest of malicious actors worldwide. According to an article by Health IT Security, hospitals account for 30% of all large data breaches. With so many high-profile cyber attacks on healthcare institutions recently, the growing significance of cyber security in the healthcare industry has become glaringly clear.
From disrupting the workings of high-traffic hospitals for ransom to selling sensitive healthcare data on the dark web, cyber criminals are going all out to fill their pockets at the expense of healthcare institutions. According to Experian, medical records can be sold for up to $1000 on the dark web. An article by HIPAA Journal reports that 28,756,445 healthcare records were exposed in 2020. Can you imagine the extent of impact these data breaches have?
Cyber criminals are becoming increasingly creative when it comes to finding new ways of bypassing the security of the target organizations. More often than not, they target the weakest and most vulnerable link in an organization’s cyber security chain. Do you know what that is?
Well, it’s your employees!
Yes, you read that right. According to a study by IBM, 95% of cyber security breaches are primarily caused by human error. Being unaware of the proper security protocols and cyber security best practices, your employees can inadvertently grant hackers access to your network and systems. Despite having cutting-edge IT security infrastructure, several renowned healthcare organizations have fallen victim to devastating cyber attacks and data breaches due to human error.
So, here are some of the most grievous healthcare data breaches of all time caused by human error.
#1 Health Insurer Anthem Inc.
In February 2014, the reputed health insurer Anthem Inc. suffered a massive data breach that affected a total of 78.8 million individuals, compromising their Personally Identifiable Information (PII). This healthcare data breach affected multiple brands used by Anthem for marketing its healthcare plans, including Empire Blue Cross and Blue Shield, Anthem Blue Cross, Anthem Blue Shield, Amerigroup, Blue Cross and Blue Shield of Georgia, Caremore, Healthlink and UniCare. The sheer extent of the damage makes this one of the biggest cyber attacks in the healthcare industry.
This data breach started on 18th February 2014 after an employee of one of Anthem’s subsidiaries unintentionally opened a phishing email containing malicious content. Opening the phishing email downloaded malicious files onto the employee’s computer, granting hackers remote access to that computer along with several other Anthem systems, including its data warehouse. Queries against the compromised data warehouse exposed around 78.8 million user records!
#2 Medical Informatics Engineering
In May 2015, the electronic health records software firm Medical Informatics Engineering (MIE) suffered a data breach that led to the compromise of 3.9 million Electronic Personal Health Information (ePHI) records. This healthcare data breach affected patients of 11 healthcare providers and 44 radiology clinics in 12 US states, all of which used the MIE WebChart web app that held the stolen data.
The hackers infiltrated the organization’s network remotely by using easily guessed credentials. MIE had provided a customer with access to its network using two test accounts, both of which had identical and easy-to-guess usernames and passwords. The use of weak credentials led to one of the most prominent cyber attacks on a healthcare institution.
#3 56 Dean Street Sexual Health Clinic
In September 2015, the sexual health clinic in London called 56 Dean Street mistakenly leaked the details of 781 patients who had attended HIV clinics. This clinic, operated by Chelsea and Westminster Hospital NHS Foundation Trust, sent out a newsletter that accidentally revealed the recipients’ email addresses to one another. The patients affected by the breach were supposed to be blind-copied (Bcc) on the email. Instead, the details were sent as a group email! This reckless human error led to one of the gravest data breaches, resulting in the NHS trust being fined £180,000.
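The 56 Dean Street incident is a pure recipient-handling mistake: a bulk mailing with every patient visible in To instead of hidden in Bcc. The following is an added example, not code from the original article or from any of the organizations it names, showing how a sending script can build a newsletter with recipients in Bcc only and refuse to send any message that would expose more than one address. The sender address, patient addresses and the visibility threshold are constructed assumptions.

```python
"""Guard against the group-email failure described above.

Added example (not the article's or the clinic's code). Recipients of a
bulk message belong in Bcc; the check below refuses any message whose
To/Cc headers would reveal more than MAX_VISIBLE_RECIPIENTS addresses.
"""
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: a bulk mailing shows at most one address (the sender's own).
MAX_VISIBLE_RECIPIENTS = 1


class RecipientLeak(Exception):
    """Raised when a message would reveal recipient addresses to each other."""


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return the addresses every recipient can see: To and Cc, never Bcc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses([str(h) for h in headers]) if addr]


def build_newsletter(sender: str, recipients: list[str],
                     subject: str, body: str) -> EmailMessage:
    """Compose a bulk message the safe way: all recipients hidden in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                 # the only visible address is the sender's
    msg["Bcc"] = ", ".join(recipients)  # smtplib.send_message strips Bcc on transport
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_group_email(sender: str, recipients: list[str],
                      subject: str, body: str) -> EmailMessage:
    """Compose the message the way the incident did: everyone in To.

    Kept only so the guard below can be shown rejecting it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)   # every recipient sees every other one
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def check_before_send(msg: EmailMessage) -> int:
    """Gate to run immediately before handing a message to SMTP.

    Returns the number of visible recipients when the message is safe,
    raises RecipientLeak when sending it would disclose addresses.
    """
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        raise RecipientLeak(
            f"{len(visible)} recipient addresses would be visible to all recipients"
        )
    return len(visible)


if __name__ == "__main__":
    # Constructed sample data; no real addresses.
    clinic = "newsletter@clinic.example.invalid"
    patients = [f"patient{i}@mail.example.invalid" for i in range(5)]

    safe = build_newsletter(clinic, patients, "Clinic update", "Hello.")
    print("safe message, visible recipients:", check_before_send(safe))

    leaky = build_group_email(clinic, patients, "Clinic update", "Hello.")
    try:
        check_before_send(leaky)
    except RecipientLeak as exc:
        print("blocked:", exc)
```

The check inspects only what a recipient's mail client would render (To and Cc), so it catches the failure regardless of how the message was assembled; wiring it in front of the actual send call turns a one-click mistake into a rejected job.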
#4 Public Health Wales
Public Health Wales suffered a data breach involving the personally identifiable information (PII) of thousands of Welsh residents who had tested positive for COVID-19. On 30th August 2020, the personal information of 18,105 Welsh residents who had tested positive for COVID-19 was accidentally uploaded to a public server, making it accessible to anyone using the site. Caused by individual human error, the incident exposed the patients’ initials, geographical area, date of birth and sex. While the data was removed the next morning as soon as Public Health Wales was alerted to the breach, it was viewed 56 times during the 20 hours it had been online!
#5 VillageCare Rehabilitation and Nursing Center
A renowned medical center in New York named VillageCare Rehabilitation and Nursing Center (VCRN) suffered a business email compromise (BEC) attack in December 2019. An employee at the medical center received an email that was designed to look like it came from one of the institution’s senior staff members. The email requested information about VCRN patients. Tricked by the fraudulent email, the employee handed over the personal information of 674 patients. The compromised information included the patients’ names, surnames, dates of birth and medical insurance information.
Eliminating Human Error in the Healthcare Industry with ThreatCop
The above instances make one thing abundantly clear: something needs to be done to prevent cyber attacks on healthcare institutions, especially those caused by human error. There is no better way to mitigate human error than creating a cyber resilient work culture in your organization. To do that, you need to provide every single member of your staff with effective cyber security awareness training.
Security awareness training is absolutely essential to equip your employees with the knowledge they need to detect and avoid cyber attack attempts. It makes your employees understand the risk of not following cyber security best practices and the benefits of being vigilant. They become aware enough to identify different kinds of attack vectors being used by cyber criminals. This can significantly help in mitigating human error and the risk of cyber attacks.
You can implement cyber security awareness training tools like ThreatCop to make these training sessions more effective and hassle-free. ThreatCop allows you to run dummy cyber attack campaigns on your employees to test their response to cyber attack attempts. This lets you accurately assess the real-time threat posture of your organization and provides your employees with hands-on experience in dealing with cyber attacks.
In addition to realistic cyber attack campaigns, this tool also has an extensive library of engaging and informative cyber security awareness content for effective knowledge transfer. It also assesses the vulnerability level of your employees before and after the training exercise through interactive quizzes. So, you can choose ThreatCop to provide your employees with comprehensive training in the basics of cyber security and to create a cyber hygienic work environment.