Data breaches can be costly and damaging to the victims involved, and in 2022, it looks like the trend of health data breaches is only getting bigger. From huge companies such as Eye Care Leaders and Shields Health Care Group to smaller ones such as Practice Resources, LLC, there have been a growing number of health data breaches in the past year. In fact, it’s estimated that over 17 million individuals have been impacted by medical data breaches in 2022 alone. So what is causing these breaches? Where are they occurring? And what is 2022 looking like for medical data security? Tune in to find out more about the biggest health data breaches of this year!

In 2022, there was a great risk of data breaches and leaks

In 2022, there were 4,100 reported public data breaches. It is reported that in 2020, around 22 billion records were compromised. Security Magazine projected that the number of records accessed in 2022 could be up to five percent higher than this figure.

Among these data breaches and leaks, several phishing attacks, malware, and cyber-attacks were counted among the most-read cyber security news stories of the year. These included Rockstar’s data breach which exposed around 2 million customer records, Uber’s leak of 57 million accounts, Twitter’s hack impacting 33 million users, and Revolut’s leak of 2.3 million customers’ information.

It is clear that data breaches remain a serious problem in today’s digital world and organizations must take greater steps to protect their customers’ sensitive information. Unfortunately, as technology becomes ever more advanced so do the techniques used by hackers – meaning it is an ongoing battle between companies and criminals trying to get access to our personal data.

OneTouchPoint and 2.6 million individuals impacted

OnTouchPoint has provided an amended breach notification to the Maine Attorney General’s Office that shows the data breach impacting 1,073,316 people is larger than initially reported. 2,651,396 individuals were affected. OTP reported that the affected files held names, member IDs, and health assessment data. In late April, OTP identified encrypted files on certain computer systems and initiated an investigation to determine whether any unauthorized party had gained access to its servers. As the individuals notified in this round of notices are current or former employees, OTP is issuing this notice as a reminder of the need for robust cybersecurity protocols to safeguard sensitive data and hinder data breaches from occurring.

This data breach highlights the need for cyber security and serves as a reminder that our data is not always safe from potential risks. This incident should act as a reminder for businesses to commit to data protection and enhance their security. Let us now investigate the most common data breaches and leaks of 2022.

Eye Care Leaders and 2 million individuals impacted

On June 17th, 2022, a security breach was detected on the myCare Integrity system of Eye Care Leaders, possibly impacting two million people from multiple organizations. The Texas Tech University Health Sciences Center (TTUHSC) was responsible for 1.3 million of the affected cases. TTUHSC has notified that the breached databases potentially included patient names, phone numbers, addresses, emails, gender, birth dates, driver’s license numbers and health insurance information. ECL’s ophthalmology services had their medical information accessed and is now being sued for their handling of the incident.

This data breach is a stark reminder of the importance of developing and maintaining adequate cybersecurity protocols to protect sensitive data. Companies must take responsibility for their actions, and ECL will face serious repercussions as it works to address the fallout from this incident.

Eye Care Leaders (ECL) is a leading provider of eye care products and services. Founded in 2011, ECL works with eye care organizations to provide medical screenings and treatments, contact lenses, eyeglasses, and more. Unfortunately, the company was hit with a massive data breach in June 2022 that exposed the personal information of over two million individuals. Investigators believe that sensitive data such as patient names, addresses, phone numbers, emails, gender, birth dates, driver’s license numbers, and health insurance information may have been accessed. Additionally, medical information relating to ophthalmology services may also have been compromised.

In response to the breach, ECL has released a statement saying that they are “working tirelessly to strengthen our security protocols and processes in order to prevent similar incidents in the future.” The company has also implemented a number of security measures to protect customer data and is working with law enforcement to investigate the breach. Eye Care Leaders has also set up a hotline for those affected by the breach and is providing identity monitoring services at no cost.

This incident serves as an important reminder that businesses must prioritize cybersecurity and invest in robust security measures to protect customer data. Companies must also be prepared to handle a data breach if one should occur, as the repercussions can be severe. By taking the proper steps to protect sensitive information, businesses can help ensure that their customer’s privacy is not compromised.

The Shields Health Care Group has served two million individuals

On 28 March 2022, Shields Health Care Group noticed unusual activity on their network. An investigation revealed that an unidentified third party had accessed systems between March 7th and 21st, resulting in the exposure of sensitive data from two million individuals. Shields experienced a data breach that exposed full names, Social Security numbers, provider information, diagnoses, billing information, and more of approximately two dozen facility partner patients in Massachusetts. As a response to this incident, Shields is evaluating its safeguards to increase patient data protection.

Shields Health Care Group is deeply sorry for this unfortunate incident and the impact it has had on 2 million individuals. We are committed to doing whatever we can to protect patient data going forward, and take this matter very seriously. As a next step in our efforts to ensure security, Shields will be collaborating with Professional Finance Company to review existing safeguards and create more secure systems.

Professional Finance Company and 1.9 million individuals impacted

In July, Professional Finance Company (PFC), an account receivable management agency based in Greeley, Colorado, disclosed a ransomware attack to the Office of Civil Rights (OCR). The breach was discovered and addressed in late February and impacted 660 healthcare organization clients as well as around 2 million individuals. Personal information such as first and last names, account receivable balance, payment info, addresses, birthdates, health insurance information, medical treatment data, and Social Security numbers was compromised.

Following the incident, PFC took steps to upgrade its network security by sanitizing and reconfiguring affected systems.

PFC is committed to providing the highest level of data security to its clients, and they are working hard to ensure that its systems remain secure. The incident serves as a reminder of why it is important for organizations and individuals alike to be vigilant in protecting personal information. Stay tuned for more on this story as we explore the impact of the Novant Health ransomware attack which affected 1,362,296 individuals.

Novant Health and 1.3 million individuals impacted

In December 2022, Novant Health announced a data breach involving 1.3 million patients. An incorrect Meta pixel code was found to be the cause of the incident, which might have caused an unauthorized disclosure of PHI. According to The Markup and STAT, hundreds of hospital websites in patient portals were misutilizing MetaPixel from Facebook’s parent company, risking data transmission to Facebook upon appointment scheduling. This has led to a legal dispute regarding the breach incident.

Novant Health’s data breach is a reminder that the personal information of millions of individuals can be at risk when companies fail to properly secure their systems. It’s an instance that should prompt organizations to take a closer look at their own practices and ensure that they are doing everything in their power to protect patient privacy. As the investigation into Novant Health’s breach continues, it remains to be seen what further implications this incident will have. And in another major health system breach, Broward Health is

Broward Health and 1.3 million individuals impacted

In January 2022, Broward Health, based in Florida, sent out notifications to over 1.3 million individuals regarding a healthcare data breach. The notification was delayed at the request of the Department of Justice as they wished to not interfere with a law enforcement investigation. Unauthorized access to Broward Health’s network was gained through an office of a third-party medical provider, exposing personal and financial information, including Social Security numbers, phone numbers, birth dates, addresses, email addresses, financial account information, insurance information, and account numbers, medical record numbers, driver’s license numbers and medical information for all affected individuals. In order to counter the breach and ensure patient data security, Broward Health carried out an enterprise-wide password reset and instituted multi-factor authentication.

This breach highlights the need for organizations to take proactive measures to protect confidential information. While the full extent of the breach is still being determined, Broward Health has taken steps to help protect patient data security and ensure proper notification. Next up: Baptist Medical Center is facing a similar data security issue – stay tuned for more details!

Baptist Medical Center and 1.2 million individuals impacted

On April 20, 2022, the Baptist Medical Center, which is affiliated with Tenet Healthcare and a part of the Baptist Health System, experienced a cyberattack that impacted the personal data of 1,243,031 individuals. The unauthorized access to certain systems included patient demographic information such as Social Security numbers, health insurance information, medical record numbers, diagnoses information, and dates of service. Furthermore, billing and claims information was also exposed.

Tenet Healthcare has since taken steps to ensure that similar incidents do not occur in the future by enhancing security measures and hardening systems as appropriate. However, this does not undo the damage already done and has prompted a lawsuit against Tenet Healthcare for alleged negligence in implementing technical safeguards to protect patient data. It remains to be seen what will happen with Baptist Medical Center’s case but it serves as an example of why all healthcare organizations must take cybersecurity seriously and invest in proper protection measures.

It is clear that cyberattacks on healthcare organizations can have devastating consequences, and it is essential for all organizations to take proactive measures to protect patient information and data. The case of Baptist Medical Center is a prime example of why this is so important, and the outcome of this lawsuit will be an important reminder for all healthcare organizations to stay vigilant when it comes to cybersecurity. Now, we turn our attention to MCG Health, where another massive breach has recently occurred impacting 1.1 million individuals.

Crypto Hacks

MCG Health and 1.1 million individuals impacted

In March of 2022, MCG Health suffered a large-scale data breach that affected 1.1 million individuals and eight client organizations. The breach compromised names, addresses, phone numbers, gender, dates of birth, medical codes, and Social Security numbers. The number of affected individuals was reported as 793,283 according to the MCG Health report to the Office for Civil Rights (OCR); a report filed with the Maine Attorney General’s office suggested that the total reached 1.1 million. It is probable that separate notifications were sent to law enforcement which prompted this discrepancy. The breach may have occurred as early as February 2020 and is an alarming reminder of how vulnerable our health data can be in an increasingly connected world.

The MCG Health breach is a stark reminder of the risks associated with trusting our sensitive health data to third-party organizations. We must take steps to better protect our privacy, both as individuals and as organizations. But first, let’s take a look at Practice Resources LLC, which saw an even bigger data breach impacting 942,128 individuals.

Practice Resources, LLC and 942,128 individuals impacted

Practice Resources, LLC (PRL) has recently suffered a ransomware attack that affected over 942,000 individuals. The incident originated in April and involved names, addresses, dates of treatment, health plan numbers, and medical record numbers. In response to the attack, PRL quickly sought out the help of third-party experts to secure their systems and issued a statement saying they are “proactive in the careful handling of such information”. Following this event, PRL has implemented a series of cybersecurity enhancements to ensure the safety of sensitive data. All impacted healthcare organizations have been notified and are taking steps to protect their patients’ information from further harm.

PRL is committed to the highest level of security and data protection for our patients, striving to ensure that no one else experiences a similar incident in the future and all impacted individuals are informed. As we continue to work hard on our cyber safety initiatives, Partnership HealthPlan of California has reported that 854,913 individuals have been affected by this attack — read on to learn more about their response.

Partnership HealthPlan of California has reached 854,913 individuals

In March 2022, Partnership HealthPlan of California (PHC) was the victim of a cyberattack by the notorious Hive ransomware group. This attack resulted in a complete shutdown of PHC’s systems and phone networks with no expected time for repair. By April 15, PHC had restored its website functionality and provided a breach notification indicating that 854,913 individuals’ data may have been impacted. The data potentially exposed included patient names, medical record numbers, tribal IDs, diagnoses, prescription information, treatment information, and health insurance information. Following the attack, an impacted individual filed a lawsuit against PHC claiming that it failed to take the steps necessary to prevent such an incident from occurring.

The attack on Partnership HealthPlan of California serves as a reminder that companies must always remain vigilant in defending their networks, especially against sophisticated threats like ransomware. Companies must take all necessary steps to ensure the security and privacy of their customer’s data, or they could suffer the consequences. However, this is not the last time we will hear about a cyberattack impacting patient information – next up: Advocate Aurora Health and 3 million patients.

Advocate Aurora Health and 3 million individuals impacted

Advocate Aurora Health recently revealed that 3 million of its patients’ personal data was inadvertently disclosed to Google and Facebook due to the use of Pixel on its patient portals, websites, applications, and scheduling tools. This data included IP addresses, appointment dates and times, location proximities to Advocate Aurora Health locations, provider details, procedure types, communications on the MyChart platform, insurance information, and proxy names.

Since then Advocate Aurora has removed or disabled the affected pixels and is currently assessing the impacts of their actions while working to reduce the risk of unauthorized disclosures. They are also actively defending themselves against multiple class action lawsuits brought in the wake of this security breach.

Advocate Aurora Health has taken initial steps to improve its security protocols and protect patient data, but the full impact of this breach is still uncertain. As the organization continues to work towards restoring trust with its patients, it’s important to note that another large-scale security breach involving Connexin Software exposed 2.2 million patients’ information – and an even bigger story awaits.

Connexin Software and 2.2 million individuals impacted

On August 26th, Connexin Software, a vendor of pediatric electronic medical records and management software, detected an anomaly in their network. Subsequent investigation determined that an unauthorized user had accessed the offline data used for conversion and troubleshooting, resulting in a breach of 2.2 million patients from 119 provider offices.

Connexion has reported that the stolen data includes names, contact details, social security numbers, guarantor names, parent or guardian names, dates of birth, health insurance information, treatments and procedures, diagnoses, prescriptions, medical record numbers, and billing and/or claims data. They also noted that their live EMR system was not affected by the incident and gave an explanation regarding why there was a delay in informing patients and their families.

Connexin should take measures to protect offline data, and ensure that patients and their families are kept informed in a timely manner. This incident highlights the fact that computer systems and networks can be vulnerable, exemplified by the recently revealed data breach of 8 Community Health Networks, affecting 1.5 million users.

Community Health Network and 1.5 million individuals impacted

In 2022, Community Health Network (CHN) reported one of the largest health data breaches to date, impacting approximately 1.5 million users. CHN had integrated a tracking tool known as Pixel in order to facilitate better access to details regarding critical care services and regulate its patient-facing websites. However, they found that Pixel was inadvertently gathering and sharing user information with technology companies Meta and Google for marketing endeavors. The organization immediately removed or disabled the pixels from their impacted platforms and launched an investigation into the breach. The breach has since been classified as a HIPAA violation due to its failure to protect user data, resulting in serious repercussions for CHN. This incident highlights the importance of proper security measures when handling sensitive healthcare data, as well as the need for organizations to be aware of potential risks when using new technologies.

In the wake of this breach, it’s clear that organizations must take a more proactive approach to data security in order to protect user information. The next section will explore how Novant Health is taking steps to ensure the privacy and security of its patients’ data.

Novant Health and 1.3 million individuals impacted

Novant Health identified a potential misconfiguration of Meta pixel code which may have caused an unauthorized disclosure of PHI. Following the identification of an issue, a pixel was eliminated and an investigation was conducted. Through this investigation, it was determined that some personal data may have been divulged to Meta based on a person’s activity on the Novant Health website and patient portal. As a safety precaution, Novant Health sent out letters to all potentially impacted patients, which included those registered with medically independent sites and facilities linked to MyChart records. A total of 1,362,296 people were affected by the data breach. Novant Health encourages patients to be aware of protecting their personal health information, as there is currently no evidence that Meta or any other third party has tried to misuse patient data.

Novant Health takes the security of its patients’ data very seriously and is working hard to ensure that all information remains secure. As we continue to strive for increased safety, it’s important to stay aware of the potential risks that data breaches present. 

Check out the service where you can see a list of data leaks

The bottom line

Data breaches in the healthcare sector continue to increase, posing a serious risk to patient privacy and security. Organizations must take proactive steps to protect patient data and ensure that they are aware of potential risks when using new technologies. A web application firewall (WAF) is an important solution that can help organizations detect and prevent malicious activities, ensuring that user data remains secure. By implementing these measures, organizations can prevent the devastating consequences of data breaches and ensure that user information remains safe.

Additionally, organizations should ensure that they are aware of potential risks when using new technologies and take steps to mitigate them. Organizations should also regularly review and update their security policies in order to protect user data from potential breaches.

By taking these preventative measures, organizations can better protect their users’ information and prevent the devastating consequences of health data breaches.

We recommend using at least the free online Test WAF tool to find out the security level of your organization.

For innovative healthcare organizations that want to deliver the best patient experiences, need to ensure protection for the patients data (PII) while meeting HIPAA compliance requirements, we recommend use Wallarm’s solution – HIPPA Compliance For Healthcare