Assessing the 10 largest healthcare breaches of 2018

Published: July 12 2018, 4:00am EDT

The largest healthcare breaches of 2018

So far in 2018, healthcare organizations have been hit by a steady stream of data breaches that have compromised protected health information. Here are the 10 largest breaches covered by Health Data Management so far this year.

Med Associates

Latham, N.Y.

Records affected: 276,057

Med Associates, a vendor offering claims processing services for providers in the Albany region of New York, recently notified 276,057 individuals about a data breach after a computer was hacked. The company discovered that a third party had accessed the computer remotely after an associate noticed that another user was logged into her workstation.

Center for Orthopaedic Specialists

West Hills, Calif.

Records affected: 85,000

The Center for Orthopaedic Specialists in the greater Los Angeles area—part of the Providence Health & Services delivery system—offered 85,000 patients a comprehensive suite of protective services after a ransomware incident earlier this year. The attack affected three of the center’s five sites, with malicious software deployed to gain access to and encrypt patient data.

The Oregon Clinic

Portland, Ore.

Records affected: 64,487

The Oregon Clinic, serving the Portland metropolitan region, on March 9 learned that an unauthorized party had accessed one of the organization’s email accounts, thus potentially gaining access to patient information. The clinic disabled the email account, launched an investigation and contracted with a digital forensics firm to assess the nature and extent of the breach.

Triple-S Advantage

Puerto Rico

Records affected: 36,305

Triple-S Advantage, the Blue Cross Blue Shield licensee in Puerto Rico, ran afoul of privacy and security regulations after mailing a large number of notices with protected health information to incorrect addresses. The insurer sent notification letters to 36,305 patients outlining the disclosure of protected health information after the error was discovered.

Decatur County General Hospital

Parsons, Tenn.

Records affected: 24,000

Decatur County General Hospital, a 40-bed facility, offered 24,000 patients one year of credit monitoring services after its electronic health record system was hacked. The incident appeared to be a ransomware attack, although the organization did not use that term in the notification letter it sent to patients.

UnityPoint Health

West Des Moines, Iowa

Records affected: 16,429

UnityPoint Health, a multi-hospital delivery system serving parts of Iowa, Illinois and Wisconsin, was the victim of a phishing attack discovered in February that compromised some employees’ email accounts. In acknowledging the breach, the organization reported that access could have been undetected for several months.

HealthEquity

Draper, Utah

Records affected: 16,000 individuals

HealthEquity, a custodian of more than 3.4 million health savings accounts, had a data breach after one employee’s email account was accessed by an unauthorized person. Two companies in Michigan that receive services from HealthEquity were affected by the breach.

Kansas Department for Aging and Disability Services

Topeka, Kan.

Records affected: 11,000

On February 23, the Kansas Department for Aging and Disability Services became aware of a potential breach of protected health information after an employee sent an unauthorized email containing personal health information to a group of current KDADS business associates.

Primary Health Care

Des Moines, Iowa

Records affected: 10,313

Primary Health Care in Des Moines, Iowa, on March 1 discovered that the email accounts of four employees were accessed without authorization, as well as related Google drives handling cloud storage and file backups. The organization believed that patient information was only accessible for a day, because the email accounts were compromised on February 28.

Charles River Medical Associates

Framingham, Mass.

Records affected: 9,387

Charles River Medical Associates, a part of Partners Healthcare System with 75 multi-specialty providers serving 15 sites, discovered an unencrypted hard drive was missing. The hard drive was used to perform monthly backups of the Bone Density Testing workstation, and without the hard drive, the organization could not determine if information on the drive was compromised. In the end, 9,387 individuals were notified.
