By Hackers targeted a medical transcription service earlier this year and managed to steal the personal health data of nearly nine million individuals, making it one of the largest breaches to hit U.S. healthcare providers in recent years.
The breach, disclosed on November 3 to both California and federal regulators, impacts patients from various hospital systems across the country. Notably, Northwell Health, a prominent nonprofit network in New York, and Cook County Health, a Chicago-based public hospital system, were among the affected organizations.
The breached files contained data pertaining to 8,952,212 individuals. Although the specific information accessed varied for each person, it generally included names, addresses, and initial diagnoses. In some cases, the hackers may have also obtained Social Security numbers, insurance details, test results, medications, and even the names of the treating physicians.
The healthcare industry has been increasingly targeted by hackers, causing significant concerns. Over the past two years alone, U.S. healthcare providers have reported major data breaches impacting more than 128 million individuals, as documented by the U.S. Department of Health and Human Services’ breach database. This database accounts for breaches that affected at least 500 individuals within a 24-month period.
Notably, the healthcare and public-health sectors experienced a surge in ransomware attacks in 2022, surpassing all other industries in terms of victimization, as stated by the Federal Bureau of Investigation.
The breach of the medical transcription service highlights the urgent need to prioritize cybersecurity measures within the healthcare industry. Safeguarding sensitive personal health information from cyber threats should remain a top priority for providers in order to protect both patients and their invaluable confidentiality.
The Largest Healthcare Data Breach: HCA Healthcare
The healthcare industry has recently been hit by one of the most significant data breaches in the last two years. HCA Healthcare, a well-known publicly traded company operating hospitals and medical facilities across the U.S., fell victim to this breach, which compromised the personal information of over 11 million individuals.
Discovery and Response: HCA identified the breach on July 5th of this year and promptly issued a public statement on July 10th, addressing the incident. Following this, affected patients were notified beginning in mid-August.
Additional Incident Reports: Another company, PJ&A, revealed that it had become aware of a potential data security incident on May 2nd. After investigation, they confirmed that customer data had been compromised by May 22nd. The incident was reported to the California attorney general on November 3rd.
In a separate statement, Cook County Health disclosed that PJ&A had informed them about the data security incident on July 21st.
Investigation Progress: PJ&A engaged a cybersecurity consultant to conduct a thorough investigation into the breach. They shared the results of this investigation with their customers on September 29th. Subsequently, Cook County Health received a final list of affected patients on October 9th. Patient notifications began on October 31st.
Disclosure Timing: When questioned about the timing of their disclosures, PJ&A did not provide a response.
Repercussions: Cook County Health, which had 1.2 million patient records involved in the breach, has severed its relationship with PJ&A due to the incident.
Protection Measures: Both Northwell and Cook County Health have proactively offered identity-theft protection services to their affected patients at no cost.
It’s evident that this breach has serious implications for both HCA Healthcare and the other healthcare providers involved. The swift response and accountability demonstrated by these organizations are crucial in mitigating the potential risks for the affected individuals.
Comments