More than 100 breaches have been reported to the federal government since Jan. 1, and some have affected hundreds of thousands. As part of our series on cybersecurity this week, we look at the largest attacks in the first three months of the year.
Cybersecurity experts warned that there would be many attacks aimed at the healthcare industry in 2022, and their projections have been accurate.
Healthcare organizations must report breaches affecting more than 500 people to the U.S. Department of Health and Human Services. In the first quarter of 2022, the health department is investigating 125 breaches affecting at least 500 people.
Combined, those incidents have affected millions of people nationwide.
These are the 10 largest cyberattacks reported to the health department in the first three months of the year. All 10 of these incidents affected at least 100,000 people.
It’s worth noting some of these breaches occurred in 2021 but were reported in 2022. Cybersecurity experts say it can take months for healthcare organizations - and companies in other sectors - to detect a breach.
1. Broward Health
The Florida-based health system reported the breach on Jan. 2. The breach has affected more than 1.3 million people, according to the health department.
In a statement, Broward Health said someone gained access through a third-party medical provider. The system said it first discovered the breach on Oct. 19, 2021 and said it promptly notified the FBI and the U.S. Department of Justice.
Broward Health said the justice department advised the organization to “briefly delay this notification to ensure that the notification does not compromise the ongoing law enforcement investigation.”
Broward instituted a password reset and undertook other measures to bolster security. It also has enacted tougher security requirements for those devices outside the organization with access to its network.
The health system said the intruders were able to access private data including patient names, dates of birth and Social Security numbers. The system said there was no evidence the information was misused.
Broward Health said it has worked to bolster its defenses and offered those affected services to detect and resolve identity theft.
2. Morley Companies
The organization reported a hacking incident to the health department Feb. 2. More than 520,000 people have been affected.
Michigan Attorney General Dana Nessel said the company reported “a data security incident that may have impacted data belonging to current employees, former employees and various clients,” ABC12 in Flint, Michigan reported in February.
The Michigan prosecutor sent an advisory to the public in February. Morley, which serves health plans and other businesses, found attackers gained access to client and employee data. The company has offered resources to those affected.
Nessel warned those who have been affected to be wary of suspicious emails from bad actors who may try to take advantage of victims by gaining access to more information.
3. Monongalia Health System
The West Virginia healthcare provider reported a breach affecting more than 492,000 people. It was reported Feb. 28.
The system said in a news release it learned of the breach in December involving information pertaining to patients, employees, and contractors. The system said intruders gained access between Dec. 8 and 19, 2021.
Mon Health said the incident did not involve unauthorized access to electronic health record systems.
The organization said it took part of its IT network offline and began downtime procedures, along with other measures to strengthen security.
4. South Denver Cardiology Assoc.
The Colorado-based group reported an incident that affected more than 287,000 people. South Denver Cardiology reported the breach to the health department on March 4.
In a statement, the organization said it first learned of unusual activity in the network Jan. 4 and determined someone accessed files between Jan. 2 and 5.
South Denver Cardiology said the intruder was able to access patients’ private data, but there was no impact to the content of the patient medical records and no unauthorized access to the patient portal. The group provided a toll-free number for patients to ask questions and said it was taking steps to improve security.
5. Norwood Clinic
The Alabama-based healthcare provider disclosed it had an incident affecting 228,000 patients. The health department said the incident was reported Feb. 25.
The Norwood Clinic said in a statement it discovered a cyber attack had taken place in October. The clinic said the attacker gained access to servers that stored patient information, such as birthdates and Social Security numbers. The information did not include financial information or credit or debit card numbers, Norwood said.
Norwood said it has employed cybersecurity experts to review its systems and has worked to improve its network security. Norwood also offered credit monitoring and identity theft protection services to patients.
6. Logan Health Medical Center
The medical center in Kalispell, Montana suffered a breach affecting more than 213,000 people, according to the health department. The incident was reported Feb. 22.
Logan Health said it first learned of suspicious activity in November and confirmed intruders gained unauthorized access to files in January. The medical center said there was no unauthorized access to electronic health records and there is no indication personal information was misused.
The medical center said it is offering two years of identity protection to those affected and is working to bolster security of its systems.
7. Medical Review Institute of America
The Utah-based organization suffered a breach affecting more than 134,000 people, the health department says. The incident was reported Jan. 7. The institute offers clinical reviews for health plans and providers.
In a statement, the organization said it was the victim of a “sophisticated cyber-attack” in November. The institute said intruders gained access to personal information including dates of birth, Social Security numbers and other demographic details. The institute said in January it was not aware of any incidents of identity theft due to the breach.
The institute said it retrieved and “confirmed the deletion of the obtained information to the best of its ability and knowledge.” Credit and identity monitoring services are being offered.
8. Medical Healthcare Solutions, Inc.
The organization, based in Massachusetts, reported an incident affecting nearly 134,000 people, according to HHS. The breach was reported Jan. 22. Medical Healthcare Solutions provides surgical billing services.
The company said it discovered the breach in November and determined files were removed from its network between Oct. 1 and 4, 2021. The intruders gained access to patients’ protected health information and information about the medical care they received.
Medical Healthcare Solutions established a hotline for patients to call with questions and offered two years of credit monitoring and identity protection. The company also said it has stabilized and reopened the network and added tougher security measures.
9. South Shore Hospital Corp.
The data breach at the Chicago-based healthcare provider affected more than 115,000 people, the health department says. The incident was reported Feb. 7.
The intruders gained access to personal health information that may have contained Social Security numbers, Medicare and Medicaid information, financial information and health insurance information, South Shore Hospital said.
South Shore Hospital is offering 12 months of identity theft protection services and credit monitoring. The organization said it has imposed stronger password requirements, multi-factor authentication and more training, along with additional tools to counter malware and email phishing.
10. Comprehensive Health Services
The organization suffered a breach affecting more than 106,000 people, according to HHS. It was reported to the health department Feb. 15.
The provider, based in Cape Canaveral, Florida, said in a statement it learned in November 2021 some personal information may have been accessed. The organization first detected unusual activity Sept. 30, 2020.
The information accessed may have contained names, birth dates, and Social Security numbers.
Comprehensive Health Services, which provides medical management services, established a toll-free hotline to address questions from those affected. The company said it is “investing in enhanced security measures.”