Few forms of data breaches are as frightening to companies and customers as those involving personal health information. In addition to the potential financial impact of these breaches, there’s also a sense of personal exposure that sets them apart from other forms of cyberattacks. Some of the biggest data breaches of the last few years have involved healthcare information, with the most recent incident making headlines earlier this month. These attacks highlight the important role that HIPAA compliance plays in data center security and stand as cautionary tales about failures to invest adequate resources in protecting vital healthcare data.
2019 Quest and LabCorp Breaches
In June of 2019, Quest Diagnostics, one of the largest US providers of laboratory testing services, reported that a massive third-party data breach in its supply chain potentially exposed the personal information of 12 million customers. The breach itself involved the billing collections vendor AMCA (American Medical Collection Agency), which had fallen victim to a “man-in-the-middle” cyberattack that allowed hackers to log the personal and payment information entered by visitors to its payment site. Although Quest assured customers that their internal medical records were not compromised, any personal health information entered on the AMCA site might have been exposed as part of the vendor data breach.
The breach was discovered by AMCA and reported to Quest in May of 2019, but the attackers are believed to have been accessing information since August of 2018. Unfortunately, the damage wasn’t confined only to Quest’s customers. Days after Quest issued an announcement revealing the breach, another major laboratory testing provider, LabCorp, revealed that up to 7.7 million of its customers might have had their personal health information exposed due to this third-party data breach as well. Subsequent SEC filings about the breach revealed that LabCorp also contracted with AMCA for billing services.
Another testing provider, BioReference, would later announce that around 422,000 of their patients could have been impacted by the vendor data breach, pushing the total number of customers affected up to 20 million. Additional companies would be added in the following days, leading to a number of class-action lawsuits against the companies involved and calls for government investigations to uncover what went wrong. The intense scrutiny and financial pressure quickly overwhelmed AMCA, forcing the company to file for Chapter 11 bankruptcy protection within weeks of Quest’s initial announcement of the third-party data breach.
Record-Setting Breaches for 2019
News of this vendor data breach came in the wake of a rather dismal two-month stretch for the state of healthcare cybersecurity. The month of April set an all-time record for the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights, with a total of 46 incidents. May wasn’t much better, with 44 such breaches that potentially exposed nearly two million people’s health information, a much higher count of affected people than in the previous month.
It remains to be seen whether these months are an anomaly or the beginning of a new trend. On average, there were 29.5 healthcare data breaches per month in 2018, accounting for about one-quarter of data breaches across all industries. That same year saw the US government issue $26 million in HIPAA penalties to healthcare-connected companies.
A Place in Infamy
With 20 million people affected (and potentially more yet to be revealed), the AMCA data breach already ranks among the largest healthcare data breaches in history. It takes its place alongside a number of infamous breaches revealed throughout the course of 2015, which stands out as the worst year on record by a substantial margin. Here is a quick rundown of three of the worst data breaches in the healthcare industry, all of which were revealed in 2015:
- Excellus (10 million people affected): A two-year-long intrusion into the health insurer’s records exposed a wide range of information about potentially all of its customers. Although this information was encrypted, hackers managed to gain administrative access to the network, rendering many of the company’s cybersecurity measures useless, since an administrator-level account can decrypt data just as the legitimate application does.
- Premera (11 million people affected): The breach was noteworthy for the large number of medical records involved in the attack. In addition to banking accounts and Social Security numbers, the months-long attack also exposed clinical information that is highly prized by cybercriminals who can use it to carry out insurance fraud.
- Anthem (78 million people affected): The big one. When the health insurer announced this record-setting data breach, many of the people impacted had no idea that Anthem even had access to their healthcare information (the company often managed paperwork and other tasks for smaller insurance companies). From the moment the attack was made public, people began questioning how such a catastrophic security failure could happen. Federal regulators had the same questions, and the answers they found wound up costing Anthem a record $16 million as part of its HIPAA violation settlement in 2018.
Given the developments of the last several years, organizations cannot afford to take any chances when it comes to protecting healthcare information. They can take a strong first step toward that goal by partnering with vendors who fully comply with HIPAA regulations and standards. Colocation data centers can give companies a great leg up on compliance by providing a secure environment for healthcare data. SSAE compliance standards also help to ensure that any vendor a data center works with will adhere to the same compliance requirements, greatly reducing the risk of a third-party data breach like the one involving Quest, LabCorp, and AMCA.