Healthcare data breaches of 2018

healthcare breaches

The healthcare industry continues to be a prime target for data breaches. According to the Office of the Australian Information Commissioner (OAIC), the healthcare sector reported 65 breaches between February and June 2018, which was far more than any other industry.

Some of the breaches involved small clinics and private practices, but even large healthcare organisations were also affected. Here are a few of the biggest healthcare data breaches of 2018 so far.

  • HealthEngine
    HealthEngine, the healthcare booking platform, reported a data breach to the OAIC when it found out its ‘patient recognition system’ could be accessed by unauthorised users due to a coding error in their website. Of the 59,600 entries in the system, 75 contained personally identifiable information that may have been stolen by hackers.
  • Health Department
    The Federal Health Department also reported a breach when it released “de-identified” health records of over 2.5 million people online. Although the published records did not contain names or contact information, they did include year of birth, sex, medical histories, and prescriptions, which would allow any sufficiently motivated cybercriminal to identify the patient.
  • Family Planning NSW
    On Anzac Day, a ransomware attack on Family Planning NSW (FPNSW) compromised the information of up to 8,000 clients, including their names, contact details, and enquiries about reproductive and sexual health. The ransomware targeted a string of vulnerabilities on the FPNSW website, which could have been avoided with regular security patching.

Why is healthcare a target?

Any organisation that handles personally identifiable information is always going to be an attractive target for cybercriminals. Healthcare records and databases contain troves of contact details, tax file numbers, health information, and credit card data that are extremely valuable on the black market. Access to this information enables would-be criminals to make false insurance claims, resell prescription drugs, and even launch more effective phishing attacks.

Why are they so vulnerable?

Modern healthcare institutions are more reliant on web portals, digital records, and internet-enabled devices than ever, creating more potential access points to healthcare networks. At the same time, cybercriminals are employing more sophisticated ransomware, phishing, and brute-force attacks that make it easy to compromise user accounts and data.

However, the biggest threat to healthcare industries according to the OAIC is human error. Up to 59% of healthcare breaches were due to sending personal details to the wrong email address, loss of paperwork and storage devices, and unintended publication of sensitive information. Such lax approach to cybersecurity allows hackers to freely steal data.

What should healthcare organisations do?

The recent OAIC report reinforces the idea that healthcare providers need powerful, multi-layered cybersecurity. This means installing the latest firewalls, intrusion prevention systems, antivirus programs, email security software, and security patches, while performing routine maintenance checks to prevent FPNSW and HealthEngine-esque breaches.

It’s also important not to forget about the human element of cybersecurity. Healthcare institutions must provide comprehensive cybersecurity training to teach employees about password best practices, information handling protocols, and how to recognise phishing attempts.

If you’re in the healthcare sector, a top-class managed services provider like Empower IT Solutions can give you all this and more. We provide advanced security software, data backups, and security training services to ensure the confidentiality, integrity, and availability of your data. We even customise our solutions and services to meet your specific needs, and the best part is, you don’t have to pay hundreds of thousands to get such high-levels of service. Call us today for more information.