small- and mid-sized business healthcare data breaches

We’ve discussed some truly malicious data breaches in this blog. (We’re talking about the exposure of hundreds of thousands of taxpayer social security numbers and millions of LinkedIn passwords: ugly stuff. Ring any bells?) But we’ve yet to focus on the genuinely terrifying topic of healthcare data breaches. Why would hackers care about John Doe’s blood pressure log, the heart medication he takes or the genetic mutation he carries that makes him prone to cancer? Clearly, they don’t. But they are happy to nab that data and make it public in a twisted bid for “fame” or to hold that information ransom pending payment. We here at Frontier IT in Colorado Springs review five seriously scary healthcare data breaches. We hope this serves as a reminder to business owners and healthcare providers of the importance of backing up and securing your clients’ electronic protected health information (ePHI). It could be a matter of life and death.

21st Century Oncology Holdings
Fort Myers, Florida
More than 2 million potentially affected

Stealing the data of cancer patients. Could you go much lower? In November 2015, the FBI informed healthcare giant 21st Century Oncology Holdings that patients’ data was illegally accessed, according to Health Data Management. This information may have included diagnoses, details of treatment, doctors’ names and insurance information, a traumatic information breach targeting those fighting for their lives. In an SEC filing, 21st acknowledged that it may not have carried enough insurance to cover all liabilities resulting from the attack and said it would be responsible for “deductibles and any other expenses that may be incurred in excess of insurance coverage,” Health Data Management reported. The company operates nearly 200 cancer treatment centers in the U.S. and Latin America.


Brandywine Pediatrics
Wilmington, Delaware
Nearly 30,000 potentially affected

Here again, this may be a new low: stealing the protected health information of children. According to HIPAA Journal, the attack occurred in the fall of 2016 and involved tens of thousands of patient records. Though Brandywine did not explicitly state that the attack was ransomware, it “informed patients that the virus rendered ePHI inaccessible. In order to regain access to files it was necessary to restore files from data backups,” HIPAA Journal reported. At-risk data included the usual personally identifiable information, as well as health records and insurance details.




Akron Children’s Hospital
Akron, Ohio
Nearly 8,000 potentially affected

Imagine that your voice was recorded during one of your most vulnerable moments, during your child’s transport to a hospital, and that the recording wasn’t kept private. The families of thousands of Akron Children’s Hospital patients were notified in the fall of 2015 that their healthcare data may have been compromised, specifically “voice recordings of conversations between dispatchers and hospital workers during the medical transport of Akron Children’s Hospital patients,” according to Health IT Security. Additional data potentially exposed included names, dates of transport, chief medical complaints and names of physicians. The information was stored on a backup drive that had been misplaced, Health IT Security reports.


Kaiser Permanente Northern California Division of Research
Oakland, California
More than 5,000 potentially affected

This one took guts (and we don’t mean that as a compliment). Hackers used malware to infiltrate a server owned by insurance giant Kaiser Permanente’s Northern California Division of Research, according to Becker’s Health IT & CIO Review. The breach occurred in October 2011, but wasn’t discovered for more than two years. Information potentially exposed included names, addresses, ethnicities and lab results of research participants, among other items. At the time it was KP’s fourth major privacy breach in five years, according to Health IT Outcomes.

Banner Health
Based in Phoenix, Arizona
Nearly 4 million potentially affected

Banner Health, which operates clinics, hospitals, surgery centers, pharmacies and other types of medical facilities in seven states, announced last July that its computer systems had been compromised, potentially exposing the personal data of 3.7 million, according to Health Informatics.

Patients weren’t the only targets. The personal information of healthcare providers like doctors and nurses, including names, social security numbers, birth dates and Drug Enforcement Administration numbers, was also exposed, according to Health Data Management.

To make matters worse, the payment information of those who purchased food and beverages (perhaps at a hospital cafeteria while visiting a loved one) was also put at risk.

Affected parties in the seven states Banner operates in (Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming) were sent a letter offering a free year of credit monitoring.

The lesson in all this? Businesses that deal with medical records would be wise to ensure those records are ruthlessly protected in order to guard against data breaches. They should also ensure that these records are backed up in “the cloud” so that this important information is always accessible, even in the case of localized disasters like hurricanes, tornadoes and fires.

Why? For one, there are those pesky, hefty HIPAA fines. And most importantly, it’s the right thing to do, as a lack of access to medical records at the wrong time could result in a patient’s death.

How’s a small business owner to coordinate all of this?


Just pick up the phone and call a reputable managed service provider, or MSP, that can offer you the IT services your business needs (like disaster recovery planning and server/network monitoring) in an affordable, à la carte fashion.

Let’s chat about how an MSP like Frontier IT can come alongside your company to ensure its success, as well as the security of your patients’ medical records. Drop us a line today.
