2022 Key Third-Party Breaches: Healthcare Still At Major Risk
As we reach the middle of the year, let’s take a moment to look back, reflect, and learn from some of the key third-party breaches of 2022 where healthcare continued to be a top target. Managing vendors and staying aware of who holds your data is a full time job. Each one has a different set of security measures and rarely is your data shared with just one individual or team. In the world of healthcare, where PII is extremely sensitive and systems are often out-dated, opportunities are rampant for threat actors.
Over 500,000 Individuals Were Victim to the Eye Care Leaders EMR Data Breach
Eye Care Leaders, an EMR solution, notified all impacted companies in early March that they had been compromised due to a third-party data breach. This impact first encapsulated 16 companies, and over 500,000 individuals.
The 16 companies impacted include:
- EvergreenHealth: 21,000 individuals impacted
- Arkfeld, Parson, and Goldstein, P.C. doing business as ilumin: 14,984 individuals impacted
- Northern Eye Care Associates: 8,000 individuals impacted
- Ad Astra Eye: 3,700 individuals impacted
- Regional Eye Associates: 194,035 individuals impacted
- Moyes Eye Center: 38,000 individuals impacted
- Burman & Zuckerbrod Ophthalmology Associates: 1,337 individuals impacted
- Shoreline Eye Group: 57,047 individuals impacted
- Finkelstein Eye Associates: 58,587 individuals impacted
- Sylvester Eye Care: 19,377 individuals impacted
- Associated Ophthalmologists of Kansas City: 13,461 individuals impacted
- Fishman vision: 2,646 individuals impacted
- AU Health: 50,631 individuals impacted
As months have passed, that number has grown to 2.9 million patients impacted, and the company list has grown as well.
Affected Eye Care Provider | Breached Records |
|---|---|
Texas Tech University Health Science Center | 1,290,104 |
Stokes Regional Eye Centers in South Carolina | 266,170 |
Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown in West Virginia | 194,035 |
Spectrum Eye Physicians in California | 175,000 |
Mattax Neu Prater Eye Center in Missouri | 92,361 |
Sight Partners Physicians in Washington | 86,101 |
Texas Eye Associates | 75,092 |
Carolina Eye Care Physicians in South Carolina | 68,739 |
Precision Eye Care in Missouri | 58,462 |
Shoreline Eye Group in Connecticut | 57,047 |
Summit Eye Associates in Tennessee | 53,818 |
AU Health in Georgia | 50,631 |
Finkelstein Eye Associates in Illinois | 48,587 |
Aloha Laser Vision in Hawaii | 43,263 |
Center for Sight in Massachusetts | 41,041 |
Moyes Eye Center, PC in Missouri | 38,000 |
McCoy Vision Center in Alabama | 33,930 |
Chesapeake Eye Center in Maryland | 32,770 |
Long Vision Center in Texas | 29,237 |
Frank Eye Center in Kansas | 26,333 |
Lori A. Harkins MD, P.C. dba Harkins Eye Clinic in Nebraska | 23,993 |
Allied Eye Physicians & Surgeons in Ohio | 20,651 |
EvergreenHealth in Washington | 20,533 |
Sylvester Eye Care in Oklahoma | 19,377 |
Cherry Creek Eye Physicians and Surgeons, P.C. in Colorado | 17,732 |
Arkfeld, Parson, and Goldstein, dba Ilumin in Nebraska | 14,984 |
Associated Ophthalmologists of Kansas City, P.C. in Missouri | 13,461 |
Kernersville Eye Surgeons in North Carolina | 13,412 |
Northern Eye Care Associates in Michigan | 8,000 |
Sharper Vision in Kansas | 6,891 |
Ad Astra Eye in Arkansas | 3,684 |
Fishman Vision in California | 2,646 |
Burman & Zuckerbrod Ophthalmology Associates, P.C. in Michigan | 1,337 |
Total | 2,927,422 |
This healthcare data breach was caused by individuals gaining unauthorized access to systems, deleting databases, and altering data. The access allowed threat actors to release and compromise data including patient names, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information regarding the care received at the affected eye care practices.
Data Breach at MCG Health Impacted 8 Organizations and Nearly 800 Thousand Individuals
Similar to the breach at Eye Care Leaders, the MCG Health attack was also due to unauthorized access of data systems. This unauthorized access is often caused by actions like:
- Weak passwords
- Failure to implement MFA
- Phishing and social engineering
- Vulnerable, out-dated, or compromised accounts
- Malicious insiders
MCG is a technology and AI-solution for patient care guidelines. The compromised data was PII including names, addresses, phone numbers, gender, dates of birth, medical codes, and Social Security numbers.
This cyber attack impacted 793,283 individuals and 8 organizations, with those organizations having released notices about the attack. These include:
- UNC Lenoir Health Care
- Avera Health
- CHI Health
- Phelps Health
- Henry County Medical Center
- Jefferson County Health Center
- Indiana University Health
- Newman Regional Health
PFC USA Data Breach Impacts Patients of over 650 Healthcare Providers
PFC is a debt collection services provider – a leader in helping U.S. healthcare providers recover unpaid medical bills, with many clients also in retail, financial services, and government. The PFC data breach was caused by a ransomware attack in February 2022. The company began the process of notifying impacted organizations last week ahead of the July 4th holiday. So far, the full impact of individuals has not been released, but with over 650 healthcare providers impacted, the number is surely to be in line with the other two attacks detailed above.
The sensitive information gathered by the attackers included names, addresses, birth dates, accounts receivable balance and payments information, Social Security numbers, and health insurance and medical treatment information.
Want to stay up to date with other big cyber news events? Check out our weekly news bites segment, updated every Friday with our CISO Bob Maley or Cyber Risk Evangelist Jeffrey Wheatman.