Consider these real-world data breaches and hacks in healthcare a teachable moment.
The healthcare industry—including hospitals, clinics, insurance companies, and medical practices—is a target for hackers. These organizations store highly sensitive patient data within their records, which can turn sizable profits on the dark web.
Adding to the allure of patient health information (PHI), the industry often lacks password protocols. Healthcare organizations sometimes manage logins for more than 500 accounts, with employees having access to over 11 million files. Not to mention that third parties like visiting consultants and contractors also have access to some of these accounts and files. Many of these credentials never expire, meaning that even after an employee or contractor is no longer affiliated with the healthcare organization, they retain access to privileged information.
The risks of security breaches and disruption to patient care soar with the digitization of patient records and remote care. Whether hackers use ransomware or phishing scams, compromised passwords are at the core of cyber attacks on the industry.
Here are three real-world examples of breaches and hacks in healthcare and how your company can avoid similar attacks with a password manager.
The ransomware attack that drove a private practice out of business
Who was hacked: Wood Ranch Medical in California
The attack: According to HIPAA Journal, hackers deployed a ransomware attack on the medical practice in August of 2019, which led to a system-wide encryption of files affecting 5,835 patients. The hackers permanently damaged the organization’s computer systems and encrypted backup data. As a result, the practice never recovered the files and was ultimately forced to close its doors.
The takeaway: Stolen passwords are the simplest shortcut to deploying a ransomware attack. Without investing in expensive Remote Desktop Protocol (RDP) access, hackers can buy employee credentials on the dark web and use credential stuffing (essentially, trial and error) until they gain network access.
Investing in a password manager can help prevent ransomware attacks. Dashlane offers Dark Web Monitoring, which alerts users to any leaked credentials. If stolen credentials are spotted, employees and businesses can quickly update to a strong, unique password (often right within the app), preventing hackers from gaining network access.
The phishing scam that cost a New Jersey hospital $672,744
Who was hacked: University Hospital New Jersey (UHNJ)
The attack: Hackers used a phishing scam to gain employee credentials, then accessed UHNJ’s networks and deployed SunCrypt ransomware. In total, the hackers stole 240 GB of data, leaked 48,000 documents, and demanded $1.7 million in ransom. The hospital ended up paying 61.9 bitcoin, equivalent to $672,744.
The takeaway: Phishing scams are extremely common in the healthcare industry. In a survey conducted by the Healthcare Information and Management Systems Society (HIMSS), 57% of respondents said they were victims of a phishing attack in 2020.
To prevent such an attack, make sure your employees are well versed in the signs of phishing, such as email addresses and websites cleverly designed to look familiar or trustworthy. Utilize Dashlane’s multifactor authentication to prevent hackers from gaining network access, even if they get hold of employee passwords.
The email hack that led to a class-action lawsuit
Who was hacked: Aveanna Healthcare in Georgia
The attack: Employees of this pediatric home healthcare provider in Georgia experienced a phishing attack, which compromised their email logins. The attack went undetected for a month and led to a data breach affecting 160,000 patients. More than 100 patients sued the organization over reckless storage of sensitive information.
The takeaway: Dashlane’s Dark Web Monitoring can catch a scam before it slips through the cracks. Turning on alerts for compromised credentials gives employees and organizations a chance to swap out weak or stolen passwords before serious damage is done.