The Worst Healthcare Data Breaches of 2017 (And What We Can Learn From Them)

Every story has a lesson, and every failure is a chance to grow.

In 2017, medical practices experienced a horrific year of failure.

If you’re in the medical field, it’s vital to understand how data breaches affect your company and your patients. It’s also important to know what you can do to prevent issues from occurring or what you should do if they slip through your security.

Here, we’ll explore several of the worst healthcare data breaches of 2017 and discuss the lessons learned from each.

Read on to discover how to avoid them yourself.

A Startling Increase

Mega data breaches alone cost companies an estimated $40 million to $350 million annually.

In 2017, there was more than one healthcare data breach every day: the total for the year tallied up at 477.

While 2017 saw more total breaches than the previous year, the number of records leaked decreased. So what is causing the increase in cases?

Unfortunately, the very technology used to keep sensitive information safe is also its undoing. Hackers caused about 37% of breaches, with insider wrongdoing accounting for an equal share.

You’ll notice these factors appear often in our list of 2017’s worst healthcare breaches.

The Worst Healthcare Data Breaches in 2017

Although 2017 may have experienced fewer large leaks, the ones that occurred were massive.

Commonwealth Health Corporation

In March of 2017, Med Center Health filed a report indicating an employee illegally obtained billing information. Estimates of the number of patients affected range from 160,000 to 697,800 individuals.

In a unique twist, the company did not have to report the breach to authorities. Under the data breach regulations, the theft of an encrypted device is not reportable on its own.

That changes, of course, if the thief bypasses the encryption or accesses the data once it has been decrypted. This is exactly what reporters suspect occurred.

According to Commonwealth Health Corporation, the parent company, an internal investigation discovered that a former employee had obtained patient billing information on two occasions. Each time, the employee indicated that they needed the information to complete their job duties.

The individual planned to use the information in “the development of a computer-based tool for an outside business interest.” This outside interest wasn’t disclosed to the company.

The Takeaway

Med Center Health contacted the patients affected by the breach as quickly as the federal investigation allowed. Furthermore, it was the company’s own security assessment that uncovered the theft, a lesson many businesses can learn from: those assessments do pay off.

However, questions remain about how the individual managed to get information from an encrypted device.

Even though the thief was an employee rather than an outside attacker, facilities should have clear rules about who has access to sensitive data.

Airway Oxygen, Inc.

Shortly after Med Center Health announced its breach, another occurred at Airway Oxygen, Inc., a provider of home medical equipment.

In March, cyber attackers planted ransomware in the company’s network, which shut employees out of the system. The breach compromised the personal data of 500,000 patients and of over 1,000 employees as well.

Officials say it is unclear if any information was accessed.

After the breach, the business ran an internal scan of its network, changed all passwords, updated its security tools, assessed the firewall and installed monitoring software. In addition, company officials hired a cybersecurity firm to investigate the attack and formed a plan of defense against future incursions.

The Takeaway

It’s best to be proactive instead of reactive. Airway Oxygen learned from its mistake and sought to minimize future damage. Any business dealing with sensitive information must invest in cybersecurity and maintain it.

Otherwise, they stand to lose a large chunk of profit.

Women’s Health Care Group of PA, LLC

In the previous two incidents, billing information was stolen. In the case of Women’s Health Care Group, thieves took pretty much everything you can name: blood types, pregnancy histories, ethnicities and more.

Attackers gained access to the company’s network in January, but the breach was not discovered until May. It took the company an additional two months to notify patients, a delay that may have been due to law enforcement requests or in-depth assessments.

The company remained tight-lipped about the incident. Because all information had been backed up, services were not interrupted.

The incident affected about 300,000 patients.

The Takeaway

This company received a flood of complaints about how long it took to communicate the issue to patients. Its reluctance to provide public comments didn’t help.

In the event of a breach, sharing relevant information rebuilds the trust a business has lost with its consumers. While Med Center Health knew about its breach well in advance, a simple explanation of why it didn’t reach out to patients sooner was enough to put its consumers (slightly) at ease.

Urology Austin, PLLC

Health provider Urology Austin alerted over 200,000 patients in March about the possibility of compromised info.

This company was also the victim of a ransomware attack, this time in January of 2017. Hackers encrypted sensitive data and demanded that the business pay a ransom to regain access to it.

Reports show that Urology Austin officials knew about the threat within minutes and shut down the network that stored the data. An investigation immediately ensued.

The company put in place network safety scans and enhanced security measures to avoid future issues. Additionally, it offered free credit monitoring to those affected and questioned employees.

The Takeaway

This company acted quickly to de-escalate what could have become a larger issue. Urology Austin reached out to the victims, spoke to the public, strengthened its security and investigated potential insider threats.

Reporters suspect a malicious email delivered the malware, which brings us to our final takeaway. While some malware “hides” well, always train employees to be on the lookout for suspicious emails and to avoid opening personal messages at work.

All Things Didactic

No one likes it when someone tells them what to do, but in the case of healthcare data breaches, a few helpful, proactive hints can’t hurt.

Every case brings a new lesson to the medical sector and a new understanding of the precarious situation professionals and patients alike are in. We must learn from past mistakes to correct future hazards.

When a breach does happen, having a HIPAA security breach response team is ideal. Read all about why you need a team in our article and discover how you can protect your patients.

After all, to err is human, but in today’s world, technology complicates those errors tremendously.

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: “Implement a security awareness and training program for all members of its workforce (including management).”

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
