Indiana leads the nation in medical data breaches, with more than 80 million records affected since 2009, a new study shows.
Much of that was due to one massive incident involving insurance company Anthem Inc. (now called Elevance Health Inc.) in 2015, when hackers obtained data on 78.8 million members and employees. Anthem later agreed to pay $170 million in settlements to federal and state officials and civil plaintiffs for failing to safeguard its data.
But more than a dozen other Indiana companies over the years—including Indiana University Health, Hancock Health, Eskenazi Health, Schneck Medical Center and Goodman Campbell Brain and Spine—also suffered large data breaches, with some accounting for tens of thousands of patient records.
Indiana accounted for nearly 25% of all breached records during the 13-year period between 2009 and June 2022, due largely to the Anthem breach, according to a report this month by Comparitech, a consumer website focusing on cybersecurity.
The report is based on data from the U.S. Department of Health and Human Services breach portal, which stores thousands of hacking reports.
All companies holding medical records are required to report data breaches to the federal government if more than 500 records are affected.
Since 2009, medical organizations in the U.S. have suffered nearly 5,000 data breaches, affecting over 342 million medical records.
Health care is likely the juiciest business sector for cyberhackers, according to an IBJ report last month. Cybersecurity experts say health care is a soft target because the sector is a relative latecomer to the digital revolution, and many hospitals and other players have been slow to invest in new software that can stop or slow hackers.
By gaining access to sensitive health data, hackers can profit by selling the information on the dark web—the part of the internet where users can remain anonymous and untraceable.
Much of the hacked medical data includes Social Security numbers, birthdates and addresses, which hackers can use to steal identities and credit information.
According to the Comparitech report, 2020 was the biggest year for medical data breaches, with 803 incidents reported.
Hacking was the most popular method of breaching medical data, accounting for 41% of breaches last year. The next largest category was ransomware, where cyber pirates install malicious software into a database or computer system to block access until a sum of money is paid.
While phishing attacks weren’t listed separately, they might be the method commonly used to initiate hacks and ransomware attacks, the report said. Phishing is the fraudulent practice of sending emails that purport to be from legitimate sources but are actually used to induce people to reveal personal information, such as passwords and credit card numbers.
In 2021 and 2022 (so far), specialist medical clinics accounted for the most data breaches in the U.S. (15%), but hospital systems accounted for the most breached records, with 8.8 million affected, or 16% of total records affected.
The top five states for number of medical records breached between 2009 and June 2022 were Indiana, New York, Florida, California and Texas.
The top five states for the number of incidents reported during this time span were California, Texas, Florida, New York and Illinois.