The healthcare industry is a beloved target of hackers. Medical records start at $250 on the black market and, compared to 5$ credit cards and 1$ social security numbers, the value is huge. Health information can not be changed and hackers can use it in two ways: blackmail someone their entire lives, threatening to share their diagnoses and treatments, or use medical records to get illegal drug prescriptions. The cost of security breaches in healthcare, consequently, raised to $6 trillion in 2020, and some of the biggest breaches affected as much as 78,8 million patients.
Healthtech has become a big part of the healthcare breaches as well since they are usually integrated with medical records. In this post, we are going to highlight 10 cybersecurity breaches in healthtech and see what we can learn from them.
#1 Telehealth App – Babylon
Babylon offers a platform for patients and doctors where all things that can go digital do, in fact, go digital. Patients can chat and have video conferences with doctors, check their medical records, analyze their symptoms, get an ePrescription, or book an appointment.
In 2020, Babylon found a vulnerability that allowed patients to view video conferences of other patients with doctors. The vulnerability appeared because of the new feature that allowed patients to switch from audio to video calls.
The company quickly reacted to the reports from users who were able to view other patients and made security patches. The company does not believe that hackers were able to misuse the vulnerability due to a quick reaction from the healthtech provider.
#2 Software for Emergency Care – Zoll
Zoll is a healthtech company that provides devices and software for emergency care, for example, defibrillation, cardiac monitoring, ventilation, temperature management devices, etc.
In June 2021, they discovered numerous vulnerabilities in their defibrillation dashboard that manages defibrillators remotely. Such security problems as unrestricted file upload, cross-site scripting (XSS), insecure password storage, and a privilege escalation issue were reported to the US Cybersecurity and Infrastructure Agency (CISA) by anonymous users.
These security problems could have led to the upload of malicious files and further leak of sensitive information. Zoll quickly took action and patched the vulnerabilities so no data was leaked.
#3 Lab Test Management App – MyQuest
MyQuest is a mobile app that allows you to easily see lab results, schedule a lab appointment, see your medical history, and even monitor your family’s results if they can not do so on their own.
In 2016, the app experienced a massive data leak of lab results, phone numbers, names, and dates of birth of the users. As a result, 34,000 patients were affected and notified about the leak. The company started reviewing its system immediately but never shared the cause of the breach.
Quest Diagnostics which uses the app faced a massive data breach in 2018 as well where the information of 11,9 million patients got leaked, including their credit card numbers, lab results, names, etc. The problem was a third-party billing company, which highlights how important it is to not only test your systems but review your third-party tools as well.
#4 EHR/EMR App – LibreHealth
LibreHealth focuses on open-source healthcare IT solutions that are easy to implement in any clinical setting.
Their EHR/EHR mobile app has become a target of cybercriminals in 2020. The reason behind the breach is 5 vulnerabilities that are quite common: cross-site scripting, SQL injection, CSRF, vulnerable software, and local file inclusion.
The company was working on security patches for quite a while but they claim that no user data was used with malicious intent so far.
#5 Prescription Management Software – Walgreens
Walgreens is a company that works with numerous pharmacies around the US. It allows users to find nearby pharmacies, manage their prescriptions, shop online, etc.
In March 2020, the official app of the company was breached which led to the leak of customer’s full names, their medication prescriptions, and shipping addresses. The problem was the private message feature that allowed patients to receive notifications about refills, deals, and coupons. As a result, some patients could receive and view messages from other patients.
Around 72,000 customers were affected by the breach. Walgreens was quick to patch the vulnerability after the news broke.
#6 Clinical Trial Software – eResearchTechnology
eResearchTechnology helps to minimize risk in clinical trials by providing clinical trial management software. Their software already supported more than 15,000 trials and 5 million patients.
In 2020, the company was hit by a ransomware attack that affected many trials, some of them related to COVID vaccines. The system was shut down after the attack to conduct the investigation. Numerous trials around the country were forced to go back to pen and paper, some of them not returning to software because of security concerns.
#7 Software for Health Insurance Providers – Newkirk Product
Newkirk Product was a healthcare company that issued healthcare ID cards for numerous medical insurance providers like BlueCross Blue Shield, HealthNow, Capital District Physicians’ Health Plan, Gateway Health Plan, etc. Overall, 13 companies around the US.
Because of their huge coverage, the breach of their services hit as many consumers as possible and became one of the top-10 incidents in the whole healthcare industry. The weakness was in the administrative portal of the 3rd party software on the single isolated server. Hackers used the vulnerability and gained access to the entire system.
3,3 million users were affected by the breach, their names, emails, care providers, date of birth, and premium invoice information leaked. Users got two years of free identity theft protection and restoration services.
#8 Patient Appointment Scheduling App – Luxottica
Luxottica is an Italy-based eyewear manufacturer, their popular brands are Rayban, Persol, and Oakley. Luxottica also partners with eye care providers and has an app for them where patients can schedule appointments with ophthalmologists.
In 2020, their appointment scheduling app was breached. The cause of the breach was a ransomware attack.
As a result, almost 830 thousand patients were affected, their contact details, health insurance policy numbers, appointment notes, credit card information, and Social Security information were leaked. It took the company 4 days to discover the breach which was later patched. The hacking group then posted the data on the Internet and also disclosed information about the human resources of Luxottica.
#9 EHR/EMR Software – Medical Informatics Engineering
Medical Informatics Engineering provides EHR/EMR software and services in the US.
In 2015, hackers obtained compromised login information to enter the database. They did not conduct a risk analysis to find possible threats which later resulted in the breach of protected health information (names, addresses, dates of birth, Social Security numbers, email addresses, clinical information, and health insurance information) of 3,5 million patients.
The company breached HIPAA guidelines in such a way and had to pay $100,000 and start doing risk assessments.
#10 Hospital Administration Software – Dedalus
Dedalus is a France-based healthcare software provider for patient administration, pathology, billing, admission, drugs management, clinical collaboration and information, storage, and traceability.
In 2021, their software faced a breach whereas data from 30 medical labs were leaked. Around 500,000 French people were affected by the breach. After a disagreement, one of the hackers made publically available phone numbers, addresses, blood groups, social security numbers, birth dates, medical treatments, illnesses (including instances of HIV), and health updates. Hackers got access to 5 years’ worth of data.
Healthtech security breaches are expensive, considering the most sensitive information that medical health records include. Many healthtech apps underestimate the importance of cybersecurity efforts until it is too late and they have to pay millions to cover the breach for users and pay penalties from major healthcare data regulations.
To minimize the possibility of a breach, make sure to ensure full adherence to all the HIPAA requirements, constantly conduct security audits and invest in a robust cybersecurity strategy.
At Cyberlands we are committed to help HealthTech organizations maintain compliance and establish effective DevSecOps programs. Contact us to discuss a penetration testing service or DevSecOps as a Service.