
About 56,000 records hacked at Northwestern Memorial HealthCare system

September 08, 2020
by Valerie Dimond, Contributing Reporter

Northwestern Memorial HealthCare has notified the U.S. Department of Health and Human Services about a data breach, which the provider says was initiated via one of its vendors, Blackbaud.

Blackbaud provides software to manage fundraising databases and said it notified the healthcare provider in mid-July that an unauthorized person had hacked the company’s system between Feb. 7 and May 20.

Northwestern Memorial said the breach did not target the health system or involve access to its electronic medical record systems, although five people had their Social Security numbers, financial accounts and payment information exposed.

“The individual may have acquired a backup of the database which includes donor or patient information for whom donations were made, including names, age, gender, dates of birth, medical record number, dates of service, departments of service, treating physicians, and/or limited clinical information,” Christopher N. King, director, media relations & communications, Northwestern Medicine, told HCB News.

According to a recent Protenus Breach Barometer report, healthcare data breaches across the United States tripled in 2019 compared with the previous year.

"The increase in total incidents is a result of the healthcare industry's unique challenges that are unlike other industries," Protenus CEO Nick Culbertson told HCB News in February. More than 41 million patient records were breached in 2019. The report revealed a 48.6% jump in reported hacking incidents but also found a 20% decrease in insider-related incidents.

A new study published in a special issue of the open access journal, Healthcare, shows the average cost of a data breach is $6.45 million, up from $3.92 million in 2019. The average cost of a breached record is $150. But in the healthcare industry, the cost of each breached record was $429 in 2019. The average cost of each record increased by 1.35% in 2019 relative to 2018, and the cost of each breached record in the healthcare sector increased by 5.14% in 2019.

UnityPoint Health, an Iowa-based healthcare system, just settled a data breach lawsuit in July that entailed two separate phishing attacks in which dubious emails that appeared to have been sent from an executive within the organization tricked employees into providing their sign-on information, thereby giving the attackers access to their accounts.

Also in July, Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a nonprofit health system based in Rhode Island, agreed to pay $1,040,000 to the Office for Civil Rights at HHS and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act privacy and security rules related to the theft of an unencrypted laptop.

Lifespan ACE reported the theft of an affiliated hospital employee’s laptop, which contained electronic protected health information including patients’ names, medical record numbers, demographic information, and medication information. The breach affected 20,431 individuals.

Interestingly, and despite the COVID-19 outbreak, data analyzed from HHS in August shows that the number of patient data records breached dramatically declined during the early stages of the pandemic.

“A combination of factors come into play for the numbers declining so precipitously during a global pandemic, including healthcare organizations misunderstanding HIPAA and COVID-19 exceptions issued during the pandemic, healthcare organizations simply being too busy to report, or organizations having been so distracted by the pandemic they are not aware they have already been breached,” said Drex DeFord, Executive Healthcare Strategist, CI Security, which provided the information in its 2020 H1 Healthcare Data Breach Report. “With the likely notion that most healthcare organizations are not accurately reporting attacks and breaches, this draws attention to the fact that there will likely be a dramatic increase in discovery in the next six months.”

Northwestern Memorial Hospital did not respond to a request for more information about its own data breach.

But it did announce that four Northwestern Medicine hospitals were recognized this year by U.S. News & World Report in its 2020-2021 Best Hospitals rankings, with Northwestern Memorial Hospital retaining its position as the No. 1 hospital in Illinois and Chicago.