Top 10: Most Serious Healthcare Cyber Attacks
Healthcare cybersecurity is critical, because breaches can disrupt patient care, expose sensitive information, and cause huge reputational and financial damage.
At the time of writing, the latest serious healthcare security breach affected three major London hospitals, which were hit by a ransomware attack that wreaked havoc across clinical services.
King’s College Hospital, Guy’s and St Thomas’s are among those affected, and the incident has had a major impact on the delivery of services, especially blood transfusions and test results, the hospitals say.
Cyberattackers target healthcare providers for several reasons:
- Medical records contain comprehensive personal data useful for identity theft, insurance fraud, and blackmail.
- Health information has a higher black market value than credit card details.
- Many healthcare systems have outdated security measures due to budget constraints and legacy technology.
- Healthcare providers are more likely to pay ransoms quickly to restore systems and prevent patient harm.
- The interconnected nature of healthcare networks presents a huge attack surface.
The following are some of the most serious healthcare cyberattacks, in terms of numbers affected and the personal harm caused.
10 PACS System
Country: India
Year: 2019
Researchers discovered millions of patient X-rays and medical images exposed online across India. The breach involved Picture Archiving and Communication Systems (PACS), which hospitals use to store and transmit medical images.
The issue was not a targeted attack but a security misconfiguration, with PACS servers left unsecured and connected directly to the internet. Over 121 million images from more than 16 million scans were accessible without password protection. Exposed data included patient names, birthdates, and examination details.
09 Medicare
Country: Australia
Year: 2017
Medicare, Australia's universal health insurance scheme administered by the government, suffered a data breach in which the personal information of approximately 2.9 million Australians was offered for sale on the dark web.
The leaked data included Medicare card numbers, names, and addresses. Unlike typical hacks, this breach resulted from an unauthorised individual accessing the data through a legitimate Medicare access channel, suggesting an insider threat or compromised provider credentials. The breach was discovered when the data was advertised online, prompting a federal police investigation.
08 National Health Service
Country: UK
Year: 2017
Before the most recent cyber breach, the UK's National Health Service (NHS), which provides public healthcare services, suffered a major incident seven years ago that affected 81 out of 236 NHS trusts in England.
The breach occurred when computers were infected with WannaCry ransomware, exploiting a Windows vulnerability. The attack encrypted data and demanded Bitcoin payments for decryption. It caused widespread disruption, and led to the cancellation of 19,000 appointments and emergency services being diverted.
07 Community Health Systems
Country: US
Year: 2014
Community Health Systems is a hospital operator, with 206 facilities in 29 states. The attack compromised the personal information of approximately 4.5 million patients, who were referred to or received care at CHS-affiliated hospitals. Leaked data included names, addresses, birthdates, phone numbers, and Social Security numbers.
The breach was a targeted external cyber attack using the Heartbleed bug, not ransomware. Hackers from China exploited the OpenSSL vulnerability to access CHS's network between April and June 2014. No medical or financial data was reported stolen. No patient data was reported stolen, but systems were inaccessible. The attack was later attributed to North Korea.
06 SingHealth
Country: Singapore
Year: 2018
SingHealth, Singapore's largest group of healthcare institutions, suffered a data breach that compromised personal information and the medical records of 1.5 million patients, including Prime Minister Lee Hsien Loong. Leaked data included names, addresses, birthdates, and outpatient prescriptions.
The breach was a targeted, sophisticated cyberattack, not ransomware. Hackers exploited a vulnerability in a front-end workstation to gain network access, then used stolen credentials to access the database. Investigators attributed the attack to an unnamed state-sponsored group.
05 LifeLabs
Country: Canada
Year: 2019
LifeLabs, Canada's largest provider of healthcare laboratory testing services, experienced a data breach that exposed the personal and medical information of up to 15 million customers, mostly in Ontario and British Columbia. Leaked data included names, addresses, emails, birthdates, health card numbers, and lab test results.
LifeLabs confirmed it was a ransomware attack, with hackers demanding payment to prevent data disclosure. The company paid an undisclosed sum to recover the data. The breach affected approximately 40% of Canada's population. LifeLabs faced multiple class-action lawsuits following the incident.
04 Premera Blue Cross
Country: US
Year: 2015
Premera Blue Cross, a major health insurer in the Pacific Northwest, experienced an attack that compromised personal and medical information of approximately 11 million customers. The leaked data included names, birthdates, Social Security numbers, bank account details, and clinical information.
The breach was a sophisticated cyberattack in which hackers gained unauthorised access to Premera's IT systems. The intrusion began in May 2014 but was not discovered until January 2015. The FBI investigated the incident, and cybersecurity firms suggested it bore hallmarks of Chinese state-sponsored activity, similar to the Anthem breach.
03 Vastaamo
Country: Finland
Year: 2020
Vastaamo is Finland's largest private psychotherapy centre, and it suffered a severe data breach in 2020. The incident exposed the therapy session notes and personal information of up to 40,000 patients, a significant number in a country of 5.5 million. Leaked data included patient names, contact details, and highly sensitive therapy records.
The breach was not a ransomware attack. Instead, hackers stole the data and blackmailed individual patients, threatening to publish their therapy notes.
The intrusion occurred between 2018 and 2019 but was only revealed in October 2020. Vastaamo's inadequate data security practices contributed to the breach.
02 Anthem Inc
Country: US
Year: 2015
Anthem Inc is the second-largest US health insurer. Hackers accessed a database containing the personal information of 78.8 million customers and employees. The leaked data included names, birthdates, Social Security numbers, addresses, and employment details.
The attack was a targeted external cyberattack using stolen administrator credentials, not ransomware. The breach began in February 2014 but was only discovered in January 2015. Anthem did not disclose how the credentials were obtained or identify the attackers, though some experts attributed it to state-sponsored Chinese hackers.
01 UnitedHealth Group
Country: US
Year: 2023
UnitedHealth Group, the largest US health insurer, experienced a catastrophic data breach that affected Change Healthcare, UnitedHealth's health technology unit, disrupting pharmacy transactions and medical claims nationwide. The incident impacted millions of patients, causing delays in medication access and healthcare payments. The breach was a ransomware attack by ALPHV/BlackCat, a Russian-speaking cybercrime group. UnitedHealth is alleged to have paid the group $22 million.
The US government, including the FBI and CISA, engaged with UnitedHealth to investigate and mitigate the attack's impact on the healthcare system. An estimated one third of the entire US population is thought to have been affected.