Health care hacks are an increasing problem across the country, especially as health networks and insurance companies continue to consolidate into massive regional and national operations, making them lucrative targets for cyber criminals.
Most recently more than 140 hospitals in the Ascension network, including the St. Vincent system in Indiana, lost access to critical inpatient technology, crippling the workflow and delaying care.
But Ascension is far from the only health care organization in the state that has suffered a major cyber breach. In the last two years, federal regulators have tracked some 20 cyber attacks in Indiana and hundreds more nationwide.
Across the state, digital criminals driven by the lure of large payouts from personal data or ransomware attacks have taken advantage of weaknesses in the security systems of health providers, ranging from using phishing emails to hacking into internal databases.
Here are some of the Indiana health care companies that suffered hacks in 2024 and 2023, according to government data.
Otolaryngology Associates, LLC
Date: Feb. 17, 2024
People affected: 316,802
What happened: A cyber criminal claimed to have stolen data from the health provider serving central Indiana and threatened to release the information publicly. While the hacker didn’t get access to medical records, other private health care information such as billing documents were exposed.
Valley Oaks Health
Date: March 18, 2024
People affected: 50,034
What happened: The mental health and addiction care organization serving counties north of Indianapolis discovered that a hacker gained access to protected health information, including social security numbers, medical treatment records and insurance information. Valley Oaks said at the time that it didn’t have evidence that the information was misused but notified patients affected to take proactive measures to protect their finances.
Northwest Health – La Porte
Date: March 3, 2023
People affected: 10,256
Notice of Data Privacy Incident | Northwest Health – La Porte | La Porte, IN(opens in a new tab)
What happened: Someone broke into a storage facility where medical records were kept, took information and posted them on YouTube. The northwest Indiana hospital could not confirm if the videos were removed entirely even after hospital officials filed a lawsuit against the intruder.
South Suburban Surgical Suites, LLC
Date: April 3, 2023
People affected: 5,340
What happened: A phishing email, which typically looks like it’s coming from a trustworthy source, prompted someone to share access to private information at the northwest Indiana company.
Beacon Health System
Date: Jan. 20, 2023
People affected: 3,117
What happened: An employee was inappropriately accessing patient records. The employee viewed personal information outside of the purview of the job for nearly five years.
Lafayette Regional Rehabilitation Hospital
Date: Feb. 1, 2024
People affected: 2,861
What happened: A hacker gained access to the hospital’s system between mid-January and the start of February and accessed personal information, including medical records.
For a full list visit of recent cyberhacks: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Binghui Huang can be reached at 317-385-1595 or Bhuang@gannett.com