Other attacks followed at Chino Valley Medical Center in Chino, Calif., Desert Valley Hospital in Victorville, The Ottawa Hospital in Ottawa, at MedStar Healthcare in the Washington, D.C. area, and at numerous other healthcare facilities.
"It's all because someone at the billing department at a hospital clicked on an email that had a puppy, a baby or a spearfishing email," Collins said.
In recent months, some clinics and insurers have been targeted by lawsuits from patients who had their records stolen. Even though few patients have come out publicly, they will likely face consequences in the years to come, according to Josh Corman, director of cyber statecraft at The Atlantic Council and a member of a Health and Human Services cybersecurity committee.
"The type of information is a stepping stone to other types of compromise later," Corman said. "It could be your a social security number, city of birth or other things you may use in bank security questions. It's all the stuff around your medical history."
Corman said that hospitals and health insurers have embraced electronic medical records for their convenience and efficiency, but failed to keep up with security.
"This is our four-minute warning," Corman said. "At the moment, people have the expectation that their information is secure."
The next phase of cyberhacking in the health world is medical devices themselves. The Food and Drug Administration recalled an insulin pump earlier this year because it was built with an insecure Wi-Fi connection, leaving it vulnerable to hackers who might want to harm a patient.
"At the moment, people have the expectation that their information is secure," Corman said. "A sober reflection that even with (medical privacy laws) an hi-tech, the adversaries are still succeeding."
RELATED: 30 Years of Cyber Attacks: An Ominous Evolution
In fact, sometimes medical privacy laws work against correcting errors from stolen identity.
Jake Henshaw, a military recruiter from Texas, pleaded with a Colorado hospital to find out about several $3,000 drug detox treatments for which he was billed. Henshaw was stationed in Germany at the time, preparing to deploy to Afghanistan.
"I had to get my commanding officer to write a memorandum stating I was present in Germany when the visits happened," he said. "The Army was trying to get me to change my social security number."
Henshaw said the hospital billing administrator wouldn't budge.
"It was a miserable experience. You just have to just keep trying to have enough kindness and sympathy to actually bend the rules to assist you. That's what I've done multiple times."
Henshaw purchased an identity theft monitoring service from the firm LifeLock, which keep tabs on unauthorized use of his accounts.
In Henshaw's case, the culprit was his drug-dependent younger brother, who used Henshaw's social security number and birthdate for treatment and prescription drugs. What wrankles Henshaw was the lack of adequate checks by the hospital.
"When you rent a car, you have to have a drivers license, a second ID and a credit card," Henshaw said. "In the hospital, they don't do that. They cannot impede treatment to someone who needs it. There has to be something done. Someone needs to figure it out."