data breach

Top 10 Largest Healthcare Data Breaches by Number of Records Stolen

healthcare data breachData breaches impact millions and millions, if not billions, of individuals in today’s data-driven society. The amount of circulating data has increased because of digitalization, and security breaches have risen in tandem as cybercriminals prey on people’s daily data reliance.

Healthcare data breaches have increased in both scale and regularity during the last decade, with the worst breaches affecting up to 80 million people. These breaches frequently leak incredibly sensitive data, ranging from personally identifiable information like names, addresses, and Social Security numbers to personal health information like health insurance information, patients’ past medical history, and Medicaid ID numbers. In this article, we have compiled 10 of the largest data breaches by the number of stolen records.

Top 10 Largest Data Breaches by Number of Stolen Records

10.  Newkirk Products

  • Number of Stolen Records: 3.47 million
  • Date Discovered: July 6, 2016

Newkirk Products, a provider of healthcare ID cards, revealed a data breach in mid-2016 involving approximately 3.47 million individuals. Multiple branches of Blue Cross Blue Shield, one of the major health insurance companies in the United States by enrollment, were among those affected.

The attacker was able to get unauthorized access to information by exploiting a vulnerability in the third-party software’s administrative portal on a single isolated server. Hackers acquired access to sensitive personal information such as names, birthdates, Medicaid ID numbers, group ID numbers, and premium invoice information, and in addition to primary care provider information. There was no financial information, medical records, insurance claim data, or social security numbers on the server.

To date, Newkirk has found no evidence that such information has been misused. Those affected by the data breach were sent letters that included an explanation of the occurrence, an offer of free identity protection services for two years, and advice on other ways to safeguard themselves.

9.  Banner Health

  • Number of Stolen Records: 3.62 Million
  • Date Discovered: late June 2016

Banner Health, a healthcare company based in Arizona, revealed in mid-2016 that 3.62 million patients’ data had been exposed due to a cyber-attack. Banner contracted a cybersecurity expert to investigate after staff saw strange activity on its private servers. The firm identified two intrusions in which hackers acquired patient information and payment system data. Names, birth dates, addresses, Social Security numbers, credit card numbers, internal verification codes, expiration dates, as well as doctors’ names, and medical records, may have been compromised.

A class-action lawsuit was launched by the victims of the data breach shortly after. The judge dismissed several of the first allegations, but the parties negotiated a provisional settlement in December 2020. According to court records, victims of data breaches will be entitled to file claims for reimbursement of expenses spent because of the violation.

The maximum amount that can be compensated per breach victim is $500 for regular expenses and $10,000 for exceptional costs, including out-of-pocket expenses and missed time due to identity theft or fraud. All breach victims will also receive two years of free credit monitoring from Banner Health, which will not duplicate what was supplied at the health system’s original breach notification.

8.  Medical Informatics Engineering

  • Number of Stolen Records: 3.9 million
  • Date Discovered: June 10, 2015

Medical Informatics Engineering (MIE), an electronic medical records software company, reported a data breach in mid-2015 that compromised at least 3.9 million patients. Patients who were affected received notices in the mail informing them of their stolen PII, including their names, birthdates, mailing addresses, phone numbers, diagnoses, Social Security numbers, and other sensitive data.

According to news outlets, cyber hackers accessed the company’s network remotely by using credentials that were not consistently secure. According to an investigation, the organization did not do a thorough risk analysis to analyze the possible threats and hazards to the security, integrity, and accessibility of an individual’s electronic protected health information before the breach occurred. This is a HIPAA-required activity, and MIE’s violation led them to pay $100,000 as settlement.

7.  Advocate Health Care

  • Number of Stolen Records: 4.03 million
  • Date Discovered: August 2013

Advocate Health Care confirmed three different data breaches affecting Advocate Medical Group (AMG), a doctors’ organization with over 1,000 physicians, from July to November 2013. The initial breach happened on July 15 when AMG’s administrative headquarters in Park Ridge, Illinois, was robbed of four desktop computers carrying the records of roughly 4 million patients.

The second breach occurred between June 30 and August 15, 2013, when an unauthorized third party gained unauthorized network access to AMG’s billing service provider, potentially exposing the health records of over 2,000 AMG patients. Then, the last case of stolen PHI involved the theft of a laptop holding the health records of over 2,230 patients from an AMG employee’s car on November 1, 2013.

Advocate settled a lawsuit over the breach in August 2016 for $5.55 million.

6. University of California, Los Angeles Health

  • Number of Stolen Records: 4.5 million
  • Date Discovered: May 5, 2015

In mid-2015, the UCLA Health System revealed that hackers gained access to patient records of approximately 4.5 million individuals. Worse yet, UCLA announced that its patient data was not secured, which brought immediate and scathing criticism from security specialists.

In 2019, UCLA Health negotiated a settlement with the 4.5 million present and past patients affected by the patient data leak in a class-action lawsuit. UCLA Health consented to several resolutions as part of the agreement. All class action participants are eligible to sign up for free two-year identity protection services. The health organization also committed to compensating patients for costs paid in attempting to safeguard themselves from identity theft and expenses incurred because of identity theft or fraud. UCLA Health has also committed to revising its cybersecurity policies and practices.


  • Number of Stolen Records: 4.9 million
  • Date Discovered: September 2011

Science Applications International Corporation (SAIC) reported a data breach in late 2011 that affected about 4.9 million military clinic and hospital patients participating in TRICARE, the military healthcare provider for the federal government. This transpired when records were taken from a SAIC staff’s car.

According to TRICARE authorities, the tapes contain phone numbers, addresses, Social Security numbers, and other sensitive information, including prescriptions, laboratory tests, and clinical notes. They also stated that the records did not contain any financial information, such as bank accounts or credit card numbers.

A federal district judge dismissed most of the combined class action lawsuits brought against TRICARE in 2014.

4.  Community Health Systems

  • Number of Stolen Records: 6.1 million
  • Date Discovered: June 2014

Community Health Systems (CHS), which manages 200+ hospitals across the United States, disclosed a serious healthcare breach affecting 6.1 million patients in mid-2014. Attackers took advantage of a software flaw to gain access to personal information such as phone numbers, physical addresses, birthdates, and Social Security numbers. The breach impacted anybody who has received care from an affiliate hospital in the last five years and anybody who had been recommended to CHS by a physician outside of CHS during that time.

CHS enlisted the help of cybersecurity professionals to investigate the breach. They discovered that the hackers were from China and that the attacks took place between April and June of 2014. The cybercriminals utilized high-end, complex malware to carry out their operations.

Federal authorities and cybersecurity consultants informed the hospital network that the attackers had previously committed industrial espionage and stole valuable medical device information. Instead, the intruders stole patient information this time. They were unable to obtain information about patients’ past medical history, clinical procedures, or credit card details.

The breach cost CHS and its partners $10.4 million in compensation.

3. Excellus Bluecross Blueshield

  • Number of Stolen Records: 10+ million
  • Date Discovered: September 2015

Excellus uncovered a cyber-attack in August 2015 that exposed the personal information of around 10 million members. Following a wave of cyber-attacks in early 2015 that targeted healthcare data, Excellus had its own systems forensically reviewed. What they found ended up being the world’s third-largest healthcare data breach.

Names, phone numbers, mailing addresses, birth dates, Social Security numbers, and various account information, such as claims and payment details, were all exposed in the breach, which dated back to December 2013.

Excellus will pay a $5.1 million fine for violating HIPAA’s privacy and security standards as part of the settlement.

2.  Premera Blue Cross

  • Number of Stolen Records: 11+ million
  • Date Discovered: January 29, 2015

Premera Blue Cross revealed in early 2015 that 11 million customers’ medical information had been compromised due to a cyberattack. Hackers were able to put malware on Premera’s servers using a phishing email, giving them access to the data of its members. The hack disclosed bank account data, birthdates, claims information, and Social Security numbers, among other things. The company found that the first attack took place on May 5, 2014, after working with cybersecurity specialists and the FBI to examine the attack. To resolve suspected HIPAA violations in the security breach, Premera Blue Cross was made to pay $6.85 million and submit a remedial action plan in 2020.

1.  Anthem Blue Cross

  • Number of Stolen Records: 78.8 million
  • Date Discovered: January 29, 2015

Anthem revealed in 2015 that 78.8 million patient information was stolen in the largest healthcare data breach in history. An anonymous hacker gained access to a database holding personal information such as names, birthdates, addresses, social security numbers, email addresses, and information about jobs and income. According to the company, the hack did not expose credit card or medical information.

Anthem agreed to pay $39.5 million in 2020 to resolve a probe by a consortium of state attorneys general. The corporation also consented to pay $115 million to settle the lawsuit, making it the largest data breach settlement ever.

Interested in preventing a data breach? Contact me.

The Latest Cybersecurity Incidents and What You Can Learn from Them

cybersecurity incidentsCybersecurity incidents are on the rise, which isn’t a surprise to most in the industry. Hackers become more sophisticated every day, exploiting vulnerabilities and cyber defense mechanisms. While it’s impossible to prevent every cybersecurity attack, there are lessons and takeaways from these that could help strengthen your framework and enhance your team’s awareness.

In this post, we’ll examine some of the latest cybersecurity incidents and discuss why they happened and what you can learn from them.

Why Are Cybersecurity Incidents Rising?

There’s no one answer to this question. The pandemic definitely played a role. Companies had to transition employees to work from home, which opened up more areas of entry for cybercriminals. Since businesses had to rush to do this, they might haven’t been able to follow best practices or embed the best defense positions.

Since the beginning of the pandemic, the FBI reported an increase of 300% more cybercrimes. The healthcare industry was one of the biggest targets, with cybersecurity incidents increasing by 58% in 2020. COVID-19 and stimulus check scams were attractive to hackers, costing Americans over $97 million.

Remote work, as noted, isn’t a new vulnerability. According to IBM, it increased the average cost of a data breach to $137,000. Further, remote workers caused a security breach in 20% of organizations.

All these stats can seem defeating for cybersecurity professionals. Hackers got smarter, opportunities became available because of the pandemic, and those protecting data and networks felt under pressure. It’s a perfect storm for risk and challenges.

However, with each devastating breach or occurrence, there is the chance to perform an evaluation and take something from it to make the future different. Let’s look at some recent events that illustrate these possibilities.

Zoom Accounts Compromised, Sold on Dark Web

The use of Zoom accelerated once the country began to lock down and work from home. It’s so prevalent that Zoom became a part of the cultural vernacular. While the video conferencing platform enabled companies to stay connected and continue work, security issues weren’t always perfect.

There was a massive credential stuffing attack, allowing hackers account access. Such an attack includes hackers targeting a site and analyzing site login sequences and processes. With this knowledge, they can then write an automated script to test stolen credentials.

The company wasn’t checking registered usernames and passwords against lists of known breached account credentials. Those accounts, ranging from users at large banks to universities, were then found on sale on the dark web. The value to cybercriminals is they can impersonate the actual user, eavesdropping on calls, accessing previous meetings, or sending malware files to others.


  • Zoom did begin to check usernames and passwords of new accounts against breached credentials, prompting new passwords. Organizations that use these platforms or any cloud-based application should also have robust password criteria and consider cybersecurity education on password usage to employees.
  • Two-factor authentication is another option to thwart credential stuffing. Companies should seek this out for the solutions they deploy.
  • Requiring a meeting password should also be part of cybersecurity best practices for users.

Molson Coors Experiences Hack, Disrupts Brewing Operations

In March, Molson Coors reported a cybersecurity incident that disrupted its operations in a regulatory filing. An investigation immediately occurred, and the company hired a leading forensic IT firm for help.

Several sources suggested it was ransomware and that taking operations offline was a defensive move to stop the spread. Ransomware attacks have been steadily rising, as hackers attempt to extort businesses by requesting payments to release their files.


  • Cyber attacks are expanding to include areas beyond breaching data and consumer personal information. They can also impact operational practices. These types of disruptions create new risk, as IoT (internet of things) devices become more common in manufacturing. It expands infrastructure as well as endpoints to exploit. Cybersecurity professionals will need to consider all these threats moving forward.

Verkada Breach, Hackers Access Live-Camera Feeds

Video surveillance has been a part of public and private spaces for some time. It’s obviously become much more sophisticated. Much of these systems were on-premises, and the cloud-enabled them to be more accessible. Verkada, a security-camera startup, was hit with a massive hack, exposing over 150,000 live-camera feeds. Infiltrating the system allowed the hackers to post videos from schools, prisons, hospitals, and even manufacturers like Tesla. Those cybercriminals were able to view live feeds and archived videos.

The U.S. Department of Justice (DOJ) announced an indictment of Tillie Kottmann as being responsible for the hack and many others. Kottman’s response, per a statement provided to Bloomberg News, was that they were “motivated to expose the scope of private surveillance practices.”

It’s unknown if their motive was purely altruistic. But whatever their reason, other hackers can certainly see the value in having this information and access. That’s because it’s much more than just looking at the content. It can be an easy way for initial access to the larger network. This incident wasn’t the first of its kind and won’t be the last, as most people are bombarded by widespread surveillance by the tech they use.

Verkada’s response was to say they’d be making security, privacy, and trust their top priority. One might question why it wasn’t already. As regulators and litigation play out in this area, certain companies could be open to fines from the Federal Trade Commission (FTC).


  • Private companies and government entities will continue to use surveillance systems and likely expand them, but they need to consider the entire ecosystem when they do. Is such a system a good candidate for private cloud usage? That’s a possibility.
  • The risk around these hacks is rising, and those organizations that don’t invest in cybersecurity standards to limit it will continue to be vulnerable.
  • Users of technology platforms can’t be solely dependent on the developers for robust security controls. Vendors are often a weak link in cybersecurity incidents, so vet them well, install updates as soon as available, and protect it as an entry point.

Microsoft Email Hack Impacts Over 30,000 U.S. Organizations

Flaws in Microsoft Exchange Server software allowed a Chinese cyber-espionage unit to hack email accounts. They were able to steal emails from users and take complete control of the systems. The type of accounts compromised was internet-facing Microsoft Outlook Web Access (OWA), not the cloud-hosted version.

Microsoft responded by releasing an emergency security update to plug four security gaps for versions 2013 to 2019. However, those that didn’t install the patches continued to be a target. Hackers left web shells, which are password-protected hacking tools. They can use these to gain administrative access and could still be present even for those patched systems.


  • Patch everything and always, no matter the level of confidence in the software. Those patches must be enterprise-wide, no matter where the user is. You can’t rely on individual users to manage this.
  • Cloud-hosted email exchange is likely the best configuration. Microsoft, like any other software provider, is going to nudge people to the cloud. This incident demonstrates some software providers may be less inclined to keep older systems updated.

Hospital Breach Exposes 34,000 Patients

hospital in New Hampshire reported a breach affecting over 34,000 patients. The announcement came in March, and the attack occurred in July 2020. Patient names, demographics, and Social Security numbers were part of the breach. The organization said it was also no longer using the network system involved. The forensics revealed hackers had access to a file for a “short period,” and the third-party firm performing the analysis was unsure if they copied it.

The hospital assured patients that they had new safeguards in place and agreed to offer complimentary credit monitoring and identify theft protection services to impacted individuals.


  • Healthcare organizations are ideal targets for hackers. They understand that healthcare data is valuable and know there are lots of challenges that health IT faces around compliance, data exchange, and interoperability.
  • Lack of standardization in this industry is a risk. Healthcare entities can protect themselves by adopting the cloud, using simple yet impactful cybersecurity frameworks, and always monitoring every application that lives on their network.

Protecting Against Cybersecurity Incidents

Having the right processes and systems in place is critical to defending against cybersecurity attacks. But those aren’t the only things that matter. The right team does as well, which means a high-performing cybersecurity team with technical and soft skills. To improve on the latter, you can learn from my book, The Smartest Person in the Room. It’s a revolutionary approach to cybersecurity. Get your copy today.