Top 10 Largest Healthcare Data Breaches by Number of Records Stolen

healthcare data breachData breaches impact millions and millions, if not billions, of individuals in today’s data-driven society. The amount of circulating data has increased because of digitalization, and security breaches have risen in tandem as cybercriminals prey on people’s daily data reliance.

Healthcare data breaches have increased in both scale and regularity during the last decade, with the worst breaches affecting up to 80 million people. These breaches frequently leak incredibly sensitive data, ranging from personally identifiable information like names, addresses, and Social Security numbers to personal health information like health insurance information, patients’ past medical history, and Medicaid ID numbers. In this article, we have compiled 10 of the largest data breaches by the number of stolen records.

Top 10 Largest Data Breaches by Number of Stolen Records

10.  Newkirk Products

  • Number of Stolen Records: 3.47 million
  • Date Discovered: July 6, 2016

Newkirk Products, a provider of healthcare ID cards, revealed a data breach in mid-2016 involving approximately 3.47 million individuals. Multiple branches of Blue Cross Blue Shield, one of the major health insurance companies in the United States by enrollment, were among those affected.

The attacker was able to get unauthorized access to information by exploiting a vulnerability in the third-party software’s administrative portal on a single isolated server. Hackers acquired access to sensitive personal information such as names, birthdates, Medicaid ID numbers, group ID numbers, and premium invoice information, and in addition to primary care provider information. There was no financial information, medical records, insurance claim data, or social security numbers on the server.

To date, Newkirk has found no evidence that such information has been misused. Those affected by the data breach were sent letters that included an explanation of the occurrence, an offer of free identity protection services for two years, and advice on other ways to safeguard themselves.

9.  Banner Health

  • Number of Stolen Records: 3.62 Million
  • Date Discovered: late June 2016

Banner Health, a healthcare company based in Arizona, revealed in mid-2016 that 3.62 million patients’ data had been exposed due to a cyber-attack. Banner contracted a cybersecurity expert to investigate after staff saw strange activity on its private servers. The firm identified two intrusions in which hackers acquired patient information and payment system data. Names, birth dates, addresses, Social Security numbers, credit card numbers, internal verification codes, expiration dates, as well as doctors’ names, and medical records, may have been compromised.

A class-action lawsuit was launched by the victims of the data breach shortly after. The judge dismissed several of the first allegations, but the parties negotiated a provisional settlement in December 2020. According to court records, victims of data breaches will be entitled to file claims for reimbursement of expenses spent because of the violation.

The maximum amount that can be compensated per breach victim is $500 for regular expenses and $10,000 for exceptional costs, including out-of-pocket expenses and missed time due to identity theft or fraud. All breach victims will also receive two years of free credit monitoring from Banner Health, which will not duplicate what was supplied at the health system’s original breach notification.

8.  Medical Informatics Engineering

  • Number of Stolen Records: 3.9 million
  • Date Discovered: June 10, 2015

Medical Informatics Engineering (MIE), an electronic medical records software company, reported a data breach in mid-2015 that compromised at least 3.9 million patients. Patients who were affected received notices in the mail informing them of their stolen PII, including their names, birthdates, mailing addresses, phone numbers, diagnoses, Social Security numbers, and other sensitive data.

According to news outlets, cyber hackers accessed the company’s network remotely by using credentials that were not consistently secure. According to an investigation, the organization did not do a thorough risk analysis to analyze the possible threats and hazards to the security, integrity, and accessibility of an individual’s electronic protected health information before the breach occurred. This is a HIPAA-required activity, and MIE’s violation led them to pay $100,000 as settlement.

7.  Advocate Health Care

  • Number of Stolen Records: 4.03 million
  • Date Discovered: August 2013

Advocate Health Care confirmed three different data breaches affecting Advocate Medical Group (AMG), a doctors’ organization with over 1,000 physicians, from July to November 2013. The initial breach happened on July 15 when AMG’s administrative headquarters in Park Ridge, Illinois, was robbed of four desktop computers carrying the records of roughly 4 million patients.

The second breach occurred between June 30 and August 15, 2013, when an unauthorized third party gained unauthorized network access to AMG’s billing service provider, potentially exposing the health records of over 2,000 AMG patients. Then, the last case of stolen PHI involved the theft of a laptop holding the health records of over 2,230 patients from an AMG employee’s car on November 1, 2013.

Advocate settled a lawsuit over the breach in August 2016 for $5.55 million.

6. University of California, Los Angeles Health

  • Number of Stolen Records: 4.5 million
  • Date Discovered: May 5, 2015

In mid-2015, the UCLA Health System revealed that hackers gained access to patient records of approximately 4.5 million individuals. Worse yet, UCLA announced that its patient data was not secured, which brought immediate and scathing criticism from security specialists.

In 2019, UCLA Health negotiated a settlement with the 4.5 million present and past patients affected by the patient data leak in a class-action lawsuit. UCLA Health consented to several resolutions as part of the agreement. All class action participants are eligible to sign up for free two-year identity protection services. The health organization also committed to compensating patients for costs paid in attempting to safeguard themselves from identity theft and expenses incurred because of identity theft or fraud. UCLA Health has also committed to revising its cybersecurity policies and practices.


  • Number of Stolen Records: 4.9 million
  • Date Discovered: September 2011

Science Applications International Corporation (SAIC) reported a data breach in late 2011 that affected about 4.9 million military clinic and hospital patients participating in TRICARE, the military healthcare provider for the federal government. This transpired when records were taken from a SAIC staff’s car.

According to TRICARE authorities, the tapes contain phone numbers, addresses, Social Security numbers, and other sensitive information, including prescriptions, laboratory tests, and clinical notes. They also stated that the records did not contain any financial information, such as bank accounts or credit card numbers.

A federal district judge dismissed most of the combined class action lawsuits brought against TRICARE in 2014.

4.  Community Health Systems

  • Number of Stolen Records: 6.1 million
  • Date Discovered: June 2014

Community Health Systems (CHS), which manages 200+ hospitals across the United States, disclosed a serious healthcare breach affecting 6.1 million patients in mid-2014. Attackers took advantage of a software flaw to gain access to personal information such as phone numbers, physical addresses, birthdates, and Social Security numbers. The breach impacted anybody who has received care from an affiliate hospital in the last five years and anybody who had been recommended to CHS by a physician outside of CHS during that time.

CHS enlisted the help of cybersecurity professionals to investigate the breach. They discovered that the hackers were from China and that the attacks took place between April and June of 2014. The cybercriminals utilized high-end, complex malware to carry out their operations.

Federal authorities and cybersecurity consultants informed the hospital network that the attackers had previously committed industrial espionage and stole valuable medical device information. Instead, the intruders stole patient information this time. They were unable to obtain information about patients’ past medical history, clinical procedures, or credit card details.

The breach cost CHS and its partners $10.4 million in compensation.

3. Excellus Bluecross Blueshield

  • Number of Stolen Records: 10+ million
  • Date Discovered: September 2015

Excellus uncovered a cyber-attack in August 2015 that exposed the personal information of around 10 million members. Following a wave of cyber-attacks in early 2015 that targeted healthcare data, Excellus had its own systems forensically reviewed. What they found ended up being the world’s third-largest healthcare data breach.

Names, phone numbers, mailing addresses, birth dates, Social Security numbers, and various account information, such as claims and payment details, were all exposed in the breach, which dated back to December 2013.

Excellus will pay a $5.1 million fine for violating HIPAA’s privacy and security standards as part of the settlement.

2.  Premera Blue Cross

  • Number of Stolen Records: 11+ million
  • Date Discovered: January 29, 2015

Premera Blue Cross revealed in early 2015 that 11 million customers’ medical information had been compromised due to a cyberattack. Hackers were able to put malware on Premera’s servers using a phishing email, giving them access to the data of its members. The hack disclosed bank account data, birthdates, claims information, and Social Security numbers, among other things. The company found that the first attack took place on May 5, 2014, after working with cybersecurity specialists and the FBI to examine the attack. To resolve suspected HIPAA violations in the security breach, Premera Blue Cross was made to pay $6.85 million and submit a remedial action plan in 2020.

1.  Anthem Blue Cross

  • Number of Stolen Records: 78.8 million
  • Date Discovered: January 29, 2015

Anthem revealed in 2015 that 78.8 million patient information was stolen in the largest healthcare data breach in history. An anonymous hacker gained access to a database holding personal information such as names, birthdates, addresses, social security numbers, email addresses, and information about jobs and income. According to the company, the hack did not expose credit card or medical information.

Anthem agreed to pay $39.5 million in 2020 to resolve a probe by a consortium of state attorneys general. The corporation also consented to pay $115 million to settle the lawsuit, making it the largest data breach settlement ever.

Interested in preventing a data breach? Contact me.

Ransomware – Should You Pay?

cybersecurity certificationsLast night I watched an episode of Chicago Med (Season 2, Episode 19). It happened to be about ransomware. Chicago Med was infected with ransomware, rendering all computer systems (doctor’s tablets, MRI machines, patient history systems, diagnostic systems, etc.) useless. The staff of Chicago Med had to resort to “manually” doing everything – filling out paper lab requests, using a whiteboard for patient status, using old school methods to diagnose patients, etc.

A debate ensued about whether Chicago Med should just pay the ransom, which was around $30k. The staff had differing opinions in the episode.

This is a debate worth discussing, as I do not see a clear answer to the question “should I pay the ransom”, other than “it depends”.

Ransomware Attack - Manual method

The reliance on medical technology makes manually processes like this prone to mistakes

I tend to look at everything from a risk perspective. Sure, it’s easy to say “our policy is we do not pay the ransom”, but at what cost? Many people have polarizing opinions on just about everything, including this topic. It’s easy to make recommendations from afar. What if your spouse was in a hospital and needed immediate emergency treatment, but treatment was delayed because of ransomware? Every second in this delay increased the risk that your spouse might die. Would you still support the policy “we do not pay the ransom”, even if it meant your spouse may die? Is $30k worth more than your spouse?

Also, the rationale for the “we do not pay the ransom” policy goes something like this – “if the hackers know we do not pay the ransom, they won’t attack us”. This is flawed logic because many cybercriminals release ransomware into the “wild”, non-directed, to spread to as many systems as possible, so they can maximize odds of success and returns.

The Chicago Med hospital administrator was adamant about not paying the ransom, but one of the doctors paid the ransom himself. After the ransom was paid, all the systems came back online and everything went back to “normal”. The doctor that paid the ransom simply stated that the risk was too great and that he had calculated the ROI and it was an easy decision.

But, wait…what if you pay the ransom and the hackers just take your money and don’t decrypt your systems? 

This is certainly a possibility, although it is almost never the case. Most cybercriminals are in the business of making money, so their business models support this objective. Cybercriminals probably analyze risk in greater depth than most IT Staff of Cybersecurity Staff.

Risk is a real issue that is almost always overlooked. Sure, screw paying the ransom if:

  • Your IT/Cybersecurity Staff has an up-to-date and rehearsed Incident Response Plan
  • Your IT/Cybersecurity Staff has current, up-to-date backups that can be restored quickly
  • Your IT/Cybersecurity Staff can source the ransomware infection and prevent it from occurring again after the backup restoration
  • Your IT/Cybersecurity Staff knows which vulnerability the ransomware exploited
  • Your IT/Cybersecurity Staff knows the extent of the infection – did the infection hit the backup systems?

In the Chicago Med episode, they had to end up diverting patients to other hospitals because of the ransomware. The Chicago Med IT Staff seemingly did not have a plan, at least a timely one, to restore the hospital systems.

I’m certainly not advocating people pay the ransom, but blindly making blanket policies without understanding risk is a huge problem, especially at places where time is of the essence, such as hospitals.

So, what can you do to help with RANSOMWARE? I recommend 3 things to start:

  1. Perform a risk assessment against your environment – identify your critical assets (data and systems). Not everything is critical. Narrowing your focus to what is critical, then prioritizing accordingly allows you to better protect these systems and restore them in a prioritized manner. Too many organizations try to equally protect everything. This is a huge mistake, as everything is half-ass protected, which doesn’t cut it. It’s better to protect your 10 critical assets 100% and leave the 90 noncritical assets at 50%. This is better than all 100 assets being protected at 60%, which is a common mistake.

  2. Once you know your critical systems, make sure those systems (and the applications installed on them) are patched routinely and that they are backed up (the system itself as well as the data on the system) as frequently as needed.

  3. Critical system backups security and testing. Make sure the backup system is secure. If the ransomware hits the backup system, the backups are no good. Also, make sure you know how to restore from backups. This seems simple, yet it is often overlooked. I’ve seen many organizations back up their data routinely and religiously and never once test the restoration procedures. During an incident, they found out that the restoration procedures did not work at all or only partially worked.

If you’re unclear on how to perform the risk assessment or need help with a cybersecurity plan, Alpine Security can help you with our CISO-as-a-Service.