Data breaches impact millions and millions, if not billions, of individuals in today’s data-driven society. The amount of circulating data has increased because of digitalization, and security breaches have risen in tandem as cybercriminals prey on people’s daily data reliance.
Healthcare data breaches have increased in both scale and regularity during the last decade, with the worst breaches affecting up to 80 million people. These breaches frequently leak incredibly sensitive data, ranging from personally identifiable information like names, addresses, and Social Security numbers to personal health information like health insurance information, patients’ past medical history, and Medicaid ID numbers. In this article, we have compiled 10 of the largest data breaches by the number of stolen records.
Top 10 Largest Data Breaches by Number of Stolen Records
10. Newkirk Products
- Number of Stolen Records: 3.47 million
- Date Discovered: July 6, 2016
Newkirk Products, a provider of healthcare ID cards, revealed a data breach in mid-2016 involving approximately 3.47 million individuals. Multiple branches of Blue Cross Blue Shield, one of the major health insurance companies in the United States by enrollment, were among those affected.
The attacker was able to get unauthorized access to information by exploiting a vulnerability in the third-party software’s administrative portal on a single isolated server. Hackers acquired access to sensitive personal information such as names, birthdates, Medicaid ID numbers, group ID numbers, and premium invoice information, and in addition to primary care provider information. There was no financial information, medical records, insurance claim data, or social security numbers on the server.
To date, Newkirk has found no evidence that such information has been misused. Those affected by the data breach were sent letters that included an explanation of the occurrence, an offer of free identity protection services for two years, and advice on other ways to safeguard themselves.
9. Banner Health
- Number of Stolen Records: 3.62 Million
- Date Discovered: late June 2016
Banner Health, a healthcare company based in Arizona, revealed in mid-2016 that 3.62 million patients’ data had been exposed due to a cyber-attack. Banner contracted a cybersecurity expert to investigate after staff saw strange activity on its private servers. The firm identified two intrusions in which hackers acquired patient information and payment system data. Names, birth dates, addresses, Social Security numbers, credit card numbers, internal verification codes, expiration dates, as well as doctors’ names, and medical records, may have been compromised.
A class-action lawsuit was launched by the victims of the data breach shortly after. The judge dismissed several of the first allegations, but the parties negotiated a provisional settlement in December 2020. According to court records, victims of data breaches will be entitled to file claims for reimbursement of expenses spent because of the violation.
The maximum amount that can be compensated per breach victim is $500 for regular expenses and $10,000 for exceptional costs, including out-of-pocket expenses and missed time due to identity theft or fraud. All breach victims will also receive two years of free credit monitoring from Banner Health, which will not duplicate what was supplied at the health system’s original breach notification.
8. Medical Informatics Engineering
- Number of Stolen Records: 3.9 million
- Date Discovered: June 10, 2015
Medical Informatics Engineering (MIE), an electronic medical records software company, reported a data breach in mid-2015 that compromised at least 3.9 million patients. Patients who were affected received notices in the mail informing them of their stolen PII, including their names, birthdates, mailing addresses, phone numbers, diagnoses, Social Security numbers, and other sensitive data.
According to news outlets, cyber hackers accessed the company’s network remotely by using credentials that were not consistently secure. According to an investigation, the organization did not do a thorough risk analysis to analyze the possible threats and hazards to the security, integrity, and accessibility of an individual’s electronic protected health information before the breach occurred. This is a HIPAA-required activity, and MIE’s violation led them to pay $100,000 as settlement.
7. Advocate Health Care
- Number of Stolen Records: 4.03 million
- Date Discovered: August 2013
Advocate Health Care confirmed three different data breaches affecting Advocate Medical Group (AMG), a doctors’ organization with over 1,000 physicians, from July to November 2013. The initial breach happened on July 15 when AMG’s administrative headquarters in Park Ridge, Illinois, was robbed of four desktop computers carrying the records of roughly 4 million patients.
The second breach occurred between June 30 and August 15, 2013, when an unauthorized third party gained unauthorized network access to AMG’s billing service provider, potentially exposing the health records of over 2,000 AMG patients. Then, the last case of stolen PHI involved the theft of a laptop holding the health records of over 2,230 patients from an AMG employee’s car on November 1, 2013.
Advocate settled a lawsuit over the breach in August 2016 for $5.55 million.
6. University of California, Los Angeles Health
- Number of Stolen Records: 4.5 million
- Date Discovered: May 5, 2015
In mid-2015, the UCLA Health System revealed that hackers gained access to patient records of approximately 4.5 million individuals. Worse yet, UCLA announced that its patient data was not secured, which brought immediate and scathing criticism from security specialists.
In 2019, UCLA Health negotiated a settlement with the 4.5 million present and past patients affected by the patient data leak in a class-action lawsuit. UCLA Health consented to several resolutions as part of the agreement. All class action participants are eligible to sign up for free two-year identity protection services. The health organization also committed to compensating patients for costs paid in attempting to safeguard themselves from identity theft and expenses incurred because of identity theft or fraud. UCLA Health has also committed to revising its cybersecurity policies and practices.
- Number of Stolen Records: 4.9 million
- Date Discovered: September 2011
Science Applications International Corporation (SAIC) reported a data breach in late 2011 that affected about 4.9 million military clinic and hospital patients participating in TRICARE, the military healthcare provider for the federal government. This transpired when records were taken from a SAIC staff’s car.
According to TRICARE authorities, the tapes contain phone numbers, addresses, Social Security numbers, and other sensitive information, including prescriptions, laboratory tests, and clinical notes. They also stated that the records did not contain any financial information, such as bank accounts or credit card numbers.
A federal district judge dismissed most of the combined class action lawsuits brought against TRICARE in 2014.
4. Community Health Systems
- Number of Stolen Records: 6.1 million
- Date Discovered: June 2014
Community Health Systems (CHS), which manages 200+ hospitals across the United States, disclosed a serious healthcare breach affecting 6.1 million patients in mid-2014. Attackers took advantage of a software flaw to gain access to personal information such as phone numbers, physical addresses, birthdates, and Social Security numbers. The breach impacted anybody who has received care from an affiliate hospital in the last five years and anybody who had been recommended to CHS by a physician outside of CHS during that time.
CHS enlisted the help of cybersecurity professionals to investigate the breach. They discovered that the hackers were from China and that the attacks took place between April and June of 2014. The cybercriminals utilized high-end, complex malware to carry out their operations.
Federal authorities and cybersecurity consultants informed the hospital network that the attackers had previously committed industrial espionage and stole valuable medical device information. Instead, the intruders stole patient information this time. They were unable to obtain information about patients’ past medical history, clinical procedures, or credit card details.
The breach cost CHS and its partners $10.4 million in compensation.
3. Excellus Bluecross Blueshield
- Number of Stolen Records: 10+ million
- Date Discovered: September 2015
Excellus uncovered a cyber-attack in August 2015 that exposed the personal information of around 10 million members. Following a wave of cyber-attacks in early 2015 that targeted healthcare data, Excellus had its own systems forensically reviewed. What they found ended up being the world’s third-largest healthcare data breach.
Names, phone numbers, mailing addresses, birth dates, Social Security numbers, and various account information, such as claims and payment details, were all exposed in the breach, which dated back to December 2013.
Excellus will pay a $5.1 million fine for violating HIPAA’s privacy and security standards as part of the settlement.
2. Premera Blue Cross
- Number of Stolen Records: 11+ million
- Date Discovered: January 29, 2015
Premera Blue Cross revealed in early 2015 that 11 million customers’ medical information had been compromised due to a cyberattack. Hackers were able to put malware on Premera’s servers using a phishing email, giving them access to the data of its members. The hack disclosed bank account data, birthdates, claims information, and Social Security numbers, among other things. The company found that the first attack took place on May 5, 2014, after working with cybersecurity specialists and the FBI to examine the attack. To resolve suspected HIPAA violations in the security breach, Premera Blue Cross was made to pay $6.85 million and submit a remedial action plan in 2020.
1. Anthem Blue Cross
- Number of Stolen Records: 78.8 million
- Date Discovered: January 29, 2015
Anthem revealed in 2015 that 78.8 million patient information was stolen in the largest healthcare data breach in history. An anonymous hacker gained access to a database holding personal information such as names, birthdates, addresses, social security numbers, email addresses, and information about jobs and income. According to the company, the hack did not expose credit card or medical information.
Anthem agreed to pay $39.5 million in 2020 to resolve a probe by a consortium of state attorneys general. The corporation also consented to pay $115 million to settle the lawsuit, making it the largest data breach settlement ever.
Interested in preventing a data breach? Contact me.