There have been a slew of healthcare organizations that have experienced data breaches over the past decade. Some of those are mundane: misprinted and mismailed information or a phone call to the incorrect recipient. However, as healthcare organizations become increasingly sophisticated and use more technology more often to support operations, errors or attacks against that infrastructure have a greater impact.
Fortunately for security researchers, the Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) Office for Civil Rights (OCR) monitors for breaches and investigates data breaches reported involving more than 500 records. You can find the list of 6052 breaches here. It’s great to have such a robust information resource on healthcare sector data breaches.
This article will provide a survey and summary of the top 10 worst healthcare data breaches. I picked breaches by volume of records breached since that was a uniform and easily-measurable data point. I think that also accounts for the egregiousness of circumstances surrounding the data breach, though that’s certainly more of a subjective measure.
One theme that appears in almost every one of these breaches: an underestimation of cyber threats, inability to identify security vulnerabilities, and persistent access to computer systems allowing data theft. Also: attacks on third-party vendors in the healthcare sector led to significant data breaches.
- Key Takeaways
- #1: Anthem Health Plan
- #2: Quest Diagnostics/Optum360 and LabCorp
- #3: Premera Blue Cross
- #4: Excellus Health Plan, Inc.
- #5: Community Health Systems Professional Services Corporations
- #6: Science Applications International Corporation
- #7: University of California, Los Angeles Health
- #8: 20/20 Eye Care Network, Inc.
- #9: OneTouchPoint, Inc.
- #10: Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group
- The Worst Healthcare Data Breaches of 2022
- How Many Data Breaches Per Year in Healthcare?
- What's the Most Common Cause of Healthcare Data Breaches?
- What Happens to Stolen Healthcare Data?
- How do You Handle a Data Breach in Healthcare?
- How to Prevent Data Breaches in Healthcare
Looking at healthcare breach data up to 2022, the most standout points are:
- Two of the worst healthcare data breaches of all time happened in this most recent year, 2022.
- The worst healthcare data breach of all time, Anthem Health Plan’s breach of 2014 has dwarfed all others since by records compromised, at a staggering 78,800,000 records.
- The worst healthcare data breach of 2022 was OneTouchPoint, Inc., where 4,112,892 records were compromised. Being so recent, the total damage from this breach in dollar terms is yet unknown.
Here’s the full breakdown of each breach, what happened, and what we can learn.
#1: Anthem Health Plan
The Anthem, Inc. attack occurred between December 2, 2014 and January 27, 2015. It was and still is the most prolific healthcare data breach reported in the United States. Anthem is a large U.S.-based health insurance provider.
The Anthem attack occurred due to a phishing email, according to CMS OCR. From there cyber criminals were able to gain a foothold in their computer network and steal almost 79 million records, including all patient records and health insurance information. Those patient records included patient names, medical record numbers, dates of birth, addresses, social security numbers, and other protected health information (PHI) elements.
CMS OCR also highlighted that this attack was able to occur because of a lax credential management policy and a lack of a risk management program. CMS OCR also noted forensic evidence of unnoticed attacks on Anthem systems as early as February, 2014. It highlighted the unique threats to the healthcare sector and how problematic it was Anthem couldn’t detect the attack.
As a result of the attacks and subsequent data breach, Anthem was fined $16 million by CMS OCR. It also paid $39 million to States’ Attorneys General across the U.S. Anthem also reached a $115 million settlement in a class action suit for the data breach. That’s a whopping $1.46 per affected person, if ignoring attorneys’ fees, for having their entire identity stolen due to reportedly egregiously lacking controls.
Damage: $170 million to Anthem, recorded. Unknown damages to people whose identities were stolen.
Resolution: The Anthem incident was resolved with the then-largest HIPAA fine ever issued by the Department of Health and Human Services Centers for Medicare and Medicaid Services Office for Civil Rights. As highlighted above, Anthem was also involved in a class-action lawsuit and settled on a per-person basis for an insultingly paltry amount.
#2: Quest Diagnostics/Optum360 and LabCorp
I’m combining two in one here because they both used a Business Associate, American Medical Collection Agency (AMCA), to conduct lab tests and data aggregation on their behalf. AMCA was the victim of a cyberattack and lost tens of millions of records. Still fewer in aggregate than Anthem, but it was the largest data breach of 2019.
AMCA was infiltrated by persistent cyber criminals between August 1, 2018 and March 30, 2019. The attacker was able to exfiltrate medical treatment information involved in testing as well as payment card information. In part, this was determined to have occurred because of the lack of a cybersecurity program; creating one was a condition of AMCA’s settlement agreement with 41 States’ Attorneys General.
In all, 24,430,601 identified records were exfiltrated, of which 19,600,000 belonged to Optum360 and LabCorp.
Both Optum360 and LabCorp terminated their affiliations with AMCA. AMCA was fined $21 million and was required to provide two years of credit monitoring to all impacted individuals. As a result, AMCA filed for bankruptcy in 2020.
This data breach really highlights the risks posed by insecure third-party vendors who don’t take their role as business associates or the risk of data compromise seriously.
Damage: $21 million
Resolution: AMCA was fined and settled with 41 States’ Attorneys General due to an ongoing bankruptcy resulting from data breach remediation efforts.
#3: Premera Blue Cross
Premera Blue Cross is one of the largest health plans in the Pacific Northwest. They were attacked by a phishing email in the Spring of 2014 and discovered the data breach in January 2015.
As with the prior two attacks, a persistent threat actor gained access to Premera Blue Cross’ network, circumvented its network security measures, and absconded with 11 million electronic health records. Also similar to the prior aforementioned attacks, CMS OCR’s investigation determined a lack of appropriate risk management allowed threat actors to gain unauthorized access to patient information and claims information.
Premera Blue Cross paid a CMS fine of $6.85 million. It was also sued and settled class action litigation for $146 million. Finally, it paid a fine of $10.4 million to 30 States’ Attorneys General as a result of the data breach.
Damage: $163.25 million in fines and lawsuit settlement.
Resolution: Premera Blue Cross was fined and settled a class action suit. If they abided by their settlement agreement–and there’s no reason to suspect they didn’t–they invested roughly $42 million into their security protocols and infrastructure.
#4: Excellus Health Plan, Inc.
Excellus Health Plan, Inc. is a New York health insurance provider that provided coverage to around 1.5 million people at the time of the data breach. Excellus was infiltrated by threat actors on December 23, 2013. An investigation determined that the attack concluded on May 11, 2015, a full year and a half after it began.
The Excellus Health Plan data breach involved the unauthorized disclosure and exfiltration of medical information, patient information, and health insurance information.
The Health and Human Services Office of Civil Rights levied a $5.1 million fine on Excellus Health Plan. They cited the unique threats to the healthcare industry and the impropriety of failing to address those.
Excellus Health Plan also settled a class action suit for $4.35 million, which didn’t foreclose the potential for private suits for damages, which is atypical. Perhaps that reflects the egregiousness of lacking sufficient controls to identify a threat actor’s presence for over a year.
Damage: Largely financial at a current tally of $9.45 million in fines and settlements.
Resolution: Excellus Health Plan was fined by the HHS Office of Civil Rights and settled a lawsuit for damages.
#5: Community Health Systems Professional Services Corporations
Community Health Systems Professional Services Corporations (CHSPSC) is the professional services arm of a health system in Tennessee that, at the time of the attack, operated 206 hospitals. A threat actor used malware to infiltrate CHSPSC’s systems between April 2014 and June 2014.
Attackers exfiltrated names, social security numbers, addresses, and other PHI. They did not exfiltrate medical data, patient IDs, or other electronic medical records.
CMS OCR found egregious security control failures that allowed an unauthorized party to access CHSPSC systems. In this case, CHSPSC was also apparently notified by the FBI of an attack and failed to address it. For that conduct, CMS OCR fined CHSPSC $2.3 million.
CHSPSC also settled a class action suit for $3.1 million in February 2019 and an action brought by 28 States’ Attorneys General for $5 million.
Damage: $10.4 million in damages and fines.
Resolution: Community Health Systems Professional Services Corporations was fined and sued. It settled its fines and class action suits. While the size of the health system has declined by over half since the data breach, that’s unlikely associated with the data breach.
#6: Science Applications International Corporation
Science Applications International Corporation, or SAIC, was one of Tricare’s Business Associates at the time of the data breach and provided data management services for military veterans insured through Tricare. At the time this data breach was disclosed in 2011, it was the largest data breach to date.
The SAIC data breach involved the compromise of physical security: the theft of backup tapes from a car used to transport the tapes between facilities. Had the tapes been encrypted, the information on them would have been inaccessible and no breach report would have been required, but encryption wasn’t in place.
There’s no indication of an HHS OCR fine. A class action suit was also filed against SAIC but was largely dismissed. Even though the data was lost, there was no proven misuse of that data. The data breach certainly didn’t slow SAIC’s government contracting and two weeks after disclosing the data breach it won a $15 million contract to provide IT support for HHS programs.
Resolution: This was resolved with a dismissal of impacted individuals’ lawsuits and a contract award from HHS.
#7: University of California, Los Angeles Health
University of California, Los Angeles (UCLA) Health is a health system which, at the time, consisted of four hospitals: The Ronald Reagan UCLA Medical Center, UCLA Medical Center, Santa Monica, Mattel Children’s Hospital & Resnick Neuropsychiatric Hospital.
Threat actors infiltrated a UCLA Health network server and absconded with a database containing patient information and medical information, but no financial information.
UCLA Health reached a settlement with impacted patients for $7.5 million, of which $2 million went to impacted patients. It does not appear CMS OCR issued a fine for the data breach.
Damage: $7.5 million, of which $2 million went to impacted patients and $5.5 million was invested into UCLA Health’s cybersecurity program.
Resolution: The UCLA Health data breach was resolved via a settlement for a class action suit.
#8: 20/20 Eye Care Network, Inc.
20/20 Eye Care Network, Inc. is an optometry health system whose Amazon Web Services (AWS) account was compromised. Consequently, over 4 million records were stolen.
Notably, this was reported as a data breach with a business associate, but it’s unclear why that is.
20/20 Eye Care Network was named in a class action lawsuit, which was settled for $3 million.
Damage: $3 million.
Resolution: The 20/20 Eye Care Network data breach was resolved via a settled class action lawsuit.
#9: OneTouchPoint, Inc.
OneTouchPoint, Inc. was a printing vendor and business associate for numerous healthcare systems and healthcare providers. It was impacted by ransomware on April 27, 2022, during which data was exfiltrated and its files encrypted.
The exfiltrated information included medical record information, patient data (including name, dates of birth, social security numbers, and other information), and employee data.
OneTouchPoint is currently facing a class action lawsuit. The results of that are pending.
Resolution: A class action lawsuit is presently ongoing.
#10: Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group
Advocate Medical Group rounds out the list of the ten worst data breaches of all time. At the time of the breach, they were a community health network in Chicago. They also had the largest CMS OCR fines of all time–$5.55 million–when they were fined for three separate breaches reported in 2013.
CMS OCR noted a pattern of failing to protect patient data (such as ePHI) by implementing HIPAA Security Rule controls. In one instance, three computers were stolen from a location, all of which were unencrypted. Those computers contained patient data, including name, dates of birth, diagnoses, and other sensitive private information.
Damage: $5.55 million in fines.
Resolution: This was resolved via a fine by CMS OCR.
The Worst Healthcare Data Breaches of 2022
2022 was a banner year for healthcare cyberattacks with all-time highs for the volume of organizations impacted and the average cost of data breaches. Let’s cover the top 3 worst healthcare data breaches of 2022.
#1 Worst Healthcare Breach of 2022: OneTouchPoint, Inc.
OneTouchPoint isn’t only the worst healthcare data breach of 2022, it’s the ninth most prolific of all time.
The compromise of access credentials highlights the need for robust threat management. Things like multi-factor authentication, behavioral monitoring, log aggregation and alerting, and solid network security can go a long way toward mitigating data breaches. In my opinion, that’s a bare minimum nowadays to ensure an unauthorized party doesn’t access patient data inappropriately.
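To make the “log aggregation and alerting” recommendation concrete, here is an added example (not code from the original article or from any vendor) that runs three simple credential-compromise detections over constructed authentication log lines: a burst of failures followed by a success, a success from a source address never before seen for that user, and a success that completed without MFA. The log format, the field names, the threshold and the window are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any vendor's real format):
# <ISO-8601 UTC timestamp> auth user=<name> src=<ip> result=<success|failure> mfa=<yes|no>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample log: jdoe is brute-forced and then logs in without MFA from
# an unknown address; asmith is a clean login; bwong logs in from a known
# address but without MFA. The last line is malformed on purpose.
SAMPLE_LOG = """\
2022-06-01T02:10:01Z auth user=jdoe src=198.51.100.7 result=failure mfa=no
2022-06-01T02:10:09Z auth user=jdoe src=198.51.100.7 result=failure mfa=no
2022-06-01T02:10:20Z auth user=jdoe src=198.51.100.7 result=failure mfa=no
2022-06-01T02:10:33Z auth user=jdoe src=198.51.100.7 result=failure mfa=no
2022-06-01T02:10:47Z auth user=jdoe src=198.51.100.7 result=failure mfa=no
2022-06-01T02:11:02Z auth user=jdoe src=198.51.100.7 result=success mfa=no
2022-06-01T02:15:30Z auth user=asmith src=203.0.113.5 result=success mfa=yes
2022-06-01T02:20:00Z auth user=bwong src=192.0.2.44 result=success mfa=no
this line is malformed and must be skipped, not crash the pipeline
"""

# Assumed baseline of addresses each user normally authenticates from
# (in practice this would be learned from historical logs).
KNOWN_SOURCES = {
    "jdoe": {"192.0.2.10"},
    "asmith": {"203.0.113.5"},
    "bwong": {"192.0.2.44"},
}

FAIL_THRESHOLD = 5            # failures before a success that we treat as suspicious
WINDOW = timedelta(minutes=10)  # how far back failures count toward the threshold


def parse_log(text):
    """Parse raw log text into event dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events, known_sources):
    """Return a list of (rule, user, detail) alerts for the given events."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures not yet followed by a success
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts, src = e["user"], e["ts"], e["src"]
        if e["result"] == "failure":
            recent_failures[user].append(ts)
            continue
        # A success: evaluate the failures that preceded it within the window.
        fails_in_window = [t for t in recent_failures[user] if ts - t <= WINDOW]
        recent_failures[user] = []
        if len(fails_in_window) >= FAIL_THRESHOLD:
            alerts.append(("brute_force_then_success", user,
                           f"{len(fails_in_window)} failures within {WINDOW} before success from {src}"))
        if src not in known_sources.get(user, set()):
            alerts.append(("new_source_for_user", user, src))
        if e["mfa"] == "no":
            alerts.append(("success_without_mfa", user, src))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG), KNOWN_SOURCES):
        print(f"ALERT {rule}: user={user} {detail}")
```

On the sample above the detector raises three alerts for jdoe and one for bwong, and nothing for asmith. The point is not these particular rules but that each of them depends on having the authentication logs from every system aggregated in one place with a per-user baseline; an attacker who lands a phished credential, as in several of the breaches above, should trip at least one of them on the first use.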
It also highlights how significant the impact is to the healthcare sector of third-party vendors failing to adequately secure patient information.
Resolution: A class action lawsuit is presently ongoing.
#2 Worst Healthcare Breach of 2022: Advocate Aurora Health
Advocate Medical Group, which was highlighted as the tenth most prolific healthcare data breach of all time, later became Advocate Aurora Health. Now significantly expanded from its community health network roots, Advocate Aurora Health has been in the news recently for a class action suit related to the deployment of Meta Pixel tracking tools on its public website and patient portals.
Resolution: A class action lawsuit is presently ongoing.
#3 Worst Healthcare Breach of 2022: Connexin Software, Inc.
Connexin Software provides practice management, electronic medical records, and billing management software for pediatric practices nationally. The threat actor that hacked Connexin Software was also able to retrieve data from offline backups.
While no pediatric practice was directly impacted, millions of minors’ patient data and insurance information were stolen. That included demographic information, social security numbers, and treatment information.
Resolution: Attorneys are currently investigating for the purpose of filing a class action suit.
How Many Data Breaches Per Year in Healthcare?
Since 2009 there’s been a steady increase in healthcare data breaches involving more than 500 records per year. 2021 had more data breaches than any other year with 715 reported data breaches. 2022 saw 707 reported data breaches.
What’s the Most Common Cause of Healthcare Data Breaches?
As can be seen from the CMS OCR healthcare data breach information, 52.6% of all 6051 recorded breaches involving more than 500 records, or 3180 data breaches, resulted from a cybersecurity breach. So more data breaches resulted from cybersecurity events than any other source–and all other sources combined.
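The breach counts per year and the share of breaches caused by hacking quoted in this and the previous section can be reproduced from the CSV export of the OCR breach portal. The following is an added example (not code from the original article or from HHS) that loads such an export, ranks breaches by records affected as this article does, and tallies breaches by type and by submission year. The column names follow the portal’s export as I know it but are an assumption to check against the header row of your own download; the rows are constructed, with only the Anthem and OneTouchPoint record counts taken from the article.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumed column names of the OCR breach portal CSV export; verify against
# the header row of a real download.
COL_ENTITY = "Name of Covered Entity"
COL_AFFECTED = "Individuals Affected"
COL_DATE = "Breach Submission Date"
COL_TYPE = "Type of Breach"

# Constructed sample export. Entity names, dates and most counts are made up;
# 78,800,000 and 4,112,892 are the Anthem and OneTouchPoint figures from the article.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Health Plan A,IN,Health Plan,78800000,03/13/2015,Hacking/IT Incident,Network Server
Example Health System B,TN,Healthcare Provider,4500000,08/20/2014,Hacking/IT Incident,Network Server
"Example Print Vendor, Inc.",WI,Business Associate,4112892,07/27/2022,Hacking/IT Incident,Network Server
Example Eye Care Network,FL,Business Associate,3253822,05/28/2021,Hacking/IT Incident,Other
Example Medical Group,IL,Healthcare Provider,4029530,08/23/2013,Theft,Desktop Computer
Example Clinic,CA,Healthcare Provider,1200,11/02/2022,Unauthorized Access/Disclosure,Paper/Films
Example Dental,TX,Healthcare Provider,,01/15/2021,Loss,Laptop
"""


def load_breaches(csv_text):
    """Parse the export into dicts, normalising the count and adding a year field."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        affected = row[COL_AFFECTED].strip().replace(",", "")
        row[COL_AFFECTED] = int(affected) if affected else 0  # blank means not reported
        row["year"] = datetime.strptime(row[COL_DATE].strip(), "%m/%d/%Y").year
        rows.append(row)
    return rows


def top_by_records(rows, n=10):
    """The article's ranking: largest breaches by individuals affected."""
    ranked = sorted(rows, key=lambda r: r[COL_AFFECTED], reverse=True)
    return [(r[COL_ENTITY], r[COL_AFFECTED]) for r in ranked[:n]]


def share_by_type(rows):
    """Count and percentage of breaches per 'Type of Breach', most common first."""
    counts = Counter(r[COL_TYPE] for r in rows)
    total = sum(counts.values())
    return {t: (c, round(100.0 * c / total, 1)) for t, c in counts.most_common()}


def breaches_per_year(rows):
    """Number of reported breaches per submission year."""
    return dict(sorted(Counter(r["year"] for r in rows).items()))


if __name__ == "__main__":
    rows = load_breaches(SAMPLE_CSV)
    for name, affected in top_by_records(rows, 3):
        print(f"{affected:>12,}  {name}")
    for breach_type, (count, pct) in share_by_type(rows).items():
        print(f"{pct:5.1f}%  {count:4d}  {breach_type}")
    print(breaches_per_year(rows))
```

Run against the full portal export instead of `SAMPLE_CSV`, `share_by_type` yields the 52.6% hacking figure quoted above and `breaches_per_year` the 715 and 707 counts for 2021 and 2022; keep in mind the portal’s count for any entity reflects only what was reported with that submission, which is why the article combines related reports by hand.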
A “cybersecurity” event typically includes some kind of “hack” where a threat actor gains access to an information system, finds data, and absconds with it. Threat actors typically gain access to systems via a phishing email or malware deployment.
More recently, attacks are capped off with ransomware: deployment of malware that informs the end-users that their data has been stolen and they can avoid the exposure with payment. Typically, that also includes encrypting the organization’s copy of the data so that they must pay to recover it.
Other breaches covered above resulted not from network intrusion but from the theft of physical devices. Where the information on those devices is stored unencrypted and the thief can gain access to it, those thefts can result in significant damages.
What Happens to Stolen Healthcare Data?
Stolen healthcare data is sold. It’s worth up to $250 per record on the dark web. A complete medical record has all of a person’s personal identifying information. That information can be used to sign up for services, lines of credit, and other truly destructive things. Incomplete medical records can be aggregated with other stolen information to create that complete individual identity profile.
How do You Handle a Data Breach in Healthcare?
NIST SP 800-61r2: Computer Security Incident Handling Guide provides the best outline for how to handle a data breach in healthcare or otherwise. It outlines an iterative process to drive improvement within an organization and make it more responsive to cyber threats.
Key to incident handling is 1) developing processes and 2) drilling on them. In 2022, it seems like most organizations have either been hacked or will be soon. It really is a matter of when and not if. So being able to mitigate the impacts of an incident as robustly as possible is the best thing healthcare organizations can do to mitigate data breaches.
How to Prevent Data Breaches in Healthcare
There are many ways healthcare organizations can prevent data breaches:
- Have an incident management plan and drill on it
- Harden credential management and access controls
- Implement robust network security measures, including removing vulnerable devices from a production network
- Log every event, aggregate those logs, and alert intelligently on them
- Validate security controls with penetration testing (more important in healthcare than ever)
- Develop and implement a Third Party Risk Management (TPRM) program
- Invest in a cyber risk management department