Once again in 2022, the theft of Americans’ data through cyberattacks continued unabated. The moments when the largest number of citizens are at risk come after corporate data breaches. These incidents, which expose thousands, and in some cases millions, of people’s personal data to criminals, cannot be studied in enough detail.
Are data breaches more prevalent in some states than others? Are residents of those states at greater risk of having their personal data stolen in an attack? Which states are investing the most to reduce the incidence of cyberattacks against their corporations?
These are some of the questions we set out to answer with this data study.
In the report below, we break down the 10 states in the U.S. that suffer the most data breaches, both historically and in 2022. We look at high-profile breaches that comprise the data for each state. We compare the number of data breaches to each state’s number of registered businesses, to obtain a value for “breaches per entity”, and more. We also compare breach data to each state government’s investment in cybersecurity initiatives.
The theme you’ll see throughout is that federal and state governments and companies need to do better to protect people’s digital privacy. Current digital privacy laws and safeguards are woefully inadequate to protect sensitive data.
We begin with a discussion of the methodology.
Methodology
Accurate reporting on data breaches is notoriously hard to come by. U.S. states and companies are largely not transparent about data breach information. Some states don’t even require reporting until more than 10,000 people are impacted.
To compare U.S. states we had to create our own formulation based on the following sources of data:
- PrivacyRights.org maintains a list of data breaches sourced from the State Attorneys General as well as HHS. This list offers state-level reporting. It contains 9,016 data breaches across all industries, from 2005 to 2020. Unfortunately, this data omits 1,108 data breaches tracked during 2020, 1,862 data breaches tracked in 2021, and 1,802 data breaches tracked in 2022, more on which below.
- The Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) Office of Civil Rights’ (OCR) have tracked 6,052 data breaches of healthcare organizations alone (one of the most breached industries) spanning the last decade. This data does include breaches from 2022.
- The IDTheftCenter, which tracked 1,108 data breaches in 2020, 1,862 data breaches in 2021, and 1,802 data breaches in 2022. Unfortunately, there is not yet state-level reporting for this data, except for:
- The top 10 worst breaches of 2022 reported by the IDTheftCenter, which does provide the states of the breached organizations.
While gaps in the data make accurate reporting a challenge, we were able to create meaningful comparisons between states by cross-referencing these sources and adding two additional data points.
It shouldn’t be surprising that, to a large extent, there are more data breaches in states where there are more companies. More targets = more attacks.
So to provide context, we used data from Statista.com to look at the number of registered healthcare entities per state and compared it to the number of healthcare breaches per state in 2022. This led to interesting findings such as:
The state of New York, despite having far fewer data breaches than California, had more than double the number of healthcare data breaches per 1000 registered healthcare entities.
Finally, we considered how the number of data breaches in a state might be affected by that state government’s investment in cybersecurity. The quoted figures have been sourced from publicly available reporting and linked in the article below.
The so-called worst states on our list were those that had the most prolific volume of breaches across these sources and with consideration to the density of registered business entities.
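The normalization described above, as an added example that is not part of the original study: a small Python script that ranks states both by raw breach count and by breaches per 1,000 registered healthcare entities, so the effect of business density on the ordering is visible. The `STATES` table is constructed from the 2022 CMS OCR healthcare breach counts and 2020 Census healthcare-entity counts quoted later in this article for a subset of states; the table itself and the function names (`breaches_per_thousand`, `rank`, `rank_shift`) are this example’s own, not the authors’.

```python
"""Rank states by raw breach count and by breaches per 1,000 registered
healthcare entities, to show how normalization changes the ordering."""

# Constructed from figures quoted in the article:
# (2022 CMS OCR healthcare breaches, health & human services entities per the
# 2020 US Census). Only a subset of states is included; the table is this
# example's own, not the study's dataset.
STATES = {
    "California":   (52, 119_630),
    "New York":     (68, 58_767),
    "Texas":        (53, 73_036),
    "Maryland":     (16, 17_448),
    "North Dakota": (1, 2_157),
    "South Dakota": (3, 2_587),
    "Wyoming":      (1, 2_033),
}


def breaches_per_thousand(breaches: int, entities: int) -> float:
    """Breaches per 1,000 registered entities (unrounded).

    Raises ValueError when the denominator is missing or zero so an 'N/A'
    entity count is never silently reported as zero risk."""
    if entities <= 0:
        raise ValueError("entity count must be positive")
    return breaches / entities * 1000


def rank(states: dict, by: str = "raw") -> list:
    """Return state names ordered worst-first.

    by="raw"  sorts on the absolute breach count,
    by="rate" sorts on breaches per 1,000 entities."""
    if by == "raw":
        key = lambda item: item[1][0]
    elif by == "rate":
        key = lambda item: breaches_per_thousand(*item[1])
    else:
        raise ValueError(f"unknown ranking key: {by}")
    # sorted() is stable, so states with equal counts keep their table order.
    return [name for name, _ in sorted(states.items(), key=key, reverse=True)]


def rank_shift(states: dict) -> dict:
    """Positions each state moves between the raw and normalized rankings;
    a positive value means the state looks worse once density is accounted for."""
    raw = rank(states, "raw")
    rate = rank(states, "rate")
    return {name: raw.index(name) - rate.index(name) for name in states}


if __name__ == "__main__":
    for name, (b, e) in STATES.items():
        print(f"{name:13} {b:3d} breaches  "
              f"{breaches_per_thousand(b, e):5.2f} per 1,000 entities")
    print("raw  :", rank(STATES, "raw"))
    print("rate :", rank(STATES, "rate"))
    print("shift:", rank_shift(STATES))
```

On this subset California tops the raw count among the three large states but drops to the bottom once normalized, while South Dakota, with three breaches, rises to the top of the per-entity ranking; this is the density effect the methodology section describes.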
Let’s dive in.
Key Findings
The most revealing insights from this study were:
- 3 of the worst 10 data breaches of 2022 were against companies in California. 2 of those 3 data breaches were against the same company: Twitter.
- Despite being the nation’s worst state for data breaches, the state government of California spends less on cybersecurity than New York, Texas, Florida, and even Maryland.
- In 2022, Florida had more than 4 times the number of healthcare data breaches per 1000 registered healthcare entities than any other state in the country. It recorded 4.73 breaches per 1000 healthcare entities, compared to New York’s 1.15.
- Texas was the 3rd worst state in the country for data breaches despite having the highest state government budget for cybersecurity endeavors, at $800 million.
- Despite having a population of just 6 million people, the state of Maryland ranked the 5th worst state for data breaches, having more incidents than Illinois, Pennsylvania, Ohio and Massachusetts.
- Maryland, at $200 million, is investing more in cybersecurity efforts, relative to the number of their data breaches, than any other state.
- Despite being the best state in the country for data breaches, North Dakota saw the same number of breaches per 1000 registered healthcare entities as the worst state, California.
#1 Worst State for Data Breaches: California
California was at the top of the US states on both the CMS OCR breach list for 2022 and PrivacyRights.org’s list for 2019. California experienced 1,338 breaches recorded by PrivacyRights.org. That accounts for 14% of recorded breaches and is more than double the next highest number on this list. Only nine of those happened in 2019, however.
CMS OCR records 513 healthcare breaches, with 52 reported in 2022. According to the California Attorney General’s website, there were 269 recorded breaches in 2022.
For comparison, the 2020 US Census identified 979,803 total California businesses, with 119,630 in healthcare and human services.
Additionally, per the Identity Theft Resource Center, California was home to three of the top-ten worst compromises of 2022: Twitter, Neopets, and CashApp Investing, LLC.
Given the high volume of at-risk businesses, I’d expect significant governmental investment in cybersecurity programs, but California only spends $38.8 million on cybersecurity. Compared to other states on the list, that’s a small number.
States tend to take one of two directions with cybersecurity: 1) manage state cybersecurity only or 2) manage state cybersecurity but also invest in cybersecurity programs that help businesses and residents. I can only speculate that California’s approach is the former and not the latter.
Two High-Profile California Data Breaches in 2022
Neopets
JumpStart Games, Inc., headquartered in California, suffered the largest data breach in California in 2022. On July 21, 2022, Neopets, an online game owned by JumpStart Games, was reported to have been hacked, as was the case for most data breaches on this list. The attack resulted in leaked game source code and the theft of 69 million people’s email accounts and passwords.
Twitter
Starting in July 2022, over 400 million Twitter users’ account information was publicly disclosed on numerous forums used to trade personal information. This information can be used to dox, or reveal, the true identities of users who post under a pseudonym. It can also be aggregated with other information to gain improper access to accounts.
Interestingly, California security and privacy laws ostensibly require companies to report when an email and password combination is exfiltrated. Similar to HIPAA, public notice must be provided when the number of records impacted exceeds 500 people. The record of the Neopets report can be found here. There is no report available on the California Attorney General’s site for Twitter’s breach.
#2 Worst State for Data Breaches: New York
New York has the second most recorded data breaches, with 618 records in the PrivacyRights.org database, none of which were recorded in 2019. In aggregate, that’s less than half the number of California, but still a large number of reported breaches.
For comparison, the 2020 US Census identified 536,326 total New York businesses, a little more than half of California’s business count, with 58,767 being in health and human services. CMS OCR lists 329 New York healthcare breaches as of 2022, with 68 of those reported in 2022.
Unlike California, New York doesn’t seem to have a public record of its required breach reporting. That lack of transparency and easy access to information hinders security research and remediation efforts, forcing researchers to either find other less accurate sources or go through the arduous process of requesting records from the government that may not be disclosed.
It also harms state residents. If there aren’t transparent records of security incidents or data breaches supported by state laws, then there’s no straightforward way for individuals to be certain they haven’t been impacted by a breach. Most data breach statutes contemplate mailed notice, which is insufficient given the transience of modern society and the digitization of most communication modalities.
New York is paying special attention to financial information, however, and currently has proposed data security regulations that would require companies to achieve a high-security baseline with a formal data security program. That bolsters other significant data privacy protection laws.
New York is also investing substantially in cybersecurity and will raise its cybersecurity budget to $61.9 million this year. That includes services to help critical infrastructure.
Two High-Profile New York Data Breaches in 2022
NY Department of Education
One of the most prolific incidents in New York in 2022 was a breach of almost 900,000 students’ information as a result of an attack on the student records management company Illuminate Education. The breach resulted in the exfiltration of students’ private information, including names, gender, ethnicity, special education status, and other information.
Practice Resources, LLC
Another significant incident in New York in 2022 was a ransomware attack on Practice Resources, LLC which resulted in the compromise of 924,138 patient records. That included social security numbers, names, dates of birth, treatment information, and other PHI elements.
#3 Worst State for Data Breaches: Texas
Third on PrivacyRights.org’s list is Texas, which suffered a recorded 581 breaches, five of those occurring in 2019. Texas is home to a high volume of financial, software, and professional services companies spread across many large cities. Per the 2020 US Census, Texas boasts 617,208 businesses, with 73,036 in health and human services. CMS OCR lists a total of 426 HIPAA breaches, with 53 reported in 2022.
Per the Identity Theft Resource Center, Texas was home to one of the top-ten worst compromises of 2022: a hack of AT&T Data.
Texas is also one of a new cohort of US states that seem to be taking cybersecurity very seriously. It has arguably done the most of any US state to bolster and support cybersecurity efforts at the state level.
As of December 2022, Texas has TX-RAMP, a data security certification program geared toward cloud services. TX-RAMP is a lot like FedRAMP, but with more state branding. It’s not superfluous, however. Companies operating in Texas that fall under the defined TX-RAMP requirements are mandated to comply with those requirements. FedRAMP is optional.
Per a 2021 report, Texas spent a staggering $800 million on cybersecurity. Texas has numerous public-private information-sharing and partnership organizations.
Texas also has an excellent breach reporting system, as of 2021. Unlike California’s breached company list, which just lists the name of the company and dates impacted, the Texas breach reporting system records additional information, like the type of information impacted and the number of Texans affected.
That amount of record-level detail is fantastic for security researchers who want to measure breach and cyber attack trends. It lists 355 breaches impacting Texas residents in 2022.
Two High-Profile Texas Data Breaches in 2022
Texas Department of Insurance
The worst 2022 data breach in Texas occurred on January 4, 2022, when the Texas Department of Insurance identified and halted a cyberattack. With 1.8 million records compromised, it’s not only the highest number of records impacted in 2022, but the highest number of records impacted since Texas formally began recording data breaches. It’s also one of the largest data breaches on this list.
According to the notice, significant amounts of sensitive personal data were stolen, including names, social security numbers, phone numbers, insurance claim details, and other forms of identifying information. It was an unfortunately large compromise of digital privacy.
Baptist Medical Center
San Antonio-based Baptist Medical Center breached 1,201,648 records when it succumbed to a Business Email Compromise (BEC) attack and misdirected information to a threat actor. Also caught up in that attack were Resolute Health Hospital (52,887 records), Valley Baptist Medical Center (17,160 records), and The Hospitals of Providence – Memorial Campus (461 records).
#4 Worst State for Data Breaches: Florida
Next up is Florida, which has a significant number of companies and healthcare entities scattered throughout the state in major commercial centers. Florida makes #4 on this list because of its place on the PrivacyRights.org breach list with 458 recorded breaches, six of which occurred in 2019.
CMS OCR shows 310 recorded HIPAA breaches, with 38 reported in 2022. For comparison, the 2020 US Census lists 590,175 Florida businesses, with 65,544 in the health and human services industry.
Additionally, per the Identity Theft Resource Center, Florida was home to one of the top-ten worst compromises of 2022: the compromise of the Beetle Eye online marketing tool.
As with other US states on this list, Florida has robust breach reporting laws. Despite those breach reporting laws, there’s no apparent canonical list maintained by the Florida government of data breaches.
Similar to New York, this mandates guessing or requesting the records, which are exempt from the public records sections of the State Constitution. So it’s impossible to accurately determine when a breach occurred, how notice was provided, how many individual records were compromised, or other key research information.
Florida’s cybersecurity budget for 2022-2023 is about $110 million. That is primarily focused on bolstering state and local government cybersecurity, but also includes grant commitments to improve cybersecurity across the state.
Two High-Profile Florida Data Breaches in 2022
South Walton Fire District
One of the worst of the 2022 Florida data breaches appears to be a ransomware attack suffered by the South Walton Fire District. A threat actor gained unauthorized access to data and records containing the protected health information of 25,331 people. That’s dwarfed by other states’ breaches, but is still a substantial number of records.
FoundCare, Inc.
Another significant incident that occurred in Florida in 2022 was the FoundCare, Inc. breach. As a result of a threat actor’s unauthorized access to FoundCare’s systems, the data of 14,194 individuals was stolen. That incident, as with many other healthcare incidents, involved the exfiltration of a significant amount of information about each of the 14,194 patients.
#5 Worst State for Data Breaches: Maryland
Maryland is featured on PrivacyRights.org as rounding out the top half of the list for worst data breaches. In 2022, Maryland recorded 946 breaches. PrivacyRights.org and CMS both track state-based origination for breaches and recorded 343 and 112 breaches, respectively. PrivacyRights.org reported 2 breaches in 2019 and CMS 16 HIPAA breaches in 2022. For comparison, the 2020 US Census lists 139,472 Maryland businesses, with 17,448 being health and human services organizations.
On the CMS OCR list, Michigan is featured instead of Maryland. Consistent with other entries, I’ll prioritize the PrivacyRights.org list, but wanted to highlight the difference.
Maryland has robust data privacy laws and keeps an excellent database of notices for security breaches. Additionally, Maryland recently put into effect a $200 million cybersecurity budget. The targets of that investment appear to be state and local governments plus critical infrastructure.
Two High-Profile Maryland Data Breaches in 2022
Elephant Insurance Services, LLC
Elephant Insurance Services, LLC suffered the worst data breach in Maryland in 2022. On April 25, 2022, Elephant Insurance Services discovered an attack had happened in late March. That attack impacted the personal data of 233,500 people in Maryland, including names and driver’s license numbers. Nationally, the breach topped 2.7 million people’s records compromised.
Nelnet Servicing, LLC
The second worst breach to happen to Maryland residents in 2022 was a breach of the Oklahoma Student Loan Authority, discovered on July 22, 2022. Over 2.5 million individuals were impacted nationally, but only 39,077 Maryland residents were impacted. That breach included personal data, including social security numbers.
#6 Worst State for Data Breaches: Illinois
PrivacyRights.org identified 343 breaches originating in Illinois. CMS OCR identified 230. Those numbers earned Illinois the #6 spot on this list. PrivacyRights.org identified two breaches in 2019 and CMS OCR 22 HIPAA breaches in 2022. As a frame of reference, the 2020 US Census lists 318,403 registered Illinois businesses, with 34,817 in the health and human services industry.
Illinois mandates the reporting of data breaches but fails to provide access to a canonical list of the data breaches that have been reported. As I’ve highlighted above and will reiterate here, I see that practice as having a chilling effect on the enforcement of data privacy laws, because it removes public reporting about: 1) major data breaches and 2) what was done to address them.
Government entities enforcing privacy laws must outline the number of records lost, key findings from investigations, and financial losses or cost as a result of the event (including the cost to an organization from legal action). That kind of information acts as a data loss prevention system and drives respect for the rule of law, specifically data privacy laws.
Illinois data about cybersecurity investments for 2022 and 2023 was not forthcoming. Illinois did, however, introduce a five-year plan to improve Illinois cybersecurity.
Two High-Profile Illinois Data Breaches in 2022
Advocate Aurora
The worst incident for Illinois in 2022 appears to be the Advocate Aurora breach, which impacted more than 3 million patients. Advocate Aurora implemented cookie-tracking software on their public-facing websites that provided data like IP addresses to Meta via Facebook tracking. It’s a lot like biometric data in that way: while it seems unrelated to medical treatment, it is an identifier and can be used to associate a person with treatment.
IP addresses are defined as a PHI element in HIPAA. That makes sense: if someone visits a site and someone else can derive the treatment received, then that’s identifiable health information. While not a stolen record, per se, patients may not have provided consent for that data to be collected.
CommonSpirit Health
CommonSpirit Health, headquartered in Chicago, is reportedly the second-largest non-profit health system in the US. It suffered a ransomware attack in 2022 that crippled operations nationally and resulted in the exfiltration of 623,774 patients’ records.
#7 Worst State for Data Breaches: Pennsylvania
Pennsylvania earned the #7 spot on this list with 279 recorded breaches by PrivacyRights.org, which recorded 6 in 2019. CMS OCR identified 221 HIPAA breaches overall, with 38 reported in 2022. Pennsylvania has 301,759 registered businesses per the 2020 US Census, with 38,113 in health and human services.
Pennsylvania may be the seventh most prolific US state for data breaches, but like other US states on this list, it recently amended its data breach reporting laws to become more expansive. The information collected under the new laws could be invaluable for security researchers, if only it was exposed. Like other states on this list, Pennsylvania doesn’t provide an online list of data breaches.
Pennsylvania’s state cybersecurity budget is not carved out of the department in which the CISO’s office sits, the Office of General Administration. The total budget for that office is $11,170,000, so it’s some amount less than that. If there is other cybersecurity spending, that is not transparent.
Two High-Profile Pennsylvania Data Breaches in 2022
Connexin Software, Inc.
Pennsylvania was hit with a spate of large data breaches in 2020 and 2021. 2022 was a more reserved year for Pennsylvania. The worst apparent breach in Pennsylvania was an attack on Connexin Software, Inc. Like most data breaches on this list, that attack involved improper access to pediatric medical support services and the exfiltration of more than 2.2 million children’s records.
Keystone Health
Keystone Health suffered an infiltration of its information systems in the summer of 2022. That resulted in the compromise of the medical records of 235,237 current and former patients, including their names, treatment information, and social security numbers.
#8 Worst State for Data Breaches: Ohio
Ohio snagged the #8 spot because of a recorded 266 breaches by PrivacyRights.org and 181 breaches reported to CMS OCR. Those sources record 2 breaches in 2019 and 23 in 2022, respectively. For comparison, the 2020 US Census shows that Ohio has 249,832 registered businesses. 29,859 of those were in the health and human services industry.
Per the Identity Theft Resource Center, Ohio was home to one of the top-ten worst compromises of 2022: Flexbooker’s compromise via an insecure AWS server.
Ohio laws have accounted for data breach reporting for over a decade. Like some other US states on this list, however, the Ohio government isn’t transparent with that information and doesn’t provide easy access to it. Awareness of many data breaches seems to be lost because of opaque reporting and a lack of canonical official breach lists.
As with other states, the lack of transparency required the use of unofficial sources to determine Ohio’s placement on this list. Additionally, Ohio’s cybersecurity budget does not appear to be readily publicly available.
Two High-Profile Ohio Data Breaches in 2022
Parker-Hannifin Corporation Group Health Plans
The worst Ohio-based data incident seems to be the Parker-Hannifin Corporation Group Health Plans breach. Like most data breaches on this list, the Parker-Hannifin breach was caused by unauthorized access to information systems. That access resulted in the breach of 119,513 records.
Allwell Behavioral Health Services
Allwell Behavioral Health Services was impacted by a cyberattack in March 2022. That cyberattack resulted in the improper disclosure of 29,972 patient records. These records were copied by the threat actors and likely sold.
#9 Worst State for Data Breaches: Georgia
Georgia fails to publish breach notifications online. In lieu of that official source, Georgia is ranked at #9 on this list because of its place on the PrivacyRights.org list at 255 recorded breaches, with 4 in 2019. CMS OCR lists 156 HIPAA breaches, with 26 reported in 2022. Georgia has 244,061 registered businesses per the 2020 US Census and 26,867 of those are in health and human services.
Like most other US states on this list, Georgia has data breach notification laws. Unlike other states on this list, those laws don’t take effect until over 10,000 Georgia residents’ information is implicated. Consequently, those laws are useless for compelling public reporting of most data breaches, which is the reason data breach laws exist in the first place.
Two High-Profile Georgia Data Breaches in 2022
Cytometry Specialists, Inc.
The worst Georgia incident in 2022 appears to be a compromise of a Cytometry Specialists, Inc. employee’s email account. 244,850 patients’ information was compromised as a result.
This breach occurred as the result of human error in the face of a social engineering attack, typically referred to as Business Email Compromise (BEC). The purpose of taking over the email account was to fool other companies into redirecting invoices and payments to a third party who is not the legitimate recipient.
Georgia doesn’t provide a dedicated cybersecurity budget, but it does provide the IT budget for the state, which was over $715 million in fiscal year 2021.
State Bar of Georgia
In April 2022, the State Bar of Georgia suffered a ransomware attack that impacted the more than 50,000 attorneys licensed to practice law in Georgia. While attacking an attorney registry may seem innocuous at first blush, the attack compromised names, home addresses, driver’s license numbers, social security numbers, and bank account information.
#10 Worst State for Data Breaches: Massachusetts
Rounding out the list of the worst-hit states is Massachusetts. PrivacyRights.org highlights that Massachusetts suffered 248 breaches, with three of those reported in 2019. CMS OCR highlighted that Massachusetts suffered 137 HIPAA breaches, with 16 in 2022. Massachusetts is listed as supporting 178,911 registered businesses and 19,758 of those are in healthcare and human services.
Massachusetts has robust data privacy and breach reporting laws but joins states that fail to provide easily retrievable detailed information about data breaches. It does provide aggregate information a year in arrears and mandates a public records request for additional information.
The Office of Consumer Affairs and Business Regulation publishes annual breach reports, and the 2022 report can be found here. It can be converted to a sortable spreadsheet format and lists 2,118 breaches reported in 2022. That includes all data compromise events involving more than 500 people that impacted Massachusetts residents.
The fiscal year 2023 budget for the Executive Office of Technology Services and Security was $163.3 million. That encompasses all centralized state technology expenditures but does not cover all state cybersecurity expenditures.
Two High-Profile Massachusetts Data Breaches in 2022
Shields Health Care Group, Inc.
The worst Massachusetts data incident in 2022 was the Shields Health Care Group, Inc. breach. In that breach, like the others on the list, Shields was impacted by a threat actor who gained improper access to their network. As a result, 2.2 million patients’ records were compromised. Patients in Massachusetts, New Hampshire, Vermont, Maine, and elsewhere in the US Northeast were impacted.
Comstar LLC
The second worst Massachusetts incident in 2022 was the Comstar LLC breach. Comstar LLC is an ambulance billing service that suffered a cyberattack that compromised over 70,000 people’s records.
How About The Best?
Now that we’ve covered the so-called worst U.S. states for data incidents, let’s take a look at the best. These states are the ones with the lowest reported number of data breaches. There was some disagreement between the PrivacyRights.org database and the CMS OCR database. I’ll highlight those differences.
#1 Best State For Data Breaches: North Dakota
Total Breaches Per PrivacyRights.org Database: 10
2022 Breaches in Healthcare, per CMS OCR: 1
2022 Breaches Per Registered Healthcare Entity: 0.000464
2022 Breaches Per State Govt Database: 38
Current State Govt Investment in Cybersecurity: $15 million
North Dakota is the “safest” US state for data breaches. PrivacyRights.org highlights that North Dakota suffered 10 breaches, with zero reported in 2019. CMS OCR highlighted that North Dakota suffered one HIPAA breach, which coincidentally was reported in 2022. North Dakota is listed as supporting 24,510 registered businesses and 2,157 of those are in healthcare and human services.
Looking at the breach notices that North Dakota publishes results in a substantially higher count of 38, but those include breaches that happened out-of-state that impacted North Dakotans.
That makes sense. It’s not that North Dakota is somehow especially adept at protecting information systems; it’s the least populous US state. However, as with other states, North Dakota has breach notification laws. It also committed $15 million to cybersecurity safeguards in 2022.
#2 Best State For Data Breaches: South Dakota
Total Breaches Per PrivacyRights.org Database: 13
2022 Breaches in Healthcare, per CMS OCR: 3
2022 Breaches Per Registered Healthcare Entity: 0.00116
2022 Breaches Per State Govt Database: N/A
Current State Govt Investment in Cybersecurity: N/A
South Dakota is the second least-breached state according to the PrivacyRights.org list with a total of 13 recorded breaches, but none occurring in 2019. The #2 spot on the CMS OCR database is Idaho, but South Dakota accounted for three HIPAA breaches in 2022. South Dakota is home to 27,236 businesses with 2,587 in health and human services.
Again, the low numbers are explained not by measures designed to protect, but by low technology-facilitated commercial density. South Dakota’s strikingly gaudy website only posts a how-to for addressing identity theft. South Dakota has breach notification laws, but they’re relatively new.
#3 Best State For Data Breaches: Wyoming
Total Breaches Per PrivacyRights.org Database: 15
2022 Breaches in Healthcare, per CMS OCR: 1
2022 Breaches Per Registered Healthcare Entity: 0.000492
2022 Breaches Per State Govt Database: N/A
Current State Govt Investment in Cybersecurity: $7.2 Million
Wyoming rounds out the list for the third least-breached state according to the PrivacyRights.org list with a total of 15 recorded breaches and one occurring in 2019. The #3 spot on the CMS OCR database is Vermont, but Wyoming accounted for one HIPAA breach in 2022. Wyoming is home to 21,770 businesses with 2,033 in health and human services.
As with other states on the list of least-breached states, this can almost entirely be explained by technology-facilitated commercial density. Wyoming has data breach reporting laws but does not make the list of reported breaches publicly available. Wyoming committed $7.2 million to cybersecurity spending in 2022.