In the past five years, we’ve seen healthcare data breaches grow in both size and frequency, with the largest breaches impacting as many as 80 million people. Healthcare data breaches often expose highly sensitive information, from personally identifiable information such as Social Security numbers, names, and addresses to sensitive health data such as Medicaid ID numbers, health insurance information, and patients’ medical histories.
The motives behind cyber attacks on healthcare companies are clear: hospitals, urgent care clinics, pharmacies, health insurance companies, and other healthcare providers keep records of very valuable information – more “juicy details” that can be used for identity theft than almost any other industry. What’s more, the healthcare industry is widely regarded as having rather weak security; a recent report from SecurityScorecard ranks healthcare 9th out of all industries in terms of overall security rating.
This is not a small problem. A February 2017 survey from Accenture reveals that healthcare data breaches have affected 26% of U.S. consumers, or more than one in every four Americans. The survey also found that 50% of breach victims eventually suffered medical identity theft, with an average of $2,500 in out-of-pocket costs. Even worse, half of the survey respondents reported that they learned of the breach themselves – as opposed to through an official company or law enforcement notification – after they had been alerted to an error on their explanation of benefits, credit card statement, or similar documents.
These are sobering facts, especially when you consider the broad reach of the healthcare industry; nearly everyone has healthcare records somewhere within the healthcare system. So what are the largest healthcare data breaches, and what kind of information did they expose?
Below are the top 10 biggest healthcare data breaches, according to the U.S. Department of Health and Human Services Office for Civil Rights (listed by size, from the smallest to the largest in terms of the number of individuals affected):
- 10. NewKirk Products: 3.47 Million Affected (August 2016)
- 9. Banner Health: 3.62 Million Affected (August 2016)
- 8. Medical Informatics Engineering: 3.9 Million Affected (July 2015)
- 7. Advocate Health Care: 4.03 Million Affected (August 2013)
- 6. Community Health Systems: 4.5 Million Affected (April-June 2014)
- 5. University of California, Los Angeles Health: 4.5 Million Affected (July 2015)
- 4. TRICARE: 4.9 Million Affected (September 2011)
- 3. Excellus BlueCross BlueShield: 10+ Million Affected (September 2015)
- 2. Premera Blue Cross: 11+ Million Affected (January 2015)
- 1. Anthem Blue Cross: 78.8 Million Affected (January 2015)
Let’s take a closer look at the circumstances surrounding each of these major healthcare data breaches.
10. NewKirk Products: 3.47 Million Affected (August 2016)
Image via WKBW.
In mid-2016, healthcare ID card-issuer NewKirk Products announced a data breach that victimized an estimated 3.47 million patients. Among those impacted were several branches of the insurer Blue Cross Blue Shield, which is one of the largest health insurance providers by enrollment in the United States. Hackers reportedly gained access not only to primary care provider information, but also to sensitive personal information including Medicaid ID numbers, names (including those of dependents), dates of birth, premium invoice information, and group ID numbers.
9. Banner Health: 3.62 Million Affected (August 2016)
Image via Clark/Sullivan.
Again in mid-2016, Banner Health, an Arizona-based healthcare provider, disclosed a cyber attack that had compromised the records of 3.62 million patients. The discovery came after staff detected unusual activity on Banner’s private servers; subsequently, Banner hired a cybersecurity firm to investigate and discovered two attacks in which hackers accessed patient records and payment systems data. Compromised data may have included names, credit card numbers (with expiration dates and internal verification codes), addresses, birth dates, Social Security numbers, doctors’ names, and healthcare information.
8. Medical Informatics Engineering: 3.9 Million Affected (July 2015)
Image via MIE.
In mid-2015 – a banner year for healthcare data breaches – Medical Informatics Engineering, a company that creates electronic medical records software, announced a data breach that affected at least 11 healthcare providers and 3.9 million patients. Affected patients received a notice in the mail that their personal information – names, Social Security numbers, phone numbers, mailing addresses, dates of birth, diagnoses, and other sensitive info – had been stolen.
7. Advocate Health Care: 4.03 Million Affected (August 2013)
Image via Cisco.
Advocate Health Care divulged in mid-2013 that several data breaches, including at least two involving computer theft, had revealed personal information and unencrypted medical records of 4.03 million patients. News of the massive breach came just four years after the company reported a theft of unencrypted data; encryption protocols were enacted after that 2009 incident, but had not yet been deployed at the offices affected in 2013. In August 2016, Advocate agreed to pay $5.55 million to settle a lawsuit related to the breach.
6. Community Health Systems: 4.5 Million Affected (April-June 2014)
Image via Healthcare Finance News.
In mid-2014, Community Health Systems, which operates 200+ hospitals throughout the U.S., announced a major healthcare breach that affected 4.5 million patients. Attackers exploited a software vulnerability to access Social Security numbers, dates of birth, phone numbers, and physical addresses. The breach affected anyone who had received treatment at one of CHS’s network-owned hospitals in the past five years as well as any individuals who had been referred to CHS by an outside doctor during that period.
5. University of California, Los Angeles Health: 4.5 Million Affected (July 2015)
Image via CareersInfoSecurity.
The UCLA Health System was another healthcare organization to disclose a data breach in 2015. Mid-year, the university’s Health System announced that hackers had accessed the records of 4.5 million patients. Even worse, UCLA admitted it hadn’t encrypted its patient data – an admission that drew swift and harsh criticism from security experts.
4. TRICARE: 4.9 Million Affected (September 2011)
Image via liveClinic.
In late 2011, Science Applications International Corporation (SAIC) announced a data breach that affected approximately 4.9 million military clinic and hospital patients who were enrolled in TRICARE, the federal government’s military healthcare provider (SAIC oversaw TRICARE’s data security). The data had been stolen from an SAIC employee’s car, and the victims included active and retired military personnel as well as their families. No financial data was involved, but sensitive information exposed included Social Security numbers, phone numbers, home addresses, and other personal data.
3. Excellus BlueCross BlueShield: 10+ Million Affected (September 2015)
Image via Mike Greenlar.
In August 2015, Excellus discovered a cyber attack that had claimed the private information of approximately 10 million members. After a rash of cyber attacks targeting healthcare data in early 2015 (including the Premera and Anthem data breaches described below), Excellus ordered a forensic review of its own systems; what they discovered turned out to be the third-largest healthcare data theft in history. The breach extended to as early as December 2013 and involved medical data, Social Security numbers, and financial information.
2. Premera Blue Cross: 11+ Million Affected (January 2015)
Image via Kim Crompton/Spokane Journal.
In early 2015, Premera Blue Cross announced a cyberattack that had exposed the medical information of 11 million customers. Among other information, the attack had exposed bank account numbers, Social Security numbers, dates of birth, and claims information. Premera’s announcement of the second-largest healthcare breach ever came just six weeks after the disclosure of the largest healthcare data breach ever, which brings us to…
1. Anthem Blue Cross: 78.8 Million Affected (January 2015)
January 2015 was a historically bad month for healthcare data. In the biggest healthcare breach to date (and, hopefully, ever), Anthem disclosed on January 29, 2015 that 78.8 million patient records had been stolen. The cyber attack claimed highly sensitive data, including names, Social Security numbers, home addresses, and dates of birth. The victims were largely Anthem health plan members, although some were nonmembers, as Anthem also managed paperwork for several independent insurance companies.