In the past five years, we’ve seen healthcare data breaches grow in both size and frequency, with the largest breaches impacting as many as 80 million people. Healthcare data breaches often expose highly sensitive information, from personally identifiable information such as Social Security numbers, names, and addresses to sensitive health data such as Medicaid ID numbers, health insurance information, and patients’ medical histories.

The motives behind cyber attacks on healthcare companies are clear: hospitals, urgent care clinics, pharmacies, health insurance companies, and other healthcare providers keep records of very valuable information – more “juicy details” that can be used for identity theft than almost any other industry. What’s more, the healthcare industry is widely regarded as having rather weak security; a recent report from SecurityScorecard ranks healthcare 9th out of all industries in terms of overall security rating.

This is not a small problem. A February 2017 survey from Accenture reveals that healthcare data breaches have affected 26% of U.S. consumers, or more than one in every four Americans. Additionally, the survey also found that 50% of breach victims eventually suffered medical identity theft, with an average of $2,500 out-of-pocket costs. Even worse, half of the survey respondents reported that they learned of the breach themselves – as opposed to an official company or law enforcement notification – after they had been alerted to an error on their benefits explanation, credit card statement, or similar documents.

These are sobering facts, especially when you consider the broad reach of the healthcare industry; nearly everyone has healthcare records somewhere within the healthcare system. So what are the largest healthcare data breaches, and what kind of information did they expose?

Below are the top 10 biggest healthcare data breaches, according to the U.S. Department of Health and Human Services Office for Civil Rights (listed by size, from the smallest to the largest in terms of the number of individuals affected):

• 10. NewKirk Products: 3.47 Million Affected (August 2016)
• 9. Banner Health: 3.62 Million Affected (August 2016)
• 8. Medical Informatics Engineering: 3.9 Million Affected (July 2015)
• 7. Advocate Health Care: 4.03 Million Affected (August 2013)
• 6. Community Health Systems: 4.5 Million Affected (April-June 2014)
• 5. University of California, Los Angeles Health: 4.5 Million (July 2015)
• 4. TRICARE: 4.9 Million Affected (September 2011)
• 3. Excellus BlueCross BlueShield: 10+ Million Affected (September 2015)
• 2. Premera Blue Cross: 11+ Million Affected (January 2015)
• 1. Anthem Blue Cross: 78.8 Million Affected (January 2015)

Let’s take a closer look at the circumstances surrounding each of these major healthcare data breaches.

10. NewKirk Products: 3.47 Million Affected (August 2016)

Image via WKBW.

In mid-2016, healthcare ID card-issuer NewKirk Products announced a data breach that victimized an estimated 3.47 million patients. Among those impacted were several branches of the insurer Blue Cross Blue Shield, which is one of the largest health insurance providers by enrollment in the United States. Hackers reportedly gained access not only to primary care provider information, but also to sensitive personal information including Medicaid ID numbers, names (including those of dependents), dates of birth, premium invoice information, and group ID numbers.

9. Banner Health: 3.62 Million Affected (August 2016)

Image via Clark/Sullivan.

Again in mid-2016, Banner Health, an Arizona-based healthcare provider, disclosed a cyber attack that had compromised the records of 3.62 million patients. The discovery came after staff detected unusual activity on Banner’s private servers; subsequently, Banner hired a cybersecurity firm to investigate and discovered two attacks in which hackers accessed patient records and payment systems data. Compromised data may have included names, credit card numbers, expiration dates, and internal verification codes, addresses, birth dates, Social Security numbers, doctors’ names, and healthcare information.

8. Medical Informatics Engineering: 3.9 Million Affected (July 2015)

Image via MIE.

In mid-2015 – a banner year for healthcare data breaches – Medical Informatics Engineering, a company that creates electronic medical records software, announced a data breach that affected at least 11 healthcare providers and 3.9 million patients. Affected patients received a notice in the mail, that their personal information – names, Social Security numbers, phone numbers, mailing addresses, dates of birth, diagnoses, and other sensitive info – had been stolen.

7. Advocate Health Care: 4.03 Million Affected (August 2013)

Image via Cisco.

Advocate Health Care divulged in mid-2013 that several data breaches, including at least two involving computer theft, had revealed personal information and unencrypted medical records of 4.03 million patients. News of the massive breach came just four years after the company reported a theft of unencrypted data; encryption protocols were enacted after that 2009 incident, but had not yet been deployed at the offices affected in 2013. In August 2016, Advocate agreed to pay $5.55 million to settle a lawsuit related to the breach.

6. Community Health Systems: 4.5 Million Affected (April-June 2014)

Image via Healthcare Finance News.

In mid-2014, Community Health Systems, which operates 200+ hospitals throughout the U.S., announced a major healthcare breach that affected 4.5 million patients. Attackers exploited a software vulnerability to access Social Security numbers, dates of birth, phone numbers, and physical addresses. The breach affected anyone who had received treatment at one of CHS’s network-owned hospitals in the past five years as well as any individuals who had been referred to CHS by an outside doctor during that period.