Since 2009, medical organizations in the US have suffered nearly 5,000 data breaches, affecting over 342 million medical records.
Our team of researchers analyzed data from 2009 to June 2022 to find out which US states suffer the most medical breaches and how many records have been affected each year. We also took an in-depth look at breaches from January 2021 to June 2022 to find the biggest cause of these breaches and the most-affected healthcare organizations.
Our study covered breaches that have crippled healthcare facilities, many of which led to the exploitation of personal medical data, putting patients’ health and, in some cases, lives, at risk. Breaches can often lead to healthcare systems going offline, meaning medical workers are left without critical information. Threat actors may also gain access to Social Security numbers, health insurance information, prescription information, medical history, and even financial data linked with medical billing.
2020 alone accounts for nearly one-fifth of all breaches since 2009, with 803 breaches and 46.6 million records affected. 2021 saw a minor decline of 11 percent (from 803 breaches to 711). So far, 2022 has only recorded 151 breaches and nearly 8 million records affected–a much smaller amount compared to previous years. However, with many breaches reported several months after they occurred, it is likely these figures will rise in the coming months.
- 4,746 medical breaches recorded from 2009 to June 2022
- 342,017,215 individual records were affected as a result of these breaches
- 2020 was the biggest year for medical breaches with 803 reported (the second-highest was 2021 with 711)
- 2015 saw the highest number of records affected with over 112 million in total
- In 2021 and 2022 (so far), specialist clinics (clinics that specialize in a certain field of medicine, e.g. cardiology or radiology) account for the most data breaches (15 percent) with 130 breached entities in total, but hospital networks account for the most breached records with 8.8 million affected in total (16 percent of the overall records affected)
- In 2021 and 2022 (so far), hacking was the most common type of breach, accounting for 40 percent of breaches (353 out of 862)
All 50 states are required to report medical breaches to the U.S. Department of Health and Human Services (HHS), with individual breaches filed if they affected over 500 records (those with fewer may be filed under a yearly report). Because the HHS breach portal lists only breaches affecting 500 or more patients, our figures likely underestimate the true scale of the problem.
The top 5 worst-hit states for medical data breaches and records impacted since 2009
If we look at the number of breaches by US states, we can see that California had the most by far, accounting for 474 (around 10 percent) of the 4,746 data breaches.
Texas (383), Florida (288), New York (287), and Illinois (217) are the other four worst-hit states. However, as all of these are among the most populous states in the US, this perhaps isn’t much of a surprise.
When it comes to the number of records affected, the picture changes slightly, with Indiana making its way into the top five.
Indiana recorded the highest number of records affected, with nearly 87.2 million records (more than 25 percent of all breached records). This is significantly higher than second-place New York with 25 million records affected. However, Indiana’s high figure stems primarily from one breach on Anthem, Inc. (reported in 2015) when 78.8 million records were affected.
The states that closely followed NY were Florida (23.1 million), California (19 million), and Texas (16.3 million).
South Dakota reported the lowest figures with just eight data breaches reported since 2009 and 36,900 medical records breached. However, it is important to note that data breaches that occur in medical institutions may affect residents in other states, particularly if the organization is located in more than one state.
When looking at the number of medical records affected per 100,000 people of each state’s population, the chart does change quite drastically with the exception of Indiana. Indiana comes out on top with 1.28 million records affected per 100,000 people in the population. However, as noted above, this is due to Anthem, Inc.’s breach, which would have affected residents from outside state lines, too.
Minnesota records the second-highest number of breached records per 100,000 people with 235,259 records. This is followed by Washington (210,632 records affected per 100,000 people), Tennessee (210,371 records affected per 100,000 people), and Iowa (175,848 records affected per 100,000 people).
As well as the above, there were eight more states listed as having more than 100,000 records per 100,000 people affected by medical breaches (MT, PR, NC, NY, NM, VA, AZ, and FL).
South Dakota reported just 4,121 records affected per 100,000 people of the population. Idaho (9,825 per 100,000) and Mississippi (9,843 per 100,000) were the only other two states to have fewer than 10,000 records per 100,000 people affected.
The top 5 medical data breaches with the most records affected since 2009
The top five biggest medical data breaches for the number of records affected are as follows:
- Anthem Inc. = 78.8 million records affected: Reported in 2015, the OCR (the HHS Office for Civil Rights) suggests this data breach is the largest US health data breach in history. An employee opened a malicious spear phishing email that in turn resulted in Anthem Inc.’s IT systems being accessed and the data of nearly 79 million people being extracted. Anthem agreed to pay $16 million to the OCR in order to settle potential violations.
- Optum360, LLC = 11.5 million records affected: The private personal and financial information of 11.5 million lab patients at the American Medical Collection Agency was accessed by hackers from August 2018 to March 2019. Those who had overdue laboratory service bills were affected in the breach.
- Premera Blue Cross = 11 million records affected: Premera Blue Cross was forced to pay $6.85 million to the OCR after it suffered a data breach whereby hackers used a phishing email to install malware that gave them access to its IT system. The hackers’ entry into the system went unnoticed from May 2014 until January 2015.
- Laboratory Corporation of America Holdings dba LabCorp = 10.2 million records affected: In 2019, LabCorp reported an intruder accessed the payment website of a third party it used, the American Medical Collection Agency. The breach exposed the personal, financial, and medical data of more than 10.2 million people. LabCorp terminated its business relationship with the collection agency soon after the breach.
- Excellus Health Plan, Inc. = 9.3 million records affected: Hackers gained unauthorized access to Excellus Health Plan Inc.’s IT systems from December 2013 until May 2015. Malware was installed that led to the disclosure of 9.3 million records of personal data.
The top-ranking medical breaches come from several years ago. So although we are seeing an uptick in the number of records affected on a yearly basis, this is due to a higher volume of attacks rather than larger, less frequent breaches. For example, the first time we see 2021 enter the top 20 is in 16th place with the 20/20 Eye Care Network, Inc. It reported a hacking incident that affected 3.3 million individuals. Only one other breach for 2021 (Forefront Dermatology’s breach of 2.4 million records) enters the top 20, while the first entry for 2022 (Shields Health Care Group, Inc.’s breach of 2 million records in March 2022) comes in 22nd place.
The biggest years for medical data breaches
According to the chart below, 2020 was the biggest year for medical data breaches with 803 in total. 2021 also recorded a high number of breaches with 711, closely followed by 2019 with 520. This shows that in the last three full years, medical data breaches have risen sharply.
2015 reported an extraordinarily high number of records affected compared to all other years with 112 million records breached. However, as we have already commented, this stems from the Anthem, Inc. breach.
If we analyze the median number of records affected for each year, between 2009 and 2018, the median number of records affected per breach remains around 2,000. From 2018 to 2019 there was a sharp increase (rising by 70 percent from 2,284 to 3,893). This continued into 2020 (with an increase of 26 percent from 3,893 to 4,916) and from 2020 to 2021 (rising by 4 percent up to 5,122).
What was the most common medical data breach type in 2021?
Hacking proved to be the most common method of breaching medical organizations, accounting for 288 out of 711 breaches (41 percent) in 2021. The next largest category (excluding unknowns) was ransomware with 161 attacks (23 percent) recorded.
Breach definitions:
- Card: debit/credit card not via hacking, e.g. skimming
- Hack: outside party or malware
- Insd: insider (employee, third party, or customer)
- Phys: paper documents
- Port: portable devices, e.g. laptops, memory sticks, and hard drives
- Rans: ransomware
- Stat: stationary computer
- Disc: unintended disclosure, e.g. sensitive information posted publicly
- Unkn: unknown
While phishing attacks aren’t listed separately here, they may be the method used to initiate hacks and ransomware attacks.
The breach type that is least likely to occur for medical breaches is the use of credit or debit card skimming. This method only happened once in the TGH Urgent Care data breach in which an employee took pictures of patients’ credit cards and drivers’ licenses in order to steal information.
What was the most-affected medical organization type in 2021?
In order to see which organization type suffered the most medical data breaches, we arranged all breaches into 23 categories of healthcare facility type (please see the methodology for definitions).
The type of organization that suffered the highest number of breaches in 2021 was specialist clinics with 106 medical breaches, impacting 3 million records. As mentioned previously, specialist clinics are those that focus on a specific area of healthcare, e.g. cardiology or radiology. The other most affected organizations in 2021 by number of breaches were:
- Clinic Networks (an organization consisting of several clinics offering general healthcare from multiple locations): 87 breached entities affecting 4.1 million records
- Health Insurance Companies: 78 breaches affecting 2.4 million records
- Hospitals: 72 breached entities affecting 3.2 million records
- Clinics: 51 breached entities affecting 3 million records
When it comes to the number of records, hospital networks and clinic networks are the most affected with 6.8 million and 4.1 million records affected respectively. As both of these are “networks” of healthcare facilities, this isn’t too much of a surprise as they will likely have more records on file.
So far for 2022, health insurance companies are the most-affected type of organization with 26 breached entities affecting 1.2 million records. Specialist clinics closely follow with 24 breaches affecting nearly 620,000 records. Hospital networks and clinic networks have had the most records affected again (2 million and 1.9 million respectively).
What is 2022 looking like for medical data breaches?
During the first six months of 2022, there have been 151 reported medical data breaches with 7,997,739 records affected. While these figures may appear small now, it is likely that they will rise in the coming months. Nevertheless, across our financial data breach and ransomware reports, we are noticing a dip in 2022. This is perhaps due to more targeted attacks being carried out. We can see this with the data breach on MCG Health. On June 10 of this year, the software company disclosed that there had been unauthorized access to its systems. So far, at least eight organizations affected by the breach on MCG Health have come forward and have submitted breach reports that affect nearly 800,000 records.
In order to gather as much information as possible on medical data breaches, we collated a list of breaches from 2009 to June 2022 as reported on the OCR portal. To deep dive into the types of breaches and most-affected organizations, our team searched through industry resources, state data breach notification tools, and news sources to gather further data on breaches that occurred from 2021 to June 2022.
Where possible, the breach is assigned to the specific date it occurred. For example, a breach may have occurred in 2021 but may have only been disclosed in 2022. We would, therefore, allocate this to 2021’s figures, as this is when the breach happened.
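The two normalizations this report relies on (records affected per 100,000 residents of a state, and the median records per breach for each year, which is far less distorted by a single outlier such as the Anthem breach than a total would be) can be reproduced from a portal-style export. The script below is an added example, not the research team’s own tooling; the column names mirror the OCR portal’s CSV export as an assumption, and every row and population figure is constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample rows in the column layout assumed for the HHS OCR
# breach portal export; the entities and figures are made up.
SAMPLE_CSV = """Name of Covered Entity,State,Individuals Affected,Type of Breach,Breach Submission Date
Example Health Plan,IN,78800000,Hacking/IT Incident,03/13/2015
Example Clinic A,IN,2100,Unauthorized Access/Disclosure,06/02/2021
Example Hospital B,NY,5200,Hacking/IT Incident,01/20/2021
Example Lab C,NY,3893,Hacking/IT Incident,09/09/2019
Example Dental D,SD,600,Theft,11/30/2021
"""

# Constructed population figures, used only for the per-100,000 normalization.
POPULATION = {"IN": 6_800_000, "NY": 20_000_000, "SD": 900_000}


def load_breaches(text):
    """Parse portal-style rows into dicts with an integer count and a year.

    The year is taken from the submission date; the report reassigns a breach
    to the year it occurred where that is known, which needs a second source.
    """
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "entity": r["Name of Covered Entity"],
            "state": r["State"],
            "affected": int(r["Individuals Affected"]),
            "year": int(r["Breach Submission Date"].split("/")[-1]),
        })
    return rows


def by_state(rows, population):
    """Breach count, records affected, and records per 100k residents per state."""
    out = defaultdict(lambda: {"breaches": 0, "records": 0})
    for r in rows:
        out[r["state"]]["breaches"] += 1
        out[r["state"]]["records"] += r["affected"]
    for state, s in out.items():
        s["per_100k"] = round(s["records"] / population[state] * 100_000)
    return dict(out)


def median_by_year(rows):
    """Median records affected per breach for each year; one huge breach barely moves it."""
    years = defaultdict(list)
    for r in rows:
        years[r["year"]].append(r["affected"])
    return {y: median(v) for y, v in years.items()}
```

Note how the single large Indiana row dominates both the state total and the per-100,000 figure, exactly the effect the report describes for Anthem, while the yearly median stays on the scale of a typical breach.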
Each breach was categorized into one of 23 medical organization types, which are defined as follows:
- Academic hospital
- Business: a general business (e.g. a marketing provider) that works solely with healthcare companies
- Clinic: a clinic offering all-around healthcare services
- Clinic network: a system of clinics operating from more than one location to offer all-around healthcare services
- Dental: a practice offering dental healthcare services
- Department of health: a government department of health
- Education: a school/university that’s involved in a health-related data breach
- Government: a general government department/entity that’s involved in a health-related data breach, e.g. the department of human services or a county government
- Health insurance
- Home/senior care
- Hospital network: a system of hospitals operating from more than one location to offer all-around healthcare services
- Laboratory: a health-based laboratory business
- Medical billing: a company that specializes primarily in medical billing solutions
- Medical equipment: a company that specializes primarily in medical equipment
- Medical technology: a company that specializes primarily in technology solutions for healthcare companies
- Medical transport: a company that specializes primarily in transport solutions for healthcare companies
- Optometry: a practice offering optical healthcare service
- Other: any organization that has a health-related breach but isn’t a healthcare-based company
- Pharmacy: an organization/network specializing in pharmaceuticals
- Social services
- Specialist clinic: a clinic that operates under a certain area of healthcare, e.g. physicians or rehabilitation centers
- Specialist clinic network: as above but operating from multiple clinics/locations
Puerto Rico was included in this study but is not included in any maps.
Data Researcher: Charlotte Bond
Data breaches as reported to: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Further sources for breaches in 2021 and 2022 can be found here.