Medical breaches accounted for 422.7 million leaked records

Since 2009, medical organizations in the US have suffered 5,478 data breaches, affecting nearly 423 million medical records. Based on the average cost per breached record (as reported by IBM each year), we estimate these breaches have cost healthcare organizations over $39 billion from 2017 to July 2023 alone.

Our team of researchers analyzed data from 2009 to July 2023 to find out which US states suffer the most medical breaches and how many records have been affected each year. We also took an in-depth look at breaches from January 2021 to July 2023 to find the most significant cause of these breaches and the most-affected healthcare organizations.

Our study covered breaches that have crippled healthcare facilities, many of which led to the exploitation of personal medical data, putting patients’ health, and in some cases their lives, at risk. Breaches can take healthcare systems offline, leaving medical workers without critical information. Threat actors may also gain access to Social Security numbers, health insurance information, prescription information, medical history, and even financial data linked to medical billing.

2020 saw the highest number of medical breaches since 2009, with 821 breaches and 47 million records affected. The number of breaches declined in 2021 (to 757) and further in 2022 (to 562), but the number of records impacted in 2022 remained high (47.6 million breached in 2022 compared to 49.5 million in 2021). This highlights a growing trend of fewer attacks but more data stolen per attack. The trend looks set to continue in 2023: although only 259 breaches have been reported so far, 39.2 million records have already been affected this year, suggesting that the final figures are likely to exceed those seen in 2022.

Key findings:

  • 5,478 medical breaches recorded from 2009 to July 2023
  • 422,694,451 individual records were affected as a result of these breaches
  • The estimated cost of breaches from 2017 to July 2023 was $39 billion
  • 2020 was the biggest year for medical breaches with 821 reported (the second-highest was 2021 with 757)
  • 2015 saw the highest number of records affected with nearly 112.5 million in total. The majority of these (78.8m) stem from the attack on Anthem, Inc.
  • Specialist Clinics (clinics that specialize in a certain field of medicine–e.g. cardiology or radiology, etc.) have seen the most data breaches (from 2021 onwards) with 278 breaches (17.6 percent) in total, but clinic networks accounted for the highest breached records with 16.5 million affected in total (12 percent of the overall records affected)
  • From 2021 onwards, hacking was the most common type of breach, accounting for one-third of breaches (508 out of 1,578)

HIPAA-covered entities in all 50 states are required to report medical breaches to the U.S. Department of Health and Human Services (HHS). Breaches affecting 500 or more individuals are filed and listed individually on the OCR breach portal; smaller breaches are reported annually and are not listed. Because the portal lists only breaches affecting 500 or more patients, our figures likely underestimate the true scale of the problem.

The top 5 worst-hit states for medical data breaches and records impacted since 2009

As we will see below, the states most affected by number of breaches and records are often the most populous, which isn’t too surprising. However, when we look at the number of medical records affected per 100,000 people of each state’s population, the ranking changes drastically; only Indiana keeps its place at the top. Indiana comes out on top with 1.3 million records affected per 100,000 people, a figure greater than the state’s entire population. It stems primarily from one breach at Anthem, Inc. (reported in 2015), in which 78.8 million records were affected, and that breach would have affected residents outside state lines, too.

Delaware records the second-highest number of breached records per 100,000 people with 387,345 records. This is followed by Minnesota (257,744 records affected per 100,000 people), Washington (213,020 records affected per 100,000 people), and Florida (193,818 records affected per 100,000 people).

As well as the above, 12 states and territories recorded more than 100,000 records affected per 100,000 people (WI, TN, KY, NC, MT, NY, PR, NM, VA, AZ, MA, and MD).

South Dakota reported just 5,232 records affected per 100,000 people of the population.

If we look at the number of breaches by US states, we can see that California had the most by far, accounting for 545 (10 percent) of the 5,478 data breaches.

Texas (451), New York (341), Florida (329), and Illinois (240) are the other four worst-hit states.

When it comes to the number of records affected, the picture changes slightly, with Indiana moving to the top.

Indiana recorded the highest number of records affected, with more than 91 million records (more than 21 percent of all breached records). This is significantly higher than second-place Florida, with 41.7 million records affected. However, as noted above, Indiana’s total is largely due to the Anthem, Inc. breach.

The states that closely followed Florida were New York (29.8 million), California (24.9 million), and Texas (20.9 million).

South Dakota reported the lowest figures, with just 13 data breaches reported since 2009 and 46,387 medical records breached. It is important to reiterate, however, that breaches at medical institutions may affect residents of other states, particularly when the organization operates in more than one state.

The top 10 medical data breaches with the most records affected since 2009

While most of the top 10 date from 2011 to 2019, two entries from 2023 have joined the list: the ransomware attacks on Managed Care of North America (MCNA) Dental and PharMerica Corporation, which affected 14.7 million records in total.

  1. 2015 – Anthem Inc. = 78.8 million records affected: The largest US health data breach in history. An employee opened a malicious spear-phishing email, which led to attackers accessing Anthem’s systems and extracting the data of nearly 79 million people. Anthem paid $16 million to the OCR to settle potential HIPAA violations.
  2. 2019 – Optum360, LLC = 11.5 million records affected: 11.5 million lab patients who had overdue bills with Optum360 were affected when hackers accessed records via the American Medical Collection Agency (AMCA).
  3. 2015 – Premera Blue Cross = 11 million records affected: Premera Blue Cross paid $6.85 million to the OCR after it suffered a data breach that began with a phishing email. The attackers went unnoticed from May 2014 until January 2015.
  4. 2019 – Laboratory Corporation of America Holdings dba LabCorp = 10.3 million records affected: LabCorp was also affected by the hack on the American Medical Collection Agency.
  5. 2015 – Excellus Health Plan, Inc. = 9.4 million records affected: Hackers had unauthorized access to systems from December 2013 until May 2015, leading to the disclosure of 9.4 million records.
  6. 2023 – Managed Care of North America (MCNA) Dental = 8.9 million records affected: The LockBit ransomware group accessed MCNA’s systems and demanded a $10 million ransom for the 700GB of sensitive data it had exfiltrated. The company refused to pay and reported a breach of nearly 9 million records.
  7. 2014 – Community Health Systems Professional Services Corporations = 6.1 million records affected: Despite an FBI warning in April 2014 that its systems were being targeted, the attackers retained access to data until August 2014. The company agreed to a $2.3 million settlement with the OCR for the breach.
  8. 2023 – PharMerica Corporation = 5.8 million records affected: In March 2023, PharMerica suffered a cyber attack in which the data of nearly 6 million of its pharmacy clients was stolen. The Money Message ransomware group later claimed the attack.
  9. 2011 – Science Applications International Corporation = 4.9 million records affected: Backup tapes were stolen from the corporation, impacting an estimated 4.9 million patients of military hospitals and clinics.
  10. 2015 – University of California, Los Angeles Health = 4.5 million records affected: Hackers accessed clinical and demographic information after gaining access to part of the university’s network.

The estimated cost of medical data breaches by year

IBM’s report this year puts the average cost per record in a data breach in 2023 at $165, a very slight increase on the 2022 figure ($164). Over the last seven years, IBM’s cost per record has risen from $141 in 2017 to $165 in 2023.

Using IBM’s yearly figure for the cost per breached record, multiplied by the number of records affected in each year, we have estimated how much these breaches have cost medical facilities.

From the start of 2017 to July 2023, we estimate data breaches have cost US medical organizations over $39 billion.

While this figure may seem high for 3,651 medical breaches, the true cost is likely much higher. Record counts are unavailable for some breaches, so those contribute nothing to the estimate, and the per-record figure excludes other costs involved in a breach (e.g. recovery costs and ransom payments). IBM’s per-record figure is also a cross-industry average, whereas healthcare breaches are the most expensive of any sector, so the estimate is conservative.

To put this in context, IBM reports that the healthcare industry has suffered the highest average breach costs of any sector for the last 13 years, largely because of the sensitivity of the data involved. In 2023, a healthcare breach cost an average of $10.93 million, an 8.2 percent increase from 2022 ($10.10 million).

The biggest years for medical data breaches

According to the chart below, 2020 was the biggest year for medical data breaches with 821 in total. 2021 also recorded a high number of breaches with 757. In 2022, figures dropped significantly to 562. So far this year, 259 medical data breaches have been reported. Despite this decline in the number of breaches in recent years, the number of records affected has remained high.

2015 reported an extraordinarily high number of records affected compared to all other years with 112.5 million records breached. However, as we have already commented, this stems from the Anthem, Inc. breach.

The median number of records affected per breach, which unlike the yearly total is not distorted by a single outlier such as Anthem, has risen over the last few years. From 2009 to 2018, the median remained around the 2,000 mark. In 2019, it rose to just over 3,940 before increasing further in 2020 (to 4,950) and 2021 (5,381). The median remained similar in 2022 (5,264) and has decreased slightly so far this year (3,690). This further highlights the growing trend of more targeted attacks that aim to steal greater volumes of data.

What was the most common medical data breach type in 2022?

Hacking proved to be the most common method of breaching medical organizations, accounting for 187 out of 562 breaches in 2022. The next largest category (excluding unknowns) was ransomware with 91 attacks, closely followed by breaches via third parties with 88.

Phishing isn’t listed as a separate category here because it is typically the initial access vector rather than the breach itself; it is the likely starting point for many of the hacks and ransomware attacks above.

This time around, we have included third-party breaches as a separate category (they were previously grouped under “insider”). We made this change because of the growing number of large-scale attacks on such entities, often via ransomware, in which one compromised vendor exposes records from dozens of healthcare clients.

For example, the April 2022 attack on OneTouchPoint affected over 4.1 million medical records across more than 35 of its clients, and the December 2021 attack on Eye Care Leaders affected over 3.6 million patient records from more than 40 eye care providers. More recently, we have witnessed the mass exploitation of Fortra’s GoAnywhere MFT (CVE-2023-0669) and Progress’s MOVEit Transfer (CVE-2023-34362) file-transfer products by the Cl0p ransomware group, both of which are still unfolding with many breach reports still to come.

What was the most-affected medical organization type in 2022?

To see which type of organization suffered the most medical data breaches, we sorted all breaches into 22 categories of healthcare facility type (see the methodology for definitions).

The type of organization that suffered the highest number of breaches in 2022 was specialist clinics with 104 medical breaches, impacting 2.6 million records. As mentioned previously, specialist clinics are those that focus on a specific area of healthcare, e.g. cardiology or radiology. The other most affected organizations in 2022 by number of breaches were:

  • Health insurance companies: 74 breaches affecting 2.7 million records
  • Clinic networks (an organization consisting of several clinics offering general healthcare from multiple locations): 56 breaches affecting 8.4 million records
  • Specialist clinic networks: 54 breaches affecting 5.8 million records
  • Hospitals: 46 breaches affecting 2.9 million records

When it comes to the number of records, clinic networks and businesses (defined as general businesses that may operate outside the medical sector but still handle medical records in some way, e.g. a company offering employees a health plan) are the most affected, with 8.4 million and 7.5 million records affected respectively.

So far in 2023, specialist clinics remain the most-affected type of organization, with 59 breaches affecting 5.3 million records. Health insurance companies are next with 25 recorded breaches so far this year and over 546,000 breached records. Dental practices and pharmacies have reported the highest number of records breached so far this year, 9 million and 5.9 million respectively, driven by the MCNA Dental and PharMerica breaches listed above.

What is 2023 looking like for medical data breaches?

Between January and July this year, 259 medical data breaches were reported, with 39,221,784 records affected. During the same period of 2022, we noted 356 breaches. While 2022’s figure is significantly higher, we expect many more reports for this period of 2023 to come through, particularly as we are starting to see a high number of breach notifications stemming from the MOVEit vulnerability.

That said, the first seven months of 2022 saw just over 28 million records breached, which indicates that 2023 is seeing vastly higher figures for the number of patient records involved. This is mirrored in the confirmed ransomware attacks we have logged via our US ransomware tracker: from January to July 2022 we saw 62 attacks on healthcare-based organizations affecting over 8 million records, whereas over the same period this year we have seen 51 attacks affecting 22.6 million records.

All of this data suggests hackers are increasingly seeking out organizations holding large volumes of high-value data such as medical records. This, alongside breaches via accidental disclosure (which account for around 10 percent of breaches), means the volume of data involved in medical breaches remains at worryingly high levels.

Methodology

In order to gather as much information as possible on medical data breaches, we collated a list of breaches from 2009 to July 2023 as reported on the OCR portal. To deep dive into the types of breaches and most-affected organizations, our team searched through industry resources, state data breach notification tools, and news sources to gather further data on breaches that occurred from 2021 to July 2023.

Where possible, each breach is assigned to the date it occurred rather than the date it was disclosed. For example, a breach may have occurred in 2021 but only been disclosed in 2022; we allocate it to 2021’s figures, as that is when the breach happened. On a few occasions it wasn’t possible to establish this, so the month in which the breach was reported was used instead.
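The following is an added example, not code from the original study, showing how the yearly aggregation described in this methodology and the cost estimate in the section above fit together. The rows are constructed to resemble the OCR portal’s columns (name, state, covered-entity type, individuals affected, submission date, and an optional breach date) and are not real breaches; the population figures are placeholders, not census data. The per-record cost table holds only the three IBM figures the article cites ($141 for 2017, $164 for 2022, $165 for 2023); years without a figure are reported rather than guessed.

```python
"""Aggregation of OCR breach-portal style rows by year of occurrence.

Added example, not the article's own code. SAMPLE_ROWS are constructed to
resemble the portal's columns and are not real breaches; the population
figures used below are placeholders.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample rows: (name, state, type, individuals, submitted, occurred).
# 'occurred' is None where the breach date could not be established.
SAMPLE_ROWS = [
    ("Clinic A", "CA", "Specialist clinic", 1200, date(2022, 3, 4), date(2021, 11, 20)),
    ("Insurer B", "IN", "Health insurance", 450000, date(2022, 6, 1), date(2022, 5, 3)),
    ("Network C", "TX", "Clinic network", 8300, date(2023, 2, 14), None),
    ("Hospital D", "NY", "Hospital", 2400, date(2021, 8, 9), date(2021, 7, 30)),
    ("Pharmacy E", "DE", "Pharmacy", 95000, date(2023, 5, 2), date(2023, 3, 12)),
    ("Dental F", "CA", "Dental", 600, date(2023, 7, 1), date(2023, 6, 15)),
]

# Per-record cost figures the article cites from IBM (USD). Years the article
# gives no figure for are deliberately absent so they are never guessed.
IBM_COST_PER_RECORD = {2017: 141, 2022: 164, 2023: 165}


def breach_year(row):
    """Year the breach occurred, falling back to the submission year."""
    _, _, _, _, submitted, occurred = row
    return (occurred or submitted).year


def aggregate_by_year(rows):
    """Breach count, total and median of individuals affected, keyed by breach year."""
    per_year = defaultdict(list)
    for row in rows:
        per_year[breach_year(row)].append(row[3])
    return {
        year: {"breaches": len(v), "records": sum(v), "median": median(v)}
        for year, v in sorted(per_year.items())
    }


def estimate_cost(by_year, cost_per_record):
    """Sum records x per-record cost; list years with no cost figure instead of guessing."""
    total = 0
    skipped = []
    for year, stats in by_year.items():
        if year in cost_per_record:
            total += stats["records"] * cost_per_record[year]
        else:
            skipped.append(year)
    return total, skipped


def records_per_100k(rows, population):
    """Records affected per 100,000 residents of the reporting entity's state.

    States without a population figure are omitted rather than divided by a guess.
    """
    by_state = defaultdict(int)
    for row in rows:
        by_state[row[1]] += row[3]
    return {
        state: round(n / population[state] * 100_000)
        for state, n in by_state.items()
        if state in population
    }


if __name__ == "__main__":
    by_year = aggregate_by_year(SAMPLE_ROWS)
    for year, stats in by_year.items():
        print(year, stats)
    cost, skipped = estimate_cost(by_year, IBM_COST_PER_RECORD)
    print(f"estimated cost ${cost:,}; no IBM per-record figure for {skipped}")
    # Placeholder populations, not census data.
    print(records_per_100k(SAMPLE_ROWS, {"CA": 39_000_000, "IN": 6_800_000, "DE": 1_000_000}))
```

Two design points mirror the caveats in the text: the median is reported alongside the total because one outlier the size of Anthem dominates a yearly sum, and a breach is attributed to the state of the reporting entity, so the per-100k figure can exceed 100,000 for an insurer whose members live elsewhere.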

Each breach was categorized into one of 22 medical organization types, which are defined as follows:

  • Academic hospital: an academic institution with a public medical facility on site that also conducts medical research
  • Ambulance Service: covering ambulance authorities and other medical transport systems
  • Business: a general business that may work outside of the medical sector
  • Clinic: a clinic offering all-around healthcare services
  • Clinic network: a system of clinics operating from more than one location to offer all-around healthcare services
  • Dental: a practice offering dental healthcare services
  • Department of Health: a government department of health
  • Education: a school/university that’s involved in a health-related data breach
  • Government: a general government department/entity that’s involved in a health-related data breach, e.g. the department of human services or a county government
  • Health insurance
  • Home/senior care
  • Hospital
  • Hospital network: a system of hospitals operating from more than one location to offer all-around healthcare services
  • Laboratory: a health-based laboratory business
  • Medical equipment: a company that specializes primarily in medical equipment
  • Medical Management: a company that specializes primarily in the management of medical planning and organization
  • Medical technology: a company that specializes primarily in technology solutions for healthcare companies
  • Optometry: a practice offering optical healthcare service
  • Pharmacy: an organization/network specializing in pharmaceuticals
  • Social services
  • Specialist clinic: a clinic that operates in a specific area of healthcare, e.g. physician practices or rehabilitation centers
  • Specialist clinic network: as above but operating from multiple clinics/locations

Puerto Rico was included in this study, but isn’t included in any maps.

Data Researcher: Charlotte Bond

Sources

Data breaches as reported to: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

2023 IBM Report: https://www.ibm.com/downloads/cas/E3G5JMBP