The biggest medical data breaches in history

In April 2019, the number of reported healthcare data breaches reached a record monthly high. For each of the past four years, healthcare has had the second highest number of breaches of any industry, and almost 10 million records were exposed in US healthcare breaches in 2018 alone. The prevalence and size of medical data breaches are highly concerning, especially when you consider how valuable much of the breached information is to criminals.

In particular, armed with someone’s medical information, thieves can easily commit medical identity theft to receive treatment, get drug prescriptions, or make false claims under the victim’s name. The effects of medical insurance fraud on victims include large financial losses, poor credit rating, and limited access to urgent healthcare. What’s more, medical data often comes packaged with personal information, including Social Security numbers (SSNs), as well as financial information. These pieces of data can be sold on the black market or used in a range of crimes, including credit card fraud and full-blown identity theft.

In this post, we reveal the biggest medical data breaches in history. Breaches in which 1.5 million records or more were exposed made it to the list. We've listed the incidents in reverse chronological order, starting with the most recent.

1. Quest Diagnostics (2019)

Breach size: 11.9 M

American Medical Collection Agency (AMCA) is a medical billing and collections provider that works with Quest Diagnostics. In June 2019, Quest disclosed that an unauthorized user had gained access to AMCA's systems and potentially stolen Quest patient data. The exposed information comprised almost 12 million patient records, including medical information, SSNs, and financial data.

2. MedicareSupplement.com (2019)

Breach size: 5 M

In May 2019, Comparitech worked with security researcher Bob Diachenko to uncover an exposed database apparently belonging to MedicareSupplement.com. This US insurance marketing company offers quotes on supplemental medical insurance.

The database, which appeared to contain marketing lead data, was left open and accessible online without authentication, and had been indexed by the internet scanning search engine BinaryEdge. Each record included first and last name, full address, IP address, email address, date of birth, gender, and marketing-related information. Over 200,000 records also recorded the insurance interest area of the lead, for example, cancer insurance.

We notified the company of the exposure and the database has since been secured. It's unknown whether any malicious parties accessed it while it was left open; an unauthenticated database that has already been indexed by a scanning service should be assumed to have been found by others.

3. Vardguiden (2019)

Breach size: 2.7 M

Another large 2019 breach occurred in Sweden, involving the healthcare hotline Vardguiden. The Swedish tech publication Computer Sweden revealed that audio recordings of millions of calls to the hotline were exposed online for anyone to download. The recordings were sitting on an open web server that required no authentication and used no encryption. Although the exposure was discovered in February 2019, the calls date back to 2013 and may have been exposed for the whole period in between.

The breach affected 2.7 million calls that amounted to 170,000 hours of sensitive audio. The types of information divulged differed from call to call, but most included medical data such as medical history, ailments, and medication as related to the caller or their children. In some cases, callers provided their SSNs, and many of the recording files had phone numbers associated with them.

It’s currently unclear who is to blame for the breach. Thailand-based subcontractor Medicall, reportedly responsible for the blunder, denies it happened.

4. Inmediata Health Group (2019)

Breach size: 1.57 M

Inmediata Health Group is a Puerto Rican health administrator providing clearinghouse services, software, and outsourcing tools to various health institutions and practitioners. In January 2019, the company realized that a misconfigured setting on its web servers had allowed search engines to index internal web pages containing patient data, making them discoverable with an ordinary web search.

More than 1.5 million patients were affected by the breach, and leaked information included names, addresses, gender, dates of birth, medical claims data, and in some cases, SSNs.

5. AccuDoc Solutions (2018)

Breach size: 2.65 M

AccuDoc Solutions Inc. provides healthcare billing services and was the subject of a large data breach in September 2018. The company is responsible for operating the online payment system of Atrium Health. This is a network of over 40 hospitals spanning North and South Carolina and Georgia.

Atrium Health’s database (held by AccuDoc Solutions) was breached by hackers who were able to view patient information, including names, addresses, health insurance information, dates of services, and more. In some cases (around 700,000), SSNs were also exposed.

6. Health South East (2018)

Breach size: 2.9 M

Health South East RHF is the regional health authority responsible for hospitals in south-eastern Norway. In January 2018, the organization disclosed a breach that affected the data of more than half of Norway's population. The breach was the result of an intrusion into its systems, but it's unclear exactly what information the attackers accessed.

7. Banner Health (2016)

Breach size: 3.62 M

Banner Health, a Phoenix-based healthcare system, was at the center of a June 2016 hack. The breach initially appeared to involve only the payment card data of people who made purchases at food and beverage kiosks in select Banner locations. However, it was later discovered that the attackers may also have had access to patient information, including names, addresses, physicians' names, claim information, health insurance information, SSNs, and more. Up to 3.7 million people may have been affected.

8. Newkirk Products (2016)

Breach size: 3.47 M

Newkirk Products Inc. provides healthcare ID cards for various health insurance plan providers. In May 2016, a hacker exploited an administrative portal weakness, gaining access to a server that stored a trove of patient information. The data included names, addresses, ID numbers, dependent names, dates of birth, and Medicaid ID numbers. Newkirk had to notify around 3.3 million people of the breach.

9. 21st Century Oncology (2015)

Breach size: 2.2 M

21st Century Oncology (21CO), a Florida-based healthcare provider, suffered a large breach in October 2015. The company, which at the time operated almost 200 cancer treatment centers, was notified by the FBI that an intruder had accessed patient information. This included names, SSNs, medical information, and insurance data. The breach affected around 2.2 million patients.

21CO offered to provide a year of identity protection services to patients for free. However, the company was fined $2.3 million by the Department of Health and Human Services and was sued by many patients. It has been through bankruptcy (mostly due to other financial problems), but as of 2019, lawsuits against the company related to the 2015 breach are ongoing.

10. Excellus BlueCross BlueShield (2015)

Breach size: 10.5 M

The attack against Excellus BlueCross BlueShield actually started in December 2013, although it wasn't discovered until August 2015. The breach came to light after several other health insurers suffered major breaches and Excellus hired forensic investigators to assess its own IT systems.

The data was encrypted at rest, but the attackers gained administrative access to the systems, which let them read the data through the same path that legitimate applications and administrators used. Encryption at rest protects against a stolen disk or backup; it does nothing against an intruder who holds the credentials or privileges that unlock it. The personal data of 10.5 million people was involved in the breach. Information obtained by the attackers included names, addresses, dates of birth, SSNs, health plan numbers, financial information, and claims information.

11. University of California, Los Angeles Health System (2015)

Breach size: 4.5 M

The computer network of University of California, Los Angeles (UCLA) Health System was attacked by hackers as early as September 2014, although the breach wasn’t discovered until July 2015. The hackers managed to access sensitive information on up to 4.5 million people. The breached data may have included names, birthdates, SSNs, Medicare or other health plan numbers, and medical history information.

The organization came under criticism because the data had not been encrypted, which would have limited what the attackers could read. A class-action lawsuit was filed on behalf of victims, and UCLA Health System agreed to a $7.5 million settlement.

12. Medical Informatics Engineering (2015)

Breach size: 3.5 M

Indiana-based Medical Informatics Engineering provides electronic medical record software and services. In 2015, the company’s NoMoreClipboard subsidiary suffered a major breach when hackers accessed the health information of 3.5 million people. The company recently settled a HIPAA violation case related to the breach and had to pay $100,000.

13. Anthem Blue Cross (2015)

Breach size: 78.8 M

Anthem Blue Cross also paid penalties over a breach, and much larger ones. Discovered in January 2015, a cyberattack on the organization, which may have started as early as 2014, exposed the personal and health information of almost 79 million people.

The leaked data included names, birthdates, street addresses, email addresses, medical IDs, SSNs, and employment and income information.

The company had to shell out a $115 million settlement in 2017, and in 2018, was hit with a $16 million fine.

14. Premera Blue Cross (2015)

Breach size: 11 M

In January 2015, Premera Blue Cross discovered a breach that had begun in May 2014. The scope of the breach was broad, as patient-related data going back as far as thirteen years may have been exposed. In all, as many as 11 million customers may have been affected.

Breached data included medical records, SSNs, birthdates, and bank account information. There is an ongoing class-action lawsuit against the organization in which plaintiffs recently accused Premera of destroying evidence that was crucial to the case.

15. Advocate Health Care (2013)

Breach size: 4.03 M

Advocate Medical Group, part of Advocate Health Care, operates 12 hospitals and over 200 other treatment centers. In August 2013, the Illinois-based organization began alerting patients that it had suffered a data breach a month earlier. The breach was the result of the physical theft of four password-protected computers from an administrative office.

Although the computers were password-protected, they were not encrypted. A login password only controls access through the operating system; anyone who removes the disk and reads it from another machine can access the files directly, so only full-disk encryption protects data on a stolen computer. Leaked information included names, addresses, dates of birth, and SSNs. It also included a trove of medical data such as treating physician, medical record numbers, and health insurance information. There was even detailed information about physicians themselves, including SSNs, National Provider Identifiers (NPIs), and license numbers.

The organization was subsequently ordered to pay a settlement of $5.55 million, which was the largest of its kind at the time.

16. Sutter Medical Foundation (2011)

Breach size: 4.24 M

Sutter Medical Foundation is a Northern Californian not-for-profit health system. It suffered a data breach involving information on 4.24 million patients when a desktop computer was stolen from a medical office in Sacramento.

Similar to the Advocate breach, the computer was protected by a password but it wasn’t encrypted. Data included personal and medical information, but not SSNs or health plan numbers.

The organization was sued in a class-action lawsuit for more than $1 billion, but this was later dismissed.

17. TRICARE (2011)

Breach size: 4.9 M

TRICARE is the US Department of Defense's healthcare program. In September 2011, backup tapes containing electronic health records were stolen from the car of an employee of SAIC, a TRICARE contractor. The tapes held data on 4.9 million patients, including names, SSNs, addresses, phone numbers, clinical notes, and prescription information.

18. UK National Health Service (2011)

Breach size: 8.63 M

In June 2011, UK newspapers reported a massive National Health Service (NHS) breach. 20 laptops apparently disappeared from a storeroom in an NHS medical research organization. One of the computers contained data on 8.63 million patients and was password-protected but unencrypted. The information didn’t include names, but it did include postal codes, ethnic origin, age, and hospital visit information.

19. Health Net (2011)

Breach size: 1.9 M

In March 2011, nine servers went missing from Health Net’s IBM-operated data center in California. 1.9 million existing and past customers of the insurance provider are believed to have been affected. Information stored on the servers included names, addresses, SSNs, financial information, and health information.

20. New York City Health and Hospitals Corporation (2010)

Breach size: 1.7 M

In December 2010, unencrypted tapes belonging to the New York City Health and Hospitals Corporation were stolen from a truck that was transporting the tapes to a secure storage location. They contained details on up to 1.7 million patients, including names, addresses, SSNs, and medical histories. At the time, this was the largest reported breach under the Health Information Technology for Economic and Clinical Health (HITECH) Act breach notification rule, which had been in effect since September 2009.

21. Health Net (2009)

Breach size: 1.5 M

Health Net’s 2011 breach mentioned above wasn’t its first major breach. In November 2009, it announced it had been the subject of a major breach back in May of that year. A hard drive went missing which contained data on 1.5 million customers, including financial and medical information.

22. Virginia Department of Health (2009)

Breach size: 8.26 M

The Virginia Prescription Monitoring Program, run by the state's Department of Health Professions, was at the center of a massive breach in May 2009. An attacker claimed to have copied the program's online prescription database, deleted the backups, and demanded a $10 million ransom for its return. The database held more than 8 million patient records, which may have included personal information (including SSNs) along with prescription information.

23. University of Utah Hospitals and Clinics (2008)

Breach size: 2.2 M

The University of Utah Hospitals and Clinics suffered a breach of data stored on physical tapes when they were stolen in June 2008. The tapes contained billing information, medical records, and SSNs of 2.2 million patients. They were returned just a few days later and two people were charged in the crime. However, the university still ended up spending more than $3 million as a result of the breach.

Image credit: “Technology” by Gerd Altmann licensed under CC BY 2.0