Data breaches in healthcare can cause widespread damage, including the loss of medical records, financial losses for the organization, identity theft and fraud, lawsuits, and a loss of patient trust. Now the industry is more at risk of severe cyberattacks than ever before.
These are the biggest data breaches ever reported in healthcare, according to Pulse Headlines:
1. Anthem
The payer discovered the largest healthcare data breach ever seen in 2015. Over 78.8 million Anthem members and members of independent payers contracted with Anthem had their Social Security numbers, home addresses and dates of birth stolen. The company settled with state attorneys general for $39.5 million in 2020.
Six weeks after the 2015 Anthem breach, Premera Blue Cross alerted members of a data breach that occurred nine months earlier in 2014. Hackers stole the information of over 10.4 million members, including names, addresses, dates of birth, email addresses, Social Security numbers, bank account numbers and health plan information. The payer settled a $74 million class action for the breach in 2019.
3. Excellus BlueCross BlueShield
As other payers discovered major data breaches in 2015, Excellus inspected its systems and found a breach of at least 10 million members. Social Security numbers and medical and financial information were stolen. In 2021, The company paid the federal government $5.1 million in HIPAA violation fines over the breach.
4. Tricare
In 2011, the military healthcare system reported a data breach affecting over 4.9 million people. Electronic health record data was stolen from the car of a Science Applications International Corp. employee, which managed Tricare's data security. Stolen data included names of active and retired military personnel and their families, their Social Security numbers, phone numbers and addresses. A class-action lawsuit against the two companies was mostly dismissed in 2014.
5. University of California Los Angeles Health System
In 2015, the UCLA Health System said 4.5 million people's personal information had been compromised. The hackers accessed parts of UCLA's network containing protected health information, including names, addresses, birthdates, Social Security numbers, medical record numbers, health plan number, Medicare numbers and some medical information. The system won a $1.25 million lawsuit over the breach that same year.
Over 200 hospitals owned or leased by Franklin, Tenn.-based Community Health Systems were the victims of a data breach in 2014 that affected over 6.1 million patients. Patient information exposed as a result of the incident included names, Social Security numbers, birthdates and addresses. The company settled with 28 states over the breach for $5 million in 2020.
In 2013, burglars stole four laptops containing sensitive information from Downers Grove, Ill.-based Advocate Medical Group's administrative offices. Stolen information included names, addresses, Social Security numbers and birthdates. No medical records or financial information was included. The company was cleared of a class-action lawsuit over the breach in 2015, but agreed to pay $5.55 million to HHS' Office for Civil Rights in 2016 to settle claims that it violated HIPAA.
8. Medical Informatics Engineering
The medical software company reported a data breach in 2015 of many of its clients, including 11 providers and 44 radiology centers. The compromised information included Social Security numbers, lab results, medical conditions and health plan information.
Phoenix-based Banner Health reported a data breach in 2016 that affected 3.62 million people. Hackers were able to access information from patients, providers and staff, including patient records, credit card numbers and expiration dates, verification codes, patient addresses, birthdates, Social Security numbers and physician names. The company agreed to pay $6 million to patients over a class-action lawsuit in 2019.
10. Newkirk Products
Newkirk, a producer of ID cards for payers and providers, reported a data breach in 2016 affecting over 3.47 million people. Hackers were able to obtain medical ID numbers, group IDs, patient names, provider names, dependent names, dates of birth and premium invoice details.