Data breaches in healthcare are becoming a more common occurrence, and each one reported appears more severe and far-reaching than the last.
Between 2010 and 2013, healthcare organizations reported 949 security breaches compromising approximately 29 million patient records, according to an International Business Times report. Additionally, data from the Kaiser Permanente Division of Research indicate the rate of breaches is on the rise. In 2010, 214 breaches were reported. That number climbed to 265 in 2013.
Healthcare organizations that experience a data breach affecting more than 500 individuals are required by the HITECH Act to report the breach to HHS' Office for Civil Rights. The HITECH Act required organizations to start reporting this information in 2009.
Here are the 50 hospital, health system or health plan data breaches that compromised the most number of individual patient records, as reported to the OCR.
1. Anthem (Indianapolis)
- Individuals affected: 78.8 million
- Type of breach: Hacked network server
- Date reported: March 13, 2015
2. Premera Blue Cross (Mountlake Terrace, Wash.)
- Individuals affected: 11 million
- Type of breach: Hacked network server
- Date reported: March 17, 2015
3. Community Health Systems (Brentwood, Tenn.)
- Individuals affected: 4.5 million
- Type of breach: Theft from network server
- Date reported: Aug. 20, 2014
4. Advocate Health and Hospitals Corp. (Downers Grove, Ill.)
- Individuals affected: 4 million
- Type of breach: Theft of desktop computer
- Date reported: Aug. 23, 2013
5. AvMed (Miami)
- Individuals affected: 1.2 million
- Type of breach: Theft of laptop
- Date reported: June 3, 2010
6. CareFirst BlueCross BlueShield (Baltimore)
- Individuals affected: 1.1 million
- Type of breach: Hacked network server
- Date reported: May 20, 2015
7. Montana Department of Public Health and Human Services
- Individuals affected: 1.06 million
- Type of breach: Hacked network server
- Date reported: July 7, 2014
8. The Nemours Foundation (Jacksonville, Fla.)
- Individuals affected: 1.05 million
- Type of breach: Theft of backup tapes
- Date reported: Oct. 7, 2011
9. BlueCross BlueShield of Tennessee
- Individuals affected: 1.02 million
- Type of breach: Theft of hard drives
- Date reported: Nov. 1, 2010
10. Sutter Medical Foundation (Sacramento, Calif.)
- Individuals affected: 943,000
- Type of breach: Theft of desktop computer
- Date reported: Nov. 17, 2011
11. AHMC Healthcare (Los Angeles)
- Individuals affected: 729,000
- Type of breach: Theft of laptop
- Date reported: Oct. 25, 2013
12. Virginia Department of Medical Assistance Services
- Individuals affected: 698,000
- Type of breach: Hacked network server
- Date reported: March 12, 2015
13. Georgia Department of Community Health
- Individuals Affected: 558,000
- Type of breach: Hacked network server
- Date reported: March 2, 2015
14. Eisenhower Medical Center (Rancho Mirage, Calif.)
- Individuals affected: 514,000
- Type of breach: Theft of desktop computer
- Date reported: March 30, 2011
15. St. Joseph Health System (Bryan, Texas)
- Individuals affected: 405,000
- Type of breach: Hacked network server
- Date reported: Feb. 5, 2014
16. Georgia Department of Community Health (separate from No. 13)
- Individuals affected: 355,000
- Type of breach: Hacked network server
- Date reported: March 2, 2015
17. Affinity Health Plan (Bronx, N.Y.)
- Individuals affected: 345,000
- Type of breach: Other
- Date reported: April 14, 2010
18. Emory Healthcare (Atlanta)
- Individuals affected: 315,000
- Type of breach: Missing storage disks
- Date reported: April 18, 2012
19. Touchstone Medical Imaging (Brentwood, Tenn.)
- Individuals affected: 308,000
- Type of breach: Unauthorized access
- Date reported: Oct. 3, 2014
20. Beacon Health System (South Bend, Ind.)
- Individuals Affected: 307,000
- Type of breach: Hacked email
- Date reported: May 22, 2015
21. Seacoast Radiology (Rochester, N.H.)
- Individuals affected: 231,000
- Type of breach: Hacked network server
- Date reported: Jan. 10, 2011
22. South Carolina Department of Health and Human Services
- Individuals affected: 228,000
- Type of breach: Unauthorized access
- Date reported: April 24, 2012
23. Indian Health Service (Rockville, Md.)
- Individuals affected: 214,000
- Type of breach: Unauthorized access
- Date reported: April 1, 2014
24. Walgreens (Deerfield, Ill.)
- Individuals affected: 160,000
- Type of breach: Stolen records and hardware
- Date reported: Dec. 15, 2014
25. Ankle + Foot Center of Tampa Bay (Fla.)
- Individuals affected: 156,000
- Type of breach: Hacked network server
- Date reported: Jan. 3, 2011
26. Advantage Consolidated (Redmond, Ore.)
- Individuals affected: 152,000
- Type of breach: Hacked network server
- Date reported: March 18, 2015
27. Oklahoma State Department of Health
- Individuals affected: 133,000
- Type of breach: Laptop theft
- Date reported: April 11, 2011
28. Alere Home Monitoring (Livermore, Calif.)
- Individuals affected: 117,000
- Type of breach: Laptop theft
- Date reported: Oct. 18, 2012
29. Crescent Health (Anaheim, Calif.)
- Individuals affected: 109,000
- Type of breach: Desktop computer theft
- Date reported: Feb. 22, 2013
30. Memorial Healthcare System (Hollywood, Fla.)
- Individuals affected:106,000
- Type of breach: Record theft
- Date reported: August 16, 2012
31. NRAD Medical Associates (Garden City, N.Y.)
- Individuals affected: 97,000
- Type of breach: Hacked computer
- Date reported: June 20, 2014
32. Hartford (Conn.) Hospital
- Individuals affected: 93,500
- Type of breach: Information theft
- Date reported: April 5, 2011
33. Jacobi Medical Center (Bronx, N.Y.)
- Individuals affected: 90,000
- Type of breach: Unauthorized access to email
- Date reported: April 28, 2015
34. Patient Care Services at Saint Francis (Tulsa, Okla.)
- Individuals affected: 84,000
- Type of breach: Desktop computer theft
- Date reported: April 6, 2011
35. Providence Hospital (Southfield, Mich.)
- Individuals affected: 83,945
- Type of breach: Missing hard drive
- Date reported: April 5, 2010
36. City of Philadelphia Fire Department EMS Unit
- Individuals affected: 81,463
- Type of breach: Unauthorized access
- Date reported: April 2, 2015
37. Tennessee Rural Health Improvement Association
- Individuals affected: 79,000
- Type of breach: Unauthorized access
- Date reported: Jan. 13, 2015
38. Central Dermatology Center (Chapel Hill, N.C.)
- Individuals affected: 76,258
- Type of breach: Malware attack
- Date reported: Nov. 7, 2014
39. UW Medicine (Seattle)
- Individuals affected: 76,183
- Type of breach: Hacked computer
- Date reported: Nov. 27, 2013
40. Visionworks, subsidiary of Highmark (Pittsburgh)
- Individuals affected: 75,000
- Type of breach: Missing computer server
- Date reported: Nov. 10, 2014
41. University of Miami
- Individuals affected: 64,846
- Type of breach: Unauthorized access
- Date reported: Sept. 7, 2012
42. The Neurological Institute of Savannah (Ga.) & Center for Spine
- Individuals affected: 63,425
- Type of breach: Hard drive theft
- Date reported: Aug. 15, 2011
43. St. Vincent Hospital and Health Care Center (Indianapolis)
- Individuals affected: 63,325
- Type of breach: Unauthorized access
- Date reported: Feb. 27, 2015
44. Cincinnati Children's Hospital Medical Center
- Individuals affected: 61,000
- Type of breach: Laptop theft
- Date reported: June 1, 2010
45. Los Angeles Gay and Lesbian Center
- Individuals affected: 59,000
- Type of breach: Hacked network server
- Date reported: Dec. 10, 2013
46. Boston Baskin Cancer Foundation
- Individuals affected: 56,694
- Type of breach: Hard drive theft
- Date reported: Feb. 2, 2015
47. Banner Health (Phoenix)
- Individuals affected: 55,207
- Type of breach: Exposed information
- Date reported: March 5, 2014
48. Lebanon (Pa.) Internal Medicine Associates
- Individuals affected: 55,000
- Type of breach: Improper disposal
- Date reported: Nov. 2, 2011
49. Cancer Care Group (Indianapolis)
- Individuals affected: 55,000
- Type of breach: Stolen hardware
- Date reported: Aug. 28, 2012
50. North Carolina Department of Health and Human Services
- Individuals affected: 48,752
- Type of breach: Unauthorized access
- Date reported: Jan. 6, 2014
More articles on data braeches:
Patient data security: 4 ways to protect your organization from a data breach
50k records stolen from pharmaceutical company Akorn offered to highest bidder
Could HealthCare.gov's data warehouse be the target of the next big breach?: 5 things to know