50 biggest data breaches in healthcare

Staff - Updated

Data breaches in healthcare are becoming a more common occurrence, and each one reported appears more severe and far-reaching than the last.

 

Between 2010 and 2013, healthcare organizations reported 949 security breaches compromising approximately 29 million patient records, according to an International Business Times report. Additionally, data from the Kaiser Permanente Division of Research indicate the rate of breaches is on the rise. In 2010, 214 breaches were reported. That number climbed to 265 in 2013.

Healthcare organizations that experience a data breach affecting more than 500 individuals are required by the HITECH Act to report the breach to HHS' Office for Civil Rights. The HITECH Act required organizations to start reporting this information in 2009.

Here are the 50 hospital, health system or health plan data breaches that compromised the most number of individual patient records, as reported to the OCR.

1. Anthem (Indianapolis)

  • Individuals affected: 78.8 million
  • Type of breach: Hacked network server
  • Date reported: March 13, 2015

2. Premera Blue Cross (Mountlake Terrace, Wash.)

  • Individuals affected: 11 million
  • Type of breach: Hacked network server
  • Date reported: March 17, 2015

3. Community Health Systems (Brentwood, Tenn.)

  • Individuals affected: 4.5 million
  • Type of breach: Theft from network server
  • Date reported: Aug. 20, 2014

4. Advocate Health and Hospitals Corp. (Downers Grove, Ill.)

  • Individuals affected: 4 million
  • Type of breach: Theft of desktop computer
  • Date reported: Aug. 23, 2013

5. AvMed (Miami)

  • Individuals affected: 1.2 million
  • Type of breach: Theft of laptop
  • Date reported: June 3, 2010

6. CareFirst BlueCross BlueShield (Baltimore)

  • Individuals affected: 1.1 million
  • Type of breach: Hacked network server
  • Date reported: May 20, 2015

7. Montana Department of Public Health and Human Services

  • Individuals affected: 1.06 million
  • Type of breach: Hacked network server
  • Date reported: July 7, 2014

8. The Nemours Foundation (Jacksonville, Fla.)

  • Individuals affected: 1.05 million
  • Type of breach: Theft of backup tapes
  • Date reported: Oct. 7, 2011

9. BlueCross BlueShield of Tennessee

  • Individuals affected: 1.02 million
  • Type of breach: Theft of hard drives
  • Date reported: Nov. 1, 2010

10. Sutter Medical Foundation (Sacramento, Calif.)

  • Individuals affected: 943,000
  • Type of breach: Theft of desktop computer
  • Date reported: Nov. 17, 2011

11. AHMC Healthcare (Los Angeles)

  • Individuals affected: 729,000
  • Type of breach: Theft of laptop
  • Date reported: Oct. 25, 2013

12. Virginia Department of Medical Assistance Services

  • Individuals affected: 698,000
  • Type of breach: Hacked network server
  • Date reported: March 12, 2015

13. Georgia Department of Community Health

  • Individuals Affected: 558,000
  • Type of breach: Hacked network server
  • Date reported: March 2, 2015

14. Eisenhower Medical Center (Rancho Mirage, Calif.)

  • Individuals affected: 514,000
  • Type of breach: Theft of desktop computer
  • Date reported: March 30, 2011

15. St. Joseph Health System (Bryan, Texas)

  • Individuals affected: 405,000
  • Type of breach: Hacked network server
  • Date reported: Feb. 5, 2014

16. Georgia Department of Community Health (separate from No. 13)

  • Individuals affected: 355,000
  • Type of breach: Hacked network server
  • Date reported: March 2, 2015

17. Affinity Health Plan (Bronx, N.Y.)

  • Individuals affected: 345,000
  • Type of breach: Other
  • Date reported: April 14, 2010

18. Emory Healthcare (Atlanta)

  • Individuals affected: 315,000
  • Type of breach: Missing storage disks
  • Date reported: April 18, 2012

19. Touchstone Medical Imaging (Brentwood, Tenn.)

  • Individuals affected: 308,000
  • Type of breach: Unauthorized access
  • Date reported: Oct. 3, 2014

20. Beacon Health System (South Bend, Ind.)

  • Individuals Affected: 307,000
  • Type of breach: Hacked email
  • Date reported: May 22, 2015

21. Seacoast Radiology (Rochester, N.H.)

  • Individuals affected: 231,000
  • Type of breach: Hacked network server
  • Date reported: Jan. 10, 2011

22. South Carolina Department of Health and Human Services

  • Individuals affected: 228,000
  • Type of breach: Unauthorized access
  • Date reported: April 24, 2012

23. Indian Health Service (Rockville, Md.)

  • Individuals affected: 214,000
  • Type of breach: Unauthorized access
  • Date reported: April 1, 2014

24. Walgreens (Deerfield, Ill.)

  • Individuals affected: 160,000
  • Type of breach: Stolen records and hardware
  • Date reported: Dec. 15, 2014

25. Ankle + Foot Center of Tampa Bay (Fla.)

  • Individuals affected: 156,000
  • Type of breach: Hacked network server
  • Date reported: Jan. 3, 2011

26. Advantage Consolidated (Redmond, Ore.)

  • Individuals affected: 152,000
  • Type of breach: Hacked network server
  • Date reported: March 18, 2015

27. Oklahoma State Department of Health

  • Individuals affected: 133,000
  • Type of breach: Laptop theft
  • Date reported: April 11, 2011

28. Alere Home Monitoring (Livermore, Calif.)

  • Individuals affected: 117,000
  • Type of breach: Laptop theft
  • Date reported: Oct. 18, 2012

29. Crescent Health (Anaheim, Calif.)

  • Individuals affected: 109,000
  • Type of breach: Desktop computer theft
  • Date reported: Feb. 22, 2013

30. Memorial Healthcare System (Hollywood, Fla.)

  • Individuals affected:106,000
  • Type of breach: Record theft
  • Date reported: August 16, 2012

31. NRAD Medical Associates (Garden City, N.Y.)

  • Individuals affected: 97,000
  • Type of breach: Hacked computer
  • Date reported: June 20, 2014

32. Hartford (Conn.) Hospital

  • Individuals affected: 93,500
  • Type of breach: Information theft
  • Date reported: April 5, 2011

33. Jacobi Medical Center (Bronx, N.Y.)

  • Individuals affected: 90,000
  • Type of breach: Unauthorized access to email
  • Date reported: April 28, 2015

34. Patient Care Services at Saint Francis (Tulsa, Okla.)

  • Individuals affected: 84,000
  • Type of breach: Desktop computer theft
  • Date reported: April 6, 2011

35. Providence Hospital (Southfield, Mich.)

  • Individuals affected: 83,945
  • Type of breach: Missing hard drive
  • Date reported: April 5, 2010

36. City of Philadelphia Fire Department EMS Unit

  • Individuals affected: 81,463
  • Type of breach: Unauthorized access
  • Date reported: April 2, 2015

37. Tennessee Rural Health Improvement Association

  • Individuals affected: 79,000
  • Type of breach: Unauthorized access
  • Date reported: Jan. 13, 2015

38. Central Dermatology Center (Chapel Hill, N.C.)

  • Individuals affected: 76,258
  • Type of breach: Malware attack
  • Date reported: Nov. 7, 2014

39. UW Medicine (Seattle)

  • Individuals affected: 76,183
  • Type of breach: Hacked computer
  • Date reported: Nov. 27, 2013

40. Visionworks, subsidiary of Highmark (Pittsburgh)

  • Individuals affected: 75,000
  • Type of breach: Missing computer server
  • Date reported: Nov. 10, 2014

41. University of Miami

  • Individuals affected: 64,846
  • Type of breach: Unauthorized access
  • Date reported: Sept. 7, 2012

42. The Neurological Institute of Savannah (Ga.) & Center for Spine

  • Individuals affected: 63,425
  • Type of breach: Hard drive theft
  • Date reported: Aug. 15, 2011

43. St. Vincent Hospital and Health Care Center (Indianapolis)

  • Individuals affected: 63,325
  • Type of breach: Unauthorized access
  • Date reported: Feb. 27, 2015

44. Cincinnati Children's Hospital Medical Center

  • Individuals affected: 61,000
  • Type of breach: Laptop theft
  • Date reported: June 1, 2010

45. Los Angeles Gay and Lesbian Center

  • Individuals affected: 59,000
  • Type of breach: Hacked network server
  • Date reported: Dec. 10, 2013

46. Boston Baskin Cancer Foundation

  • Individuals affected: 56,694
  • Type of breach: Hard drive theft
  • Date reported: Feb. 2, 2015

47. Banner Health (Phoenix)

  • Individuals affected: 55,207
  • Type of breach: Exposed information
  • Date reported: March 5, 2014

48. Lebanon (Pa.) Internal Medicine Associates

  • Individuals affected: 55,000
  • Type of breach: Improper disposal
  • Date reported: Nov. 2, 2011

49. Cancer Care Group (Indianapolis)

  • Individuals affected: 55,000
  • Type of breach: Stolen hardware
  • Date reported: Aug. 28, 2012

50. North Carolina Department of Health and Human Services

  • Individuals affected: 48,752
  • Type of breach: Unauthorized access
  • Date reported: Jan. 6, 2014

More articles on data braeches:

Patient data security: 4 ways to protect your organization from a data breach
50k records stolen from pharmaceutical company Akorn offered to highest bidder
Could HealthCare.gov's data warehouse be the target of the next big breach?: 5 things to know

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

 

Featured Learning Opportunities

Featured Whitepapers

Featured Webinars