The 15 Largest Healthcare Data Breaches

FACT: A single patient record can reportedly fetch up to $1,000 on the dark web.

Healthcare records are far more valuable than stolen credit card data, which sells for just a few dollars per card, because a card can be cancelled and reissued while a Social Security number, date of birth and diagnosis cannot.

The healthcare industry now faces a perfect storm of circumstances that has made it a prime target for cybercriminals.

Aging infrastructure, legacy systems with unpatched vulnerabilities, and sprawling networks of third-party vendors have significantly expanded the attack surface.

In this post, we’ll cover the 15 largest healthcare data breaches in history, their impact, and what you can do to prevent your organization from becoming the next victim.

But first, let’s define what a healthcare data breach means.

Understanding healthcare data breaches

A healthcare data breach occurs when patient information, known under HIPAA as Protected Health Information (PHI), is accessed, stolen, or disclosed without authorization.

These breaches have become increasingly common because patient records are now predominantly stored and transmitted electronically.

A healthcare data breach can expose various types of information, including:

  • Medical histories and diagnoses
  • Social Security numbers
  • Insurance information
  • Billing and payment details
  • Prescription records
  • Lab results and test reports
  • Contact information and demographic data

There are several reasons why the healthcare sector has become a prime target for hackers.

First, medical records bundle together identity, financial and clinical data that can reportedly sell for up to $1,000 per record on the dark web. This is significantly higher than credit card information, which typically sells for $1-$5, and unlike a card number the data cannot simply be reissued once it has leaked.

Second, healthcare organizations often run legacy systems and medical devices with outdated security controls and unpatched vulnerabilities that attackers can exploit.

Third, most healthcare providers work with a large number of third-party vendors (billing agencies, transcription firms, file-transfer products, claims clearinghouses). Each of them is a potential entry point, and a single compromised vendor can expose patients across many health systems at once.

Telehealth and remote patient monitoring have further expanded the attack surface.

Now that we’ve defined what a healthcare data breach is, let’s discuss the biggest healthcare data breaches of all time.

The 15 biggest healthcare data breaches in history

Here’s a list of the most significant healthcare data breaches in history, their impact, and the lessons learned.

1. UnitedHealth Change Healthcare (2024) - 100 Million Records

In February 2024, a ransomware attack attributed to the ALPHV/BlackCat group hit Change Healthcare, the UnitedHealth Group subsidiary that processes a large share of U.S. medical claims. The company took its systems offline, disrupting payment processing, prescriptions, and medical claims across thousands of healthcare providers for weeks. UnitedHealth's CEO later testified to Congress that the attackers got in using stolen credentials on a Citrix remote-access portal that did not have multi-factor authentication enabled. This was the largest healthcare data breach of all time, both in the number of records exposed and in the disruption it caused. The breach is a great example of the cascading effects a single cybersecurity incident can have across an industry: so many healthcare providers relied on Change Healthcare's systems that, when those systems went down, many were unable to bill for or provide care to their patients.

2. Anthem Blue Cross (2015) - 78.8 Million Records

The second largest healthcare breach to date affected Anthem, one of America's largest health insurance companies. Attackers used a phishing campaign to steal employee credentials and gain access to Anthem's network in February 2014. Once in, they were able to reach a database of names, birth dates, Social Security numbers, addresses, and employment information for current and former members. The database held no clinical information and was not encrypted; Anthem argued it was not required to be, since the HIPAA Security Rule treats encryption at rest as an "addressable" safeguard rather than a mandatory one. The intrusion went undetected for nearly a year before it was discovered in January 2015. Roughly 100 class action lawsuits were consolidated and settled in 2017 for $115 million, and in 2018 Anthem paid a further $16 million to the HHS Office for Civil Rights, the largest HIPAA settlement at the time.

3. Welltok (2023) - 14.7 Million Records

In 2023, Welltok, a patient-communications vendor that serves health plans and providers, discovered unauthorized access to its systems that exposed sensitive personal information. The incident was part of a global mass-exploitation campaign by the Cl0p group, which abused a then zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer managed file transfer product to steal data from its customers' MOVEit servers. The campaign ultimately affected more than 2,600 organizations worldwide. The Welltok breach leaked highly sensitive data, including Social Security numbers, health insurance information, medical condition details, and demographic information of members across multiple healthcare organizations, because Welltok held that data on behalf of its clients.

4. Kaiser Foundation Health Plan (2024) - 13.4 Million Records

In April 2024, Kaiser Permanente reported to HHS that online tracking technologies embedded in its websites and mobile apps had been transmitting member data to third-party vendors, including advertising and analytics providers. Depending on how a member used the site, the data could include names, IP addresses, whether the member was signed in, and how they navigated the site, including searches in Kaiser's health encyclopedia. Kaiser said no Social Security numbers or financial information were involved. Unlike most entries on this list, this was not an intrusion by an outside attacker but a self-inflicted disclosure through third-party code, which is why it still counts as a breach of PHI under HIPAA.

5. Quest Diagnostics (2019) - 11.9 Million Records

In June 2019, Quest Diagnostics disclosed that American Medical Collection Agency (AMCA), a third-party billing and collections vendor, had suffered a data breach. An unauthorized party had access to AMCA's web payment page from August 2018 to March 2019. As part of that breach, Quest Diagnostics patients had their medical and financial information stolen, including names, addresses, dates of birth, Social Security numbers, and financial and medical information. AMCA filed for bankruptcy within weeks of the disclosure. This breach is a great example of why vendor risk management is so important: Quest's own systems were never touched.

6. HCA Healthcare (2023) - 11.2 Million Records

In July 2023, a threat actor began selling HCA Healthcare data on a hacker forum and leaking samples online. The attacker had gained unauthorized access to an external storage location that HCA used to automate the formatting of email messages and that contained patient information. The leaked data included patient names, dates of birth, addresses, email addresses, and appointment details. The threat actor claimed the stolen data consisted of patient records created between 2021 and 2023.

7. Premera Blue Cross (2015) - 11 Million Records

In May 2014, hackers used a phishing email to trick employees into installing malware on their systems. The malware gave the attackers access to Premera's customer and claims data, including clinical information, bank account details, Social Security numbers, phone numbers, email addresses, and birth dates. The attackers maintained access to Premera's systems for nearly nine months before they were detected in January 2015; the breach was disclosed in March 2015. In 2020 Premera agreed to pay $6.85 million to the HHS Office for Civil Rights to settle potential HIPAA violations.

8. Excellus BlueCross BlueShield (2015) - 10.5 Million Records

In December 2013, attackers gained unauthorized access to Excellus's systems. They maintained this access for nearly two years until Mandiant discovered the breach during a forensic investigation in August 2015. The breach exposed medical claims data, financial account information, and Social Security numbers of members. In 2021 Excellus agreed to pay $5.1 million to the HHS Office for Civil Rights to settle the case.

9. Labcorp (2019) - 10.2 Million Records

In June 2019, Laboratory Corporation of America Holdings, also known as Labcorp, announced that it too was affected by the AMCA data breach (see #5 above). The breach leaked names, birth dates, addresses, phone numbers, dates of service, and account balances. Credit card and bank account details belonging to roughly 200,000 accounts were also exposed.

10. Maximus (2023) - 9.1 Million Records

Maximus Federal Services, a contractor to the Medicare program, was yet another victim of the MOVEit exploitation campaign. The Cl0p group exploited the MOVEit Transfer zero-day in late May 2023 to pull files from Maximus's MOVEit server; Maximus disclosed the incident in July 2023. The stolen files contained sensitive personal and health information, including names, Social Security numbers, dates of birth, Medicare beneficiary identifiers, and medical claims data.

11. Perry Johnson & Associates (2023) - 8.9 Million Records

In March 2023, attackers breached the medical transcription firm Perry Johnson & Associates (PJ&A). The attackers gained access to a wide range of sensitive patient information, including medical histories, treatment records, test results, insurance details, and Social Security numbers. What made this breach particularly bad was that PJ&A served as a vendor to numerous healthcare organizations, so a single intrusion impacted patients in multiple health systems and facilities across the U.S. Major healthcare providers affected included Northwell Health (over 3.8 million patients), BayCare (over 2.5 million patients), and Memorial Hermann Health System (approximately 1 million patients).

12. Managed Care of North America (2023) - 8.6 Million Records

Managed Care of North America (MCNA) is one of the largest dental insurers in the U.S. for government-sponsored Medicaid programs. In February 2023, the LockBit ransomware gang stole roughly 700 gigabytes of data from MCNA. After initially demanding a $10 million ransom, LockBit published all of the files when the ransom was not paid. MCNA said the breach included names, birth dates, addresses, phone numbers, email addresses, Social Security numbers, driver's license numbers, government-issued identification numbers, health insurance details (such as the plan name and insurer or government payor), and information about dental and orthodontic care.

13. Community Health Systems (2014) - 6.2 Million Records

Community Health Systems (CHS) was the target of a data breach between April and June 2014. A threat actor attributed to China (tracked by Mandiant as APT18) exploited the Heartbleed bug (CVE-2014-0160) in a Juniper VPN appliance to harvest user credentials from the device's memory, then used those credentials to log in to CHS's network through the VPN. Once inside, the attackers stole patient data belonging to millions of people. The stolen data included names, Social Security numbers, physical addresses, birth dates, and telephone numbers, but no clinical information.

14. PharMerica Corporation (2023) - 5.8 Million Records

PharMerica is one of the largest providers of pharmacy services in the United States. In March 2023, the Money Message ransomware gang exfiltrated 4.7 terabytes of data from PharMerica's systems and later leaked it when no ransom was paid. The stolen data included names, addresses, birth dates, Social Security numbers, medication information, and health insurance details.

15. Ascension Health (2024) - 5.5 Million Records

In May 2024, Ascension, one of the largest nonprofit health systems in the U.S., suffered a ransomware attack after an employee downloaded a malicious file. The stolen data included medical information, insurance data, government identification, and payment information. Dozens of hospitals run by Ascension had to cancel non-emergency procedures, divert ambulances, and revert to paper records while systems were down. Ascension never named the attackers and the Black Basta ransomware gang never publicly claimed the attack, but multiple reports attributed it to Black Basta, and CISA and the FBI published an advisory on the group within days of the incident.

Preventing a data breach

Now that we've covered the largest healthcare data breaches in history, let's talk about prevention strategies. Notice how many of the breaches above started with a single stolen credential on a remote-access portal or email account, or with a vendor the victim had no direct control over; the list is ordered with those lessons in mind:

  • Implement access controls including multi-factor authentication (MFA) on every remote-access path (VPN, Citrix, email, admin consoles), role-based access, and regular user permission audits
  • Ensure that employees use a password manager to generate unique passwords for every app
  • Segment your network so that a compromised workstation or VPN account cannot reach every system that stores PHI
  • Encrypt all protected health information (PHI) both at rest and in transit using industry-standard protocols, even where HIPAA treats encryption as addressable rather than required
  • Subscribe to a dark web monitoring service to detect if your organization's data or employee credentials appear on the dark web
  • Establish a vendor risk management program, including security assessments, regular audits, clear security requirements in contracts, and an inventory of which vendors hold PHI on your behalf
  • Conduct regular security awareness training for all staff, including phishing simulations and HIPAA compliance education
  • Develop and maintain an incident response plan with clear roles, regular testing, and business continuity procedures, including how to operate on paper if core systems or a critical vendor go offline
  • Set up a 24/7 Security Operations Center (SOC) with security information and event management (SIEM) and endpoint detection and response (EDR) solutions
  • Perform regular HIPAA security risk assessments, penetration tests, and red team exercises
  • Secure physical access to facilities and implement proper controls for data centers, clean desk policies, and secure disposal of physical media
  • Deploy mobile device management (MDM) solutions and establish clear BYOD and remote work security policies
  • Implement secure software development practices and regular application security testing
  • Utilize email security solutions including encryption, spam protection, and data loss prevention
  • Regularly back up data following the 3-2-1 rule (three copies, on two different media, one of them offline or off-site) and test recovery procedures
  • Monitor and log all system access and security events, with regular review of logs for logins that bypass MFA and for password-spraying against remote-access portals
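Two of the controls above, MFA on every remote-access path and regular review of access logs, can be checked against each other mechanically. The script below is an added example, not code from the original article or from any of the organizations it describes. It reads VPN authentication logs in a constructed, hypothetical syslog-style format (your VPN or identity provider's export will differ, so adapt the regex), flags successful logins that completed without a second factor, and flags source addresses that failed against several different accounts, the signature of a password spray. The usernames and RFC 5737 documentation IP addresses in the sample are made up.

```python
"""Flag remote-access logins that bypass MFA and password-spray sources.

Added example for this article, not the article's own code. The log layout
parsed here is a hypothetical, constructed format:
    <timestamp> vpn user=<name> src=<ip> result=success|failure mfa=yes|no
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample log: one source spraying three accounts and then landing
# on a service account with no MFA, followed by two normal MFA-backed logins.
SAMPLE_LOG = """\
2024-02-12T03:14:01Z vpn user=jsmith src=203.0.113.7 result=failure mfa=no
2024-02-12T03:14:02Z vpn user=amiller src=203.0.113.7 result=failure mfa=no
2024-02-12T03:14:03Z vpn user=rlee src=203.0.113.7 result=failure mfa=no
2024-02-12T03:14:04Z vpn user=svc_claims src=203.0.113.7 result=success mfa=no
2024-02-12T08:02:11Z vpn user=jsmith src=198.51.100.20 result=success mfa=yes
2024-02-12T08:05:40Z vpn user=amiller src=198.51.100.21 result=success mfa=yes
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    src: str
    success: bool
    mfa: bool


def parse_events(text):
    """Parse log lines into Events; lines in an unexpected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(m["ts"], m["user"], m["src"],
                            m["result"] == "success", m["mfa"] == "yes"))
    return events


def logins_without_mfa(events):
    """Successful remote logins that completed without a second factor."""
    return [e for e in events if e.success and not e.mfa]


def password_spray_sources(events, min_users=3):
    """Source IPs whose failed logins spanned at least min_users accounts."""
    failed_users = defaultdict(set)
    for e in events:
        if not e.success:
            failed_users[e.src].add(e.user)
    return {src: sorted(users) for src, users in failed_users.items()
            if len(users) >= min_users}


def findings(text):
    """Return (severity, message) tuples; an MFA bypass from a spraying IP is high."""
    events = parse_events(text)
    spray = password_spray_sources(events)
    out = []
    for e in logins_without_mfa(events):
        severity = "high" if e.src in spray else "medium"
        out.append((severity, f"{e.ts} {e.user} from {e.src}: success without MFA"))
    for src, users in spray.items():
        out.append(("high", f"{src} failed against {len(users)} accounts: {', '.join(users)}"))
    return out


if __name__ == "__main__":
    for severity, message in findings(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run against the sample, the script reports the `svc_claims` login as high severity because the same address was spraying other accounts seconds earlier, and lists the three sprayed accounts. In practice the "success without MFA" query should return nothing at all; any hit is either a gap in MFA enrollment (a service or break-glass account, as in the Change Healthcare entry above) or an attacker who has already found one.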

RECOMMENDED READING: Prevent Data Breaches in Healthcare
