10.93 million dollars.
That’s the average cost of a healthcare breach in the U.S. It’s an alarming number that’s only continued to climb, increasing by over 53% in the past three years, according to IBM’s 2023 Cost of a Data Breach Report. In fact, the healthcare industry has had the highest average cost of a breach for 13 years running.
It’s not just the costs that are climbing, either. According to HIPAA Journal, “347 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights” in the first half of 2022 alone.
Why Are Cyber Attacks A Problem in Healthcare?
Healthcare providers store tremendous amounts of protected health information (PHI), don’t always have the resources for cutting-edge defenses, and need 24×7 uninterrupted access to their systems to properly care for patients and meet stringent compliance requirements. Threat actors know all of this, which is why healthcare is such a prime target for cybercriminals.
Learn more about common cyber threats in the healthcare industry with our blog, “5 Reasons the Healthcare Industry is Prone to Breaches.”
As the number and cost of healthcare data breaches continues to rise, it’s important to get a clear picture of just how much damage can be done. Here, then, is a look back at some of the biggest data breaches to date.
It’s important to note that this list is far from comprehensive. Rather, it’s a reminder to risk managers in the healthcare industry about the critical importance of security and compliance fundamentals.
Biggest Healthcare Industry Cyber Attacks
15. HCA Healthcare
One of the harshest truths of cybercrime is that the most vulnerable targets are often also the most desirable to thieves. That was proven yet again in a July 5, 2023 attack on Nashville, Tennessee-based HCA Healthcare, in which cybercriminals gained access to an external storage location used to format email messages and calendar reminders sent to patients.
While it does not appear that the stolen material included medical records, it did include data such as names, email addresses, birth dates, and other personally identifiable information for more than 11 million patients across 20 states.
The as-yet-unknown hackers were advertising the stolen HCA data on the dark web by July 10. On July 12, impacted HCA patients filed a class-action lawsuit seeking monetary damages for what they say was a failure to adequately protect their personally identifiable information.
Type of Attack: Third-party storage breach
Location: Nashville, Tennessee
People affected: 11 million U.S. healthcare patients
14. Medibank
In October 2022, Russia-based hackers believed to have ties to the infamous REvil ransomware gang made off with the personal information of 9.7 million Medibank customers, including 1.8 million international customers and high-profile Australian politicians such as Prime Minister Anthony Albanese and cybersecurity minister Clare O’Neil.
The information stolen included names, dates of birth, addresses, Medicare numbers and, for some, health claims data. The cybercriminals demanded a ransom of about $10M, which Medibank refused to pay, stating, “We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”
Type of attack: Ransomware
Location: Australia, with global impact
People affected: 9.7 million patients
13. Regal Medical Group
This Southern California-based medical group was the victim of a ransomware attack in December of 2022, notifying patients in early 2023. The group stated that, “the categories of impacted personal information may include, among other things: your name, social security number (for certain, but not all, potentially impacted individuals), address, date of birth, diagnosis and treatment, laboratory test results, prescription data, radiology reports, Medicare ID number, health plan member number, and phone number.”
Type of attack: Ransomware
People affected: 3.3 million patients
12. Cerebral
Telehealth organization Cerebral made headlines in 2023 not for its technology, but for a data breach, and in an unusual twist the disclosure was Cerebral’s own doing rather than an outside attacker’s. The organization had installed tracking pixels from major technology companies (including Google, Meta, and TikTok) in its applications, which sent PHI to those third parties without patient consent, a major HIPAA violation.
Cerebral notified the Department of Health and Human Services and affected patients after a review of its own privacy and logging practices revealed the disclosure, which suggests it had not realized third parties were receiving patient data.
Exposed data included names, dates of birth, contact information, self-assessment responses, treatment details, and other clinical information.
Cyber attack type: Unauthorized disclosure via third-party tracking pixels
People affected: 3.1 million patients
11. Shields Health Care Group
In May of 2022, this Massachusetts-based medical imaging service provider reported that a cybercriminal had gained unauthorized access to some of its IT systems back in March.
All told, over two million patients had their PHI stolen, including names, addresses, Social Security numbers, insurance information, and medical history information. While we don’t know the full cost of this breach, the damage done is clear. Because Shields Health Care Group supplies management and imaging services for approximately 50 healthcare providers, the scope of the attack was massive. Not surprisingly, a class action lawsuit soon followed.
Cyber attack type: Not disclosed
People affected: 2 million patients
Shields Health Care Group sent letters to all affected patients in July, but so far maintains that there is no evidence of identity fraud or theft.
10. Advocate Aurora Health
With 26 hospitals across Wisconsin and Illinois, Advocate Aurora Health is one of the largest healthcare providers in the Midwest. In July 2022 it disclosed that its improper use of a common website tracking tool had exposed the data of three million patients.
The tool in question, Meta Pixel, is a snippet of JavaScript that websites embed to report page views and clicks back to Meta for advertising measurement. Advocate Aurora Health had placed it on its patient portals, where patients enter sensitive information, so PHI was sent to Meta, and when a user was also logged into Facebook or Google at the time, that information could be tied to an identifiable person.
Cyber attack type: Third-party tracking pixel disclosure
Location: Wisconsin, Illinois
People affected: 3 million patients
Meta Pixel is used by many healthcare providers across the country, a fact patients might only learn about when they begin to receive targeted ads about their specific medical condition. This outrageous situation helps explain why class action lawsuits against Meta and healthcare providers are springing up nationwide.
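The Cerebral and Advocate Aurora Health entries above describe the same failure: a third-party pixel loaded on pages where patients enter or view clinical information. The script below is an added example (not code from either provider or from this article) that audits a site’s HTML for such pixels using only the Python standard library. The tracker host list, the patient-facing path prefixes, and the two sample pages are constructed for illustration; the sample markup imitates the shape of a Meta Pixel snippet and a Google tag, including the `noscript` image beacon whose `dl` (document location) parameter carries the page URL.

```python
"""Added example: find third-party tracking pixels on patient-facing HTML pages.

Standard library only. The tracker list, path prefixes and the two sample pages
are constructed for illustration and are not taken from any real provider site.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts of the trackers the article names (Meta, Google, TikTok). Illustrative, not exhaustive.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel script",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
}
# Calls that initialise a pixel from inline JavaScript.
INLINE_MARKERS = ("fbq(", "gtag(", "ttq.load(")
# Assumed path prefixes of pages behind patient login.
SENSITIVE_PREFIXES = ("/portal", "/mychart", "/appointments")


class TrackerScanner(HTMLParser):
    """Records every script/img/iframe loaded from a tracker host, plus inline pixel calls."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._inline_reported = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._inline_reported = False
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            parsed = urlparse(src)
            host = parsed.netloc.lower()
            if host in TRACKER_HOSTS:
                finding = {"tag": tag, "host": host, "what": TRACKER_HOSTS[host]}
                # The Meta beacon reports the page URL in its `dl` (document location)
                # parameter; on a portal page that URL, query string included, is what
                # reaches the third party.
                qs = parse_qs(parsed.query)
                if "dl" in qs:
                    finding["leaked_url"] = qs["dl"][0]
                self.findings.append(finding)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # One finding per inline <script> element, whichever marker appears first.
        if self._in_script and not self._inline_reported:
            for marker in INLINE_MARKERS:
                if marker in data:
                    self.findings.append({"tag": "inline-script", "host": None, "what": marker + "...) call"})
                    self._inline_reported = True
                    break


def scan_html(html):
    """Return the list of tracker findings for one page."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def audit_pages(pages, sensitive_prefixes=SENSITIVE_PREFIXES):
    """Return {path: findings} for every patient-facing page that loads a tracker."""
    report = {}
    for path, html in pages.items():
        if not path.startswith(sensitive_prefixes):
            continue
        findings = scan_html(html)
        if findings:
            report[path] = findings
    return report


# Constructed sample pages (not real provider markup). The portal page shows both an
# inline pixel call and a script/beacon load so that every detection path fires.
PORTAL_PAGE = """
<html><head>
<script>
  /* Meta Pixel loader elided; it fetches fbevents.js and defines fbq() */
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1&amp;dl=https%3A%2F%2Fportal.example.test%2Fappointments%3Fdept%3Doncology"/></noscript>
</head><body><h1>Schedule an appointment</h1></body></html>
"""
PUBLIC_PAGE = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head><body><h1>Visiting hours</h1></body></html>
"""
SAMPLE_SITE = {"/appointments": PORTAL_PAGE, "/about/visiting-hours": PUBLIC_PAGE}

if __name__ == "__main__":
    for path, findings in audit_pages(SAMPLE_SITE).items():
        print(path)
        for finding in findings:
            print("  ", finding)
```

Run it against saved copies of your own portal pages. Any finding on a path behind login is a disclosure to examine, and the `leaked_url` field shows exactly which URL, query string included, the beacon would have sent to the third party.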
9. Banner Health
In 2016, hackers used malware to breach the payment processing system of Banner Health’s food and beverage outlets. The attackers then used the system as a gateway into the Banner Health network, eventually obtaining access to servers containing patient data.
The cyber attack went undiscovered for nearly a month. Stolen data included highly sensitive information such as Social Security numbers, dates of services and claims, health insurance information, and more.
Cyber attack type: Malware
Cost: $6 million
People affected: 3.7 million patients
Following the data breach, Banner Health made upgrades to comply with payment card industry data security standards (PCI DSS), ramped up its security monitoring for cyber threats and risks, and implemented tighter cybersecurity practices overall. Other changes involved areas of program governance, identity and access management, and network and infrastructure security.
8. Medical Informatics Engineering
In 2015, Medical Informatics Engineering (MIE), an electronic health records software firm, published a notice that attackers had breached patient data in its WebChart web app.
The attackers entered the company network remotely by logging in with easily guessed credentials. Once inside, they exploited a SQL injection vulnerability to query a company database. Weeks later, they returned and used the c99 web shell to reach additional files.
Cyber attack type: Brute force attack/SQL injection/Malware
Cost: $1 million
People affected: 3.9 million patients
To address the situation, MIE notified the FBI and hired a team of third-party experts to close the attack vectors the criminals had used. Since then, the organization has also invested significantly in additional safeguards and security measures, including security personnel, policies, procedures, controls, and monitoring and prevention tools.
MIE also retained third-party vendors and applications to help protect health information and audit and certify its information security program.
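The MIE entry above names two of the most common web-application weaknesses, easily guessed credentials and SQL injection. The following is an added example, not MIE’s code or this article’s: a throwaway SQLite database with a string-built login and patient search beside their parameterised equivalents. The schema, accounts, SSN-like values and injection payloads are all constructed here. It shows that binding parameters stops both the authentication bypass and the UNION-based data extraction, and that it does nothing about a weak password, which is why the two controls are separate.

```python
"""Added example: string-built SQL versus parameterised SQL, on a constructed
in-memory SQLite database. Not MIE's code; schema, accounts and values are invented.
"""
import sqlite3


def build_db():
    """Create a tiny database with one weak account and some fake patient rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT, role TEXT);
        CREATE TABLE patients (id INTEGER, name TEXT, ssn TEXT);
        INSERT INTO users VALUES ('tester', 'tester', 'support');   -- weak, guessable
        INSERT INTO users VALUES ('admin',  'Xk9!vb2#Qp', 'admin');
        INSERT INTO patients VALUES (1, 'A. Patient', '000-00-0001'); -- constructed values
        INSERT INTO patients VALUES (2, 'B. Patient', '000-00-0002');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Input is pasted into the SQL text, so quotes and comments change the query."""
    sql = f"SELECT role FROM users WHERE username = '{username}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Input is bound as a parameter; the database never parses it as SQL."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def search_patients_vulnerable(conn, name):
    """A search box that lets an attacker append UNION SELECT to pull other columns."""
    sql = f"SELECT id, name FROM patients WHERE name LIKE '%{name}%'"
    return conn.execute(sql).fetchall()


def search_patients_safe(conn, name):
    """Same search with the LIKE pattern passed as a bound parameter."""
    sql = "SELECT id, name FROM patients WHERE name LIKE ?"
    return conn.execute(sql, (f"%{name}%",)).fetchall()


if __name__ == "__main__":
    conn = build_db()

    # 1. Weak credentials: parameterisation does not help, the password is simply known.
    print("guessed creds, vulnerable:", login_vulnerable(conn, "tester", "tester"))
    print("guessed creds, safe:      ", login_safe(conn, "tester", "tester"))

    # 2. Authentication bypass: the -- comment discards the password check entirely.
    bypass = "admin' --"
    print("bypass, vulnerable:", login_vulnerable(conn, bypass, "wrong"))
    print("bypass, safe:      ", login_safe(conn, bypass, "wrong"))

    # 3. Data extraction: UNION pulls the ssn column through the name search.
    dump = "x%' UNION SELECT id, ssn FROM patients --"
    print("dump, vulnerable:", search_patients_vulnerable(conn, dump))
    print("dump, safe:      ", search_patients_safe(conn, dump))
```

The parameterised versions close the injection, but the first case still succeeds: a guessable password needs a password policy, MFA, and lockout or rate limiting, none of which a query change provides.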
7. Advocate Medical Group
Between July and November 2013, Advocate Medical Group (AMG), a physicians’ group with more than 1,000 doctors, reported three separate data breaches. In the first breach, thieves stole four desktop computers from an administrative office in Park Ridge, Illinois. The computers contained the records of nearly 4 million patients.
The second breach involved an unauthorized third party, who gained access to the network of the billing services provider of AMG and potentially compromised the health records of more than 2,000 patients. Finally, an unencrypted laptop containing patient records of more than 2,230 people was stolen from an AMG staffer’s car.
Patient names, addresses, dates of birth, credit card numbers, demographic information, clinical information, and health insurance data were all compromised.
Cyber attack type: Physical theft
Cost: $5.55 million
People affected: 4 million patients
After the breach, Advocate reinforced its security protocols and encryption program with its associates. It also added 24×7 security personnel at the facility where the computers were stolen and accelerated deployment of enhanced technical safeguards.
6. Community Health Systems
In 2014, Community Health Systems, which then operated 206 hospitals in 29 states, suffered a network data breach that exposed the personal information of 4.5 million individuals. The organization’s 8-K filing to the U.S. Securities and Exchange Commission (SEC) stated that an “advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company’s systems.”
Compromised data included names, addresses, birth dates, telephone numbers, and Social Security numbers.
Cyber attack type: Malware
Cost: $3.1 million
People affected: 4.5 million individuals
Community Health Systems engaged an outside forensics expert to conduct a thorough investigation and remediation of this incident. The company then implemented several efforts designed to protect against future intrusions. This included additional auditing and surveillance technology to detect unauthorized access, advanced encryption technologies, and having users change their access passwords.
5. University of California, Los Angeles Health
In 2014, officials from UCLA Health discovered suspicious activity on their network. At the time, they determined that hackers had not gained access to systems containing personal and medical data.
However, in 2015, officials confirmed the cyber attack had indeed compromised systems with patient information — including names, Social Security numbers, dates of birth, health plan identification numbers, and medical data.
Cyber attack type: Malware
Cost: $7.5 million
People affected: 4.5 million patients
As the result of a class-action lawsuit, UCLA Health agreed to update its cybersecurity practices and policies. The organization also began working with the FBI and hired computer forensic experts to secure its network — implementing measures such as assessing emerging threats and potential vulnerabilities.
4. Excellus Health Plan, Inc.
Excellus reported in 2015 that the data of 10 million clients might have been exposed in a cyber attack dating all the way back to 2013.
Excellus hired a cybersecurity firm to conduct a forensic review of its computer systems. The third-party firm found that the names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claim data of Excellus clients were compromised.
Cyber attack type: Malware
Location: New York
Cost: $17.3 million
People affected: 10 million clients
Although the affected data was encrypted, the attackers gained administrative access to the systems holding it, and an administrator can read data through the same path that legitimately decrypts it, so the encryption offered no protection. The company said it moved quickly to close the vulnerability and to strengthen the security of its systems going forward.
3. Premera Blue Cross
In 2014, hackers sent a phishing email to a Premera employee. The email included a link to download a document containing malware. Once the employee clicked on the link and downloaded the document, the hackers were able to access Premera’s server.
Premera did not detect the breach for eight months. The company hired a cybersecurity consulting firm that attributed the breach to agents associated with the Chinese government.
Premera Blue Cross paid $74 million to settle a class-action lawsuit resulting from the data breach.
Cyber attack type: Phishing
Location: Washington State
Cost: $74 million
People affected: 11 million patients
Under the settlement of the lawsuit, the insurer agreed to improve its information security program. It began encrypting certain personal data, strengthened specific data security controls, and increased network monitoring.
Premera was also required to add stronger passwords, reduce employee access to sensitive data, enhance its email security, and perform annual third-party vendor audits.
2. American Medical Collection Agency
In 2018, hackers breached American Medical Collection Agency (AMCA), which supplied billing collections services for Quest Diagnostics, LabCorp, and others.
The unknown attacker was able to access and steal patient data, including Social Security numbers, addresses, dates of birth, medical information, and payment card information. The stolen data was later advertised for sale in underground forums on the dark web.
After AMCA’s four largest clients terminated their agreements, the company filed for bankruptcy. Meanwhile, a multistate investigation by 41 attorneys general concluded in December 2020 with a $21 million settlement that also imposed injunctive requirements on the company.
Cyber attack type: Hacked online payment portal
Location: New York
Cost: $21 million (payment suspended unless certain terms of the settlement agreement are violated)
People affected: At least 21 million patients
AMCA migrated its web payments portal services to a different third-party vendor. It also hired an outside forensics firm to investigate the breach and retained additional experts to advise on and implement steps to increase its security.
1. Anthem, Inc.
In 2015, Anthem (formerly WellPoint) disclosed that attackers accessed its corporate database by way of a phishing email, thereby also gaining access to the organization’s ePHI.
The hackers stole nearly 79 million records containing patient and employee data. Compromised data included names, addresses, Social Security numbers, birth dates, medical IDs, insurance membership numbers, income data, and employment information. This is the largest healthcare industry cyber attack in history.
Cyber attack type: Phishing/Malware
Cost: $115 million
People affected: Nearly 79 million individuals
Anthem agreed to pay $115 million to resolve the litigation. As part of the settlement, Anthem was also ordered to implement sweeping “changes to its data security systems and policies,” and to nearly triple its cybersecurity budget, wrote the U.S. District Judge who approved the settlement.
Learn more about top attack vectors and how to prevent healthcare-related cyber attacks.
Explore how to keep patient data safe as your healthcare organization turns to the cloud.