The Top 18 Healthcare Industry Cyber Attacks of the Past Decade


$10.93 million USD.

That’s the average cost of a healthcare data breach in the U.S. It’s an alarming number that has only continued to climb, increasing by over 53% in the past three years, according to IBM’s 2023 Cost of a Data Breach Report. In fact, the healthcare industry has had the highest average breach cost of any industry for 13 years running.

It’s not just the costs that are climbing, either. According to Verizon, healthcare saw over 500 incidents last year, and Arctic Wolf found that, among our customers, healthcare is the top industry targeted by ransomware. Healthcare has found itself fully in the crosshairs of threat actors looking to exploit data, achieve financial gain, or both.

Why Are Cyber Attacks A Problem in Healthcare?

While threat actors tend not to be picky when it comes to which organizations they target, healthcare provides a lucrative opportunity, and is an industry hackers keep coming back to.

Healthcare organizations are vulnerable to cyber attacks for several reasons, including:

  • An expanding attack surface caused by digitization
  • An ecosystem of interconnected medical devices distributed across physical locations
  • A growing security talent shortage
  • The sheer volume and value of the data these organizations contain
  • An inclination to negotiate or pay a ransom due to regulatory pressures and high costs of downtime
  • A large user base that may lack security training and proper identity hygiene

While the above speaks to traits of the organizations themselves, another trend has inadvertently put a target on healthcare: the dark web marketplace for stolen data and credentials.

Threat actors know that if they steal data, they can release it or sell it on the dark web to other cybercriminals, who in turn can use that data to launch future cyber attacks. This could include social engineering attacks on the victims of the original breach, or the use of stolen credentials to break into other organizations and their applications. Because healthcare organizations store so much personal data (one organization on our list below processes insurance billing transactions for roughly a third of the country), they become lucrative targets.

As the number and cost of healthcare data breaches continues to rise, it’s important to get a clear picture of just how much damage can be done. Here, then, is a look back at some of the biggest data breaches to date. It’s important to note that this list is far from comprehensive. Rather, it’s a reminder to risk managers in the healthcare industry about the critical importance of security and compliance fundamentals.

Biggest Healthcare Industry Cyber Attacks

1. HCA Healthcare

During this July 2023 breach of the Nashville, Tennessee-based hospital and clinic operator, threat actors accessed and exfiltrated data from an external storage location used to format emails and calendar reminders sent to patients.

Data such as names, email addresses, birth dates, and other personally identifiable information (PII) for more than 11 million patients across 20 states was taken. Multiple class action lawsuits were filed after the breach became public, with “plaintiffs alleging that HCA ‘did not use reasonable security procedures and practices appropriate to the nature of the sensitive information it was maintaining’ for its patients and customers, such as encrypting the data or deleting it when it’s no longer needed.”

Type of attack: Third-party storage breach
Location: Nashville, Tennessee, with nationwide impact
People affected: 11 million patients

2. Medibank

In this 2022 attack, Russian-based hackers believed to have ties to the infamous REvil ransomware gang made off with the personal information of 9.7 million current and former customers, including 1.8 million international customers and high-profile Australians such as Prime Minister Anthony Albanese and cybersecurity minister Clare O’Neil.

The information stolen included names, dates of birth, Medicare numbers and, for some customers, medical claims records. The cybercriminals demanded a ransom of roughly $10 million, which Medibank refused to pay, stating, “We believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published.”

Type of attack: Data theft and extortion (the attackers exfiltrated and later leaked the data rather than encrypting systems)
Location: Australia, with global impact
People affected: 9.7 million patients

3. Regal Medical Group

This Southern California-based medical group was the victim of a ransomware attack in December of 2022, notifying patients in early 2023. The group stated that, “the categories of impacted personal information may include, among other things: your name, social security number (for certain, but not all, potentially impacted individuals), address, date of birth, diagnosis and treatment, laboratory test results, prescription data, radiology reports, Medicare ID number, health plan member number, and phone number.”

Type of attack: Ransomware
Location: California
People affected: 3.3 million patients

4. Cerebral

Telehealth organization Cerebral made headlines in 2023 not for its technology but for a data breach, and in an unusual twist, the company itself was the source of the exposure. Cerebral had installed tracking pixels from major technology companies (including Google, Meta, and TikTok) in its applications, which transmitted PHI to those third parties without patient consent, a HIPAA violation.

Cerebral notified the U.S. Department of Health and Human Services (HHS), which enforces HIPAA, and affected patients after discovering the disclosure during a review of its own tracking and logging technology, suggesting it had not previously realized third parties were receiving patient data.

Exposed data included names, dates of birth, contact information, self-assessment responses, treatment details, and other clinical information.

Type of attack: Unauthorized disclosure via third-party tracking pixels (accidental insider threat)
Location: National
People affected: 3.1 million patients

5. Shields Health Care Group

In May of 2022, this Massachusetts-based medical imaging service provider reported that a cybercriminal had gained unauthorized access to some of its IT systems back in March.

All told, over two million patients had their PHI stolen, including names, addresses, Social Security numbers, insurance information, and medical history information. While we don’t know the full cost of this breach, the damage done is clear. Because Shields Health Care Group supplies management and imaging services for approximately 50 healthcare providers, the scope of the attack was massive. Not surprisingly, a class action lawsuit soon followed.

Shields Health Care Group sent letters to all affected patients in July 2022, but so far maintains that there is no evidence of identity fraud or theft.

Type of attack: Not disclosed
Location: Massachusetts
People affected: 2 million patients

6. Advocate Aurora Health

With 26 hospitals across Wisconsin and Illinois, Advocate Aurora Health is one of the largest healthcare providers in the Midwest. Its improper use of a common website tracking technology led to the exposure of the data of three million patients in July of 2022.

Meta Pixel is a JavaScript snippet that tracks visitors on websites, reporting how they interact with pages, how long they stay on the site, and where they drop off. Pixels are a useful tool that helps web designers and organizations make their sites more user-friendly.

However, Advocate Aurora Health deployed Meta Pixel on its patient portals, where patients enter sensitive information, and the pixel transmitted PHI to Meta, particularly when users were logged into Facebook or Google in the same browser at the time.

Meta Pixel is used by many healthcare providers across the country, a fact patients might only learn about when they begin to receive targeted ads about their specific medical condition. This outrageous situation helps explain why class action lawsuits against Meta and healthcare providers are springing up nationwide.

Type of attack: Third-party tracking technology (unauthorized disclosure)
Location: Wisconsin, Illinois
People affected: 3 million patients
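The pixel disclosures in the Cerebral and Advocate Aurora Health entries above share one root cause: third-party JavaScript and image beacons running on authenticated patient pages. The following is an added example (not Arctic Wolf’s code, nor that of any organization on this list) of the check a practitioner would run against a portal template before deployment. It parses the HTML with the standard library, lists every external script, image and frame load, scans inline scripts for well-known tag-loader hostnames (the Meta Pixel bootstrap injects its script at runtime, so it never appears as a static src), and emits a Content-Security-Policy that confines loads to the portal’s own origin. The sample page, the hostname portal.example-health.org and the all-zero pixel ID are constructed for illustration; the tracker hostnames are real, widely used domains.

```python
"""Audit a patient-portal page for third-party tracking loads (added example, constructed input)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames of widely used tracking pixels and tag loaders.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
}

# Constructed portal page: first-party app script plus the standard Meta Pixel snippet
# (fake pixel ID). The <noscript> image beacon is the pixel's fallback when JS is disabled.
SAMPLE_PORTAL_PAGE = """<html><head>
<script src="/static/portal.js"></script>
<script>
!function(f,b,e,v,n,t,s){t=b.createElement(e);t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body><form action="/appointments">...</form></body></html>"""


class _LoadCollector(HTMLParser):
    """Record every external src= on <script>/<img>/<iframe> and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []        # (tag, src) pairs the browser would fetch
        self.inline_scripts = []  # bodies of <script> blocks without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.external.append((tag, src))
        elif tag == "script":
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_scripts.append(data)


def find_third_party_loads(html, first_party_host):
    """Return findings for every resource fetched from a host other than first_party_host."""
    collector = _LoadCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.external:
        host = urlparse(src).hostname  # None for relative URLs such as /static/portal.js
        if host is None or host == first_party_host:
            continue
        findings.append({"tag": tag, "host": host,
                         "tracker": KNOWN_TRACKERS.get(host, "unknown third party")})
    # Tag loaders inject their real <script> at runtime, so the tracker URL only shows up
    # inside inline JavaScript; scan that text for known hostnames as well.
    for text in collector.inline_scripts:
        for host, name in KNOWN_TRACKERS.items():
            if host in text:
                findings.append({"tag": "inline-script", "host": host, "tracker": name})
    return findings


def recommended_csp(first_party_host):
    """CSP that lets the browser load scripts, images and connections only from the portal's origin."""
    origin = f"https://{first_party_host}"
    return (f"default-src 'self'; script-src {origin}; img-src {origin} data:; "
            f"connect-src {origin}; frame-src 'none'; object-src 'none'")


if __name__ == "__main__":
    host = "portal.example-health.org"  # assumed first-party host
    for finding in find_third_party_loads(SAMPLE_PORTAL_PAGE, host):
        print(f"{finding['tag']:14} {finding['host']:28} {finding['tracker']}")
    print("Content-Security-Policy:", recommended_csp(host))
```

Run this over every authenticated template (or, better, over rendered pages pulled from a staging environment) and treat any finding on a portal path as a disclosure to investigate. The CSP is the enforcing control: with `script-src` and `img-src` pinned to the portal’s origin, a pixel snippet pasted in later by a marketing team fails to load and reports a violation instead of transmitting form data. Note that the inline-script scan only catches loaders whose hostname appears in page source; a tag manager that fetches its configuration from an allowed origin and then loads trackers must be audited on its own.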

7. Banner Health

In 2016, hackers used malware to breach the payment processing system of Banner Health’s food and beverage outlets. The attackers then used the system as a gateway into the Banner Health network, eventually obtaining access to servers containing patient data.
The cyber attack went undiscovered for nearly a month. Stolen data included highly sensitive information such as Social Security numbers, dates of services and claims, health insurance information, and more.

Following the data breach, Banner Health made upgrades to comply with the payment card industry data security standard (PCI DSS), ramped up its security monitoring for cyber threats and risks, and implemented tighter cybersecurity practices overall. Other changes involved areas of program governance, identity and access management (IAM), and network and infrastructure security.

Type of Attack: Malware
Location: Arizona
Cost: $6 million
People affected: 3.7 million patients

8. Medical Informatics Engineering

In 2015, Medical Informatics Engineering (MIE), an electronic health records software firm, published a notice that attackers had breached patient data in its WebChart web app.

Hackers entered the company network remotely by logging in with easily guessed credentials. Once inside, they carried out a SQL injection attack against a company database to extract data. Weeks later, the attackers launched a second offensive, deploying the c99 web shell to reach additional files.

To address the situation, MIE notified the FBI and hired a team of third-party experts to remediate the attack vectors the cybercriminals used successfully. Since then, the organization has also made significant investments in additional safeguards and security measures, including security personnel, policies, procedures, controls, and monitoring and prevention tools.

MIE also retained third-party vendors and applications to help protect health information, and audit and certify its information security program.

Type of attack: Brute-force credential guessing/SQL injection/Web shell
Location: Indiana
Cost: $1 million
People affected: 3.9 million patients
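The MIE entry above describes SQL injection against a database holding patient records. As an added example (not MIE’s code, nor the WebChart application; the table layout, the row contents and the password hash value are constructed), here is the pattern in both forms: a lookup that concatenates user input into the query, beside the same lookup with bound parameters. The in-memory SQLite database stands in for the application database, and the two payloads show what the vulnerable form gives away: every row in the table, and then rows from an entirely different table via UNION.

```python
"""SQL injection: vulnerable string-built query beside its parameterized fix (added example, constructed data)."""
import sqlite3


def make_demo_db():
    """Build an in-memory database with a patients table and a users table (all rows constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients (mrn, name, diagnosis) VALUES (?, ?, ?)", [
        ("MRN-0001", "A. Example", "constructed record 1"),
        ("MRN-0002", "B. Example", "constructed record 2"),
        ("MRN-0003", "C. Example", "constructed record 3"),
    ])
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-hash')")
    return conn


def lookup_vulnerable(conn, mrn):
    """Untrusted input is spliced into the SQL text, so the caller controls the query structure."""
    sql = f"SELECT mrn, name, diagnosis FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, mrn):
    """Parameter binding: the driver passes the value separately; it can never become SQL."""
    return conn.execute(
        "SELECT mrn, name, diagnosis FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology; the second
# appends a UNION that reads the users table through the same query (the comment marker
# "--" discards the application's trailing quote).
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT username, password_hash, 'x' FROM users--"


if __name__ == "__main__":
    conn = make_demo_db()
    print("legit lookup     :", lookup_vulnerable(conn, "MRN-0002"))
    print("tautology (vuln) :", lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD))   # every patient row
    print("union (vuln)     :", lookup_vulnerable(conn, UNION_PAYLOAD))       # includes admin hash
    print("tautology (safe) :", lookup_safe(conn, TAUTOLOGY_PAYLOAD))         # []
    print("union (safe)     :", lookup_safe(conn, UNION_PAYLOAD))             # []
```

The safe form works because the query text is fixed before the value arrives; the payload is compared literally against the mrn column and matches nothing. Escaping quotes by hand is not an equivalent fix, since it has to be repeated at every call site and breaks on encodings and numeric contexts; parameterized statements (or an ORM that uses them underneath) are the control to require in code review.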

9. Advocate Medical Group

Between July and November 2013, Advocate Medical Group (AMG), a physicians’ group with more than 1,000 doctors, reported three separate data breaches. In the first breach, thieves stole four desktop computers from an administrative office in Park Ridge, Illinois. The computers contained the records of nearly 4 million patients.

The second breach involved an unauthorized third party who gained access to the network of AMG’s billing services provider and potentially compromised the health records of more than 2,000 patients. Finally, an unencrypted laptop containing the patient records of more than 2,230 people was stolen from an AMG staffer’s car.

Patient names, addresses, dates of birth, credit card numbers, demographic information, clinical information, and health insurance data were all compromised.

After the breach, Advocate reinforced its security protocols and encryption program with its associates. It also added 24×7 security personnel at the facility where the computers were stolen and accelerated deployment of enhanced technical safeguards.

Type of attack: Physical theft
Location: Illinois
Cost: $5.55 million
People affected: 4 million patients

10. Community Health Systems

In 2014, Community Health Systems, which then operated 206 hospitals in 29 states, suffered a network data breach that exposed the personal information of 4.5 million individuals. The organization’s 8-K filing to the U.S. Securities and Exchange Commission (SEC) stated that an “advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company’s systems.”

Compromised data included names, addresses, birth dates, telephone numbers, and Social Security numbers.

Community Health Systems engaged an outside forensics expert to conduct a thorough investigation and remediation of this incident. The company then implemented several efforts designed to protect against future intrusions. This included additional auditing and surveillance technology to detect unauthorized access, advanced encryption technologies, and having users change their access passwords.

Type of attack: Malware
Location: Tennessee
Cost: $3.1 million
People affected: 4.5 million individuals

11. Excellus Health Plan, Inc.

Excellus reported in 2015 that the data of 10 million clients might have been exposed in a cyber attack dating all the way back to 2013.
Excellus hired a cybersecurity firm to conduct a forensic review of its computer systems. The third-party firm found that the names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information, and claim data of Excellus clients were compromised.

Although the affected data was encrypted at rest, the hackers gained administrative access to the systems that decrypt and serve it, rendering the encryption moot. The company said it moved quickly to close the vulnerability and to strengthen and enhance the security of its systems moving forward.

Type of attack: Malware
Location: New York
Cost: $17.3 million
People affected: 10 million clients

12. University of California, Los Angeles Health

In 2014, officials from UCLA Health discovered suspicious activity on their network. At the time, they determined that hackers had not gained access to systems containing personal and medical data.

However, in 2015, officials confirmed the cyber attack had indeed compromised systems with patient information — including names, Social Security numbers, dates of birth, health plan identification numbers, and medical data.

As the result of a class-action lawsuit, UCLA Health agreed to update its cybersecurity practices and policies. The organization also began working with the FBI and hired computer forensic experts to secure its network — implementing measures such as assessing emerging threats and potential vulnerabilities.

Type of attack: Malware
Location: California
Cost: $7.5 million
People affected: 4.5 million patients

13. Premera Blue Cross

In 2014, hackers sent a phishing email to a Premera employee. The email included a link to download a document containing malware. Once the employee clicked on the link and downloaded the document, the hackers were able to access Premera’s server.

Premera did not detect the breach for eight months. The company hired a cybersecurity consulting firm that attributed the breach to agents associated with the Chinese government.

Premera Blue Cross paid $74 million to settle a class-action lawsuit resulting from the data breach. Under the settlement of the lawsuit, the insurer agreed to improve its information security program. It began encrypting certain personal data, strengthened specific data security controls, and increased network monitoring.

Type of attack: Phishing
Location: Washington State
Cost: $74 million
People affected: 11 million patients

14. American Medical Collection Agency

In 2018, hackers breached American Medical Collection Agency (AMCA), which supplied billing collections services for Quest Diagnostics, LabCorp, and others.

The unknown attacker was able to access and steal patient data, including Social Security numbers, addresses, dates of birth, medical information, and payment card information. The stolen data was later advertised for sale in underground forums on the dark web.

After AMCA’s four largest clients terminated their agreements, the company filed for bankruptcy. Meanwhile, a multistate investigation into the breach by 41 attorneys general concluded in December 2020 with a settlement requiring a $21 million payment, suspended in light of the company’s finances, alongside injunctive terms requiring security improvements.

AMCA migrated its web payments portal services to a different third-party vendor. It also hired an outside forensics firm to investigate the breach and retained additional experts to advise on and implement steps to increase its security.

Type of attack: Compromised web payment portal
Location: New York
Cost: $21 million (payment suspended unless certain terms of the settlement agreement are violated)
People affected: At least 21 million patients

15. Anthem, Inc.

In 2015, Anthem (formerly WellPoint) disclosed that attackers had accessed its corporate database after a phishing email gave them an initial foothold, thereby also gaining access to the organization’s ePHI.

The hackers stole nearly 79 million records containing patient and employee data. Compromised data included names, addresses, Social Security numbers, birth dates, medical IDs, insurance membership numbers, income data, and employment information. This is the largest healthcare industry cyber attack in history.

Anthem agreed to pay $115 million to resolve the litigation. As part of the settlement, Anthem was also ordered to implement sweeping “changes to its data security systems and policies,” and to nearly triple its cybersecurity budget, wrote the U.S. District Judge who approved the settlement.

Type of attack: Phishing/Malware
Location: Indiana
Cost: $115 million
People affected: 78.8 million patients and employees

16. Change Healthcare

U.S. healthcare clearinghouse Change Healthcare processes claims and payment transactions touching the records of roughly one in three Americans. That reach made it a massive target, and in February 2024 it fell victim to a ransomware attack by the notorious BlackCat/ALPHV group.

While the organization, owned by UnitedHealth Group through its Optum subsidiary, had neither confirmed nor denied it at the time of writing, it is believed to have paid a ransom of $22 million USD in order to limit downtime and restore services. The fallout included disrupted payments to doctors and healthcare facilities, an inability to bill for services, and difficulty processing and filling prescriptions. The organization handles roughly 15 billion transactions a year. As of mid-March 2024, the company reported that key services, including pharmacy processing, had been restored, with others still being brought back online.

Type of attack: Ransomware
Location: Nationwide impact
People affected: Unknown

17. Community Health Systems (Again)

Years after the 2014 breach, Community Health Systems found itself in the crosshairs of the Cl0p ransomware group in early 2023. Exploiting the Fortra GoAnywhere MFT zero-day vulnerability (CVE-2023-0669) that affected many organizations, the group exfiltrated PII for over 1 million individuals.

Community Health Systems stated that it patched the vulnerability, disconnected access to the affected system, and has offered identity theft protection to those impacted.

Type of attack: Ransomware (data theft and extortion)
Location: Nationwide impact
People affected: 1 million patients

18. MCNA Dental

This U.S. dental insurance company fell victim to the prolific ransomware group LockBit in early 2023, disclosing the breach in May of that year. According to reports, the group was in the organization’s systems for 10 days without detection and exfiltrated 700 GB of data, including PII of clients. The group set the ransom at $10 million USD.

When ransom was not paid, LockBit published the stolen data on the dark web, compromising the PII of 8.9 million individuals, which has resulted in 11 lawsuits across multiple states.

Type of attack: Ransomware
Location: Nationwide
People affected: 8.9 million patients

Learn more about the top threats facing your organization with the Arctic Wolf Labs 2024 Threats Report.
See how Arctic Wolf can help your healthcare organization stay compliant and secure.
Explore how to keep patient data safe as your healthcare organization turns to the cloud.


Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.