2021 has seen quite a few data breaches, especially in the healthcare field. Some of those breaches led to business disruption and legal actions. Over 40 million patient records may have been exposed, and those are just the ones that have been reported.

Healthcare IT News has compiled a list of 10 of the largest data breaches in US Healthcare in 2021. While we don’t see incidents of mishandled equipment disposal as the cause, that has happened. Vendors, and even end users, have thrown out laptops, misplaced hard drives, and sold equipment with data still on the device.

The 10 largest data breaches reported to the U.S. Department of Health and Human Services’ Office of Civil Rights this year so far:

Organization: Florida Healthy Kids Corporation
Date reported: 1/29/2021
Number of individuals affected: 3,500,000
What happened? An analysis found that “significant vulnerabilities” had been present on the children’s health insurance program website since 2013. This may have led to the exposure of personal information such as Social Security numbers, dates of birth, names, addresses and financial information.

Organization: 20/20 Eye Care Network, Inc.
Date reported: 5/24/2021
Number of individuals affected: 3,253,822
What happened? The eye care network 20/20, which provides eye and ear care services and administration, discovered suspicious activity in its Amazon Web Services environment. After an investigation, it was determined that data had been potentially removed, possibly including personal information. Later, 20/20 faced a lawsuit over the breach.

Organization: Forefront Dermatology
Date reported: 7/8/2021
Number of individuals affected: 2,413,553
What happened? The Wisconsin-based organization has locations in 21 states and the District of Columbia. They reported that an intrusion resulted in unauthorized access to certain files on Forefront’s IT system containing patient and employee information.

Organization: NEC Networks, LLC
Date reported: 5/5/2021
Number of individuals affected: 1,656,569
What happened? NEC, which does business as CaptureRx, said it became aware of “unusual activity” involving some electronic files. An investigation determined that the relevant files contained first name, last name, date of birth and prescription information.

Organization: Eskenazi Health
Date reported: 10/01/2021
Number of individuals affected: 1,515,918
What happened? The Indiana-based health system said cybercriminals had gained access to their network for nearly three months. Eskenazi Health did not make a ransom payment, and the criminals released some of the stolen data on the dark web.

Organization: The Kroger Co.
Date reported: 2/19/2021
Number of individuals affected: 1,474,284
What happened? The Midwest grocery chain was impacted by a data security incident affecting Accellion, a file-sharing company. Clinic customer information was found to be at risk, including pharmacy records.

Organization: St. Joseph’s/Candler Health System, Inc.
Date reported: 8/10/2021
Number of individuals affected: 1,400,000
What happened? The ransomware incident took the Georgia health system offline for multiple days. The unauthorized party had been able to access the network for six months.

Organization: University Medical Center Southern Nevada
Date reported: 8/13/2021
Number of individuals affected: 1,300,000
What happened? Although the incident only lasted a day, the attack, linked to the notorious REvil ransomware gang, compromised files containing protected health information and personally identifiable information. Just after the attack, the group posted photos of driver’s licenses, passports and Social Security cards of a handful of alleged victims.

Organization: American Anesthesiology, Inc.
Date reported: 1/8/2021
Number of individuals affected: 1,269,074
What happened? An unauthorized party was able to gain access to the email system of the company’s business associate, MEDNAX, via phishing. Those email accounts contained the personal information of American Anesthesiology’s clients, although the hackers appeared to be mostly focused on payroll fraud.

Organization: Professional Business Systems, Inc.
Date reported: 7/1/2021
Number of individuals affected: 1,210,688
What happened? The practice management company, which does business as Practicefirst Medical Management Solutions and PBS Medcode Corp., said that hackers attempting to deploy ransomware had copied files from its system containing patient information.