The Department of Health and Human Services’ Office for Civil Rights’ breach portal shows that in 2021, there were at least 686 healthcare data breaches of 500 or more records. 2020 previously held the unwanted record for the highest number of healthcare data breaches, with 642. 2021 beat that record by 44.
The 2021 breaches translate to 44,993,618 healthcare records having been exposed or stolen.
Here are some of the largest healthcare data breaches of 2021:
Accellion – At Least 3.51 Million Records
The largest healthcare data breach involved hacking of the firewall vendor, Accellion. Four vulnerabilities in their software were exploited and more than 100 companies were affected. Among those were at least 11 U.S. healthcare organizations. Sensitive data was stolen, ransom demands issued, and stolen data was leaked.
In total, the protected health information of at least 3.51 million individuals is believed to have been stolen.
Florida Healthy Kids Corporation – 3.5 Million Records
Another large healthcare data breach of 2021 was a hacking incident at the Florida health plan, Florida Healthy Kids Corporation (FHKC). The breach was due to the failure of a security vendor to fix vulnerabilities on the FHKC website.
Hackers had access to the website for several years, and potentially stole highly sensitive information such as Social Security numbers and financial information. The breach involved the personal and protected health information of 3.5 million individuals.
20/20 Eye Care Network, Inc – 3,253,822 Records
20/20 Eye Care Network exposed the personal and protected health information of 3,253,822 people after misconfiguring an Amazon Web Services S3 cloud storage bucket. In January 2021, 20/20 Eye Care Network discovered that an unauthorized individual had accessed the exposed storage bucket and downloaded some data, which may have included Social Security numbers, dates of birth, and health insurance information. The attacker then deleted the data in the bucket.
NEC Networks, LLC dba CaptureRx – At Least 2.42 Million Records
NEC Networks, doing business as CaptureRx, was the victim of the largest healthcare ransomware attack of 2021. The breach was reported to affect 1,656,569 patients of its healthcare provider clients, but several clients reported the breach separately. In total, at least 2.42 million individuals were affected.
Forefront Dermatology, S.C. – 2,413,553 Records
In June 2021, Forefront Dermatology discovered that at least one unauthorized individual had gained access to its network. This may have exposed private and confidential employee and patient information, including names and Social Security numbers.
The investigation confirmed the personal and protected health information of 4,431 individuals had been compromised, but the attacker may have gotten access to the records of 2,413,553 individuals.
Eskenazi Health – 1,515,918 Records
Eskenazi Health suffered a ransomware attack in August. The attackers stole files containing the personal health information of 1,474,284 patients, including Social Security numbers, passport numbers, driver’s licenses, photographs, pharmacy records, and financial information. Some of the stolen information was leaked on the attacker’s site when the ransom was not paid.
The Kroger Co. – 1,474,284 Records
The Kroger Company is a grocery chain and pharmacy operator. Kroger was one of the companies worst affected by the exploitation of vulnerabilities in its Accellion File Transfer Appliance (FTA). Kroger said the internal investigation revealed that less than 1% of its customers were affected. That equates to 1,474,284 individuals. Names, contact information, Social Security numbers, insurance claim information, prescription information, and some medical history information were stolen in the attack. Kroger settled accompanying lawsuits for $5 million.
St. Joseph’s/Candler Health System, Inc. – 1,400,000 Records
St. Joseph’s/Candler Health System in Georgia is another 2021 healthcare ransomware attack victim. The ransomware attack occurred in June; however, hackers had first breached its network six months earlier. In that time, the attackers had access to the data of 1,400,000 patients, including names, dates of birth, Social Security numbers, driver’s license numbers, financial information, health insurance information, and medical information. Two class action lawsuits were filed against the health system for failing to prevent the attack.
University Medical Center Southern Nevada – 1,300,000 Records
University Medical Center in Southern Nevada also suffered a ransomware attack. The attackers potentially stole the personal and protected health information of 1,300,000 patients. They were reported to have issued a ransom demand of $12 million for the keys to unlock encrypted files and to prevent any misuse of the stolen data. After the demand was made, some of that information was posted to the attacker’s site, including names, dates of birth, Social Security numbers, passports, and health histories.
American Anesthesiology, Inc. – 1,269,074 Records
New York-based American Anesthesiology, Inc. was affected by a phishing attack. Employees responded to the phishing emails and disclosed their credentials, which gave the attackers access to email accounts containing the protected health information of 1,269,074 patients. The attack did not appear to have been conducted to steal patient data; instead, the attackers were trying to divert payroll to their own accounts.
Professional Business Systems, Inc. dba Practicefirst Medical Management Solutions and PBS Medcode Corp – 1,210,688 Records
The New York practice management company, Professional Business Systems, doing business as Practicefirst Medical Management Solutions and PBS Medcode Corp., was the victim of an attempted ransomware attack. The protected health information of 1,210,688 individuals was potentially stolen.