Largest Healthcare Data Breaches of 2021

Largest Healthcare Data Breaches of 2021

Share this article on:

The largest healthcare data breaches of 2021 rank as some of the worst of all time. In this post, we summarize some of the most serious data breaches to be reported in what has turned out to be another record-breaking year.

The Department of Health and Human Services’ Office for Civil Rights’ breach portal shows 686 healthcare data breaches of 500 or more records in 2021, and that number is likely to grow over the next couple of weeks and could well exceed 700 data breaches. As it stands, 2021 is already the worst ever year for healthcare data breaches, beating last year’s record of 642 data breaches.

It has also been a particularly bad year in terms of the number of breached healthcare records. Across the 686 2021 healthcare data breaches, 44,993,618 healthcare records have been exposed or stolen, which makes 2021 the second-worst year in terms of breached healthcare records.

There have been 245 data breaches of 10,000 or more records, 68 breaches of the healthcare data of 100,000 or more individuals, 25 breaches that affected more than half a million individuals, and 10 breaches of the personal and protected health information of more than 1 million individuals. Almost three-fourths of the year’s breaches (73.9%) were hacking or other IT incidents.

The Largest Healthcare Data Breaches of 2021

Each of the data breaches below involved the personal and protected health information of more than 1,000,000 individuals. All of these data breaches were hacking incidents where unauthorized individuals gained access to healthcare networks where electronic healthcare data were stored.

Accellion FTA Hack – At Least 3.51 Million Records

The largest healthcare data breach was a hacking incident involving the firewall vendor Accellion. Four vulnerabilities in the legacy Accellion File Transfer Appliance (FTA) were exploited and more than 100 companies were affected, including at least 11 U.S. healthcare organizations. The Accellion FTAs were used for transferring files too large to be sent via email. The attack was conducted by a threat actor linked to the Clop ransomware gang.  Ransomware was not used in the attack, but sensitive data were stolen, ransom demands issued, and stolen data were leaked on the Clop ransomware gang’s leak site.

The Accellion FTA hack does not appear as a single incident on the HHS’ Office or Civil Rights breach portal as each affected healthcare organization reported the breach separately. In total, the protected health information of at least 3.51 million individuals is believed to have been stolen.

Florida Healthy Kids Corporation – 3.5 Million Records

The largest healthcare data breach of 2021 to be reported to the HHS’ Office for Civil Rights by a HIPAA-covered entity was a hacking incident at the Florida health plan, Florida Healthy Kids Corporation (FHKC). The breach was reported in January 2021 and was due to the failure of a security vendor to apply patches to fix multiple vulnerabilities on the FHKC website over a period of 7 years.

Hackers had access to the website for several years, and potentially stole highly sensitive information such as Social Security numbers and financial information. Some of the data on the website was also tampered with. The analysis of the breach revealed the personal and protected health information of 3.5 million individuals was exposed.

20/20 Eye Care Network, Inc – 3,253,822 Records

20/20 Eye Care Network, a Florida-based provider of eye and ear care services, exposed the personal and protected health information of 3,253,822 individuals as a result of a misconfigured Amazon Web Services S3 cloud storage bucket. In January 2021, 20/20 Eye Care Network discovered an unauthorized individual accessed the exposed storage bucket and downloaded some data, which may have included Social Security numbers, dates of birth, and health insurance information. The attacker then deleted the data in the bucket.

NEC Networks, LLC dba CaptureRx – At Least 2.42 Million Records

Texas-based NEC Networks, doing business as CaptureRx, was the victim of the largest healthcare ransomware attack of 2021. Prior to the use of ransomware to encrypt files, the attackers exfiltrated files containing the personal and protected health information of its healthcare provider clients. The breach was reported by NEC Networks as affecting 1,656,569 patients of its healthcare provider clients, but several clients reported the breach separately. In total, at least 2.42 million individuals were affected.

Forefront Dermatology, S.C. – 2,413,553 Records

The Wisconsin-based healthcare provider, Forefront Dermatology, discovered in June 2021 that unauthorized individuals had gained access to its network and potentially viewed and potentially obtained private and confidential employee and patient information, including names and Social Security numbers.

The investigation confirmed the personal and protected health information of 4,431 individuals had been compromised, but the systems accessed by the attacker contained the records of 2,413,553 individuals, all of whom may have been affected.

Eskenazi Health – 1,515,918 Records

The Indiana-based healthcare provider Eskenazi Health suffered a ransomware attack in August conducted by the Vice ransomware gang. Prior to encrypting files, the attackers exfiltrated files containing the personal and protected health information of 1,474,284 patients, including Social Security numbers, passport numbers, driver’s licenses, photographs, pharmacy records, and financial information, some of which were leaked on the group’s data leak site when the ransom was not paid.

The Kroger Co. – 1,474,284 Records

The Ohio-based grocery chain and pharmacy operator, the Kroger Company, was one of the companies worst affected by the exploitation of vulnerabilities in its Accellion File Transfer Appliance (FTA).  Kroger said the internal investigation revealed fewer than 1% of its customers were affected – 1,474,284 individuals. Names, contact information, Social Security numbers, insurance claim information, prescription information, and some medical history information was stolen in the attack. Lawsuits were filed in response to the breach, which Kroger settled for $5 million.

St. Joseph’s/Candler Health System, Inc. – 1,400,000 Records

Georgia-based St. Joseph Candler Health System was another 2021 healthcare ransomware attack victim. The ransomware attack occurred in June; however, hackers had first breached its network 6 months previously. During those 6 months, the attackers had access to the sensitive data of 1,400,000 patients, including names, date of birth, Social Security numbers, driver’s license numbers, financial information, health insurance information, and medical information. Two class action lawsuits were filed in the wake of the breach alleging negligence for failing to prevent the attack and for failing to discover the breach for 6 months.

University Medical Center Southern Nevada – 1,300,000 Records

The Nevada-based healthcare provider University Medical Center Southern Nevada suffered a ransomware attack conducted by the REvil ransomware gang. The attackers allegedly issued a ransom demand of $12 million for the keys to unlock encrypted files and to prevent any misuse of stolen data. The gang potentially stole the personal and protected health information of 1,300,000 patients, and some of that information was posted to the gang’s data leak site, including names, dates of birth, Social Security numbers, passports, and health histories.

American Anesthesiology, Inc. – 1,269,074 Records

New York-based American Anesthesiology, Inc. was affected by a phishing attack on one of its business associates, MEDNAX. Employees responded to the phishing emails and disclosed their credentials, which provided the attackers with access to email accounts containing the protected health information of 1,269,074 patients. The attack did not appear to have been conducted to steal patient data, instead, the attackers were trying to divert payroll to their accounts.

Professional Business Systems, Inc. dba Practicefirst Medical Management Solutions and PBS Medcode Corp – 1,210,688 Records

The New York practice management company, Professional Business Systems, doing business as Practicefirst Medical Management Solutions and PBS Medcode Corp., was the victim of an attempted ransomware attack. Prior to attempting to encrypt data, the attackers exfiltrated files containing the names, addresses, driver’s license numbers, Social Security numbers, email addresses, and tax identification numbers of employees and patients of its healthcare provider clients. In total, the protected health information of 1,210,688 individuals was potentially stolen.

Other Large Healthcare Data Breaches Reported in 2021

The table below shows the U.S. healthcare data breaches reported to the HHS’ Office for Civil Rights in 2021 that affected between 500,000 and 1,000,000 million individuals. At least 10 of the 15 breaches below are known to be ransomware attacks.

Name of Covered Entity State Entity Type Individuals Affected Type of Breach Breach Cause
Personal Touch Holding Corp. New York Business Associate 753,107 Hacking/IT Incident Ransomware
Oregon Anesthesiology Group, P.C. Oregon Healthcare Provider 750,500 Hacking/IT Incident Ransomware
UF Health Central Florida Florida Healthcare Provider 700,981 Hacking/IT Incident Ransomware
Sea Mar Community Health Centers Washington Healthcare Provider 688,000 Hacking/IT Incident Unspecified hacking incident involving data theft
Health Net Community Solutions California Health Plan 686,556 Hacking/IT Incident Accellion FTA data theft and extortion attack
Community Medical Centers, Inc. California Healthcare Provider 656,047 Hacking/IT Incident Unspecified hacking incident
DuPage Medical Group, Ltd. Illinois Healthcare Provider 655,384 Hacking/IT Incident Ransomware
Hendrick Health Texas Healthcare Provider 640,436 Hacking/IT Incident Ransomware
UNM Health New Mexico Healthcare Provider 637,252 Hacking/IT Incident Unspecified hacking incident involving data theft
Trinity Health Michigan Business Associate 586,869 Hacking/IT Incident Accellion FTA data theft and extortion attack
Utah Imaging Associates, Inc. Utah Healthcare Provider 582,170 Hacking/IT Incident Unspecified hacking incident
Texas ENT Specialists Texas Healthcare Provider 535,489 Hacking/IT Incident Ransomware
Wolfe Clinic, P.C. Iowa Healthcare Provider 527,378 Hacking/IT Incident Ransomware
Health Net of California California Health Plan 523,709 Hacking/IT Incident Accellion FTA data theft and extortion attack
State of Alaska Department of Health & Social Services Alaska Health Plan 500,000 Hacking/IT Incident Hack by nation-state espionage group

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On