Healthcare Insights
20 largest healthcare data breaches
Under the HIPAA Breach Notification Rule, HIPAA-covered entities and their business associates must provide notification following a breach of unsecured protected health information (PHI). The Federal Trade Commission (FTC) has similar provisions that apply to vendors of personal health records and their third-party service providers.
The Secretary of the U.S Department of Health and Human Services (HHS) maintains a list of data breaches affecting 500 or more individuals’ PHI. The Definitive Healthcare HospitalView product tracks specific healthcare data breaches that take place at U.S. hospitals and healthcare systems.
This Healthcare Insight reviews the largest healthcare data breaches in 2021 and 2022 based on the number of patient records affected. Data from the HHS breach portal was accessed January 5, 2023.
| Rank | State | Covered entity type | Individuals affected | Type of breach | Location of breached information | Status | Explore dataset |
|---|---|---|---|---|---|---|---|
| 1 | FL | Business Associate | 4,142,440 | Hacking/IT incident | Network server | Resolved | Explore |
| 2 | FL | Health Plan | 3,500,000 | Hacking/IT incident | Network server | Resolved | Explore |
| 3 | CA | Business Associate | 2,592,494 | Hacking/IT incident | Network server | Under investigation | Explore |
| 4 | WI | Healthcare Provider | 2,413,553 | Hacking/IT incident | Network server | Resolved | Explore |
| 5 | FL | Healthcare Provider | 1,737,775 | Hacking/IT incident | Network server | Under investigation | Explore |
| 6 | TX | Business Associate | 1,656,569 | Hacking/IT incident | Network server | Under investigation | Explore |
| 7 | IN | Healthcare Provider | 1,515,918 | Hacking/IT incident | Network server | Under investigation | Explore |
| 8 | OH | Healthcare Provider | 1,474,284 | Hacking/IT incident | Network server | Under investigation | Explore |
| 9 | GA | Healthcare Provider | 1,400,000 | Hacking/IT incident | Network server | Under investigation | Explore |
| 10 | NV | Healthcare Provider | 1,300,000 | Hacking/IT incident | Network server | Under investigation | Explore |
| 11 | NY | Healthcare Provider | 1,269,074 | Hacking/IT incident | Under investigation | Explore | |
| 12 | NM | Healthcare Provider | 1,228,093 | Hacking/IT incident | Network server | Resolved | Explore |
| 13 | NY | Business Associate | 1,210,688 | Hacking/IT incident | Network server | Under investigation | Explore |
| 14 | MD | Healthcare Provider | 824,450 | Hacking/IT incident | Resolved | Explore | |
| 15 | NY | Business Associate | 753,107 | Hacking/IT incident | Network server | Resolved | Explore |
| 16 | OR | Healthcare Provider | 750,500 | Hacking/IT incident | Network server | Under investigation | Explore |
| 17 | FL | Healthcare Provider | 700,934 | Hacking/IT incident | Network server | Resolved | Explore |
| 18 | CA | Health Plan | 688,603 | Hacking/IT incident | Network server | Resolved | Explore |
| 19 | WA | Healthcare Provider | 688,000 | Hacking/IT incident | Network server | Under investigation | Explore |
| 20 | AZ | Business Associate | 685,574 | Hacking/IT incident | Network server | Resolved | Explore |
Fig. 1. Data is from the HHS Breach Portal. Accessed January 2023.
What were the largest healthcare data breach incidents in 2021?
Out of the 715 healthcare data breaches in 2021, the top twenty account for more than half, or 30.5 million, of the 54.1 million total individuals affected. The largest incident compromised over 4.1 million records and three breaches affected more than 2 million individuals each.
Healthcare provider organizations, including healthcare systems, hospitals, and physician groups) represent 12 of the largest data breaches in 2021, followed by business associates (6) and health plans (2). All were data hacks and all but two of the top 20 healthcare data breaches affected network servers.
| Rank | State | Covered entity type | Individuals affected | Type of breach | Location of breached information | Status | Explore dataset |
|---|---|---|---|---|---|---|---|
| 1 | WI | Business Associate | 4,112,892 | Hacking/IT incident | Network server | Under investigation | Explore |
| 2 | WI | Healthcare Provider | 3,000,000 | Unauthorized access/disclosure | Electronic medical record | Under investigation | Explore |
| 3 | PA | Business Associate | 2,216,365 | Hacking/IT incident | Network server | Under investigation | Explore |
| 4 | MA | Business Associate | 2,000,000 | Hacking/IT incident | Network server | Under investigation | Explore |
| 5 | CO | Business Associate | 1,918,941 | Hacking/IT incident | Network server | Under investigation | Explore |
| 6 | TX | Healthcare Provider | 1,608,549 | Hacking/IT incident | Network server | Under investigation | Explore |
| 7 | IN | Healthcare Provider | 1,500,000 | Unauthorized access/disclosure | Network server | Under investigation | Explore |
| 8 | NC | Business Associate | 1,362,296 | Unauthorized access/disclosure | Electronic medical record | Under investigation | Explore |
| 9 | FL | Healthcare Provider | 1,351,431 | Hacking/IT incident | Network server | Under investigation | Explore |
| 10 | TX | Healthcare Provider | 1,290,104 | Hacking/IT incident | Other | Under investigation | Explore |
| 11 | PR | Healthcare Provider | 1,195,220 | Hacking/IT incident | Network server | Under investigation | Explore |
| 12 | NY | Business Associate | 942,138 | Hacking/IT incident | Network server | Under investigation | Explore |
| 13 | MI | Healthcare Provider | 877,584 | Hacking/IT incident | Network server | Under investigation | Explore |
| 14 | CA | Health Plan | 854,913 | Hacking/IT incident | Network server | Under investigation | Explore |
| 15 | WA | Business Associate | 793,283 | Hacking/IT incident | Network server | Under investigation | Explore |
| 16 | AZ | Healthcare Provider | 737,448 | Hacking/IT incident | Network server | Under investigation | Explore |
| 17 | AZ | Health Plan | 637,999 | Hacking/IT incident | Network server | Under investigation | Explore |
| 18 | IL | Business Associate | 623,774 | Hacking/IT incident | Network server | Under investigation | Explore |
| 19 | TX | Healthcare Provider | 612,000 | Hacking/IT incident | Network server | Under investigation | Explore |
| 20 | IA | Healthcare Provider | 542,776 | Hacking/IT incident | Electronic medical record | Under investigation | Explore |
Fig. 2. Data is from the HHS Breach Portal. Accessed January 2023.
What were the largest healthcare data breach incidents in 2022?
As of January 2023, there were 693 healthcare data breaches reported for 2022. The top 20 breaches by total individuals affected account for 55% of all records compromised – 28.2 million of 51.3 million records. The two largest incidents affected 3 million individuals or more.
Half of the largest 2022 healthcare data breaches were at provider organizations, eight were though business associates and two at health plans. Most were hacking incidents with three instances of unauthorized access. Network servers were attacked in most cases with electronic medical records breached in three incidents.
Learn more
Healthcare Insights are developed with healthcare commercial intelligence from the Definitive Healthcare platform. Want even more insights? Start a free trial now and get access to the latest healthcare commercial intelligence on hospitals, physicians, and other healthcare providers.
You might also be interested in...
