Top 10 U.S. Healthcare-Related Breaches Revealed: Total of 19 Million People’s Data Exposed

The healthcare sector remained the target of hundreds of cyberattacks in 2021, with tens of millions of medical records exposed to unauthorized parties, according to a tally of the data breach reports released to date.

Most of the largest data breaches were due to ransomware attacks, and the top 10 alone account for more than half of all medical records breached in 2021.

Millions of people’s personal information has been stolen or exposed

The Breach Notification Rule under the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to disclose a breach if it affects 500 or more residents of a state or jurisdiction.

The top 10 most impactful cyber events listed on the U.S. Department of Health and Human Services (HHS) Office for Civil Rights portal were all hacking incidents that compromised the data of a total of 19 million people.

Top 10 Medical Data Breaches in the US

1. Florida Healthy Kids Corporation -> for 3.5 million people

Topping the list of reported incidents was the one at Florida Healthy Kids Corporation, where a seven-year unpatched vulnerability in the website’s hosting platform was exploited by hackers to expose the data of 3.5 million people.

2. 20/20 Eye Care Network -> for 3.2 million people

The second largest data breach in the healthcare sector was at 20/20 Eye Care Network in Florida, which exposed the personal data of more than 3.2 million people; the hackers also gained access to the company’s AWS S3 bucket and deleted the information. A class action lawsuit has been filed against 20/20 Eye Care Network.

3. Forefront Dermatology -> for 2.41 million people

Another notable data breach was at Forefront Dermatology, a dermatology group practice, which found that unauthorized persons had been accessing its systems for a week.

The breach exposed the information of more than 2.41 million patients, including names, addresses, dates of birth, health insurance plan member IDs, and details of medical and clinical treatments.

4. NEC Netsys (CaptureRx) -> for 1.65 million people

On February 19, 2021, NEC Networks & System Integration (CaptureRx) discovered that its systems had been compromised two weeks earlier and that intruders had accessed customer records.

Subsequent investigation revealed that it was a ransomware attack that affected data belonging to 1.65 million people.

5. Eskenazi Health -> for 1.5 million people

On August 4, an attack on Eskenazi Health’s public hospital division compromised data on more than 1.5 million people.

The attackers had been inside the internal network since May 19, preparing to encrypt it, but were unable to complete the operation.

Although the data was not encrypted, the attackers were able to steal patients’ personal and health information from the organization.

6. The Kroger Co. -> for 1.47 million people

The Kroger Co. has confirmed a data breach that exposed the records of 1.47 million people. The incident occurred as part of a ransomware attack by the Clop group.

A vulnerability in Accellion’s legacy File Transfer Appliance service, used by up to 100 companies, was exploited to gain access to corporate data.

Kroger, the supermarket chain that operates the pharmacy, has agreed to pay $5 million to end claims against it on behalf of customers and employees whose personal information was compromised.

7. St. Joseph’s/Candler Health System -> for 1.4 million people

St. Joseph’s/Candler Health System, another victim of a ransomware attack, has announced that it detected the intrusion on June 17, 2021. Investigations revealed that the hackers had been accessing the network since December 18, 2020.

On the network, the attackers had access to data on 1.4 million patients, including addresses, birth dates, Social Security numbers, driver’s license numbers, financial information, health plan member IDs, and medical and clinical treatment information.

8. University Medical Center Southern Nevada -> for 1.3 million people

The REvil ransomware group infiltrated the systems of University Medical Center Southern Nevada in mid-June, exfiltrating the data of 1.3 million people.

The data included “certain protected health information” as well as personally identifiable information (PII), the center’s data security incident notice revealed.

9. American Anesthesiology -> for 1.2 million people

In early January 2021, American Anesthesiology notified patients that one of its service providers, Mednax Services, had suffered a phishing incident that resulted in the unauthorized release of personal information.

In mid-June 2020, an attacker was able to access a partner’s Microsoft Office 365 email system and gain access to personal information belonging to American Anesthesiology patients. A total of 1.2 million people’s data was compromised in this incident.

10. Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp. -> for 1.2 million people

Rounding out the list of the 10 largest data breaches reported so far in 2021 is Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp. (hereafter Practicefirst), a group of healthcare vendors.

This incident was a ransomware attack and was identified in late December 2020. The hackers did not encrypt the data, but they did copy files from Practicefirst’s network, exposing the personal information of more than 1.2 million patients and employees.

More than 50 hacking incidents disclosed on the HHS portal have affected more than 100,000 individuals, indicating that organizations in the healthcare sector continue to be attractive targets.

According to the HIPAA Journal, nearly 45 million medical records were compromised or stolen in reported information breaches in 2021.
