Posted By HIPAA Journal on Dec 30, 2021
The largest healthcare data breaches of 2021 rank as some of the worst of all time. In this post, we summarize some of the most serious data breaches to be reported in what has turned out to be another record-breaking year.
The Department of Health and Human Services’ Office for Civil Rights’ breach portal shows 686 healthcare data breaches of 500 or more records in 2021, and that number is likely to grow over the next couple of weeks and could well exceed 700 data breaches. As it stands, 2021 is already the worst ever year for healthcare data breaches, beating last year’s record of 642 data breaches.
It has also been a particularly bad year in terms of the number of breached healthcare records. Across the 686 2021 healthcare data breaches, 44,993,618 healthcare records have been exposed or stolen, which makes 2021 the second-worst year in terms of breached healthcare records.
There have been 245 data breaches of 10,000 or more records, 68 breaches of the healthcare data of 100,000 or more individuals, 25 breaches that affected more than half a million individuals, and 10 breaches of the personal and protected health information of more than 1 million individuals. Almost three-fourths of the year’s breaches (73.9%) were hacking or other IT incidents.
The Largest Healthcare Data Breaches of 2021
Each of the data breaches below involved the personal and protected health information of more than 1,000,000 individuals. All of these data breaches were hacking incidents where unauthorized individuals gained access to healthcare networks where electronic healthcare data were stored.
Accellion FTA Hack – At Least 3.51 Million Records
The largest healthcare data breach was a hacking incident involving the file transfer vendor Accellion. Four vulnerabilities in the legacy Accellion File Transfer Appliance (FTA) were exploited and more than 100 companies were affected, including at least 11 U.S. healthcare organizations. The Accellion FTA was used for transferring files too large to be sent via email. The attack was conducted by a threat actor linked to the Clop ransomware gang. Ransomware was not used in the attack, but sensitive data were stolen, ransom demands were issued, and stolen data were leaked on the Clop ransomware gang’s leak site.
The Accellion FTA hack does not appear as a single incident on the HHS’ Office for Civil Rights breach portal, as each affected healthcare organization reported the breach separately. In total, the protected health information of at least 3.51 million individuals is believed to have been stolen.
Florida Healthy Kids Corporation – 3.5 Million Records
The largest healthcare data breach of 2021 to be reported to the HHS’ Office for Civil Rights by a HIPAA-covered entity was a hacking incident at the Florida health plan, Florida Healthy Kids Corporation (FHKC). The breach was reported in January 2021 and was due to the failure of a security vendor to apply patches to fix multiple vulnerabilities on the FHKC website over a period of 7 years.
Hackers had access to the website for several years, and potentially stole highly sensitive information such as Social Security numbers and financial information. Some of the data on the website was also tampered with. The analysis of the breach revealed the personal and protected health information of 3.5 million individuals was exposed.
20/20 Eye Care Network, Inc – 3,253,822 Records
20/20 Eye Care Network, a Florida-based provider of eye and ear care services, exposed the personal and protected health information of 3,253,822 individuals as a result of a misconfigured Amazon Web Services S3 cloud storage bucket. In January 2021, 20/20 Eye Care Network discovered an unauthorized individual accessed the exposed storage bucket and downloaded some data, which may have included Social Security numbers, dates of birth, and health insurance information. The attacker then deleted the data in the bucket.
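The 20/20 Eye Care Network incident is the classic exposed-bucket pattern: anonymous read of the objects followed by anonymous delete. As an added example that is not from the original page and not from 20/20 Eye Care Network (which disclosed no details of its configuration), the following Python inspects an S3 bucket policy document for grants to everyone and reports whether an anonymous actor could read, write or delete objects. Both policy documents, the bucket name `example-phi-bucket` and the IAM role ARN are constructed placeholders.

```python
import json

# Constructed sample policies. The first is the kind of "public" policy that
# allows anyone to download and then delete objects; the second restricts the
# grant to one IAM role and only uses Principal "*" in a Deny statement.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenToEveryone", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-phi-bucket/*"}
    ]
})

LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/claims-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-phi-bucket/*"},
        # A Deny to "*" is the normal way to refuse plaintext HTTP; it must not
        # be reported as a public grant.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-phi-bucket",
                      "arn:aws:s3:::example-phi-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
    ]
})

# What a public grant of each S3 action lets an anonymous actor do.
ACTION_CAPABILITIES = {
    "s3:getobject": "read",
    "s3:listbucket": "read",
    "s3:putobject": "write",
    "s3:deleteobject": "delete",
    "s3:deleteobjectversion": "delete",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_grants(policy_json):
    """Return (Sid, action, has_condition) for every Allow to everyone.

    Conditioned grants (e.g. limited by aws:SourceIp) are still reported, but
    flagged so a reviewer can judge whether the condition is sufficient.
    """
    policy = json.loads(policy_json)
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with Principal "*" are expected
        if not _is_public_principal(stmt.get("Principal", {})):
            continue
        conditioned = bool(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action", [])):
            grants.append((stmt.get("Sid", "<no Sid>"), action, conditioned))
    return grants


def public_capabilities(policy_json):
    """Set of {"read", "write", "delete"} an anonymous actor gets outright."""
    caps = set()
    for _sid, action, conditioned in find_public_grants(policy_json):
        if conditioned:
            continue  # counted only as a finding, not as a confirmed capability
        name = action.lower()
        if name in ("*", "s3:*"):
            return {"read", "write", "delete"}
        if name in ACTION_CAPABILITIES:
            caps.add(ACTION_CAPABILITIES[name])
    return caps


if __name__ == "__main__":
    for label, policy in (("public", PUBLIC_POLICY), ("locked", LOCKED_POLICY)):
        print(label, sorted(public_capabilities(policy)))
        for sid, action, conditioned in find_public_grants(policy):
            print("  ", sid, action, "(conditioned)" if conditioned else "")
```

The bucket policy is only one of the paths to public exposure; bucket and object ACLs and the account and bucket level Block Public Access settings also need to be checked (`aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` return the documents this kind of check consumes). Enabling Block Public Access on the account is the control that would have made the policy above ineffective regardless of how it was written.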
NEC Networks, LLC dba CaptureRx – At Least 2.42 Million Records
Texas-based NEC Networks, doing business as CaptureRx, was the victim of the largest healthcare ransomware attack of 2021. Prior to the use of ransomware to encrypt files, the attackers exfiltrated files containing the personal and protected health information of its healthcare provider clients. The breach was reported by NEC Networks as affecting 1,656,569 patients of its healthcare provider clients, but several clients reported the breach separately. In total, at least 2.42 million individuals were affected.
Forefront Dermatology, S.C. – 2,413,553 Records
The Wisconsin-based healthcare provider Forefront Dermatology discovered in June 2021 that unauthorized individuals had gained access to its network and potentially viewed and obtained private and confidential employee and patient information, including names and Social Security numbers.
The investigation confirmed the personal and protected health information of 4,431 individuals had been compromised, but the systems accessed by the attacker contained the records of 2,413,553 individuals, all of whom may have been affected.
Eskenazi Health – 1,515,918 Records
The Indiana-based healthcare provider Eskenazi Health suffered a ransomware attack in August conducted by the Vice Society ransomware gang. Prior to encrypting files, the attackers exfiltrated files containing the personal and protected health information of 1,515,918 patients, including Social Security numbers, passport numbers, driver’s licenses, photographs, pharmacy records, and financial information, some of which were leaked on the group’s data leak site when the ransom was not paid.
The Kroger Co. – 1,474,284 Records
The Ohio-based grocery chain and pharmacy operator, the Kroger Company, was one of the companies worst affected by the exploitation of vulnerabilities in its Accellion File Transfer Appliance (FTA). Kroger said the internal investigation revealed fewer than 1% of its customers were affected – 1,474,284 individuals. Names, contact information, Social Security numbers, insurance claim information, prescription information, and some medical history information was stolen in the attack. Lawsuits were filed in response to the breach, which Kroger settled for $5 million.
St. Joseph’s/Candler Health System, Inc. – 1,400,000 Records
Georgia-based St. Joseph’s/Candler Health System was another 2021 healthcare ransomware attack victim. The ransomware was deployed in June; however, the hackers had first breached its network 6 months earlier. During those 6 months, the attackers had access to the sensitive data of 1,400,000 patients, including names, dates of birth, Social Security numbers, driver’s license numbers, financial information, health insurance information, and medical information. Two class action lawsuits were filed in the wake of the breach alleging negligence for failing to prevent the attack and for failing to discover the intrusion for 6 months.
University Medical Center Southern Nevada – 1,300,000 Records
The Nevada-based healthcare provider University Medical Center Southern Nevada suffered a ransomware attack conducted by the REvil ransomware gang. The attackers allegedly issued a ransom demand of $12 million for the keys to unlock encrypted files and to prevent any misuse of stolen data. The gang potentially stole the personal and protected health information of 1,300,000 patients, and some of that information was posted to the gang’s data leak site, including names, dates of birth, Social Security numbers, passports, and health histories.
American Anesthesiology, Inc. – 1,269,074 Records
New York-based American Anesthesiology, Inc. was affected by a phishing attack on one of its business associates, MEDNAX. Employees responded to the phishing emails and disclosed their credentials, which gave the attackers access to email accounts containing the protected health information of 1,269,074 patients. The attack did not appear to have been conducted to steal patient data; instead, the attackers were trying to divert payroll to their own accounts.
Professional Business Systems, Inc. dba Practicefirst Medical Management Solutions and PBS Medcode Corp – 1,210,688 Records
The New York practice management company, Professional Business Systems, doing business as Practicefirst Medical Management Solutions and PBS Medcode Corp., was the victim of an attempted ransomware attack. Prior to attempting to encrypt data, the attackers exfiltrated files containing the names, addresses, driver’s license numbers, Social Security numbers, email addresses, and tax identification numbers of employees and patients of its healthcare provider clients. In total, the protected health information of 1,210,688 individuals was potentially stolen.
Other Large Healthcare Data Breaches Reported in 2021
The table below shows the U.S. healthcare data breaches reported to the HHS’ Office for Civil Rights in 2021 that affected between 500,000 and 1,000,000 individuals. Seven of the 15 breaches below are confirmed ransomware attacks, and a further three were part of the Accellion FTA data theft and extortion campaign attributed to the Clop ransomware gang.
| Name of Covered Entity | State | Entity Type | Individuals Affected | Type of Breach | Breach Cause |
| --- | --- | --- | --- | --- | --- |
| Personal Touch Holding Corp. | New York | Business Associate | 753,107 | Hacking/IT Incident | Ransomware |
| Oregon Anesthesiology Group, P.C. | Oregon | Healthcare Provider | 750,500 | Hacking/IT Incident | Ransomware |
| UF Health Central Florida | Florida | Healthcare Provider | 700,981 | Hacking/IT Incident | Ransomware |
| Sea Mar Community Health Centers | Washington | Healthcare Provider | 688,000 | Hacking/IT Incident | Unspecified hacking incident involving data theft |
| Health Net Community Solutions | California | Health Plan | 686,556 | Hacking/IT Incident | Accellion FTA data theft and extortion attack |
| Community Medical Centers, Inc. | California | Healthcare Provider | 656,047 | Hacking/IT Incident | Unspecified hacking incident |
| DuPage Medical Group, Ltd. | Illinois | Healthcare Provider | 655,384 | Hacking/IT Incident | Ransomware |
| Hendrick Health | Texas | Healthcare Provider | 640,436 | Hacking/IT Incident | Ransomware |
| UNM Health | New Mexico | Healthcare Provider | 637,252 | Hacking/IT Incident | Unspecified hacking incident involving data theft |
| Trinity Health | Michigan | Business Associate | 586,869 | Hacking/IT Incident | Accellion FTA data theft and extortion attack |
| Utah Imaging Associates, Inc. | Utah | Healthcare Provider | 582,170 | Hacking/IT Incident | Unspecified hacking incident |
| Texas ENT Specialists | Texas | Healthcare Provider | 535,489 | Hacking/IT Incident | Ransomware |
| Wolfe Clinic, P.C. | Iowa | Healthcare Provider | 527,378 | Hacking/IT Incident | Ransomware |
| Health Net of California | California | Health Plan | 523,709 | Hacking/IT Incident | Accellion FTA data theft and extortion attack |
| State of Alaska Department of Health & Social Services | Alaska | Health Plan | 500,000 | Hacking/IT Incident | Hack by nation-state espionage group |