The Biggest Healthcare Data Breaches of 2021

Some of the major healthcare data breaches of 2021 are the worst in history. This post summarizes the major data breaches reported in 2021.

The Department of Health and Human Services’ Office for Civil Rights’ breach website indicates that there were 686 healthcare data breaches involving 500 or higher records in 2021. That number will probably increase in the next few weeks and go over 700 data breaches. As it is, 2021 is actually the worst year ever in terms of healthcare data breaches, going over 2020’s 642 data breaches.

In terms of breached healthcare records, there were 44,993,618 healthcare records exposed or stolen across the 686 healthcare data breaches. The report states that:

  • 245 data breaches involved 10,000 or higher records
  • 68 breaches involved 100,000 or higher records
  • 25 breaches involved over half a million records
  • 10 healthcare data breaches affected over 1 million people

Nearly 75% of the 2021’s breaches (73.9%) were due to hacking or additional IT incidents.

The Biggest Healthcare Data Breaches of 2021

The data breaches listed below affected the personal and protected health information (PHI) of over 1,000,000 people. All were due to hacking incidents where unauthorized persons acquired access to healthcare systems storing electronic healthcare data.

1. Accellion FTA Hack – No less than 3.51 Million Records

The hackers exploited four vulnerabilities in the legacy Accellion File Transfer Appliance (FTA) and over 100 firms were impacted, including 11 U.S. healthcare companies. The Accellion FTAs provides file transfer services and a threat actor connected to the Clop ransomware gang was behind the attack. No ransomware was used in the attack, however sensitive information was stolen. The attacker demanded ransom and leaked stolen data on the Clop ransomware gang’s leak website.

2. Florida Healthy Kids Corporation – 3.5 Million Records

This hacking incident at a Florida health plan is the largest healthcare data breach reported in 2021 by a HIPAA-covered entity Florida Healthy Kids Corporation (FHKC) reported the breach last January 2021, which occurred because of the inability of a security vendor to implement patches to correct several vulnerabilities on the FHKC site over a timeframe of 7 years.

Hackers got access to the website for a few years, and possibly stole highly sensitive data like Social Security numbers and financial data. A portion of the information on the website was likewise compromised. The breach analysis showed that the personal data and PHI of 3.5 million people were compromised.

3. 20/20 Eye Care Network, Inc – 3.25 Million Records

Eye and ear care services provider, 20/20 Eye Care Network based in Florida, exposed the personal data and PHI of 3,253,822 people due to the improper configuration of the Amazon Web Services S3 cloud storage bucket. Last January 2021, 20/20 Eye Care Network found out that an unauthorized person accessed the breached storage bucket and acquired some files, which might have contained Social Security numbers, birth dates, and medical insurance data. The attacker then erased the information in the bucket.

4. NEC Networks, LLC dba CaptureRx – About 2.42 Million Records

NEC Networks based in Texas, dba CaptureRx, encountered a ransomware attack in 2021. Before deploying the ransomware to encrypt files, the attackers copied files comprising the personal data and PHI of its healthcare provider clients. The breach report submitted by NEC Networks indicated that 1,656,569 patients of its healthcare provider clients were affected. However, a number of clients reported the breach on their own. Overall, about 2.42 million individuals were impacted.

5. Forefront Dermatology, S.C. – 2.41 Million Records

The healthcare provider Forefront Dermatology based in Wisconsin found out in June 2021 that unauthorized people acquired access to its system and possibly viewed and acquired private and confidential worker and patient data, such as names and Social Security numbers.

The breach investigators stated that the data of 4,431 people were compromised, however, the attacker accessed systems that contained the files of 2,413,553 people, all of whom were potentially affected.

6. Eskenazi Health – 1.52 Million Records

The healthcare provider Eskenazi Health based in Indiana experienced a ransomware attack by the Vice ransomware gang in August. Before encrypting files, the attackers acquired files with the personal data and PHI of 1,474,284 patients, such as Social Security numbers, driver’s licenses, passport numbers, photos, pharmacy information, and financial details, and leaked some of them on the group’s data leak website because no ransom was paid.

7. The Kroger Co. – 1.47 Million Records

The grocery chain and pharmacy owner, The Kroger Company, based in Ohio was seriously affected by the vulnerabilities exploitation in its Accellion File Transfer Appliance (FTA). Kroger’s internal investigation showed less than 1% of its clients were impacted – 1,474,284 people. Their names, contact data, Social Security numbers, insurance claim details, prescription details, and some medical background data were compromised in the attack. Kroger faced lawsuits because of the breach and paid out $5 million.

8. St. Joseph’s/Candler Health System, Inc. – 1.40 Million Records

St. Joseph Candler Health System based in Georgia encountered a ransomware attack in June. Nonetheless, the hackers had initially accessed its network 6 months earlier. In those 6 months, the attackers accessed the sensitive information of 1,400,000 individuals, which includes names, birth dates, driver’s license numbers, Social Security numbers, financial details, medical insurance data, and medical details. Two class-action lawsuits were submitted after the breach claiming the health system was negligent thus failing to stop the attack and did not discover the breach for 6 months earlier.

9. University Medical Center Southern Nevada – 1.30 Million Records

The healthcare provider University Medical Center Southern Nevada was attacked by the REvil ransomware gang. The attackers demanded a $12 million ransom for the keys to decrypt the files and to stop any stolen data misuse. The gang possibly stole the personal data and PHI of 1.30 Million patients, and certain data was published to the gang’s data leak website, such as names, birth dates, passports, Social Security numbers,
and medical backgrounds.

10. American Anesthesiology, Inc. – 1.27 Million Records

American Anesthesiology, Inc. based in New York was impacted by a phishing attack on its business associates, MEDNAX. Workers clicked on phishing emails and exposed their credentials, therefore the attackers got access to email accounts that contain the PHI of 1,269,074 individuals. The attack didn’t seem to have been carried out to steal patient information, rather, the attackers were attempting to redirect payroll to their own accounts.

11. Professional Business Systems, Inc. also known as Practicefirst Medical Management Solutions and PBS Medcode Corp – 1.21 Million Records

The New York practice management firm, Professional Business Systems, dba Practicefirst Medical Management Solutions, and PBS Medcode Corp., encountered an attempted ransomware attack. Before the attempt to encrypt files, the attackers copied files that contain the names, email addresses, addresses, Social Security numbers, driver’s license numbers, and tax ID numbers of workers and patients of its healthcare provider clients. Overall, the PHI of 1,210,688 persons was possibly stolen.

About Christine Garcia 1191 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA