US Healthcare Sector Breaches 342m+ Records Since 2009

    Healthcare organizations (HCOs) in the US have suffered nearly 5000 publicly recorded data breaches since 2009, spilling hundreds of millions of records in the process, according to a new analysis from Comparitech.

    The tech research and comparison company analyzed data from 2009 to June 2022 to better understand the scale of the security challenges facing the sector.

    Of the 4746 medical breaches recorded over the period, the largest numbers came in 2020 (803) and 2021 (711), although the most records were breached in 2015 (112 million).

    California accounted for the most breaches (around 10%) in total, but when sliced according to population size, Indiana comes out on top with 1.28 million records affected per 100,000 residents.

    In 2021 and 2022, hacking was the most common type of breach, accounting for over 40% each year. Next most frequent, excluding unknowns, was ransomware, which accounted for nearly a quarter (23%) of incidents last year.

    Medical breaches continue to be a challenge today, with the Centre Hospitalier Sud Francilien (CHSF) near Paris suffering a ransomware attack this week, which has led to a $10m extortion demand.

    The top five medical breaches of all time in the US are as follows:

    • Anthem, which impacted 78.8 million records in 2015. It stemmed from an employee opening a spear-phishing email.
    • Optum360, which breached 11.5 million records containing personal and financial information on lab patients at the American Medical Collection Agency between August 2018 and March 2019.
    • Premera Blue Cross, which affected 11 million records and resulted in a $6.9m fine after hackers used a phishing email to install malware. The breach went unnoticed from May 2014 until January 2015.
    • Laboratory Corporation of America Holdings, which impacted 10.2 million records after an intruder accessed the payment website of partner American Medical Collection Agency in 2019.
    • Excellus Health Plan, which breached 9.3 million records after hackers gained unauthorized access to the firm’s IT systems from December 2013 until May 2015.