Breach, Ransomware, Incident Response

10 biggest healthcare data breaches of 2021 impact over 22.6M patients

The  U.S. Department of Health and Human Services building is shown Aug. 16, 2006, in Washington. (Photo by Mark Wilson/Getty Images)

The biggest healthcare data breaches reported in 2021 each impacted more than 1 million patients, with more than 22.64 million patients affected overall. Considering the runner-up incident claimed 1.2 million breach victims, the year has seen some of the largest cybersecurity impacts in healthcare’s history. 

Not to mention, these totals don’t account for the more than 600 incidents reported to the Department of Health and Human Services in 2021, nor the unreported incidents and other healthcare breaches that may not fall under The Health Insurance Portability and Accountability Act.

In total, four out of the top 10 biggest incidents were directly caused by vendors. The severity of the incidents reported this year highlight the sector’s ongoing challenges with vendors, the supply chain, and overall attack complexity. The largest breach reported this year best demonstrates these key weaknesses.

Despite media outlets naming other incidents, the hack of the Accellion File Transfer Application reported in early 2021 was the biggest healthcare data breach this year. It’s an important distinction, as the hack highlights the sector’s biggest Achilles heel: third-party vendors.

Threat actors cracked into longstanding, zero-day vulnerabilities in the FTA platform, which they used to pivot into connected provider systems and deploy a webshell named DEWMODE. The access was used to steal troves of sensitive information, used by the attackers to extort victims.

That the attackers were so aptly — and stealthily — able to perform their nefarious acts should serve as a warning to all covered entities and business associates to prioritize identity and access management, as well as visibility and inventory challenges into the coming year. 

Security researchers have warned throughout the year, these attacks will continue to move the bar on their tactics, while leveraging evasive techniques.

1. Accellion: over 3.51 million individuals

As noted, the Accellion FTA hack had far-reaching implications for healthcare, including the risk posed by leveraging legacy technology and failing to promptly patch known security gaps. The attack was launched by the Clop ransomware group, notorious for actively targeting the healthcare sector.

The hacking incident impacted at least 100 companies across all sectors, with the healthcare sector seeing the largest number of victims. Clop actors did end up leaking some of the exfiltrated data they stole from these victims, primarily from the U.S. and Canada.

The largest healthcare victims were:

  • Centene subsidiaries: 1.3 million
  • Health Net Community Solutions: 686,556
  • Health Net of California patients: 523,709 
  • California Health & Wellness: 80,138
  • University of Maryland, Baltimore: 30,468
  • Health Net Life Insurance Company: 26,637
  • Kroger: 1.5 million
  • Trinity Health: 586,869
  • Trillium Community Health Plan: 50,000
  • The Southern Illinois University School of Medicine: 40,330

2. Florida Healthy Kids: 3.5 million patients

More than 3.5 million online applicants and enrollees of the Florida Healthy Kids Corporation (FHKC) were affected by a seven-year data breach caused by an FHKC vendor failing to patch multiple vulnerabilities in its website.

The vendor informed FHKC that its security failure led to the access of thousands of applicant addresses. Some of the data was tampered with during the unauthorized access. A forensic review confirmed the website and its databases had several serious, unpatched flaws that allowed an attacker to access the site for many years before it was detected.

The data exposure included names, Social Security numbers, financial information, dates of birth, family relationships, and secondary insurance data.

3. 20/20 Eye Care Network: 3.3 million patients

In May, 20/20 Eye Care Network, also known as 20/20 Hearing Care Network, notified 3.3 million patients that their protected health information was accessed, downloaded, and possibly deleted, after an attacker gained access into its Amazon Web Services cloud storage bucket.

The investigation couldn’t conclusively determine what data the hacker had actually accessed, just that they downloaded some patient information before completely destroying it. The affected data included SSNs, health insurance details, member ID numbers, and dates of birth.

4. CaptureRx: 2.42M patients

HIPAA business associate CaptureRx faced a ransomware attack, which led to the access and exfiltration of a long list of its connected healthcare provider clients. The notice did not provide specifics on when the attack was launched, just that its investigation concluded in February.

The investigation ended on March 19, which confirmed the stolen data included patients’ prescription details, names, and dates of birth. CaptureRx reported the breach to HHS as impacting 2.42 million individuals.

Some of the affected covered entities included:

  • NYC Health + Hospitals: 43,000
  • Faxton St. Luke’s Healthcare in New York: 17,655
  • Jordan Valley Community Health Center: 12,000
  • Trinity Twin City Hospital: 9,500
  • Jones Memorial Hospital: 8,962
  • Hudson Headwaters Health Network: 8,100
  • UPMC Cole: 7,376
  • Gifford Health Care in Vermont: 6,777
  • Ascension St. Joseph Hospital: 5,807
  • Brownsville Community Health Center: 4,258
  • Thrifty Drug Stores: 3,958
  • MetroHealth System
  • Walmart

5. Forefront Dermatology: 2.41 million patients

In late June, screenshots shared with SC Media showed the Cuba hacking group posted data they claim to have obtained from Forefront Dermatology between June 4 and 6. The healthcare provider later confirmed its IT network was hacked, which led to “unauthorized access to certain files” that included protected health information tied to 2.41 million patients.

The official notice stated the attack was detected on June 4, but the hacker first gained access to the Forefront network on May 28.

The compromised data included names, contact information, dates of birth, insurance plan member ID numbers, medical record numbers, dates of service, provider names, medical data, and clinical treatment information. Strangely, despite the data being posted on the dark web, the notice states that the data was only accessed.

6. DNA Diagnostics Center: 2.1 million patients

The data of 2.1 million individuals was potentially accessed and/or stolen, after an attacker gained access to an archived database belonging to DNA Diagnostics Center. The database was tied to a national genetic testing system acquired by DDC in 2012 and was never operated by DDC. It contained personal information collected between 2004 and 2012.

An investigation determined a hacker removed certain files and folders from portions of the DDC network between May 24 and July 28, when it was discovered. The affected patients were informed the data included SSNs and payment information.

The provider worked with outside cybersecurity experts to retrieve the stolen data.

7. Eskenazi Health: 1.5 million patients

The Eskenazi Health breach notification continues to be a strong example on how to handle prompt and transparent notices for patients, which can enable individuals to swiftly move to prevent fraud or identity theft. In an era where security incidents have vast rippling effects, transparency is key to protecting patient privacy.

Indiana-based Eskenazi Health was hit with a ransomware attack on Aug. 4, prompting the response team to shut down its IT network to prevent the attack from spreading and to protect patient safety. The provider was forced into electronic downtime procedures and diverted ambulances in the early days of the response.

With each step of its response, Eskenazi Health provided patients with updates — including when it discovered patient data was stolen before the ransomware deployment and leaked by the Vice Society ransomware group online following the subsequent network outage.

The leak was confirmed on Aug. 25, well ahead of its official HIPAA breach notification released on Oct. 1. More than 1.51 million patients were notified that their names, SSNs, driver’s licenses, passport numbers, face photos, credit card data, prescriptions, and other sensitive information was leaked online.

8. St. Joseph's/Candler Health System: 1.4 million patients

A ransomware attack struck St. Joseph's/Candler Health System in Georgia on June 17, forcing one of Georgia’s largest health systems into EHR downtime procedures for a number of weeks. The attack raised a number of safety concerns for patients, who told local media outlets that clinicians were unable to view medical images or track medications during the outages.

What’s more, the investigation into the incident revealed the hackers first gained access to the system more than six months before deploying the ransomware and used their access to steal troves of patient data. There was no evidence of data exfiltration, but officials could not rule out access.

About 1.4 million patients were notified of the potential data compromise, which could include their names, contact details, SSNs, driver’s licenses, dates of service, provider names, medical record numbers, medical data, health information, and other sensitive data.

The impacted patients have since filed a class-action lawsuit against the health system.

9. University Medical Center of Southern Nevada: 1.3 million patients

REvil ransomware threat actors leaked data allegedly stolen from the University Medical Center of Southern Nevada in early June. In mid-August, UMC confirmed the health system was hit with a cyberattack on June 14 and contained by the security team within 24-hours.

The investigation revealed the hackers gained access to UMC network servers containing files tied to 1.3 million patients and stole the information, including SSNs, demographic details, diagnoses, clinical data, insurance numbers, and other financial and personal data.

10. Practicefirst Medical Management Solutions: 1.2 million patients

Practicefirst Medical Management Solutions and PBS Medcode waited nearly six months after falling victim to a ransomware attack to inform 1.2 million patients that their data was stolen by hackers ahead of the malware deployment. Practicefirst is a third-party medical management vendor tasked with data processing, billing, and coding services for providers.

The initial attack was launched on Dec. 25, 2020, prompting an investigation that found the attacks copied patient and employee files from the network during their access period. The stolen data varied by patient and included names, SSNs, contact details, dates of birth, driver’s licenses, medical data, patient ID numbers, credit cards, and other highly sensitive information.

The vendor negotiated the release of the data with confirmation from the hackers that the data was destroyed and not shared, but researchers have consistently warned there’s no guarantee hackers will actually adhere to promises made to victims about the return or deletion of data. 

Conti ransomware actors, in particular, have been known to falsify evidence provided to victims.

Overall, mid-year data from Fortified Health Security found a 27% year-over-year increase in the number of breaches reported to HHS during the first half of 2021 alone, which has certainly spike during the last six months. The data showed the majority of those incidents were caused by malicious cyberattacks.

As John Riggi, American Hospital Association senior advisor for cybersecurity and risk advisory, previously told SC Media, the biggest attacks seen in 2021 were brought on by business associates.

“There are mission-critical dependencies the provider has, for instance: certain medical devices may require access to a third-party cloud service for them to operate,” said Riggi. “Understanding third-party risk, its implications for patient care services and business operations, is critical for both hospitals and health systems, and healthcare.”

As such, providers must take advantage of the free resources provided by industry leaders and the federal government to quickly close these massive security vulnerabilities that pose a direct patient safety risk.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.