A recent analysis by the Healthnews team reveals that 2023 set a new record for healthcare data breaches.
Last year, the personal information of 135.2 million patients was compromised, affecting over a third of Americans — more than in 2022 and 2021 combined.
Although the number of reported breaches also rose in 2023, it only saw a slight uptick of 2% from the year before, climbing from 720 in 2022 to 734 in 2023. This suggests that the scale of individual breaches has grown larger.
A data breach occurs when sensitive information is accessed or disclosed without permission, putting individuals or organizations at risk. It can involve a range of data types, including personal, financial, and healthcare information.
Healthnews based the analysis on the publicly available data from the U.S. Department of Health and Human Services, which mandates that health organizations report any breaches involving the data of 500 or more individuals.
Patient data has long been a prime target for cybercriminals due to its inclusion of highly sensitive information.
Safeguarding this information demands rigorous data protection, an area where the healthcare sector has consistently fallen short. According to the HIMSS Healthcare Cybersecurity Survey, healthcare organizations dedicate a mere 6% of IT budgets to cybersecurity.
As the industry continues to digitize, the healthcare sector will become an even more lucrative source of information for cybercriminals.
Indeed, even the start of the new year has not been immune to cyberattacks. So far in 2024, 35 breaches have been reported to the Secretary of Health and Human Services, affecting 5.5 million patients.
Top 5 biggest data breaches of 2023
The figures become even more interesting if we delve deeper into the statistics. Despite there being 734 data breaches in U.S. healthcare organizations last year, just five of them were responsible for almost a third of all affected patients.
Here are the biggest healthcare breaches of 2023:
#1 HCA Healthcare
The largest healthcare breach of the year occurred at HCA Healthcare, one of the nation's leading healthcare providers, which affected nearly 11.3 million Americans.
The unauthorized access took place in late June and seems to have resulted from a theft from an external storage location exclusively used to automate the formatting of email messages.
The exposed files contained a range of sensitive patient details, including names, cities, states, zip codes, email addresses, telephone numbers, dates of birth, genders, service dates, locations, and, in some cases, the dates of upcoming appointments.
#2 Perry Johnson & Associates, Inc.
Next is medical transcription company Perry Johnson & Associates, Inc. (PJ&A), which experienced a breach affecting nearly 9 million patients.
In May 2023, PJ&A became aware of a potential data security incident affecting its systems, with the hackers gaining access to personal health information between April 7 and April 19.
Some of the breached data included social security numbers as well as insurance and clinical information extracted from medical transcription files.
#3 Managed Care of North America
Yet another significant cyber incident impacted Managed Care of North America, Inc. (MCNA), which claims to be the leading dental benefits manager providing services to state agencies and managed care organizations for their Medicaid, Children's Health Insurance Program (CHIP), and Medicare members.
In May, MCNA reported a data breach compromising the information of 8.9 million patients and positioning it as the third-largest breach in terms of the number of affected individuals in 2023.
Personal information that may have been involved included names, dates of birth, addresses, phone numbers, email addresses, social security numbers, driver's license numbers or other government-issued identification numbers, and health insurance information.
The LockBit ransomware group claimed responsibility for the cyberattack and reportedly published all the files it had obtained from MCNA Dental after the company declined to pay a $10 million ransom.
#4 Welltok, Inc.
Welltok, a Denver-based patient engagement company, experienced a data breach when an unauthorized actor compromised its MOVEit Transfer server, a system that allows organizations to move large sets of data over the internet. According to the U.S. Department of Health and Human Services, the breach affected approximately 8.5 million clients.
The compromised information differs for each individual and potentially includes names, addresses, telephone numbers, email addresses, social security numbers, Medicare/Medicaid ID numbers, or specific health insurance details such as plan or group names.
#5 PharMerica Corporation
Completing the top five list is the data breach of pharmacy services provider PharMerica Corporation, which impacted 5.8 million patients.
According to the company's statement, an unknown third party accessed PharMerica computer systems between March 12 and 13, 2023. Personal information that may have been compromised during the incident includes names, dates of birth, social security numbers, medication lists, and health insurance information.
Although PharMerica did not specify the type of hacking incident it suffered, the Money Message ransomware gang claimed responsibility for the attack.
- U.S. Department of Health and Human Services Office for Civil Rights. Cases Currently Under Investigation.
- HIMSS. 2022 HIMSS Healthcare Cybersecurity Survey.
- Office of the New York State Attorney General. Consumer Alert: Attorney General James Warns New Yorkers Impacted by Medical Company’s Data Breach of Potential Identity Theft.
- Office of the Maine Attorney General. Data Breach Notifications.
- TechCrunch. Ransomware attack on US dental insurance giant exposes data of 9 million patients.
- Welltok. Notice of Data Privacy Event.
- PharMerica Corporation. PharMerica Notifies Individuals of Privacy Incident.
- BleepingComputer. Ransomware gang steals data of 5.8 million PharMerica patients.