2020 was a really bad year when it comes to healthcare industry data breaches. There were 616 data breaches involving 500 or more health records documented by the HHS’ Office for Civil Rights. Those breaches had 28,756,445 healthcare records compromised, or impermissibly disclosed that makes 2020 the third worst year when it comes to the quantity of breached healthcare records.
2020’s Biggest Healthcare Data Breaches
In case a breach occurs at a business associate of a HIPAA-covered entity, the covered entity typically reports the incident and not the business associate. In 2020, the cloud service provider Blackbaud Inc. had suffered a huge data breach. Hackers obtained access to its network systems and stole its customer’s fundraising databases prior to deploying ransomware. Blackbaud got a ransom demand as well as a threat that if the ransom is not paid, the stolen records would be published to the public. Blackbaud opted to pay the ransom to avert exposing client data. Blackbaud was guarantees that the stolen files were completely disposed of and was not exposed.
The actual number of people affected individuals by the Blackbaud ransomware attack may never be reported correctly, nevertheless over 6 dozen healthcare companies have confirmed being affected thus far and above 8 million healthcare records were possibly exposed. That breach clearly is on top of the listing of the largest 2020’s healthcare data breaches and is one of the biggest healthcare data breaches in history.
Below is the list of the reported data breaches in 2020 involving 500,000 healthcare records. In some instances, the actual data breach took place prior to 2020, but was just uncovered and reported in 2020.
- Trinity Health – 3,320,726 people impacted
Trinity Health was the most severely affected healthcare organization of the Blackbaud ransomware attack. The hackers likely got the philanthropy data bank of the Catholic health system based in Livonia, Michigan which comprised patient and donor records from 2000 to 2020.
- MEDNAX Services, Inc. – 1,290,670 people impacted
MEDNAX Services Inc based in Sunrise, Florida experienced a security breach of its Office 365 account in June 2020 because staff members responded to phishing email messages. The substantial breach involved patient and guarantor data including driver’s license numbers, Social Security numbers, and health insurance and financial data.
- Inova Health System – 1,045,270 people impacted
Inova Health System based in Virginia was also impacted by the Blackbaud ransomware attack. Inova’s fundraising data bank that comprised patient and donor records was possibly compromised.
- Magellan Health Inc. 1,013,956 persons affected
Magellan Health based in Arizona experienced a ransomware attack in April 2020 that lead to the potential compromise of the protected health information (PHI) of patients. The ransomware attack actually started with a spear phishing email. A number of of its affiliated entities were likewise impacted by the breach as well.
- Dental Care Alliance – 1,004,304 persons impacted
Dental Care Alliance, LLC in Sarasota, Florida reported a security breach of its networks in December. The nature of the breach is still uncertain as the investigation is still ongoing. The breach impacted a lot of its affiliated dental practices.
- Luxottica of America Inc. – 829,454 persons impacted
Luxottica of America Inc. is a vision care company that is popular throughout the United States for the eyewear brands Oakley, Ray-Ban, and Persol. It experienced a cyberattack in August 2020 and hackers gained access to its online appointment scheduling system that stored the PHI its eye care partners’ of patients.
- Northern Light Health – 657,392 persons impacted
Northern Light Health in Maine was also affected by the Blackbaud ransomware attack. The hackers likely acquired access to its fundraising repository that comprised patient and donor records.
- Health Share of Oregon – 654,362 Individuals
In May 2020, Health Share of Oregon submitted a report of the theft of a laptop from its vendor of non-emergent medical transport. The stolen laptop lacked encryption, which likely permitted the crook to obtain access to patients’ contact details, Social Security numbers, and Health Share ID numbers.
- Florida Orthopaedic Institute – 640,000 people affected
Florida Orthopaedic Institute encountered a ransomware attack in April that resulted in the encryption of patient data kept on its servers. Prior to the use of ransomware, the attackers could have viewed or acquired patient records.
- Elkhart Emergency Physicians – 550,000 persons affected
Elkhart Emergency Physicians submitted a breach report in May 2020 regarding the incorrect disposal of patient documents by Central Files Inc., a third-party storage supplier. Elkhart Emergency Physicians was the worst impacted entity, nonetheless a number of other clients of the provider were likewise impacted by the breach. The documents were thrown out without shredding after the permanent closing of the storage center.