12. Sutter Medical Foundation
Individuals Affected: 943,434
When: October 2011
The Sacramento, Calif.-based Sutter Health affiliate reported the theft of a company desktop computer containing clinical data and medical diagnosis information for its patients. The computer also held limited demographic data on more than 3.3 million additional individuals. Eleven lawsuits have been filed in total, seeking damages that could amount to between $944 million and $4.25 billion.
11. Blue Cross Blue Shield of Tennessee
Individuals Affected: 1.02 million
When: October 2009
The Chattanooga, Tenn.-based health insurer reported the theft of 57 unencrypted computer hard drives from one of the company's leased facilities. The drives contained member demographic information along with Social Security numbers, diagnosis codes and health plan identification numbers. BCBST paid $1.5 million to the U.S. Department of Health and Human Services to settle the breach allegations. The insurer also spent $6 million on additional data encryption and nearly $17 million on protection, investigation and member notification. The settlement with HHS was the first enforcement action resulting from the HITECH Breach Notification Rule.
10. The Nemours Foundation
Individuals Affected: 1.06 million
When: August 2011
The foundation reported that three unencrypted backup tapes went missing from a locked storage cabinet at its Wilmington, Del. facility. The tapes contained patient names, addresses, dates of birth, Social Security numbers and personal health information, as well as financial and demographic information on employees, vendors and patient guarantors. The foundation offered affected individuals one year of free credit monitoring and credit protection.
9. AvMed Inc.
Individuals Affected: 1.22 million
When: December 2009
The Miami-based health insurer reported the theft of two unencrypted laptops containing member names, dates of birth, addresses, Social Security numbers and personal health information. According to officials, both laptops went missing from a locked conference room. Although the breach occurred in December 2009, the company waited until February 2010 to notify affected members. The number of individuals affected was initially pegged at 208,000; by June 2010 that figure had risen to 1.22 million.
8. Montana Department of Public Health and Human Services
Individuals Affected: 1.3 million
When: July 2013
The state agency notified some 1.3 million people after hackers had unfettered access to an agency server for nearly a year before being discovered. According to DPHHS officials, the hackers likely first gained access to the server as far back as July 2013, but the breach was not discovered until May 15, 2014; an independent investigation confirmed on May 22 that the server had been accessed by outsiders. Compromised data included the names, addresses, dates of birth, Social Security numbers, clinical and medical data and dates of service of clients, employees and contractors. DPHHS employee bank account and payroll information was also held on the server, officials say.
7. New York City Health & Hospitals Corporation's North Bronx Healthcare Network
Individuals Affected: 1.7 million
When: December 2010
The Bronx, N.Y.-based health network reported that backup tapes for two computer systems were stolen from a vendor's truck parked on a Manhattan street. The tapes contained 20 years of personal health information on employees, vendors and patients. The North Bronx Healthcare Network includes Jacobi Medical Center, North Central Bronx Hospital, the Health Center at Gun Hill and the Health Center at Tremont. Affected individuals were offered one year of free credit monitoring.
6. Health Net Inc.
Individuals Affected: 1.9 million
When: January 2011
The Woodland Hills, Calif.-based health insurer reported that nine server drives went missing in January 2011, and it waited two months before reporting the breach. The drives contained the Social Security numbers, names, addresses and health information of Health Net employees, members and providers. The company offered two years of free identity and fraud protection and identity theft insurance.
5. Advocate Health Care
Individuals Affected: 4.03 million
When: July 2013
One of the nation's largest healthcare systems notified more than four million patients that their protected health information and Social Security numbers had been compromised after the theft of four unencrypted company computers. Advocate Health System announced that the theft occurred on July 15 at one of its Advocate Medical Group administrative buildings in Park Ridge, Ill. According to officials, the computers held patient names, addresses, dates of birth, Social Security numbers and clinical information, including physician, medical diagnoses, medical record numbers and health insurance data. Class action lawsuits against the health system have so far been unsuccessful, but several are still pending.
4. Community Health Systems
Individuals Affected: 4.5 million
When: April-June 2014
One of the nation's largest hospital operators notified some 4.5 million of its patients that their personal information had been stolen by cybercriminals. The Franklin, Tenn.-based company, which operates 206 hospitals across 29 states, reported in an Aug. 18 securities filing that hackers gained access to CHS' systems in April and June 2014. The attackers, who officials say originated from China, "used highly sophisticated malware and technology," the filing stated. According to information security firm TrustedSec, the intrusion was carried out by a Chinese advanced persistent threat group that exploited CVE-2014-0160, the Heartbleed vulnerability in OpenSSL's TLS heartbeat extension, which lets an unauthenticated remote peer read chunks of a vulnerable server's process memory, credentials and private keys included. Not until Aug. 19 did the Federal Bureau of Investigation issue an alert to healthcare organizations that might be susceptible to attack, and the alert did not refer specifically to the Chinese group. This is the largest hacking-related HIPAA breach ever reported, according to data from HHS' Office for Civil Rights.
3. TRICARE Management Activity
Individuals Affected: 4.9 million
When: September 2011
In one of the biggest HIPAA breaches on record, the Falls Church, Va.-based military health care provider reported the loss of backup tapes containing personally identifiable information and protected health information from military beneficiaries' electronic health records. According to officials, the tapes may have contained patient addresses, phone numbers, Social Security numbers and clinical data.
2. Premera Blue Cross
Individuals Affected: 11 million
When: January 2015
Washington state-based Premera Blue Cross, a not-for-profit plan whose corporate clients include Pacific Northwest giants Microsoft and Starbucks, announced that it had been the target of a "sophisticated cyberattack" in which hackers gained access to the financial and medical information of 11 million members. Officials announced the breach, which the company discovered in January 2015, on March 17. The attackers, who some have suggested may be the same Chinese spies suspected in the massive Anthem breach disclosed the previous month, gained access to a plethora of personal data: Social Security numbers, financial information, medical claims data, addresses, email addresses, names and dates of birth.