Largest healthcare data breaches in 2020 and 2021

The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information (PHI). Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third-party service providers.

In addition, the Secretary of Health and Human Services (HHS) must post a list of breaches of unsecured PHI affecting 500 or more individuals. Breaches are classified as Resolved or Under Investigation, with breach reports older than 24 months falling under the Resolved category.

How many healthcare data breaches are there each year?

According to the HHS Office for Civil Rights Breach Portal, sometimes referred to as the Wall of Shame, there were over 660 healthcare data breaches in 2020, an increase of 150 data breaches from 2019. There were fewer than 400 healthcare data breaches each year prior to 2018. There have been nearly 550 breaches through mid-October 2021.

HHS reported healthcare data breaches by year

How many records are affected by healthcare data breaches?

The 663 healthcare data breaches in 2020 affected over 33 million individual records. This is a slight decrease from the 42 million records compromised in 512 breaches in 2019. Through mid-October 2021, 543 breaches have affected more than 36 million records.

2015 had the highest number of total individuals affected over the last several years with more than 112 million records breached. A single health plan breach risked nearly 79 million records.

Total healthcare records affected each year

Between 2016 and 2020, each healthcare data breach affected about 47,350 records on average. 2019 had the highest average at 82,700. In 2021, breaches are affecting about 66,700 records on average.

Average number of healthcare records affected each year

What types of organizations are targets for healthcare data breaches?

HHS tracks data breaches at four types of organizations: healthcare providers, health plans, business associates and healthcare clearinghouses. Healthcare providers consistently report the highest number of breaches.

In 2020, over three-quarters of healthcare data breaches took place at healthcare provider organizations. On average, health plans account for about 15 percent of breaches and business associates account for nine percent.

Type of organization with healthcare breach by year

What kind of healthcare data breaches are most common?

Of the 663 healthcare data breaches reported in 2020, over two-thirds were due to hacking or IT incidents. Hacking and IT incidents have consistently been the most common type of breach, and the number of such cases is increasing each year as ransomware attacks increase. At the same time, unauthorized access/disclosure, theft and loss cases have declined.

Type of healthcare data breach

What are the common sources of healthcare data breaches?

Network server breaches made up about 40 percent of healthcare data breaches in 2020, an increase from 26 percent of breaches in 2019. Email as the source of an attack decreased from 42 percent in 2019 to 36 percent in 2020.

Location of breached information

What are the largest healthcare data breach incidents in 2020 and 2021?

Out of the 663 healthcare data breaches in 2020, the top twenty account for nearly half, or 16 million, of the 33 million total individuals affected. The largest incident compromised over 3.3 million records and five breaches affected over 1 million individuals each.

Healthcare data breaches with highest number of individuals affected 2020

| Rank | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Status |
|---|---|---|---|---|---|---|
| 1 | MI | Business Associate | 3,320,726 | Hacking/IT Incident | Network Server | Resolved |
| 2 | OH | Business Associate | 1,474,000 | Unauthorized Access/Disclosure | Email | Under Investigation |
| 3 | FL | Business Associate | 1,290,670 | Hacking/IT Incident | Email | Under Investigation |
| 4 | VA | Healthcare Provider | 1,045,270 | Hacking/IT Incident | Network Server | Resolved |
| 5 | AZ | Health Plan | 1,013,956 | Hacking/IT Incident | Email, Network Server | Under Investigation |
| 6 | FL | Business Associate | 1,004,304 | Hacking/IT Incident | Network Server | Under Investigation |
| 7 | MD | Business Associate | 878,550 | Hacking/IT Incident | Network Server | Under Investigation |
| 8 | OH | Business Associate | 829,454 | Hacking/IT Incident | Network Server | Under Investigation |
| 9 | OR | Health Plan | 654,362 | Theft | Laptop | Resolved |
| 10 | FL | Healthcare Provider | 640,000 | Hacking/IT Incident | Network Server | Under Investigation |
| 11 | IN | Healthcare Provider | 550,000 | Improper Disposal | Paper/Films | Under Investigation |
| 12 | CT | Health Plan | 484,157 | Hacking/IT Incident | Email | Under Investigation |
| 13 | CA | Health Plan | 418,842 | Hacking/IT Incident | Email | Under Investigation |
| 14 | MO | Healthcare Provider | 360,212 | Hacking/IT Incident | Network Server | Resolved |
| 15 | PA | Healthcare Provider | 353,616 | Hacking/IT Incident | Email | Under Investigation |
| 16 | IL | Healthcare Provider | 348,746 | Hacking/IT Incident | Network Server | Resolved |
| 17 | CO | Healthcare Provider | 343,493 | Hacking/IT Incident | Network Server | Resolved |
| 18 | FL | Healthcare Provider | 315,337 | Hacking/IT Incident | Network Server | Resolved |
| 19 | NY | Healthcare Provider | 314,829 | Hacking/IT Incident | Network Server | Resolved |
| 20 | AZ | Business Associate | 314,704 | Hacking/IT Incident | Email, Network Server | Resolved |

Fig. 1 Data is from the HHS Breach Portal. Data accurate as of October 2021.

Through mid-October 2021, there have been 543 healthcare data breaches. The top twenty breaches by individuals affected account for two-thirds, or 24 million of 36 million, of all records compromised. The two largest incidents both affected over 3.2 million individuals.

Seven additional attacks compromised between 1.2 million and 2.4 million records. On average, each healthcare data breach in 2021 affected about 66,700 individuals, compared to 50,120 on average in 2020.

Healthcare data breaches with highest number of individuals affected 2021

| Rank | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Status |
|---|---|---|---|---|---|---|
| 1 | FL | Health Plan | 3,500,000 | Hacking/IT Incident | Network Server | Under Investigation |
| 2 | FL | Business Associate | 3,253,822 | Hacking/IT Incident | Other | Under Investigation |
| 3 | WI | Healthcare Provider | 2,413,553 | Hacking/IT Incident | Network Server | Under Investigation |
| 4 | TX | Business Associate | 1,656,569 | Hacking/IT Incident | Network Server | Under Investigation |
| 5 | OH | Healthcare Provider | 1,474,284 | Hacking/IT Incident | Network Server | Under Investigation |
| 6 | GA | Healthcare Provider | 1,400,000 | Hacking/IT Incident | Network Server | Under Investigation |
| 7 | NV | Healthcare Provider | 1,300,000 | Hacking/IT Incident | Network Server | Under Investigation |
| 8 | NY | Healthcare Provider | 1,269,074 | Hacking/IT Incident | Email | Under Investigation |
| 9 | NY | Business Associate | 1,210,688 | Hacking/IT Incident | Network Server | Under Investigation |
| 10 | NY | Business Associate | 753,107 | Hacking/IT Incident | Network Server | Under Investigation |
| 11 | FL | Healthcare Provider | 700,981 | Hacking/IT Incident | Network Server | Under Investigation |
| 12 | CA | Health Plan | 686,556 | Hacking/IT Incident | Network Server | Under Investigation |
| 13 | IL | Healthcare Provider | 655,384 | Hacking/IT Incident | Network Server | Under Investigation |
| 14 | TX | Healthcare Provider | 640,436 | Hacking/IT Incident | Network Server | Under Investigation |
| 15 | NM | Healthcare Provider | 637,252 | Hacking/IT Incident | Network Server | Under Investigation |
| 16 | MI | Business Associate | 586,869 | Hacking/IT Incident | Network Server | Under Investigation |
| 17 | IA | Healthcare Provider | 527,378 | Hacking/IT Incident | Network Server | Under Investigation |
| 18 | CA | Health Plan | 523,709 | Hacking/IT Incident | Network Server | Under Investigation |
| 19 | AK | Health Plan | 500,000 | Hacking/IT Incident | Desktop Computer, Laptop, Network Server | Under Investigation |
| 20 | CA | Healthcare Provider | 495,949 | Unauthorized Access/Disclosure | Network Server | Under Investigation |

Fig. 2 Data is from the HHS Breach Portal. Data accurate as of October 2021.
