Here are the 10 biggest health data breaches in the first half of 2023

Cyberattacks and health data breaches have already affected tens of millions of Americans in 2023, and we’re only halfway through the year.

In looking at the biggest breaches of health data in the past six months of 2023, the two largest affected a combined total of more than 14 million people. Several breaches have affected at least 2 million Americans. Each of the 10 largest breaches in 2023 have affected at least 500,000 people, and combined, they affected more than 30 million Americans.

The U.S. Department of Health and Human Services requires organizations to report any health breach affecting at least 500 Americans. In the first six months of the year, more than 300 breaches have been reported to the HHS Office of Civil Rights.

• Read more: Paying the Ransom | A special report

Many of those breaches involve cyberattacks and ransom demands, but some breaches involve the inadvertent disclosure of private health data through tracking technologies, known as pixels, utilized by social media companies.

Cybersecurity experts have implored hospitals and health systems to fortify their defenses against cyberattacks, and to develop detailed response plans in order to maintain operations in the event of an attack.

John Riggi, the national advisor for cybersecurity and risk for the American Hospital Association, says there’s a growing awareness among hospital leaders about the threat of cyberattacks to patient safety.

“They understand that the number one risk posed by cyber risk is the risk to patient safety because of the disruption in delay to healthcare delivery,” Riggi says.

Here’s a look at the 10 biggest breaches of private health information in the first six months of 2023.

1. Managed Care of North America

MCNA, a dental insurer, has been hit with the largest breach of health data in 2023, and it surpasses any breach in 2022 as well. The breach affected more than 8.8 million Americans, according to HHS.

In a public statement, MCNA says it determined someone “was able to see and take copies of some information in our computer system between February 26, 2023 and March 7, 2023.”

The intruders gained access to information including full names, Social Security numbers, insurance information, driver’s licenses or other government identification numbers, and care for teeth and braces. MCNA is providing customers one year of identity theft protection service. The company is also bolstering its network defenses.

“We are also making our computer systems even stronger than before because we do not want this to happen again,” MCNA said.

(In this video, Clearwater CEO Steve Cagle discusses reducing the risks of a ransomware attack. The story continues below.)

2. PharMerica Corporation

A pharmacy services firm, PharMerica said in a statement it was hit with a cyberattack in March. The breach has affected more than 5.8 million Americans, the health department says.

PharMerica says a third party accessed its computers March 12-23, and the company and its parent, Brightspring Health Services, Inc., learned of the suspicious activity March 14. Later that month, the company determined the criminals may have taken data including names, Social Security numbers, medication information and insurance information.

The company says it’s not aware of any theft or fraud, but is offering identity theft protection and credit monitoring services.

PharMerica says it’s taking steps to improve its procedures to reduce the risk of another incident.

• Read more: Hospitals and cybersecurity: The government is giving greater attention and scrutiny

3. Regal Medical Group

The southern California medical group said in February that it was the victim of a ransomware attack. The breach potentially exposed the data of more than 3.3 million people, according to the health department.

Regal said in a statement the breach, which it said originated from a “ransomware cyberattack,” occurred on or about Dec. 1. The medical group became aware of the breach December 8.

The breach may have exposed information from Regal and its affiliates: ​​Lakeside Medical Organization, Affiliated Doctors of Orange County and Greater Covina Medical Group.

Patient information that could have been exposed includes names, Social Security numbers for some individuals, dates of birth, phone numbers, diagnoses and treatment information, health plan member numbers, prescriptions and lab results, Regal said.

The medical group said it is improving its security, and is offering free credit monitoring to patients for one year.

4. Cerebral, Inc.

The telehealth company said patient information was inadvertently disclosed to other parties. The health department says more than 3.1 million people are affected.

Cerebral said information may have been shared via pixels, such as those made available by Google, Meta (the parent of Facebook) and Tik Tok. Other health systems have reported similar breaches involving tracking technology.

In a statement, Cerebral said the company determined in early January that it had “disclosed certain information that may be regulated as protected health information (“PHI”) under HIPAA to certain Third-Party Platforms and some Subcontractors without having obtained HIPAA-required assurances.”

Cerebral said the information disclosed could include names, phone numbers, email addresses, dates of birth, and other information. For patients who completed mental health self assessments, the information disclosed could have included the services they received and assessment responses.

Four U.S. senators wrote letters to telehealth companies, including Cerebral, asking them to do more to protect patient information.

5. NationsBenefits Holdings

The company provides supplemental benefits, flex cards and other solutions for healthcare plans and managed care organizations. NationsBenefits has informed the New Hampshire Attorney General’s office it is one of more than 100 organizations affected by a data breach involving Fortra, a cybersecurity company, TechCrunch reports.

The health department says the NationsBenefits breach affected more than 3 million people.

A Russia-linked ransomware group Clop, which typically targets the healthcare sector, has claimed responsibility for the broader Fortra attack, according to the Michigan Attorney General’s office. The incident apparently involved vulnerabilities in file transfer servers, authorities say.

NationsBenefits says it began notifying plan members of the breach on April 13, and the company told the New Hampshire AG’s office it is providing two years of identity theft protection for those affected.

6. Harvard Pilgrim Health Care

The health insurer says in a public notice that it suffered a ransomware attack on April 17. The breach has affected more than 2.5 million people, according to the health department.

Harvard Pilgrim says an investigation determined that data was copied and taken from its systems from March 28 to April 17. The attacks involved systems that support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride plans.

The company says the attacker took information that could include names, addresses, dates of birth, Social Security numbers, insurance account information, and clinical information. The firm says it’s not aware of any misuse of private health information.

Harvard Pilgrim says it’s aiming to improve its data security.

“We want to assure you that we are taking this incident extremely seriously, and we deeply regret any inconvenience this incident may cause,” the company said.

7. Enzo Clinical Labs

The company says it identified a ransomware incident in April. The data breach has affected 2.47 million people, HHS says.

Enzo says in a public notice that an unauthorized party accessed files between April 4 and April 6.

The company says some of the files accessed include patient names, clinical test information and, in some cases, Social Security numbers. Enzo says patient financial and payment information was not involved.

“Enzo takes this incident very seriously and regrets any inconvenience or concern this may cause those who are affected. To help prevent something like this from happening in the future, we have and will continue to take steps to enhance the security of our computer systems and the data we maintain,” the company said.

8. ZOLL Medical Corporation

The company, which makes medical devices, suffered a breach that has affected about 1 million individuals. The U.S. health department estimates the figure is 997,097, while the Maine attorney general’s office puts the number affected at 1,004,443.

ZOLL said in a letter to patients the breach was caused by a “cybersecurity incident.”

“Based on our investigation, we have no indication that any of your information has been misused,” ZOLL said in the letter to patients.

Some information exposed could include Social Security numbers. Patients who have been affected are being offered identity theft services for up to two years, and employees who have been impacted are being offered those services for three years.

ZOLL produces devices for defibrillation and cardiac monitoring, sleep apnea, oxygen therapy and more.

9. Community Health Systems

The Tennessee-based hospital system said it was affected by the cybersecurity incident involving Fortra, the cybersecurity firm. More than 960,000 people have been affected, according to the health department.

Community Health Systems said in a statement the breach stems from an attack on Fortra, which contracts with the health system to provide a secure file transfer software called GoAnywhere.

The incident occurred between Jan. 28 and Jan. 30, Community Health System said.

In a notices to the SEC, the hospital system said, “While that investigation is still ongoing, the Company believes that the Fortra breach has not had any impact on any of the Company’s information systems and that there has not been any material interruption of the Company’s business operations, including the delivery of patient care.”

The hospital system said information relating to patients, a limited number of employees and others may have been disclosed. The information could have included names, addresses, medical billing, information such as diagnosis and mediations, dates of birth and Social Security numbers.

The hospital system said it was providing two years of identity theft and credit monitoring services to those affected.

“We share your frustration with this security incident, and we apologize for any inconvenience,” CHS said.

10. CentraState Healthcare System

The hospital system based in New Jersey suffered a data breach due to an attack affecting more than 617,000 individuals, according to the health department.

The company said in a public notice that on Dec. 29, someone obtained an archived database containing patient information.

The data included names, dates of birth, Social Security numbers, health insurance information and medical record numbers. The intruders also accessed information related to care provided by CentraState, including dates of service, diagnoses, treatment plans and prescription information. The health system says no financial account or payment information was involved.

The breach was reported to HHS on Feb. 10, and CentraState said it began notifying patients on that date. The system is offering identity theft protection and credit monitoring.

Due to the incident, the health system temporarily diverted ambulances and halted some outpatient services in late December, The Asbury Park Press reported.

“We deeply regret any concern this incident may have caused and want to assure you that we are committed to the security of our systems, and we remain ready to provide the high-quality care that our patients and families have come to expect from CentraState,” the health system said.