The 10 biggest health data breaches in the first half of 2022

Cybersecurity analysts projected it would be a difficult year for hospitals, and those predictions are proving to be accurate.

Hospitals, health systems and companies dealing with patient records have been targets for cyberattacks in 2022. Millions of Americans have been hit by breaches involving health information in the first half of the year.

The 10 biggest health data breaches reported to the federal government in the first six months of the year all affected at least 500,000 people.

The U.S. Department of Health and Human Services compiles a public listing of breaches that affect at least 500 patient records. In the first six months of 2022, the health department data indicates there have been 337 breaches involving a minimum of 500 patient records, but some of those attacks have affected hundreds of thousands of people.

The attacks have involved hospitals, health systems, physician practices, insurers and other companies with private health information. Cybersecurity experts say ransomware attacks are rising.

For hospitals and health systems, cyberattacks can cost millions of dollars. The average healthcare breach now costs more than $10 million, according to a report by IBM. Cyberattacks also threaten the safety of patients.

“Healthcare has been finding itself in the crosshairs of attackers for the past few years,” Limor Kessem, principal consultant of cyber crisis management at IBM Security, told Chief Healthcare Executive last month.

Here’s a rundown of the 10 largest breaches involving health records in the first half of 2022.

• Related stories on cybersecurity
• Not if, but when: Cyberattacks threaten health systems
• How hospitals can improve cybersecurity

Shields Health Care Group

The Massachusetts-based company was hacked and the breach has affected 2 million people, according to the health department. The breach was submitted to the department on May 27.

Shields, which offers imaging and outpatient services throughout New England, said in a statement it was alerted to suspicious activity that may have involved data compromise on March 28. An investigation determined that an unknown actor gained access to Shields’ systems between March 7 and March 21. Shields said it worked to identify what data may have been involved and notified its healthcare partners on May 25.

The data may have involved information such as names, Social Security numbers, dates of birth, addresses and other information.

Shields said it has worked to secure its systems and has cooperated with law enforcement. In some cases, the company said it had to rebuild some of its systems.

• Related story: Why smaller hospitals are targets for cyberattacks

Broward Health

The Florida-based health system reported the breach affecting 1.35 million people on Jan. 2, the health department said.

In a statement, Broward Health said someone gained access through a third-party medical provider. The system said it discovered the breach on Oct. 19, 2021 and notified the FBI and the U.S. Department of Justice. Broward Health said the justice department advised the organization to “briefly delay this notification to ensure that the notification does not compromise the ongoing law enforcement investigation.”

Broward said the system has worked to bolster security, including tougher security requirements for those devices outside the organization with access to its network.

The health system said the intruders were able to access private data including patient names, dates of birth and Social Security numbers. Broward said it offered identity theft services to those affected.

• Related story: Why the health sector should be worried about Russian cyberattacks

Texas Tech University Health Sciences Center

The health sciences center was hit in a hacking incident that affected 1.29 million people, the health department reports. The breach was reported to HHS on June 7.

Citing a news release, Fox 34 in Lubbock, Texas reports the organization said the breach involved information held by Eye Care Leaders, Inc., a third-party service provider of an electronic medical records system used by Texas Tech’s health sciences center.

Eye Care Leaders reported that it detected the incident in less than 24 hours and disabled the compromised system, Texas Tech said. An investigation found that some compromised databases and files contained patient records. Texas Tech said there was no evidence records were exfiltrated, it’s possible that records were removed.

Some of the records included names, birthdates, Social Security numbers and other medical record data. Texas Tech is offering identity theft services to those affected.

• Related story: How a rural health system improved its cybersecurity

Baptist Medical Center and Resolute Health Hospital

The breach involved the two Texas hospitals, both part of the Baptist Health System. A hacking incident affected 1.24 million people, according to the health department, which was notified June 15. Baptist Health System is part of Tenet Healthcare.

An “unauthorized party” gained access to some systems containing personal information and took some data between March 31 and April 24, according to a statement from the hospitals. The information may have included dates of birth, Social Security numbers, health insurance information, other medical data, and billing and claims information.

The hospitals said they are fortifying their system defenses and working with law enforcement, and individuals are being offered credit monitoring and identity theft services.

• Video: Linda Stevenson of Fisher-Titus Medical Center explains how even smaller hospitals and health systems can improve their cybersecurity. (The story continues below the video.)

Partnership HealthPlan of California

The organization suffered a cyberattack that affected 854,913 people, the health department says.

Someone took private information from Partnership HealthPlan’s systems on or about March 19. After investigating the scope of the attack and the information that was exposed, the organization notified authorities and affected individuals on May 18, according to information filed with the Maine attorney general’s office. The health department was notified May 18.

The information that could have been accessed includes Social Security numbers, dates of birth, medical information including diagnosis, treatment and prescriptions, and health insurance information.

Partnership HealthPlan of California said it is providing credit monitoring to those that were affected for up to two years.

MCG Health, LLC

The Seattle company, which provides clinical guidance technology for health systems, suffered a cyberattack that affected 793,283 people, according to the health department. The firm reported the breach to HHS on June 10.

The company said someone obtained personal information on March 25. The data could have included dates of birth, email addresses, phone numbers and Social Security numbers.

MCG said in a letter that it has employed additional monitoring systems and is working with law enforcement.

Yuma Regional Medical Center

The Arizona hospital suffered a data breach affecting 737,448 people, the health department said. It was reported to HHS on June 9.

Yuma Regional said in a letter that an investigation determined that someone gained access to the medical center’s network between April 21 and April 25. The medical center said the actor or actors gained access to health insurance information, Social Security numbers and limited medical data. The organization said its electronic medical record system was not accessed in the breach.

Yuma said it is bolstering the security of its systems and offering free credit monitoring and identity theft protection.

Morley Companies

The breach affecting Morley Companies offers a window into the size of cyberattacks this year.

The organization reported a hacking incident to the health department Feb. 2. The Morley breach, affecting 521,406 people, was the second biggest reported during the first quarter of the year. However, several larger attacks affecting patient information have been reported since then. Morley offers business services to scores of companies, including health plans.

Michigan Attorney General Dana Nessel said in February the company reported “a data security incident” that may have involved personal data and private health information.

The breach began on Aug. 1, 2021, when Morley’s data became unavailable, the company said in a news release. The company said the attacker or attackers gained access to Social Security numbers, dates of birth, health insurance information, and diagnostic and treatment information. The company has offered resources to those affected.

Adaptive Health Integrations

The North Dakota company endured a cyberattack affecting 510,574 people, according to the health department. Adaptive Health Integrations, which provides software and billing services for health companies, physicians offices and laboratories, notified HHS on April 11.

The firm said in a letter given to the Montana Department of Justice that the breach occurred on or about Oct. 17, 2021 and involved personal data. The company said it worked with external cybersecurity professionals to investigate the breach, and the probe concluded on Feb. 23, 2022.

The company is offering identity theft monitoring services for those affected for a year.

Christie Clinic

The organization, which operates medical practices across Illinois, sustained a cyberattack affecting 502,689 people, according to the health department, which was notified March 25.

The company said in a statement that it discovered suspicious activity related to a business email account between July 14 through Aug. 19, 2021. An investigation determined the actor or actors attempted “to intercept a business transaction between Christie Clinic and a third party vendor,” the company said.

Christie Clinic said the breach didn’t impact electronic medical records, the organization’s patient portal or patient care. On March 10, 2022, the company said it determined the email account could have contained some personal information and notified those affected. Christie Clinic said in a letter it is offering identity theft protection services to those affected for two years.