The 11 biggest health data breaches in 2022

Cyberattacks continued to target hospitals and health systems. More than 21 million people were affected by the 11 largest breaches of health information.

Millions of Americans were affected by security breaches involving their private health information in 2022.

Hospitals and health systems have become prized targets for cybersecurity attacks in recent years. Cybersecurity experts say ransomware attacks involving hospitals are rising, and they expect those attacks to continue.

The U.S. Department of Health and Human Services publicly reports all breaches affecting at least 500 individuals. In 2022, the HHS Office of Civil Rights reported 600 breaches involving at least 500 people. However, some of the breaches involved hundreds of thousands of individuals.

All of the 11 biggest breaches over the past year affected at least one million people. Cumulatively, the 11 largest breaches of 2022 affected more than 21.5 million people. For perspective, 61 other breaches affected at least 100,000 individuals.

Cyberattacks are proving to be very costly to hospitals and health systems. The average healthcare breach now costs more than $10 million, according to an analysis by IBM Security. Cyberattacks also pose serious risks to patient safety, and security experts have implored health systems to bolster their defenses to protect patients.

Here’s a rundown of the 11 largest healthcare breaches in 2022. Some of these breaches involve hospitals and health systems.

Some attacks also involve other companies with access to private health information, including firms providing services to health systems and medical practices. Some also involved systems reporting the unauthorized disclosure of patient information through tracking tools on their websites.

1. OneTouchPoint, Inc.

The Wisconsin-based company suffered a breach involving more than 4.1 million individuals. OneTouchPoint provides mailing, marketing, and other services to healthcare organizations.

The company said it learned of the breach beginning on April 27. On June 1, OneTouchPoint said the company learned it would not be able to determine what specific files were accessed.

The scope of information potentially involved included names and information that may have been provided during a health assessment, the company said.

Scores of companies were affected, including Anthem Affiliated Covered Entities, Blue Cross Blue Shield of Arizona, Blue Cross Blue Shield of Massachusetts, Clover Health, Geisinger, UPMC Health Plan, and others, OneTouchPoint said.

2. Advocate Aurora Health

The health system, which operates hospitals in Illinois and Wisconsin, suffered a breach involving 3 million patients.

Advocate Aurora, one of America’s largest non-profit health systems, said in a statement that some information has been transmitted to other companies due to tracking technologies from Facebook and Google. These online tools, called pixels, track patient trends and preferences on Advocate Aurora's websites. Many hospitals, and many other businesses, use pixels on their websites.

Pixels and other technologies on patient portals, available through MyChart and LiveWell websites, and some scheduling widgets, transmitted some patient information, Advocate Aurora said. The system said it has disabled the pixel technology.

The health system said out of caution, it is assuming that all users of Advocate Aurora MyChart accounts, the LiveWell application, and anyone who used the health system’s scheduling widgets, may have been affected. The system said it hasn’t found any evidence of fraud stemming from the incident, and said the pixels would be very unlikely to result in identity theft or any financial harm.

In December, Advocate Aurora completed its planned merger with Atrium Health.

3. Connexin Software, Inc.

The company, which provides electronic medical records and other information technology services to pediatric practices, suffered a breach affecting more than 2.2 million people, the health department says.

The Pennsylvania-based company, known as Office Practicum, said it discovered an anomaly on its computer network on Aug. 23. On Sept. 13, the company determined hackers removed some patient data. More than 100 practices were affected, the company said.

Some patient information that may have been accessed included names, addresses, dates of birth, Social Security numbers, health insurance information, and billings and claims information. Information on parents and guardians may also have been accessed, Connexin said.

In response to the incident, Connexin said it has “enhanced its security and monitoring as well as further hardened its systems as appropriate to minimize the risk of any similar incident in the future.”

4. Shields Health Care Group

The Massachusetts-based company was hacked and the breach affected 2 million people, according to the health department. The department said it was notified on May 27.

Shields, which provides imaging and outpatient services throughout New England, said in a statement it was alerted to suspicious activity that may have involved data compromise on March 28. An investigation determined that an unknown actor gained access to Shields’ systems between March 7 and March 21. Shields said it worked to identify what data may have been involved and notified its healthcare partners on May 25.

The data may have involved information such as names, Social Security numbers, dates of birth, addresses and other information.

Shields said it has worked to secure its systems and has cooperated with law enforcement. The company said it has moved to improve its protection of private data.

5. Professional Finance Company, Inc.

The Colorado-based company, which collects debts for healthcare systems, suffered a cyberattack that affected more than 1.9 million people, the health department said.

Professional Finance Company said in a statement that it “detected and stopped a sophisticated ransomware attack” in February. The company said that an investigation found that certain private health information was accessed.

PFC said it notified healthcare providers in early May about the breach, and hundreds of companies were affected. Here’s the list provided by PFC.

The company said it found no evidence that private information has been misused, but PFC said unauthorized actors may have accessed names, Social Security numbers, health insurance and medical treatment information.

6. Baptist Medical Center and Resolute Health Hospital

The breach involved the two Texas hospitals, both part of the Baptist Health System. A hacking incident affected 1.6 million people, according to the health department, which was notified June 15. Baptist Health System is part of Tenet Healthcare.

An “unauthorized party” gained access to some systems containing personal information and took data between March 31 and April 24, according to a statement from the hospitals. The information may have included dates of birth, Social Security numbers, health insurance information, other medical data, and billing and claims information.

The hospitals said they are fortifying their system defenses and working with law enforcement, and individuals are being offered credit monitoring and identity theft services.

The health department initially said in the summer that the breach affected 1.24 million people, but the agency now says the number affected has grown to 1.6 million.

7. Community Health Network

The organization, based in Indiana, suffered a data breach affecting 1.5 million people, the health department said. Community Health Network said the breach involved third-party tracking technology, similar to the breach that affected Advocate Aurora (see above).

Community disclosed the breach Nov. 16. Like other health systems, Community said in a statement it worked with service providers to use web-based tracking technologies provided by Google and Facebook, among others.

“On September 22, 2022, we discovered through our investigation that the configuration of certain technologies allowed for a broader scope of information to be collected and transmitted to each corresponding third-party tracking technology vendor (e.g., Facebook and Google) than Community had ever intended,” the system said in a release.

Community said it was unable to say precisely what information was involved, but it could have included names and medical information communicated through MyChart, along with information about appointments and scheduled procedures.

The system said it had no information that Social Security numbers, financial account numbers, or debit and credit card information was collected by or transmitted through the tracking technologies.

8. Novant Health

Breaches involving tracking technology are becoming more common.

Novant Health notified some of its patients and customers about the potential disclosure of patient health information to Meta due to what it described as an incorrect configuration of a pixel. More than 1.36 million people were affected, according to the health department.

Novant said it determined on June 17, 2022 that private health information may have been disclosed to Meta, which operates Facebook and Instagram. The information could have been disclosed through Novant’s website and the MyChart portal, the North Carolina-based system said.

The information involved could have included email addresses, phone numbers, and information about appointments. Novant said the information did not include Social Security numbers or other financial information, unless the user typed it into a text box. The system sent letters to each patient and said the letters would state if financial information was involved.

9. Broward Health

The Florida-based health system reported the breach affecting 1.35 million people on Jan. 2, 2022, the health department said.

Broward Health said in a statement that someone gained access through a third-party medical provider. The system said it discovered the breach on Oct. 19, 2021 and notified the FBI and the U.S. Department of Justice. Broward Health said the justice department advised the organization to “briefly delay this notification to ensure that the notification does not compromise the ongoing law enforcement investigation.”

Broward said the system has worked to strengthen security, including tougher security requirements for those devices outside the organization with access to its network.

The health system said the intruders were able to access private data including patient names, dates of birth and Social Security numbers. Broward said it offered identity theft services to those affected.

10. Texas Tech University Health Sciences Center

The health sciences center was hit in a hacking incident that affected 1.29 million people, the health department said. The breach was reported to the department on June 7.

Citing a news release from Texas Tech, FOX 34 in Lubbock, Texas reported that the organization said the breach involved information held by Eye Care Leaders, Inc., a third-party service provider of an electronic medical records system used by Texas Tech’s health sciences center.

Eye Care Leaders reported that it detected the incident in less than 24 hours and disabled the compromised system, Texas Tech said. An investigation found that some compromised databases and files contained patient records. Texas Tech said there was no evidence records were exfiltrated, but it’s possible that records were removed.

Some of the records included names, birthdates, Social Security numbers and other medical record data. Texas Tech is offering identity theft services to those affected.

11. Doctors’ Center Hospital

The system, based in Puerto Rico, suffered a breach affecting more than 1.19 million people, the health department reported. Doctors’ Center Hospital reported the breach to the health department on Nov. 9.

Doctors’ Center Hospital said in a statement on its website that no misuse of patient information has been reported.

The system said the incident was detected Oct. 17, 2022, and that systems were fully restored. The system said the attack affected its communications network.

The organization said it is working with IT consultants to strengthen its network to ensure patient data is protected.