These are the 11 biggest health data breaches of 2023

Cyberattacks affected tens of millions of Americans in 2023.

Analysts say ransomware groups and attackers found ways to deliver more damaging breaches over the past year. Breaches of private health information affected more victims, cybersecurity experts say. Some organizations suffered attacks that exposed the information of millions of patients.

• Read more: Emerging cybersecurity threats in healthcare

The U.S. Department of Health and Human Services requires organizations to disclose if they’ve suffered a data breach affecting more than 500 individuals. According to the department’s data, 541 breaches were reported in 2023. It’s worth noting additional breaches that occurred in 2023 may be reported in the future.

Here’s a review of the 11 largest health data breaches in 2023, based on the health department’s data. Each of the 11 biggest breaches affected a minimum of 3 million individuals.

Taken together, these 11 breaches of private health information affected more than 70.3 million individuals. By comparison, the 11 biggest health data breaches of 2022 affected 21.5 million people.

Some breaches involved hospitals and health systems, but attackers have also gone after insurers. Analysts also warn that attackers have targeted the vendors that work with health systems and payers. Some of the organizations were affected by breaches involving file transfer software used by their partners.

John Riggi, national advisor for cybersecurity for the American Hospital Association, said 2023 is likely to be the most damaging year for cyberattacks, in terms of the number of victims. The average breach over the past year affected more than 200,000 people, he said.

“The bad guys have figured out it's not the number of attacks. It's where you attack,” he told Chief Healthcare Executive® in a recent interview.

Here’s the rundown of the largest breaches of health information over the past year.

HCA Healthcare

The nation’s largest hospital system disclosed a breach in July that affected as many as 11 million individuals.

HCA said that the information included patients, names, addresses, dates of birth and information on patient service dates, locations, and the dates for appointments.

“This appears to be a theft from an external storage location exclusively used to automate the formatting of email messages,” HCA said in a statement.

HCA said the breach did not expose clinical information, such as treatment, diagnosis, or condition, or payment information, such as credit card or account numbers.

The company says it has been working with law enforcement agencies and threat intelligence advisors to investigate the breach.

HCA operates 182 hospitals and more than 2,300 healthcare sites across the United States and in the United Kingdom. HCA says the UK facilities were not affected.

(In this video, cybersecurity experts talked with Chief Healthcare Executive® about emerging threats for hospitals and healthcare organizations.)

PJ&A

Perry Johnson & Associates, Inc., which does business as PJ&A, suffered a breach affecting more than 8.95 million individuals. PJ&A offers medical transcription services used by health systems and providers for documenting patient notes.

The breach was posted on the health department database on Nov. 3.

PJ&A said in a notice that there is no evidence the data has been used for fraud or identity theft. The company said an unauthorized party gained access to the PJ&A network between March 27 and May 2, 2023.

The company said the breach “did not involve access to any systems or networks of PJ&A’s healthcare customers.”

New York Attorney General Letitia James said in November that at least 4 million individuals in New York were affected.

• Read more: Paying the ransom: Hospitals face hard decisions in cyberattacks

MCNA

Managed Care of North America (MCNA), a dental insurer, suffered a breach affecting more than 8.8 million Americans. The breach was reported in May.

MCNA said in a public statement that it determined someone “was able to see and take copies of some information in our computer system between February 26, 2023 and March 7, 2023.”

The attackers gained access to data including full names, Social Security numbers, insurance information, driver’s licenses or other government identification numbers, and care for teeth and braces.

The LockBit ransomware game claimed credit for the attack and released the data after issuing a ransom demand, Bleeping Computer reported.

• Read more: The average cost of a health data breach nears $11 million

Welltok

The software company suffered a breach affecting nearly 8.5 million individuals, according to the health department. It was posted on Nov. 6.

Welltok said in a statement that it’s one of many organizations affected by the breach involving MOVEIt, a well-known file transfer tool from Progress Software. Many health data breaches have involved the MOVEIt incident, says John Riggi of the American Hospital Association.

Welltok says it has reached out to dozens of hospitals, health systems and insurers utilizing the company’s software. The company says the breach involved the names, addresses, phone numbers and email addresses of individuals, and a smaller group may have had their Social Security numbers or their Medicare and Medicaid identification numbers exposed.

Progress Software has said that it disclosed the MOVEit vulnerability on May 31, and deployed a patch that day.

PharMerica Corporation

A pharmacy services firm, PharMerica said in a statement it was hit with a cyberattack in March. The breach has affected more than 5.8 million Americans, according to the health department.

PharMerica says a third party accessed its computers March 12-23, and the company and its parent, Brightspring Health Services, Inc., learned of the suspicious activity March 14. Later that month, the company determined the criminals may have taken data including names, Social Security numbers, medication information and insurance information.

The company said it’s not aware of any theft or fraud related to the breach, but is offering identity theft protection and credit monitoring services.

PharMerica also said it was changing procedures to reduce the likelihood of another breach.

Health EC

Health EC, a population health technology company, suffered a cyberattack that has affected health systems and providers across the country. More than 4.4 million people have been affected by the breach, according to the health department.

Health EC issued a public statement about the breach on Dec. 22. The company said in a press release that an unknown actor accessed Health EC’s network and copied files between July 14 and 23, 2023. The company completed its investigation in late October and began notifying its clients, as well as individuals who had been impacted.

More than 1 million residents in Michigan have been affected by the breach, according to Michigan Attorney General Dana Nessel. HealthEC is a vendor for Corewell Health, the Michigan-based health system operating 21 hospitals and more than 300 outpatient locations.

Reventics

A software company, Reventics suffered a breach affecting more than 4.2 million individuals, according to the health department. Reventics provides revenue cycle management services for healthcare providers.

Reventics said in a letter to the New Hampshire attorney general’s office that it first discovered a breach of its systems in late December 2022, and the company discovered in March 2023 that more records had been accessed. The company said records potentially exposed included names, addresses, patient account numbers, and possibly clinical data and dates of services.

The company offered free identity theft services to those affected.

Colorado Department of Health Care Policy & Financing

The Colorado agency experienced a breach affecting more than 4 million people, according to HHS. The department, which oversees Colorado’s Medicaid program, issued a public statement about the breach in August.

The agency said the exposure is tied to the MOVEit Transfer software breach, which has affected many companies. IBM, which is a contractor working with the department, uses the MOVEit software to transfer files and notified the Colorado health department that it had been affected.

The Colorado agency said none of its systems or databases were affected, but it found out that some of the department’s files on the MOVEit application were accessed.

The data could have included names, Social Security numbers, Medicare and Medicaid ID numbers, and clinical information, such as diagnosis and lab results, the Colorado department said. Those affected are being offered two years of free credit monitoring.

Regal Medical Group

A medical group based in southern California, Regal said it experienced a ransomware attack. The health department says nearly 3.4 million individuals were affected.

Regal Medical Group posted the information on its website and notified individuals in February. Regal later found additional individuals who were affected in March.

The breach may have exposed information from Regal and its affiliates: ​​Lakeside Medical Organization, Affiliated Doctors of Orange County and Greater Covina Medical Group.

Patient information that could have been exposed included names, Social Security numbers, dates of birth, phone numbers, diagnosis and treatment information, prescriptions and lab results, Regal said.

Regal offered one year of free credit monitoring to those affected.

CareSource

An insurance company based in Dayton, Ohio, CareSource experienced a breach affecting more than 3.1 million individuals. The breach was posted on the health department database on July 27.

In a notice filed with the California Department of Justice, CareSource said it is one of the many organizations affected by the MOVEit breach on May 31. CareSource said it patched software as instructed by MOVEit on June 1. (MOVEit notes it issued the patch on May 31.) In late June, CareSource said it learned that some of its data was accessed.

CareSource said that some of the information potentially accessed included names, addresses, medications, and health conditions. CareSource said it’s offering two years of free credit monitoring to the individuals who have been affected.

Cerebral, Inc.

The telehealth company said patient information was inadvertently disclosed to other parties. The health department says more than 3.1 million people are affected.

Cerebral said information may have been shared via pixels, such as those made available by Google, Meta (the parent of Facebook) and Tik Tok. Other health systems have reported similar breaches involving technology that tracks visitors to websites.

In a statement, Cerebral said the company determined in early January that it had “disclosed certain information that may be regulated as protected health information.”

Cerebral said the information disclosed could include names, phone numbers, email addresses, dates of birth, and other information. For patients who completed mental health self assessments, the information disclosed could have included the services they received and assessment responses.

Four U.S. senators wrote letters to telehealth companies last year, including Cerebral, asking them to do more to protect patient information.

(Note: This story has been updated from an earlier version.)