Biggest Healthcare Data Breaches of 2015

The financial sector and retail industries have suffered the largest data breaches over the past couple of years, but 2015 was without doubt the year of the healthcare data breach. The biggest healthcare data breaches of 2015 were all caused by hackers and the industry has been increasingly targeted by cybercriminals seeking valuable healthcare data.

The two biggest healthcare data breaches of 2015 exposed more patient records than were exposed in all healthcare industry data breaches over the last four years combined. Heading into 2015, the previous largest healthcare data breach had exposed 4.9 million patient records. A security incident of that magnitude was fortunately a rarity. In 2015, there were two healthcare data breaches reported in that order of magnitude; two exposed more than twice that number of records, and one created more than 17 times as many victims.

Healthcare providers were targeted, but the top three biggest healthcare data breaches of 2015 all affected health insurers.

2015 Healthcare Data Breach Summary

| Company | Breach Victims | Covered Entity | Incident Type |
|---|---|---|---|
| Anthem Inc. | 78,800,000 | Health Plan | Hacking/IT Incident |
| Premera BlueCross | 11,000,000 | Health Plan | Hacking/IT Incident |
| Excellus BlueCross BlueShield | 10,000,000 | Health Plan | Hacking/IT Incident |
| UCLA Health | 4,500,000 | Healthcare Provider | Hacking/IT Incident |
| Medical Informatics Engineering | 3,900,000 | Business Associate | Hacking/IT Incident |
| CareFirst BlueCross BlueShield | 1,100,000 | Health Plan | Hacking/IT Incident |
| Virginia Department of Medical Assistance Services (VA-DMAS) | 697,586 | Healthcare Provider | Hacking/IT Incident |
| Georgia Department of Community Health | 557,779 | Healthcare Provider | Hacking/IT Incident |
| Georgia Department of Community Health | 355,127 | Healthcare Provider | Hacking/IT Incident |
| Beacon Health System | 306,789 | Healthcare Provider | Hacking/IT Incident |
| Empi Inc., / DJO, LLC | 160,000 | Healthcare Provider | Device theft |

Source: Dept. Health & Human Services’ Office for Civil Rights

The problem for the healthcare industry was underinvestment in cybersecurity protections, and more individuals targeting the industry due to the value of the data held on patients and plan subscribers.

A full set of patient data carries a far higher value than a credit card number, which can only be used for a matter of hours before theft is noticed and the account is blocked. Health data and Social Security numbers can be used for days, months, or even years before the victim becomes aware of any fraud. The healthcare industry simply wasn’t ready for the phishing campaigns and increasing sophistication of attacks.

In order to stop the worrying data breach trend continuing into 2016, the healthcare industry must increase investment in cybersecurity defenses. All healthcare data should be encrypted at rest and in motion and staff training must be increased to prevent careless mistakes from being made that allow hackers to gain access to computer networks.

The two biggest healthcare data breaches of 2015 were the result of employees falling for phishing emails. Training staff to recognize phishing emails can greatly reduce the probability of suffering a cyberattack.

Multi-layered security systems, increased training, and encryption could have prevented many of the biggest healthcare data breaches of 2015 from occurring. Fortunately, 2015 has been a wakeup call and healthcare organizations have increased budgets and invested more heavily in cybersecurity protections. It is hoped that as a result, 2016 will be a much better year.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news