Major Healthcare Data Breaches Reported in December 2021

2021 has been a particularly bad year for healthcare data breaches, and the attacks did not let up in December. Four major healthcare data breaches have been reported this month that collectively resulted in the exposure of the personal and protected health information of more than 2 million Americans.

So far in 2021, 686 healthcare data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights, and almost 45 million records have been exposed. That makes 2021 the worst ever year for healthcare data breaches to date and the second-worst year in terms of the number of exposed healthcare records. The figures are likely to grow further when the breach reports submitted to OCR over the holiday period are added to its data breach portal early in the New Year.

Oregon Anesthesiology Group Ransomware Attack Affects More Than 750,000 Individuals

The largest healthcare data breach reported in December affected Oregon Anesthesiology Group (OAG), P.C. In July 2021, OAG suffered a ransomware attack, and the attackers encrypted files containing sensitive employee and patient information. The ransom was not paid, and the encrypted systems were restored from backups.

While data theft was not suspected, in October the FBI notified OAG that an account belonging to the HelloKitty ransomware gang had been seized, and that the account contained the data of OAG patients and employees. The FBI believes a vulnerability in OAG’s third-party firewall was exploited to gain access to its systems. OAG reported the breach as affecting 750,000 patients and 522 employees.

Texas ENT Specialists Breach Affects Over 535,000 Patients

Texas Ear, Nose & Throat Specialists P.A. (Texas ENT Specialists) reported a major breach in December that affected more than half a million patients. The attack was detected on October 19, 2021, with the attackers determined to have first accessed its systems on August 9. They exfiltrated data from its systems over the course of a week. Texas ENT Specialists did not explain whether this was an extortion attempt and has not released any other information about the nature of the attack.

A review of the compromised systems confirmed they contained the personal and protected health information of 535,489 patients. Patients have been warned to be vigilant for any misuse of their information and have been offered complimentary identity monitoring services.

Almost 400,000 Patients Affected by Monongalia Health System Phishing and BEC Attack

Monongalia Health System (Mon Health) announced it was the victim of a recent phishing and business email compromise attack. Hackers first gained access to employee email accounts using phishing emails, compromised the email account of a contractor, and then used that account to divert a payment. The attack was detected when the failure to provide payment was queried and Mon Health discovered the payment had left its accounts but had been sent to an unknown bank account.

The investigation revealed that the compromised Mon Health email accounts contained the personal and protected health information of 398,164 patients. Mon Health believes it was not the intention of the attacker to steal patient data, but unauthorized data access and data theft could not be ruled out.

350,000 Patients Potentially Affected by Cyberattack on BioPlus Specialty Pharmacy Services

Florida-based BioPlus Specialty Pharmacy Services has recently announced a data breach that involved the protected health information of 350,000 patients. The breach was detected on November 11, 2021, with the hackers determined to have gained access to its systems on October 25. The investigation confirmed the attacker had accessed files containing patient data and may have exfiltrated some of that data.

It was not possible to tell how many patients were affected, so breach notification letters were sent to all 350,000 of its patients. The breach was announced on December 10, and on December 27 a class action lawsuit was filed by victims of the breach seeking damages for the exposure of their sensitive data.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news