Largest Healthcare Data Breaches in 2020

2020 was the most awful ever year when it comes to healthcare industry data breaches. There were 616 data breaches involving 500 or more health records documented by the HHS’ Office for Civil Rights. Those breaches had 28,756,445 healthcare records breached that makes 2020 the third worst year with regards to the quantity of breached healthcare records.
2020’s Biggest Healthcare Data Breaches

Whenever a breach happens at a business associate of a HIPAA-covered entity, the covered entity typically reports the data breach instead of the business associate. In 2020, the cloud service provider Blackbaud Inc. had suffered a huge data breach. Hackers obtained access to its network systems and stole its client’s fundraising databases prior to deploying ransomware. Blackbaud got a ransom demand as well as a threat that if the ransom is not paid, the stolen information would be published publicly. Blackbaud made the decision to pay the ransom to avert publishing client information. Blackbaud got guarantees that the stolen files were completely erased and was not exposed.

The complete number of affected individuals from the Blackbaud ransomware attack might never be known, yet over 6 dozen healthcare companies have claimed being impacted so far and more than 8 million healthcare records were potentially exposed. That breach definitely leads the listing of the biggest 2020’s healthcare data breaches and is one of the biggest healthcare data breaches ever.

Here is the list of the reported data breaches in 2020 having 500,000 healthcare records. In some instances, the actual incident took place prior to 2020, however was only uncovered and reported in 2020.

1. Trinity Health – 3,320,726 people affected
Trinity Health was the most severely affected healthcare company of the Blackbaud ransomware attack. The hackers possibly acquired the philanthropy data bank of the Catholic health system based in Livonia, Michigan which included patient and donor records from 2000 to 2020.

2. MEDNAX Services, Inc. – 1,290,670 persons impacted
MEDNAX Services Inc based in Sunrise, Florida suffered a security breach of its Office 365 account in June 2020 because staff members responded to phishing emails. The extensive breach affected patient and guarantor data like driver’s license numbers, Social Security numbers, and health insurance and financial data.

3. Inova Health System – 1,045,270 persons impacted
Inova Health System based in Virginia was also impacted by the Blackbaud ransomware attack. Inova’s fundraising data bank which comprised patient and donor data was possibly exposed.

4. Magellan Health Inc. 1,013,956 persons affected
Magellan Health based in Arizona experienced a ransomware attack in April 2020 that resulted in the likely exposure of the protected health information (PHI) of patients. The ransomware attack actually began with a spear phishing email. A number of of its affiliated entities were likewise impacted by the breach as well.

5. Dental Care Alliance – 1,004,304 persons affected
Dental Care Alliance, LLC in Sarasota, Florida reported a security breach of its networks in December. The details of the breach is still unclear and the investigation is still ongoing. The breach impacted a lot of its associate dental practices.

6. Luxottica of America Inc. – 829,454 persons impacted
Luxottica of America Inc. is a vision care company that is well-known throughout the United States for the eyewear brands Oakley, Ray-Ban, and Persol. It encountered a cyberattack in August 2020 and hackers acquired access to its online appointment scheduling system that held the PHI its eye care partners’ of patients.

7. Northern Light Health – 657,392 people impacted
Northern Light Health in Maine was also affected by the Blackbaud ransomware attack. The hackers possibly acquired access to its fundraising repository that comprised patient and donor data.

8. Health Share of Oregon – 654,362 Individuals
In May 2020, Health Share of Oregon reported the theft of a laptop from its supplier of non-emergent medical vehicles. The stolen laptop computer lacked encryption, which possibly allowed the crook to obtain access to patients’ contact details, Social Security numbers, and Health Share ID numbers.

9. Florida Orthopaedic Institute – 640,000 people affected
Florida Orthopaedic Institute encountered a ransomware attack in April that led to the encryption of patient data kept on its servers. Before the deployment of ransomware, the attackers might have viewed or acquired patient data.

10. Elkhart Emergency Physicians – 550,000 people impacted
Elkhart Emergency Physicians submitted a breach report in May 2020 regarding the inappropriate disposal of patient documents by Central Files Inc., a third-party storage supplier. Elkhart Emergency Physicians was the worst impacted entity, nonetheless many other clients of the provider were also affected by the breach. The files were thrown out without shredding after the permanent closing of the storage center.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at