The 13 Biggest Data Breaches of 2019 (So Far)
Nearly 31 million records were exposed in the 13 biggest breaches in the first half of 2019, with 11 of the top 13 breaches occurring at medical or healthcare organizations.
Unwanted Exposure
Looking for patterns and new trends in security breaches may help educate consumers and businesses about the value of protecting personally identifiable information.
The information compromised can include everything from Social Security numbers and credit card numbers to protected health information and user names. Methods for obtaining the data, meanwhile, run the gamut from insider threats to hacking to employee negligence.
Nearly 31 million records were exposed in the 13 biggest data breaches in the first half of 2019, according to information compiled by the Identity Theft Resource Center as well as other sources. Eleven of the thirteen largest breaches impacted medical or healthcare organizations, with one breach hitting a government agency and one breach striking an educational institution.
Read on to learn how the biggest data breaches of 2019 (so far) transpired.
13. Zoll Services
Number Of Records Exposed: 277,319
Data from Zoll Services emails was exposed during a server migration that occurred between Nov. 8, 2018 and Dec. 28, 2018. Information that may have been exposed during the leakage includes patient names, addresses, dates of birth, Social Security numbers, and limited medical information.
The Chelmsford, Mass.-based medical device manufacturer had its emails archived by a third-party service provider to comply with record retention and maintenance requirements, policies, and procedures. Some personal information was included in the email communications stored by the third-party service provider.
Zoll learned of the data leakage on Jan. 24, 2019, and disclosed it publicly on March 18. The company said it's taking steps to review its process for managing third-party vendors, and confirmed the impacted email archiving provider has also taken actions to help protect against similar incidents in the future.
12. Navicent Health
Number Of Records Exposed: 278,016
Navicent Health was the victim of a cyber attack in which an unauthorized third party illegally accessed the Macon, Ga.-based hospital system's employee and hosted email accounts. The company notified law enforcement after learning about the breach in July 2018, and retained forensic security firms to investigate and conduct a comprehensive search for any personal information in the impacted email accounts.
Navicent determined on Jan. 24, 2019 that the breached accounts contained some personal information, including some individuals' names, dates of birth, addresses, Social Security numbers, and limited medical information, such as billing and appointment information.
The breach, which was disclosed on March 25, affected employee email accounts only, and had no impact on Navicent's computer networks or electronic medical record systems. Navicent said it's not aware of any fraud or identity theft to any individual as a result of the breach, and does not know if any personal information was ever viewed or acquired by the hackers.
11. UConn Health
Number Of Records Exposed: 326,629
UConn Health learned that an unauthorized third party in August 2018 illegally accessed the Farmington, Conn.-based health care system's employee email accounts. The company notified law enforcement and retained a leading forensic security firm to investigate and conduct a comprehensive search for any personal information in the impacted email accounts.
UConn determined on Dec. 24, 2018, that the accounts contained some personal information, including individuals’ names, dates of birth, addresses, Social Security numbers, and limited medical information, such as billing and appointment information.
The breach, which was disclosed on Feb. 22, had no impact on UConn Health's computer networks or electronic medical record systems. A class-action lawsuit was filed against UConn Health in March after a fraudulent charge was made from one patient's bank account and caused an overdraft, alleging that officials failed to provide a timely, accurate, and adequate notice that a data breach had occurred.
10. Columbia Surgical Specialists of Spokane
Number Of Records Exposed: 400,000
Columbia Surgical Specialists learned on Jan. 9 that hackers had carried out a ransomware attack against the electronic systems of the Spokane, Wash.-based healthcare facility. The encrypted files contained information about medical services and patients that Columbia is legally required to track, such as names, drivers' licenses, Social Security numbers and other protected health information.
Columbia received notice of the ransomware attack just a few hours before several patients were scheduled for surgeries, and said the adversaries made it clear the organization wouldn't have access to patient information until it paid a fee. As a result, the doctors who own Columbia decided to pay the hackers $14,609.09.
After making the payment, Columbia said the threat actors provided the decryption key so the organization could immediately proceed with unlocking the data. Columbia doesn't believe that the locked data was acquired, disclosed or misused by the hackers or any other third party.
9. BioReference Laboratories
Number Of Records Exposed: 422,600
Hundreds of thousands of BioReference Laboratories customers had data stored on the web payment page of the American Medical Collection Agency (AMCA) that was breached between Aug. 1, 2018, and March 30, 2019. AMCA is an external collection agency used by LabCorp and other healthcare companies.
Information exposed could include first and last name, date of birth, address, phone, date of service, provider, balance information, as well as credit card information, bank account information and email addresses provided by the consumer to AMCA. The 6,600 customers whose credit card or bank account information was stored by AMCA will get identity protection and credit monitoring services for 2 years.
BioReference had not sent any collection requests to AMCA since October 2018, and asked AMCA to stop working on any pending collection requests involving BioReference patients. BioReference never provided laboratory results or diagnostic information to AMCA, and AMCA said that no Social Security numbers were compromised.
8. Carecentrix
Number Of Records Exposed: 500,000
The Maryland Attorney General's office said in a June alert that the attack against the American Medical Collection Agency also affected 500,000 Carecentrix patients. Compromised data could include patient name, date of birth, address, phone number, date of service, provider, balance information, payment card information, bank account information, Social Security number, and the lab test performed.
Like other impacted organizations, Carecentrix stopped sending new work to the American Medical Collection Agency (AMCA) and terminated or substantially curtailed its business relationship with the AMCA. Carecentrix was one of AMCA's four largest clients.
The severe drop-off in AMCA's business following public disclosure of the breach in early June was a contributing factor in the company's decision to file for Chapter 11 bankruptcy protection on June 17.
7. UW Medicine
Number Of Records Exposed: 973,024
A vulnerability on a UW Medicine website server caused by "internal human error" made protected internal files available and visible by search on the internet starting on Dec. 4, 2018. The files contained patients’ names, medical record numbers, and a description and purpose of what patient information was shared, with whom, and why.
In general, the files described what parts of a patient's medical record were shared rather than providing their actual health information. In some instances, the UW Medicine files included the name of a lab test that was performed (but not the result) or the name of the research study that included the name of a health condition.
UW Medicine fixed the error immediately upon discovery on Dec. 26, 2018, and then worked with Google to remove saved versions of the files and prevent them from showing up in search results. All saved files were completely removed from Google’s servers by Jan. 10, 2019, and the data leakage was made public on Feb. 20.
6. Georgia Tech
Number Of Records Exposed: 1.3 Million
Unauthorized access to a Georgia Tech web application exposed personal information for current and former faculty, students, staff and student applicants. The school is conducting a thorough forensic investigation to determine precisely what information was extracted from the database, which might include names, addresses, Social Security numbers and birth dates.
Georgia Tech identified signs in late March that an unauthorized person had found a way to send queries through a web server at the school to an internal database. As a result, the school said the hacker might have been able to access the database between Dec. 14, 2018 and March 22, 2019.
The school publicly disclosed the hack on April 2, and is offering credit monitoring and identity theft protection services to individuals whose Social Security numbers were involved in the breach. Georgia Tech said people should actively monitor for the possibility of fraud and identity theft by reviewing their credit report and credit card, bank, and other financial statements for any unauthorized activity.
5. Inmediata Health Group
Number Of Records Exposed: 1.57 Million
Inmediata Health Group became aware in January that some electronic health information was viewable online due to a webpage setting that permitted search engines to index internal webpages that are used for business operations. The information potentially involved in this data leakage may include patients’ names, addresses, dates of birth, gender, Social Security numbers, and medical claim information.
The San Juan, Puerto Rico-based health information systems provider said that it immediately deactivated the website after becoming aware of the data leakage and engaged an independent digital forensics firm to assist with an investigation. Inmediata hasn't seen evidence that any of the exposed files were copied, saved, or subject to actual or attempted misuse.
Inmediata publicly disclosed the incident on April 22, and began mailing notification letters to the potentially affected individuals on the same day. Ten days later, the Michigan Attorney General’s Office said it had been contacted by two people who had received multiple letters from Inmediata about the breach, some of which had been misaddressed to other people.
4. Federal Emergency Management Agency (FEMA)
Number Of Records Exposed: 2.3 Million
The Office of the Inspector General (OIG) said in March that FEMA violated the Privacy Act of 1974 and Department of Homeland Security policy by releasing sensitive personally identifiable information of the survivors of hurricanes Harvey, Irma, and Maria and the California wildfires in 2017 that went well beyond what was needed to verify their eligibility for the transitional sheltering assistance program.
FEMA released unnecessary personal information for the disaster survivors to its contractor beyond what's used to confirm eligibility during the sheltering check-in process at participating hotels. FEMA gave the contractor more than 20 unnecessary data fields, including the applicant's street address, city name, zip code, financial institution name, electronic funds transfer number, and bank transit number.
Prior iterations of the transitional sheltering assistance program required additional information such as applicant bank names and account numbers; however, the current program does not require this information. The OIG said that FEMA’s failure to provide only the required data elements placed disaster survivors at increased risk of identity theft and fraud.
3. Dominion National
Number Of Records Exposed: 2.96 Million
Dominion National determined that an unauthorized party may have gained access to some of its computer servers as early as Aug. 25, 2010. Information exposed in the breach may have included names, addresses, email addresses, dates of birth, Social Security numbers, member ID numbers, group numbers, subscriber numbers, bank account and routing numbers, and taxpayer identification numbers.
The Arlington, Va.-based dental and vision insurer and administrator learned of the breach through an investigation of an internal alert of April 24, 2019, and disclosed it publicly on June 21, 2019. After learning of this, Dominion National said it moved quickly to clean the affected servers and implement enhanced monitoring and alerting software.
Dominion National said it has no evidence that any information was in fact accessed, acquired, or misused. The company is offering a two-year membership to ID Experts MyIDCare, which includes credit monitoring and fraud protection services, for any potentially affected individual.
2. LabCorp
Number Of Records Exposed: 7.7 Million
Millions of LabCorp customers had data stored on the web payment page of the American Medical Collection Agency (AMCA) that was breached between Aug. 1, 2018, and March 30, 2019. AMCA is an external collection agency used by LabCorp and other healthcare companies.
Information exposed could include first and last name, date of birth, address, phone, date of service, provider, balance information, as well as credit card or bank account information provided by the consumer to AMCA. The 200,000 LabCorp consumers whose credit card or bank account information may have been accessed will receive identity protection and credit monitoring services for 24 months.
In response to the breach, LabCorp ceased sending new collection requests to AMCA and stopped AMCA from continuing to work on pending collection requests involving LabCorp consumers. LabCorp never provided ordered test, laboratory results, or diagnostic information to AMCA, and AMCA said it didn't store or maintain Social Security numbers or insurance identification information for LabCorp clients.
1. Quest Diagnostics
Number Of Records Exposed: 11.9 Million
Quest Diagnostics said in June that a potential breach on the web payment page of its billings collection vendor exposed financial and medical information of its patients.
The New York-based clinical laboratory provider said that, between Aug. 1, 2018 and March 30, 2019, an unauthorized user had access to the American Medical Collection Agency (AMCA) system containing information that AMCA had received from Quest Diagnostics and others, according to a filing with the U.S. Securities and Exchange Commission (SEC). This information was provided to Quest by AMCA.
The information on AMCA's affected system included medical information, financial information such as credit card numbers and bank account information, and other personal information like Social Security Numbers, according to the Quest filing. Quest said its laboratory tests were not provided to AMCA, and therefore weren't impacted by the breach.