Summary of the Biggest Healthcare Data Breaches of 2018

This is a summary of the biggest healthcare data breaches of 2018. The healthcare data breaches referred to here have resulted in the exposure of 100,000+ patient health records.

There were 18 data breaches in 2018 that have exposed 100,000 or more health records. Eight breaches involved over half a million healthcare records and three saw more than 1 million healthcare records exposed.

Up until December 27, 2018, there had been 351 data breaches of 500+ healthcare records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The total number of records exposed in those breaches was 13,020,821. In 2017, 359 data breaches of 500+ healthcare records were reported to OCR. Those breaches resulted in the exposure of 5,138,179 health records.

The Biggest Healthcare Data Breaches of 2018

Here is a brief summary of the biggest healthcare data breaches of 2018. OCR is currently investigating all of these breaches to determine whether HIPAA Rules have been violated, with the exception of the LifeBridge Health breach, the investigation into which has already been closed.

1. AccuDoc Solutions, Inc.

AccuDoc Solutions, the billing company based in Morrisville, NC, found out that some of its databases were compromised between September 22 and September 29, 2018. The 2,652,537 patient records contained in the databases could have been viewed by hackers, but were not be downloaded. This is the largest healthcare data breach of 2018 and the largest since September 2016.

2. UnityPoint Health

UnityPoint Health discovered a phishing attack on May 31, 2018. The forensic investigation showed multiple email accounts were compromised from March 14 to April 3, 2018. The attacks involved the spoofing of an executive’s email account. A number of employees responded to the spoofed messages and disclosed their email account credentials. The PHI of 1,421,107 individuals was contained in the breached email accounts.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

3. Employees Retirement System of Texas

The Employees Retirement System of Texas identified a defect in its ERS OnLine portal which permitted logged in members to see the PHI of other members. The breach was due to an error in coding. The PHI of approximately 1,248,263 people was possibly seen by other plan members.

4. CA Department of Developmental Services

A break-in at the California Department of Developmental Services offices allowed thieves to access the sensitive data of about 15,000 workers, contractors, job applicants, and parents of minors who had previously received services from CDDS. The PHI of 582,174 patients was also potentially viewed, although the thieves did not appear to have been interested in patient data, only electronic equipment, all of which was protected by encryption.

5. MSK Group

MSK Group based in Tennessee, a network of orthopedic medical practices, found out in May 2018 hackers had infiltrated its network. The hackers had access to parts of the network for several months. The personal, medical and insurance records of 566,236 patients were potentially viewed and downloaded by the hackers.

6. CNO Financial Group, Inc.

Health insurer Bankers Life Chicago, a division of CNO Financial Group Inc., found hackers accessed its systems from May 30 to September 13, 2018. The personal information of 566,217 customers was potentially stolen.

7. LifeBridge Health, Inc

Malware was installed on a server of LifeBridge Health in Baltimore. The server hosted the electronic health record system of LifeBridge Potomac Professionals as well as the patient registration and billing systems of LifeBridge Health. The PHI of 538,127 patients was potentially viewed and downloaded.

8. Health Management Concepts, Inc.

Hackers accessed a server of Health Management Concepts and installed ransomware. The company paid the ransom to restore the encrypted files; but, HMC inadvertently provided a file to the attackers that contained the PHI of 502,416 patients. While not confirmed, it is thought that the file was supplied to establish whether the attackers had the keys to decrypt files.

9. AU Medical Center, INC

A phishing attack on Augusta University Medical Center allowed an unauthorized person to access two employees’ email accounts. The email accounts contained the PHI of 417,000 patients.

10. SSM Health St. Mary’s Hospital – Jefferson City

When St. Mary’s Hospital relocated to new premises administrative documents containing the PHI of 301,000 patients were left behind. The breached information mostly was limited to names and health record numbers.

11. Oklahoma State University Center for Health Sciences

Oklahoma State University Center for Health Sciences found out that an unauthorized person accessed parts of its computer system and possibly viewed files that contained Medicaid patients’ billing data. The breach exposed a limited amount of 279,865 patients’ PHI.

12. Med Associates, Inc.

Med Associates, a billing firm based in Latham, NY, provides claims services to over 70 healthcare companies. A Med Associates employee’s computer was accessed by an unauthorized person who possibly viewed the PHI of up to 276,057 patients.

13. Adams County

Adams County, WI, discovered hackers accessed its network and possibly viewed the PHI and PII of 258,102 people. The compromised network was used by the departments of Health and Human Services, Child Support, Solid Waste, Adams County Employees, Veteran Service Office, Extension Office and the Sheriff’s Office.

14. MedEvolve

MedEvolve, an electronic billing and record services provider, found out that an FTP server was left unsecured from March 29, 2018 to May 4, 2018. The PHI of 205,434 Premier Immediate Medical Care patients was contained in a file on the FTP server.

15. HealthEquity, Inc.

HealthEquity, a Utah-based firm providing services to people to get tax advantages to reduce healthcare costs, suffered a phishing attack that saw hackers gain access to two employees’ email accounts which contained the PHI of 165,800 people.

16. St. Peter’s Surgery & Endoscopy Center

St. Peter’s Surgery & Endoscopy Center in New York discovered malware had been installed on a server which potentially permitted hackers to access the data of 134,512 patients. The malware was detected on the same day it was installed. The quick detection potentially stopped the attackers from viewing or copying patients’ data.

17. New York Oncology Hematology, P.C.

A phishing attack on New York Oncology Hematology in Albany, NY allowed hackers to access 15 employees’ email accounts that contained the PHI of 128,400 present and past patients and employees.

18. Boys Town National Research Hospital

Boys Town National Research Hospital based in Omaha, NE specializes in pediatric deafness, visual and communication disorders. It suffered a phishing attack that allowed hackers to access one email account that contained 105,309 patients’ PHI.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: