The 15 Largest Healthcare Data Breaches

Josh Amishav · Last updated Mar 27, 2025 · 8 minute reading time

Learn which healthcare breaches exposed the most records and what they teach you.

• The Change Healthcare breach alone affected 190 million people and cost UnitedHealth $2.9 billion. A single stolen credential on a portal without MFA made it possible.
• Third-party vendors caused 5 of the 15 largest healthcare data breaches. Your security is only as strong as your weakest vendor’s.
• Attackers maintained access for months in most of these breaches. Premera went 9 months before detection, Excellus nearly 2 years.
• Healthcare records sell for $250-$1,000 each on criminal markets, making hospitals and insurers high-value targets for ransomware groups.

Healthcare records sell for up to $1,000 each on criminal markets. That’s hundreds of times more than stolen credit card data.

The combination of sensitive data and outdated systems makes healthcare one of the most targeted industries. Ransomware groups know hospitals can’t afford extended downtime.

Since 2013, the 15 largest healthcare data breaches have exposed over 350 million patient records. Several of these happened in the last two years.

Here are the biggest healthcare data breaches in history, what went wrong in each case, and what you can do to avoid the same mistakes.

Why Is Healthcare the Most Targeted Industry?

When a retailer gets breached, you cancel a credit card. When a hospital gets breached, your medical history and Social Security number are exposed permanently. That’s why healthcare data is worth so much more on criminal markets.

You’ll see “PHI” throughout these breaches. Here’s what it means.

Protected Health Information (PHI) is any individually identifiable health information held by a healthcare provider or their business associates. This covers medical records and insurance IDs, plus lab results and any data that could identify a patient. PHI is protected under HIPAA whether it’s stored electronically, on paper, or communicated verbally.

Complete medical records sell for $250 to $1,000 each on criminal markets. Credit card numbers go for $1 to $5. That price gap makes healthcare organizations high-value targets.

On top of that, many hospitals run legacy systems with outdated security controls. Medical devices that can’t be patched. Networks that weren’t designed with segmentation in mind.

And healthcare organizations work with dozens of vendors who have direct access to patient data. Billing companies and transcription firms become potential entry points. Five of the 15 breaches below started through a third-party vendor.

What Are the 15 Biggest Healthcare Data Breaches?

Six of the 15 breaches below involved ransomware. Here’s what that looks like in healthcare.

Ransomware is malware that encrypts your files and demands payment for the decryption key. Modern ransomware groups also steal data before encrypting, then threaten to publish it if you don’t pay. In healthcare, this means patient records end up on public leak sites even when the ransom is paid.

1. Change Healthcare (2024) - 190 Million Records

The largest healthcare data breach ever. In February 2024, the ALPHV/BlackCat ransomware group used a stolen credential to access a Citrix portal that lacked MFA. They had 9 days of undetected access before deploying ransomware.

The disruption was massive. Change Healthcare processes 1 in 3 U.S. patient records. Thousands of providers couldn’t process payments or prescriptions for weeks. UnitedHealth paid a $22 million ransom and spent $2.9 billion on breach response. For a detailed breakdown, see our Change Healthcare case study.

2. Anthem Blue Cross (2015) - 78.8 Million Records

Attackers phished their way into Anthem’s network in February 2014 and eventually queried its data warehouse for personal and employment records on 78.8 million members. The warehouse wasn’t encrypted at rest. HIPAA treats encryption as an “addressable” safeguard rather than a hard requirement, and Anthem had judged that the data, which didn’t include diagnoses or treatment details, didn’t warrant it.

The intrusion went undetected for nearly a year; Anthem found it in January 2015. Anthem settled roughly 100 consolidated class-action lawsuits for $115 million and later paid a then-record $16 million to the HHS Office for Civil Rights.

3. Welltok (2023) - 14.7 Million Records

Part of the Cl0p group’s mass exploitation of a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer tool. The campaign hit more than 2,600 organizations worldwide. Welltok ran MOVEit to exchange data on behalf of health plans it served, so a single compromised server leaked patient data from multiple healthcare organizations.

4. Kaiser Foundation Health Plan (2024) - 13.4 Million Records

This one wasn’t a hack. Kaiser reported to HHS in April 2024 that third-party tracking technologies on its websites and mobile apps had been transmitting member data, including pages visited and search terms, to advertising and analytics vendors such as Google, Microsoft Bing, and X. Kaiser removed the trackers, but sharing identifiable health information with those vendors still counts as an unauthorized disclosure of PHI under HIPAA.

5. Quest Diagnostics (2019) - 11.9 Million Records

A breach at AMCA, a third-party billing and collections company, exposed Quest Diagnostics patient data. An unauthorized user had access to AMCA’s web payment system for roughly eight months, from August 2018 to March 2019, and medical and financial records were stolen. AMCA filed for bankruptcy weeks after the disclosure. This is a textbook example of why vendor risk management matters. Your vendors’ security gaps become your breaches.

6. HCA Healthcare (2023) - 11.2 Million Records

An attacker accessed an external storage location and began selling patient data on a hacker forum. The stolen records covered patients from 2021 through 2023 and included contact information and appointment details.

7. Premera Blue Cross (2015) - 11 Million Records

A phishing email tricked employees into installing malware in May 2014. The malware gave attackers access to claims data, including clinical records and bank details. The attackers maintained access for nearly 9 months before the breach was discovered in January 2015. Premera later paid $6.85 million to the Office for Civil Rights to settle the resulting HIPAA investigation.

8. Excellus BlueCross BlueShield (2015) - 10.5 Million Records

Attackers gained access in December 2013 and stayed hidden for nearly two years before Mandiant discovered the breach. Claims data and financial records were exposed. Excellus paid $5.1 million to the Office for Civil Rights to settle.

9. Labcorp (2019) - 10.2 Million Records

Also hit by the AMCA breach that affected Quest Diagnostics (#5). Personal records and account balances were exposed for 10.2 million patients. Roughly 200,000 accounts also had payment card data stolen. Two major healthcare companies compromised through a single vendor.

10. Maximus (2023) - 9.1 Million Records

Another victim of the MOVEit exploit. The Cl0p group accessed Medicaid ID numbers and medical claims data held by this government services contractor, which administers programs for Medicare and Medicaid. The breach affected 9.1 million people.

11. Perry Johnson & Associates (2023) - 8.9 Million Records

Attackers breached this medical transcription firm and accessed patient data across multiple healthcare systems. Because PJ&A served as a vendor to numerous organizations, the breach hit patients at Northwell Health (3.8 million) and Baycare (2.5 million). Another vendor breach with cascading impact.

12. Managed Care of North America (2023) - 8.6 Million Records

The LockBit ransomware gang stole 700 gigabytes of data from MCNA, one of the largest dental insurers for government Medicaid programs. After demanding $10 million, LockBit published everything when MCNA didn’t pay.

13. Community Health Systems (2014) - 6.2 Million Records

Attackers used compromised admin credentials to reach CHS’s network through its VPN. The credentials were reportedly harvested by exploiting the Heartbleed bug (CVE-2014-0160) in a Juniper VPN appliance. Patient records for 6.2 million people were stolen, including personal identifiers and contact information.

14. PharMerica Corporation (2023) - 5.8 Million Records

The Money Message ransomware gang exfiltrated 4.7 terabytes of data from one of the largest pharmacy service providers in the U.S. The stolen data included medication records and insurance details.

15. Ascension Health (2024) - 5.5 Million Records

In May 2024, a ransomware attack forced dozens of Ascension hospitals to cancel non-emergency procedures, divert ambulances, and revert to paper records. Patient medical and insurance records were exposed. The attack was linked to the Black Basta ransomware gang.

What Do These Breaches Have in Common?

Look at these 15 healthcare data breaches together and the same patterns keep showing up.

Stolen credentials open the door. Change Healthcare, Anthem, and Premera all started with compromised login credentials. A phishing email or stolen password gave attackers their initial foothold. MFA would have stopped several of these attacks entirely. The Change Healthcare breach is the starkest example: one Citrix portal without MFA led to the most expensive healthcare breach in history.

Third-party vendors are the weakest link. Five breaches on this list happened through vendors: AMCA (Quest and Labcorp), Welltok and Maximus (both compromised through MOVEit), and PJ&A. Your vendor risk management program needs to treat vendor access with the same scrutiny as employee access. The MOVEit campaign is particularly telling. One SQL injection bug in a file transfer product gave Cl0p access to data at thousands of organizations at once. The health plans whose members were exposed weren’t attacked directly; the vendors holding their data were, through software those vendors had bought from yet another supplier.

Attackers stay hidden for months. Premera’s breach went 9 months without detection. Excellus went nearly 2 years. Even Change Healthcare had 9 days of undetected access before ransomware deployed. Every extra day gives attackers more time to move through your network and steal more data. The consequences of a healthcare data breach grow with every day of undetected access.

Ransomware is now the default playbook. Six of the 15 breaches involved ransomware groups: ALPHV/BlackCat (Change Healthcare), LockBit (MCNA), Cl0p (Welltok and Maximus), Money Message (PharMerica), and Black Basta (Ascension). These groups steal data first, then encrypt systems; in the MOVEit campaign Cl0p skipped encryption entirely and went straight to extortion. Even if you don’t pay the ransom, the data ends up published on leak sites. Healthcare organizations can’t treat ransomware as an IT problem. It’s a patient data problem.

The cost goes far beyond the ransom. UnitedHealth spent $2.9 billion on breach response for Change Healthcare. Anthem paid $115 million in lawsuit settlements. Excellus paid $5.1 million to HHS. These numbers don’t include lost revenue, operational disruption, or the long-term damage to patient trust. For Ascension, the breach meant turning away ambulances and canceling surgeries. The real cost is measured in patient care that didn’t happen.

How Do You Protect Your Healthcare Organization?

The prevention advice is straightforward. The challenge is actually doing it.

Lock down credentials. Enforce MFA on every remote access point. The Change Healthcare breach happened because one Citrix portal didn’t have it. Use a password manager so employees generate unique passwords for every application. Monitor for stolen credentials on criminal markets so you can reset compromised accounts before attackers use them.

Control vendor access. Treat third-party access with the same oversight as internal access. Audit what data vendors can reach. Require security assessments before granting access. The AMCA breach proved that one vendor’s failure can compromise millions of your patients.

Detect breaches faster. Deploy endpoint detection and response (EDR) tools. Set up behavioral monitoring that flags unusual data access. Subscribe to a dark web monitoring service to catch leaked credentials and patient data early. The difference between a 9-day breach and a 2-year breach comes down to detection.
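The credential and detection advice above translates directly into detection rules. What follows is an added example written for this page, not code from the original article or from any vendor product. It runs two rules over a constructed set of audit events: a successful login to a remote access point without MFA (the Change Healthcare foothold), and an account touching far more distinct patient records in one hour than its own baseline (the bulk data theft that precedes extortion). The event field names (ts, user, action, source, mfa, patient_id), the sample events, and the per-user baselines are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Remote access points where a login without MFA is itself an alert.
REMOTE_SOURCES = {"citrix-portal", "vpn"}


def _sweep(user, start, n):
    """Constructed helper: n record views of n distinct patients, one every 15 s."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=15 * i)).isoformat(),
             "user": user, "action": "record_view", "patient_id": f"P{5000 + i}"}
            for i in range(n)]


# Constructed sample audit events (schema is an assumption, not a real product's).
SAMPLE_EVENTS = [
    # Ordinary clinician: MFA login, a handful of records during the shift.
    {"ts": "2024-02-12T08:58:00", "user": "rn.alvarez", "action": "login",
     "source": "citrix-portal", "mfa": True, "src_ip": "198.51.100.10", "result": "success"},
    {"ts": "2024-02-12T09:02:00", "user": "rn.alvarez", "action": "record_view", "patient_id": "P1001"},
    {"ts": "2024-02-12T09:10:00", "user": "rn.alvarez", "action": "record_view", "patient_id": "P1002"},
    {"ts": "2024-02-12T09:25:00", "user": "rn.alvarez", "action": "record_view", "patient_id": "P1001"},
    # Stolen service credential: failed attempt, then success with no MFA at 3 a.m.,
    # followed by a sweep of 120 distinct patient records in thirty minutes.
    {"ts": "2024-02-12T03:13:00", "user": "svc-billing", "action": "login",
     "source": "citrix-portal", "mfa": False, "src_ip": "203.0.113.7", "result": "failure"},
    {"ts": "2024-02-12T03:14:00", "user": "svc-billing", "action": "login",
     "source": "citrix-portal", "mfa": False, "src_ip": "203.0.113.7", "result": "success"},
    *_sweep("svc-billing", "2024-02-12T03:15:00", 120),
]

# Constructed baselines: typical distinct patients per hour, as if learned from
# the previous 30 days of activity for each account.
BASELINE_DISTINCT_PER_HOUR = {"rn.alvarez": 12, "svc-billing": 2}


def parse(events):
    """Copy events, convert timestamps to datetime, and sort chronologically."""
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])


def no_mfa_remote_logins(events, remote_sources=REMOTE_SOURCES):
    """Rule 1: a successful login to a remote access point without MFA.
    Failed attempts are ignored here; the success is the foothold."""
    return [{"rule": "no_mfa_remote_login", "user": e["user"], "ts": e["ts"],
             "source": e["source"], "src_ip": e.get("src_ip")}
            for e in events
            if e["action"] == "login" and e.get("result") == "success"
            and e.get("source") in remote_sources and not e.get("mfa", False)]


def bulk_record_access(events, baselines, factor=5, floor=25, default_baseline=10):
    """Rule 2: distinct patient records per (user, clock hour) well above that
    user's baseline. `floor` keeps a tiny baseline (2/hour) from alerting on
    ordinary variance; `factor` still catches a sweep."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] == "record_view":
            bucket = e["ts"].replace(minute=0, second=0, microsecond=0)
            seen[(e["user"], bucket)].add(e["patient_id"])
    alerts = []
    for (user, bucket), patients in sorted(seen.items(), key=lambda kv: kv[0][1]):
        threshold = max(floor, factor * baselines.get(user, default_baseline))
        if len(patients) > threshold:
            alerts.append({"rule": "bulk_record_access", "user": user, "ts": bucket,
                           "distinct_patients": len(patients), "threshold": threshold})
    return alerts


def run_detections(raw_events, baselines):
    """Run both rules and return alerts ordered by time."""
    events = parse(raw_events)
    alerts = no_mfa_remote_logins(events) + bulk_record_access(events, baselines)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS, BASELINE_DISTINCT_PER_HOUR):
        print(alert)
```

Run against the sample, only the svc-billing account fires: once for the no-MFA portal login and once for 120 distinct records in a single hour against a threshold of 25. The clinician account, with three views of two patients behind an MFA login, stays quiet. In production the baselines would come from each account’s own history and the rules would feed the SIEM or EDR pipeline rather than print to a console, but the logic is the same.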

Prepare for when it happens. Maintain an incident response plan with clear roles and procedures. Know your HIPAA notification deadlines: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, breaches affecting 500 or more people must be reported to HHS (and to prominent media in the affected state) on the same 60-day timeline, and smaller breaches go into an annual report to HHS. Test your plan regularly.

For a complete prevention framework, see our guide on preventing data breaches in healthcare.

Conclusion

The 15 largest healthcare data breaches have exposed over 350 million patient records. The pattern is consistent: stolen credentials and unmonitored vendor access give attackers the time they need to cause massive damage.

Healthcare organizations can’t eliminate the risk entirely, but the breaches on this list show where defenses fail most often. MFA on every access point. Continuous credential monitoring. Strict vendor oversight. These aren’t optional if you handle patient data.

Check if your organization’s credentials are already exposed before attackers find them first.

Healthcare Data Breach FAQ

Why Is Healthcare Such an Attractive Target?

Patient records contain everything an attacker needs for identity fraud: Social Security numbers and insurance details, plus full medical histories. Hospitals also can’t afford downtime, which makes them more likely to pay ransoms quickly.

How Do Most Healthcare Breaches Start?

Stolen credentials and phishing are the most common entry points. The Change Healthcare breach started with a single stolen password on a portal without MFA. Several others on this list started with phishing emails that installed malware or captured login credentials.

What Should You Do After a Breach?

Contain the breach by isolating affected systems. Preserve evidence for forensic investigation. Notify your legal team and begin HIPAA breach notification procedures. You have 60 days from discovery to notify affected individuals, and the same deadline to report to HHS if 500 or more people are affected; smaller breaches are reported to HHS annually. See our data breach response guide for step-by-step procedures.

How Long Do Attackers Stay Undetected?

Often months. Premera’s breach went undetected for 9 months. Excellus wasn’t discovered for nearly 2 years. The Change Healthcare attackers had 9 days of access before deploying ransomware. Faster detection through credential monitoring and behavioral analytics can shorten this window.

What Counts as a HIPAA Breach, and What Are the Penalties?

A HIPAA breach is an impermissible use or disclosure of Protected Health Information (PHI) that compromises its security or privacy. HIPAA requires you to notify affected individuals within 60 days of discovery and to report breaches of 500+ records to HHS on the same timeline. Civil penalties were set under HITECH at $100 to $50,000 per violation, with an annual cap of $1.5 million per violation category; HHS adjusts these amounts for inflation each year, so the current figures are higher.

Can Dark Web Monitoring Prevent Healthcare Breaches?

Yes, it can help. Dark web monitoring for healthcare catches stolen employee credentials before attackers use them. Several breaches on this list started with compromised credentials. If those credentials had been detected on criminal markets first, the affected accounts could have been reset before the attackers logged in.

Why Are Third-Party Vendors Such a Risk?

Vendors like billing companies and medical transcription firms often have direct access to patient data but less security oversight than the healthcare organizations they serve. The AMCA breach hit both Quest Diagnostics and Labcorp. The MOVEit exploit hit Welltok and Maximus through a shared file transfer tool.
