What You Need to Know:
Data breaches aren’t going anywhere and we’re here to keep you up-to-date on the worst data breaches of the year putting you at risk of identity theft.
Note: This post will be continuously updated with new information as additional 2021 data breaches are reported. Breaches appear in descending order, with the most recent appearing at the bottom of the page.
- 2016 Data Breaches | The Largest Data Breaches of the Year
- 2017 Data Breaches | The Year of Historic Risks
- 2018 Data Breaches | The Worst Breaches of the Year
- 2019 Data Breaches | The Biggest Breaches of the Year
- 2020 Data Breaches | The Most Significant Breaches of the Year
- 2021 Data Breaches | The Worst Breaches of the Year
Goodwill
January 14, 2022: Nonprofit Goodwill experienced a data breach that affected the accounts of customers using its ShopGoodwill.com e-commerce auction platform. The attack disclosed contact information including first and last name, email address, phone number and mailing address. No payment information was disclosed as ShopGoodwill.com does not store payment card information. The nonprofit attributed the breach to a site vulnerability which has since been fixed.
SOURCE | BleepingComputer
State of Washington
February 11, 2022: A security breach at the Washington State Department of Licensing affected the personal data in active, expired, revoked or suspended licenses for 23 of the 39 professions and businesses that require state licensing. At least 650,000 professionals who require licensing were impacted, possibly affecting their professional lives as a license is required to obtain professional service. Authorities believe Social Security numbers and some personal data were compromised.
SOURCE | KOMO News
International Order of the Red Cross
February 16, 2022: The International Committee of the Red Cross (ICRC) said a targeted cyberattack against its servers was likely coordinated by a state-backed hacking group. During the incident, the attackers gained access to the personal information (names, locations and contact information) of over 515,000 people in the “Restoring Family Links” program that helps reunite families separated by war, disaster and migration. The intruders were able to maintain access to ICRC’s servers for 70 days after the initial breach.
SOURCE | BleepingComputer
Axis Communications
February 23, 2022: Video surveillance solutions manufacturer Axis Communications was victim of a cyberattack. The attack interrupted many of Axis’s offerings and as of the date of this notice, the company was working to restore affected services and preserve the safety of its systems and data. The company does not believe any sensitive customer or partner data was compromised.
SOURCE | Securityinfowatch.com
State Bar of California
February 28, 2022: A third party unlawfully accessed a State Bar of California public website that aggregates nationwide court case records. The site temporarily displayed confidential information on 260,000 non-public attorney discipline case records, along with about 60,000 public State Bar court case records,s and may have included information from other jurisdictions. The case profile data exposed included case number, file date, case type, case status and respondent and complaining witness names. It did not include full case records.
SOURCE | The State Bar of California
Toyota
February 28, 2022: Toyota, the world’s largest automaker, was forced to halt production at all of its Japanese plants after one of its major suppliers was hit with a cyberattack, disrupting the automaker’s parts supply management system. The supplier, Kojima Industries, provides plastic parts to Toyota. Toyota’s subsidiaries Hino Motors and Daihatsu Motor were also forced to cease operations at some plants in Japan.
SOURCE | Nikkei Asia
Aon
March 1, 2022: Professional services and insurance giant Aon, which also provides cybersecurity services to its customers, has itself experienced a cyberattack. In a statement to its investors, the company said the Feb. 23 incident impacted a limited number of systems but declined to provide further details. The company has launched an inquiry into the breach.
SOURCE | CyberNews
Logan Health
March 2, 2022: Montana-based Logan Health Medical Center notified 213,543 patients, employees and business associates that their personal and health data was possibly accessed. A sophisticated cyberattack on its IT systems led to the unlawful entry of a file server containing protected health information. The compromised data varied by individual and could include names, Social Security numbers, dates of birth, contact information and email addresses.
SOURCE | SC Media
Bako Diagnostics
March 3, 2022: Laboratory Bako Diagnostics (BakoDX) confirmed that the company experienced a data breach resulting in the personal and healthcare information of certain consumers being compromised. Bako Diagnostics’ services cover more than 250 million individuals. While the compromised information varies by consumer, it may include the affected parties’ name, date of birth, address, telephone number, email address, Social Security number, driver’s license number, state identification number, health insurance information, medical information and billing and claims information.
SOURCE | JD Supra
PracticeMax
March 7, 2022: PracticeMax, a provider of healthcare support services, informed 165,698 individuals of a security incident resulting in an unauthorized party gaining access to their sensitive information. While the compromised information varies by consumer, it may include the affected parties’ names, addresses, Social Security numbers, dates of birth, treatment and diagnosis information, health insurance information, financial information, patient account numbers, employer and employee identification numbers, passport numbers, driver’s license numbers, state identification numbers, prescription information, and provider or employee login information.
SOURCE | JD Supra
Norwood Clinic
March 11, 2022: Alabama-based Norwood Clinic notified 228,103 patients that their data was potentially accessed or acquired after a cyberattack in October 2021. The investigation determined the cyberthieves gained access to folders that contain personal information of patients, including names, contact details, date of birth, Social Security numbers, driver’s licenses, some health information, and/or health insurance policy numbers.
SOURCE | SC Media
South Denver Cardiology Associates
March 15, 2022: An unknown actor was able to gain access to the computer network of South Denver Cardiology Associates (SDCA). The unknown perpetrator(s) gained access to files containing information on 287,652 patients. The information exposed includes patients’ names, dates of birth, Social Security numbers and/or drivers’ license numbers, patient account numbers, health insurance information and clinical information, such as physician names, dates and types of service and diagnoses.
SOURCE | Infosecurity
Jefferson Dental and Orthodontics
March 18, 2022: More than one million Texans were impacted by a data breach at Jefferson Dental and Orthodontics. The breach is the largest ever reported to the Texas Attorney General. Types of data exposed or stolen include Social Security numbers, driver’s license numbers, health insurance information and financial information.
SOURCE | CBS News
New York City Public Schools
March 28, 2022: In what may be the largest breach of student data in U.S. history, the personal information for roughly 820,000 current and former New York City public school students has been compromised. Every student profile in the database had information about which teachers they have, what courses they take, their grades and more.
SOURCE | The Record
CSI Laboratories
March 31, 2022: Cytometry Specialists, Inc. (doing business as CSI Laboratories) in Alpharetta, GA announced it was the victim of a cyberattack. An investigation determined that 312,000 individuals were impacted. Information disclosed includes patient names and case numbers used for identifying patients. A subset of patients also had their address, date of birth, medical record number and health insurance information compromised.
SOURCE | HIPAA Journal
Partnership Health Plan of California
April 5, 2022: The Hive ransomware group posted a message on its HiveLeaks dark website declaring the group had access to the personal private information of approximately 850,000 patients of healthcare coverage provider Partnership Healthplan of California (“PHC”). This data included their patients’ names, addresses, and Social Security numbers.
SOURCE | Healthleaders
Block
April 6, 2022: Block, the company behind the mobile payment service Cash App, acknowledged a Cash App data breach in which a former employee accessed reports that included U.S. customer information. The company is notifying about 8.2 million current and former customers about the breach. The reports included customer names and brokerage account numbers, and in some cases brokerage portfolio values, brokerage portfolio holdings and stock trading activity for one trading day.
SOURCE | CNET
Texas Department of Insurance
April 6, 2022: A data breach at the Texas Department of Insurance affected approximately 1,800,000 Texans. The department discovered a security issue with a TDI web service application that manages workers’ compensation information. The data breach exposed names, addresses, Social Security numbers and medical information.
SOURCE | Insurance Journal
Clinic of North Texas
April 6, 2022: Clinic of North Texas (CNT) fell victim to a cyberattack that resulted in unauthorized access to patient information for 244,174 individuals. The unauthorized actor accessed a folder containing names, birth dates, addresses and limited health information.
SOURCE | HealthITSecurity
SuperCare Health
April 7, 2022: SuperCare Health in California suffered a data breach which impacted 318,379 individuals. The respiratory care provider determined that names, addresses, health insurance information, medical record numbers, birth dates, patient account numbers, claim information, treatment information and hospital or medical group information were involved in the incident. A smaller number of Social Security numbers and driver’s license numbers were also involved.
SOURCE | HealthITSecurity
Lakeview Loan Servicing
April 12, 2022: Mortgage servicer Lakeview Loan Servicing disclosed a data breach that went undetected for over a month. The company said in public notices that the breach impacted 2,537,261 borrowers. An unauthorized person external to the company obtained access to the firm’s servers and information including names, addresses, loan information and Social Security numbers.
SOURCE | National Mortgage News
Christie Clinic
April 13, 2022: Illinois-based medical practice Christie Clinic disclosed a data breach occurred when a third party gained unauthorized access by way of a single business email account. The personal information of roughly 500,000 individuals was potentially compromised. The hacked email account contained names, addresses, medical and health insurance information and Social Security numbers.
SOURCE | SecurityWeek
Choice Health
May 7, 2022: An unauthorized person accessed Choice Health database and took multiple files. This breach occurred because Choice Health’s service provider failed to properly configure the security settings. The unauthorized person had the intention of making these stolen files available to others. The files contained information including first and last name, social security numbers, Medicare beneficiary identification numbers, date of birth, address, contact information, and health insurance information. It is assumed the breach allowed for 2.1 million records to be compromised.
SOURCE |Legal Scoops
MCG Health
May 25, 2022: Seattle based MCG Health discovered that files including social security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth and genders were missing from their database, affecting 793,283 individuals. Investigators discovered that information of up to 11 million people was potentially obtained.
SOURCE |Hippa Journal
Flagstar Bank
June 2, 2022: Flagstar Bank experienced a breach between December 3rd and 4th 2021 but did not discover it until June 2, 2022. The breach was caused by “unauthorized access” to the bank’s private network and after careful investigation Flagstar determined information, including social security numbers, were accessed to over 1.5 million people.
SOURCE | ZDNet
Baptist Health System
June 16, 2022: An unauthorized party gained access to the Baptist Health System’s computer network by installing a line of malicious code onto their system’s website. This breach affected over 1.2 million patients and the compromised information included full names, dates of birth, addressed, Social Security numbers, health insurance information, as well as medical and billing information.
SOURCE | JDSurpa
Professional Finance Company Inc. (PFC)
July 1, 2022: A Colorado based accounts receivable management company, Professional Finance Company Inc. (PFC), fell victim to a ransomware attack in February 2022. The company believed they had successfully blocked the attack but realized mid-summer that many of their computer systems were disabled. PFC is a leading debt recovery agency and holds accounts for many healthcare providers, financial institutions, and government organizations. It is believed the breach affected nearly 657 of its healthcare provider clients and nearly 1,918,941 individuals. Compromised information included names, addresses, account receivable balances, health insurance information, and Social Security numbers.
SOURCE |HIPAA Journal
Goodman Campbell Brain and Spine
July 22, 2022: Goodman Campbell Brain and Spine in Indiana announced to their patients that they had been affected by a data breach and the PII of 326,833 patients were potentially compromised. The hacker accessed appointment information, referral forms, as well as insurance eligibility forms. Information exposed includes names, dates of birth, email addresses, medical record numbers, patient account numbers, diagnosis and treatment information, insurance information, and Social Security numbers.
SOURCE |WishTV
Aetna ACE
August 3, 2022: Health insurance provider, Aetna ACE fell victim to a ransomware attack through a third-party mailing vendor, OneTouchPoint. The breach involved the protected information of 326,249 patients, exposing names, addresses, dates of birth, member ID, and some medical information.
SOURCE |Hipaa Journal
Plex
August 23, 2022: The streaming video service, Plex, requested over 25-million users to update their passwords after they discovered a third-party had accessed their database, exposing emails, usernames, and encrypted passwords. The California-based service sent a mass email to all their users instructing them to log out of all accounts, reset accounts to a secure password, and encouraged the set-up of two-factor authentication.
SOURCE |FierceVideo
Wolfe Eye Clinic
September 21, 2022: Iowa-based Wolfe Eye Clinic confirmed that they have been affected by a breach occurring within their electronic medical provider, Eye Care Leaders, and over 540,000 records were exposed as a result. Names, birth dates, Social Security numbers, and patient health insurance information were potentially compromised.
SOURCE |HIPAA Journal
Family Medicine Centers
September 29, 2022: A Texas-based network of primary care clinics, Family Medicine Centers, suffered a data breach after an outside attempt to shut down their computer operations and databases, resulting in certain information being accessible to an unauthorized party. The breach impacted 233,948 individuals and information such as names, Social Security numbers, addresses, medical insurance information and health information.
SOURCE |Health IT Security
Los Angeles Unified School District
October 2, 2022: In what has been one of the largest breaches within the education sector, the Los Angeles Unified School District (LAUSD) was hit with a ransomware attack that disrupted staff and students’ access to their emails, databases, and applications. The hackers released nearly 500GB of stolen data onto the dark web containing personal information such as social security numbers, passport details, tax documents, financial reports, health data, and psychological evaluations of students. The LAUSD is the second largest school district in the United States with nearly 700,000 teachers, staff and students among 1,300 schools.
SOURCE |Tech Crunch
CSI Laboratories
October 7, 2022: Cancer testing and diagnostic laboratory group, CSI Laboratories, confirmed an employee email account was breached and accessed by an unauthorized third party. The breach may have allowed access to the private health information of nearly 244,.870 CSI patients. The group discovered that certain files containing patient information had been transferred out of the employee’s mailbox to an unknown source. Most of the files only contained patient numbers, but some did contain names, dates of birth and health insurance information.
SOURCE |HIPAA JOURNAL
Advocate Aurora Health
October 14, 2022: Advocate Aurora Health is one of the largest healthcare providers in the greater Chicago area. Using internet tracking, certain interactions between their database were leaked and their electronic medical records system was breached as a result. The U.S. Department of Health and Human Services predicted that this breach could affect all 3 million of their patients. Sensitive leaked information included IP addresses, physical location, names, and confidential health information. The health group does not believe that Social Security numbers or debit and credit card information were involved.
SOURCE |FierceHealthcare
Commonwealth Care Alliance of California
November 15, 2022: California-based Commonwealth Care Alliance (CCA) reported a data breach after an unauthorized source gained access to the company’s private files. CCA has notified their patients of the breach but did not disclose how many were affected in the attack. Exposed information included Social Security numbers, dates of birth, driver’s license numbers, and protected health information for some individuals.
SOURCE |JD Surpa
HomeTrust Mortgage
November 23, 2022: HomeTrust Mortgage operates as a non-depository mortgage bank headquartered in Texas and operates at 13 different locations throughout the USA’s southern states. The company fell victim to a ransomware attack that compromised data and private information stored on the company’s database. Breached information included Social Security numbers, addresses, names and phone numbers of certain individuals. HomeTrust Mortgage declined to announce the number of customers affected by the attack.
SOURCE |JD Surpa
Doctors’ Center Hospitals
November 23, 2022: Doctors’ Center Hospitals the largest healthcare network in Puerto Rico recently learned an unauthorized third party was able to gain access to their database. The breach resulted in the protected health information of 1,925,220 people being compromised in the attack.
SOURCE |JD Surpa
CommonSpirit Health
December 1, 2022: CommonSpirit Health is the second largest health system in the United States. Data belonging to over 623,000 patients was potentially compromised in a ransomware attack from earlier in the year. Exposed data includes full names, addresses, phone numbers, dates of birth, and unique identification used as internal codes by the organization.
SOURCE |BleepingComputer
