1. In 2011, military health system Tricare reported that records for 4.9 million patients were breached when a contractor for the system's insurance carrier, Tricare Management Activity, lost backup tapes used to store electronic health-record data for patients in the San Antonio area. The contractor, Science Applications International Corp. (now Leidos), said the tapes were stolen from the car of an employee transporting them to an off-site storage facility. The breach sparked a $4.9 billion class-action lawsuit. All but two of the cases were dismissed in 2014.
2. Franklin, Tenn.-based Community Health Systems, an investor-owned company that operates 206 hospitals in 29 states, reported a breach affecting over 4.5 million patients in August 2014. The breach was the result of a cyberattack that cybersecurity experts believe exploited the Heartbleed software bug, which was disclosed in 2014. The attack was traced to China. Officials believe the hackers were seeking intellectual property on medical devices but instead made off with nonmedical protected patient data, including Social Security numbers, names, addresses and dates of birth.
3. Advocate Health Care, Downers Grove, Ill., reported the theft of four computers from one of its physician groups in August 2013. The computers contained the unencrypted medical records of over 4 million patients. It was not Advocate's first breach. In 2009, a thief stole an unencrypted laptop holding data on 812 patients. The health system said the encryption protocol established after the 2009 theft had not yet been deployed in the offices affected in the 2013 theft.
4. The Texas Health and Human Services Commission sued Xerox Corp. in May 2014, alleging Xerox had jeopardized the protected health data of nearly 2 million Texas Medicaid patients by refusing to hand over patient records after the state terminated its contract with Xerox's Medicaid claims administration unit. The suit also claimed that Xerox copied and removed patient data and allowed other vendors and its lawyers to access it. The state said Xerox's actions put the state out of compliance with federal HIPAA regulations.
5. Insurer Health Net, Rancho Cordova, Calif., reported in March 2011 that protected health data for 1.9 million past and current customers had been compromised when its IT vendor, IBM Corp., lost drives containing the data.
6. In February 2011, New York City Health and Hospitals Corp. sued its data storage and transport vendor, GRM Management Information Services, saying the vendor was responsible for the breach of 1.7 million patients' and employees' data when drives containing the data were left in an unlocked van.
7. Gainesville, Fla.-based insurer AvMed reported 1.2 million members' data was compromised when two laptops were stolen from the company's headquarters in December 2009. Affected members brought a class-action lawsuit which was reportedly later settled for $3 million.
8. In May 2014, IT employees at Montana's Department of Public Health and Human Services discovered malware on a server containing protected health information of nearly 1.1 million current, former, and deceased state residents. The agency said it expected its cyber liability insurance would cover costs associated with the hacking incident.
9. Nemours, a healthcare system based in Wilmington, Del., lost a storage cabinet containing unencrypted backup tapes bearing patient billing and employee payroll data for over 1.6 million individuals. The HHS website reports nearly 1.1 million individuals' protected health data was potentially compromised. The cabinet was lost in the course of remodeling.
10. Insurer Blue Cross and Blue Shield of Tennessee disclosed a breach affecting more than 1 million members after 57 hard drives containing patient data were removed from the insurer's servers located in a Chattanooga office. The breach resulted in HHS' first enforcement action for a self-reported incident. The health plan paid $1.5 million in penalties.