The 10 Biggest Data Breaches of 2022 (So Far)

The number of victims per incident may be down, but the number of actual breaches continues to rise, according to the Identify Theft Research Center.

The good news about data breaches so far in 2022: The number of victims per cyberattack appears to be down compared to last year.

But the bad news is that the actual number of reported breach incidents increased by 14 percent, to 404, during the first quarter of 2022, compared to the same period in 2021, according to data from the Identify Theft Research Center.

And the average payment for ransomware attacks has increased by 71 percent from last year, with average payouts now approaching $1 million.

So the bottom line: It’s been one step forward, two steps back when it comes to preventing data breaches and their financial consequences.

According to data from the Identify Theft Research Center, health-care institutions, financial services companies, manufacturers and utilities continue to be the top targets of hackers.

The center also reports that phishing and ransomware attacks account for most of the reported data breaches, based on first quarter stats. Other causes of breaches include malware, credential stuffing and unsecured cloud tools.

But 154 of the 404 filed incident reports in the first quarter did not specify the cause of a breach, an increase in the lack of transparency, the center said.

Following are the 10 biggest breaches so far in 2022, according to data and information compiled by the Identify Theft Research Center and CRN. Click through our slideshow for more details.

The 10 Biggest Data Breaches of 2022 So Far:

* Baptist Medical Center (San Antonio, Texas)

* Flagstar Bank

* Texas Department of Insurance

* Shields Health Care Group

* Horizon Actuarial Services LLC

* Lakeview Loan Servicing

* Elephant Insurance Services LLC

* FlexBooker

* Beetle Eye

* Cash App Investing LLC

10. Baptist Medical Center (San Antonio, Texas)

Number of individuals impacted: 1.24 million

This is a case of a health-care institution being targeted by hackers. In late June, San Antonio-based Baptist Medical Center and affiliate Resolute Health Hospital of New Braunfels, Texas experienced a major breach, apparently the result of a malware attack, according to published accounts.

The incident ranks as one of the largest breaches recently tracked by the U.S. Department of Health and Human Services, which now compiles reports on health-care breaches across the country. The breach, discovered in April, included unauthorized access to highly sensitive patient data.

9. Flagstar Bank

Number of individuals impacted: 1.54 million

This incident involved another favorite target of hackers: a financial institution. In June, Flagstar Bank of Troy, Mich. reported it suffered a major breach late last year that impacted 1.54 million people, according to TechCrunch.

“After an extensive forensic investigation and manual document review, we discovered on June 2, 2022 that certain impacted files containing your personal information were accessed and/or acquired from our network,” the bank wrote in a letter to customers.

This was the second recent data breach at the bank. In January 2021, Flagstar notified customers it was one of the many companies impacted by the Accellion hack, TechCrunch reports.

8. Texas Department of Insurance

Number of individuals impacted: 1.8 million

Another increasingly favorite target for hackers: state and local government agencies. But in this case, the perpetrator of the incident at the Texas Department of Insurance may have been the government agency itself. TDI reported in March about a “security issue with a TDI web application that manages workers’ compensation information.”

TDI said the data breach was caused by programming code that allowed internet access to a protected area of the application.Sensitive data that could have been accessed included Social Security numbers, dates of births, and other personal information.

7. Shields Health Care Group

Number of individuals impacted: 2 million

Yet, another health-care institution. In June, Quincy, Mass.-based Shields Health Care Group reported that it was investigating a data security breach that appeared to impact about 2 million people at dozens of regional health-care facilities.

Saying it was alerted in March to “suspicious activity that may have involved data compromise,” Shields Health Care Group said its investigation “determined that an unknown actor gained access to certain Shields systems from March 7, 2022 to March 21, 2022. Furthermore, the investigation revealed that certain data was acquired by the unknown actor within that time frame.”

Shields said there was no evidence the data – which included names, Social Security numbers and insurance information — has been used to commit identify fraud or theft.”

6. Horizon Actuarial Services LLC

Number of individuals impacted: 2.29 million

Horizon Actuarial, which provides technical and actuarial consulting services for many union benefit plans in the United States, reported earlier this year that it was the victim of ransomware attack late last year after two computer servers were accessed without authorization.

“The group provided a list of information they claimed to have stolen,” Horizon reported, noting the info allegedly including names, dates of birth, Social Security numbers and health plan information. “During the course of the investigation, Horizon Actuarial negotiated with and paid the group in exchange for an agreement that they would delete and not distribute or otherwise misuse the stolen information.”

Among the benefit plans impacted were the Major League Baseball Players Benefit Plan, the National Hockey League Players Association Health and Benefits Fund and the New York Times Benefit Guild.

5. Lakeview Loan Servicing

Number of individuals impacted: 2.57 million

Yet another breach involving a financial-services entity, in this case Coral Gables, Fla.-based Lakeview Loan Servicing, which is now facing multiple lawsuits over a data breach that impacted millions.

The breach, which reportedly led to the theft of highly sensitive customer information, occurred from October 27 through Dec. 7, 2021. The breach was discovered in January and publicly announced in March. According to one lawsuit, some of the stolen data has been listed for sale on the “dark web,” according to a report at National Mortgage Professional.

4. Elephant Insurance Services LLC

Number of individuals impacted: 2.76 million

In May, Henrico, Va.-based Elephant Insurance Services reported that it had experienced a cyber incident that began in late March and that may have impacted information related to millions of customers seeking insurance policies.

After detecting “unusual activity on its network,” Elephant Insurance said it launched an immediate probe and determined that an intruder may have had access to information that included names, driver‘s license numbers and dates of birth of people.

3. FlexBooker Number of individuals impacted: 3.75 million

In January, FlexBooker, which sells online appointment booking tools that businesses embed in their websites, revealed it had discovered a data breach that ultimately impacted more than three million people.

According to ZDNet, the Columbus, Ohio-based company said that some of its customer database had been breached after its AWS servers were compromised in late 2021 and that FlexBooker said its “system data storage was also accessed and downloaded” as part of the attack. The information obtained included partial credit card data, ZDNet reports.

2. Beetle Eye Number of individuals impacted: 7 million

Beetle Eye, which is an online tool that helps marketers with their email marketing campaigns, experienced a major breach apparently caused by a misconfigured AWS S3 Bucket that was left without any encryption, according to a report at Data Breach Today.

Researchers at Website Planet first discovered the breach at the Sarasota, Fl.-based Beetle Eye, which reportedly left its Amazon S3 bucket open, exposing sensitive data belonging to an estimated 7 million people.

1. Cash App Investing LLC Number of individuals impacted: 8.2 million

Companies often urge employees to take precautions to avoid cyberattacks and other cyber mishaps. But what happens when a former employee is the one launching the hack? You get the cyber-debacle Cash App Investing experienced earlier this year – and which has turned out to be the largest data breach so far in 2022.

As CNN reported in April: “More than 8 million Cash App Investing customers may have had personal data compromised after a former employee downloaded internal reports without permission, parent company Block Inc revealed. … Information in the reports accessed by the former employee included customers’ full names and brokerage account number, which is the personal identification number associated with a customers’ stock activity on the platform.”