The 10 Biggest Data Breaches of 2019

More than 137 million records were exposed in the 10 biggest data breaches in 2019, with six of the 10 largest incidents occurring at medical or healthcare organizations and two taking place at government agencies.


Data Doldrums


Looking for patterns and new trends in security breaches may help educate consumers and businesses about the value of protecting personally identifiable information.

The information compromised can include everything from Social Security numbers and credit card numbers to protected health information and user names. Meanwhile, the methods for obtaining the data run the gamut from insider threats to hacking to employee negligence.


More than 137 million records were exposed in the 10 biggest data breaches in 2019, according to information compiled by the Identity Theft Resource Center and the U.S. Department of Health and Human Services.

Six of the 10 largest breaches impacted medical or healthcare organizations, with two breaches hitting government agencies, one breach walloping a bank, and one breach striking an educational institution. Read on to learn how adversaries carried out the biggest data breaches of 2019.


10. Oregon Department of Human Services

Number Of Records Exposed: 645,000

A successful email phishing campaign ended up exposing Social Security numbers and personal health information for clients of the Oregon Department of Human Services (DHS).

Nine Oregon DHS employees opened a phishing email sent on Jan. 8, 2019, and clicked on an internet link that gave the sender access to their email accounts. The affected accounts were located and access to those accounts was stopped by Jan. 28, and the agency determined in June how many customers were impacted after an extensive forensic investigation.

The exposed client information included first and last name, addresses, dates of birth, Social Security numbers, case numbers, personal health information, and other information used in DHS programs, according to the department. Most of the exposed client information was found in email attachments, like reports. Affected individuals are being offered access to identity theft and monitoring services.

9. UW Medicine

Number Of Records Exposed: 973,024

A vulnerability on a UW Medicine website server caused by "internal human error" made protected internal files available and visible by search on the internet starting on Dec. 4, 2018. The files contained patients’ names, medical record numbers, and a description and purpose of what patient information was shared, with whom, and why.

In general, the files described what parts of a patient's medical record were shared rather than providing their actual health information. In some instances, the UW Medicine files included the name of a lab test that was performed (but not the result) or the name of the research study that included the name of a health condition.

UW Medicine fixed the error immediately upon discovery on Dec. 26, 2018, and then worked with Google to remove saved versions of the files and prevent them from showing up in search results. All saved files were completely removed from Google’s servers by Jan. 10, 2019, and the data leakage was made public on Feb. 20.

8. Georgia Tech

Number Of Records Exposed: 1.3 Million

Unauthorized access to a Georgia Tech web application exposed personal information for current and former faculty, students, staff and student applicants. The school is conducting a thorough forensic investigation to determine precisely what information was extracted from the database, which might include names, addresses, Social Security numbers and birth dates.

Georgia Tech identified signs in late March that an unauthorized person had found a way to send queries through a web server at the school to an internal database. As a result, the school said the hacker might have been able to access the database between Dec. 14, 2018 and March 22, 2019.

The school publicly disclosed the hack on April 2, and is offering credit monitoring and identity theft protection services to individuals whose Social Security numbers were involved in the breach. Georgia Tech said people should actively monitor for the possibility of fraud and identity theft by reviewing their credit report and credit card, bank, and other financial statements for any unauthorized activity.

7. Inmediata Health Group

Number Of Records Exposed: 1.57 Million

Inmediata Health Group became aware in January that some electronic health information was viewable online due to a webpage setting that permitted search engines to index internal webpages that are used for business operations. The information potentially involved in this data leakage may include patients’ names, addresses, dates of birth, gender, Social Security numbers, and medical claim information.

The San Juan, Puerto Rico-based health information systems provider said that it immediately deactivated the website after becoming aware of the data leakage and engaged an independent digital forensics firm to assist with an investigation. Inmediata hasn't seen evidence that any of the exposed files were copied, saved, or subject to actual or attempted misuse.

Inmediata publicly disclosed the incident on April 22, and began mailing notification letters to the potentially affected individuals on the same day. Ten days later, the Michigan Attorney General’s Office said it had been contacted by two people who had received multiple letters from Inmediata about the breach, some of which had been misaddressed to other people.

6. Clinical Pathology Laboratories

Number Of Records Exposed: 2.2 Million

Clinical Pathology Laboratories was notified in May that an American Medical Collection Agency (AMCA) database containing information for some CPL patients had been affected in a data security incident. AMCA is an external collection agency used by Clinical Pathology Laboratories and other healthcare companies.

But at the time of AMCA’s initial notification, Clinical Pathology Laboratories said they weren’t provided with enough information to identify potentially affected patients or confirm the nature of patient information potentially involved in the incident. For this reason, the company held off on notifying patients about the breach until July.

As a result, Clinical Pathology Laboratories said that patients might have had their names, addresses, phone numbers, dates of birth, dates of services, balance information and treatment provider information exposed during the breach. Of the 2.2 million affected patients, Clinical Pathology Laboratories said roughly 34,500 of them might have had their credit card or banking information exposed as well.

5. Federal Emergency Management Agency (FEMA)

Number Of Records Exposed: 2.3 Million

The Office of the Inspector General (OIG) said in March that FEMA violated the Privacy Act of 1974 and Department of Homeland Security policy by releasing sensitive personally identifiable information of the survivors of hurricanes Harvey, Irma, and Maria and the California wildfires in 2017 that went well beyond what was needed to verify their eligibility for the transitional sheltering assistance program.

FEMA released unnecessary personal information for the disaster survivors to its contractor beyond what's used to confirm eligibility during the sheltering check-in process at participating hotels. FEMA gave the contractor more than 20 unnecessary data fields, including the applicant's street address, city name, zip code, financial institution name, electronic funds transfer number, and bank transit number.

Prior iterations of the transitional sheltering assistance program required additional information such as applicant bank names and account numbers; however, the current program does not require this information. The OIG said that FEMA’s failure to provide only the required data elements placed disaster survivors at increased risk of identity theft and fraud.

4. Dominion National

Number Of Records Exposed: 2.96 Million

Dominion National determined that an unauthorized party may have gained access to some of its computer servers as early as Aug. 25, 2010. Information exposed in the breach may have included names, addresses, email addresses, dates of birth, Social Security numbers, member ID numbers, group numbers, subscriber numbers, bank account and routing numbers, and taxpayer identification numbers.

The Arlington, Va.-based dental and vision insurer and administrator learned of the breach through an investigation of an internal alert of April 24, 2019, and disclosed it publicly on June 21, 2019. After learning of this, Dominion National said it moved quickly to clean the affected servers and implement enhanced monitoring and alerting software.

Dominion National said it has no evidence that any information was in fact accessed, acquired, or misused. The company is offering a two-year membership to ID Experts MyIDCare, which includes credit monitoring and fraud protection services, for any potentially affected individual.

3. LabCorp

Number Of Records Exposed: 7.7 Million

Millions of LabCorp customers had data stored on the web payment page of the American Medical Collection Agency (AMCA) that was breached between Aug. 1, 2018, and March 30, 2019. AMCA is an external collection agency used by LabCorp and other healthcare companies.

Information exposed could include first and last name, date of birth, address, phone, date of service, provider, balance information, as well as credit card or bank account information provided by the consumer to AMCA. The 200,000 LabCorp consumers whose credit card or bank account information may have been accessed will receive identity protection and credit monitoring services for 24 months.

In response to the breach, LabCorp ceased sending new collection requests to AMCA and stopped AMCA from continuing to work on pending collection requests involving LabCorp consumers. LabCorp never provided ordered test, laboratory results, or diagnostic information to AMCA, and AMCA said it didn't store or maintain Social Security numbers or insurance identification information for LabCorp clients.

2. Quest Diagnostics

Number of Records Exposed: 11.9 Million

Quest Diagnostics said in June that a potential breach on the web payment page of its billings collection vendor exposed financial and medical information of its patients.

The New York-based clinical laboratory provider said that, between Aug. 1, 2018 and March 30, 2019, an unauthorized user had access to the American Medical Collection Agency (AMCA) system containing information that AMCA had received from Quest Diagnostics and others, according to a filing with the U.S. Securities and Exchange Commission (SEC). This information was provided to Quest by AMCA.

The information on AMCA's affected system included medical information, financial information such as credit card numbers and bank account information, and other personal information like Social Security Numbers, according to the Quest filing. Quest said its laboratory tests were not provided to AMCA, and therefore weren't impacted by the breach.

1. Capital One

Number of Records Exposed: 106 Million

Capital One revealed in July that a hacker had gained access to personal information from 106 million credit card applicants and customers in the United States and Canada.

The McLean, Va.-based financial services giant said one million Canadian Social Insurance Numbers, 140,000 U.S. Social Security numbers, and 80,000 linked bank account numbers of Capital One clients were compromised in the breach. People who applied for a Capital One credit card between 2005 and early 2019 had their name, address, ZIP code/postal code, phone number, email address, date of birth, and self-reported income accessed by the hacker, according to the company.

Former Amazon Web Services employee Paige Thompson was ultimately charged with accessing the personal information of Capital One credit card applicants and customers as well as stealing data from more than 30 other companies. A firewall misconfiguration allegedly allowed Thompson to access folders or buckets of data in Capital One's AWS storage space.