The 10 Biggest Data Breaches of 2020 (So Far)

More than 3.2 million records were exposed in the 10 biggest data breaches in the first half of 2020, with eight of the top 10 breaches occurring at medical or health-care organizations.



Looking for patterns and new trends in security breaches may help educate consumers and businesses about the value of protecting personally identifiable information.

The information compromised can include everything from Social Security numbers and driver’s license numbers to credit/debit card numbers and personal medical records. The methods for obtaining the data, meanwhile, run the gamut from insider threats and hacking to employee negligence, physical theft and unauthorized access.

More than 3.2 million records were exposed in the 10 biggest data breaches in the first half of 2020, according to information compiled by the Identity Theft Resource Center and the U.S. Department of Health and Human Services.

Eight of the 10 largest breaches impacted medical or health-care organizations, with one breach hitting a government agency and one breach striking an educational institution. Read on to learn how the biggest data breaches of 2020 (so far) transpired.

10. Tandem Diabetes Care

Number Of Records Exposed: 140,781

Tandem Diabetes Care learned Jan. 17 that an unauthorized person gained access to an employee’s email account through phishing, with a subsequent investigation finding that five Tandem employee email accounts may have been accessed by an unauthorized user between Jan. 17 and Jan. 20, the San Diego-based medical device manufacturer said on March 16.

Some customer information was contained within these email accounts, including customer names, contact information, information related to those customers’ use of products or services from Tandem, clinical data regarding their diabetes therapy, and in a few limited instances, Social Security numbers.

Customers whose Social Security numbers were included in the email accounts can get a complimentary membership for credit monitoring and identity protection services, Tandem said. A class-action lawsuit filed in April accused Tandem of failing to have adequate technological safeguards, which the lawsuit claimed caused foreseeable risk of patient data loss as well as identity theft and other economic losses.

9. Aveanna Healthcare

Number Of Records Exposed: 166,077

Aveanna Healthcare became aware on Aug. 24, 2019, of suspicious activity relating to a number of employee email accounts, with a subsequent investigation determining that an unknown intruder accessed certain employee email accounts between July 9, 2019, and Aug. 24, 2019, the Atlanta-based pediatric home care provider said on Feb. 14, 2020.

Aveanna said it determined on Dec. 19, 2019, that information for certain patients and employees may have been accessible in the email accounts involved in the breach. Some of the accessible information included Social Security numbers, bank/financial account numbers, credit/debit card information, passport numbers, driver's licenses, patient diagnosis information, and prescription/medication information.

More than 100 patients filed a class-action lawsuit in May, alleging that Aveanna waited well beyond the 60-day notification window allowed under HIPAA to begin sending notices to potential victims. The lawsuit also alleged that Aveanna inadequately safeguarded patient data and maintained the private information in a reckless manner.

8. BST & Co., CPAs

Number Of Records Exposed: 170,000

Albany, N.Y.-area accounting firm BST & Co. CPAs fell victim to a ransomware attack that encrypted files on its computer network without authorization and blocked access to those files. The ransomware was active on BST’s network from Dec. 4 to Dec. 7, 2019, was disclosed on Feb. 14, and allowed an unknown person to gain access to the part of the network where client files belonging to BST customer Community Care Physicians were stored.

Information encrypted in the ransomware attack included name, date of birth, billing codes, insurance description and medical record numbers for CCP patients. Some of the data showed up on the website of the Maze ransomware gang, and included a complete list of BST's employee names, addresses, Social Security numbers, dates of birth, phone numbers and pay rate, Brett Callow of Emsisoft found.

A class-action lawsuit filed at the end of May alleged BST lacked adequate security practices and computer systems, failed to implement standard policies and tools to prevent ransomware attacks, and didn’t employ adequate network monitoring. The CCP patients also allege that BST did not provide prompt notification that an attack had occurred.

7. PIH Health

Number Of Records Exposed: 199,548

PIH Health learned on June 18, 2019, that certain employee email accounts had been accessed without authorization as a result of a targeted email phishing campaign, with subsequent investigation finding that the access had occurred between June 11 and June 18, 2019, the Whittier, Calif.-based health-care provider disclosed on Jan. 10, 2020.

Information belonging to current and former PIH Health patients was contained within the breached email accounts, although PIH Health didn’t disclose what types of patient data had potentially been accessed. PIH Health said it took steps to secure its email system and network, including resetting the passwords required to access the potentially affected employee email accounts.

A class-action lawsuit filed in February alleged that PIH Health maintained private patient information in a reckless manner on the company’s computer network in a condition vulnerable to cyberattacks.

6. Ambry Genetics

Number Of Records Exposed: 232,772

The security team at Ambry Genetics identified unauthorized access to an employee’s email account between Jan. 22 and Jan. 24, 2020, but was unable to determine whether there was unauthorized acquisition of any particular information from the email account, the Aliso Viejo, Calif.-based genetic testing company disclosed on April 17.

The security incident may have resulted in the disclosure of customers’ names, medical information, information related to customers’ use of Ambry’s services, and in a relatively small number of instances, Social Security numbers, according to Ambry. In response, Ambry said it has undertaken an ongoing effort to enhance its security measures and provide additional training to employees.

A class-action lawsuit filed the following week alleged Ambry failed to implement “adequate and reasonable” cybersecurity protocols. The suit alleged Ambry neglected to implement even “basic security practices” despite the availability of industry standards and guidance.

5. BJC HealthCare

Number Of Records Exposed: 287,876

BJC HealthCare on March 6 identified suspicious activity within three employees’ email accounts, and a subsequent investigation determined an unauthorized person gained access to the employee email accounts for a limited period of time that day, the St. Louis-based health-care organization disclosed on May 5.

BJC identified emails and/or attachments in the accounts that contained patients’ Social Security numbers, driver’s license numbers, names, dates of birth, medical record or patient account numbers, and limited treatment or clinical information. For patients whose Social Security numbers or driver’s license numbers are identified, BJC is offering free credit monitoring and identity protection services.

The investigation was unable to determine if the unauthorized person viewed any BJC emails or information while having access to the employee email accounts. BJC said additional email security measures will be implemented to prevent incidents such as this in the future and staff will be retrained to help them identify and avoid suspicious emails.

4. U.S. Marshals Service

Number Of Records Exposed: 387,000

A public-facing United States Marshals Service server that hosts information pertaining to current and former prisoners was found to have been breached on Dec. 30, 2019, the federal law enforcement agency disclosed on May 1, 2020.

Personally identifiable information exposed in the breach could include date of birth, Social Security number and addresses, which the U.S. Marshals Service said might be used to commit identity theft. The agency recommended that affected individuals complete a Federal Trade Commission ID Threat Affidavit, which will allow people to notify creditors that their identity might have been compromised.

A new cybersecurity monitoring tool alerted officials to an attempted attack on the U.S. Marshals Service’s DSNet system, which facilitates the movement and housing of prisoners with the federal courts, the Bureau of Prisons, and within the agency, an agency spokesperson said. Officials are taking numerous corrective actions before returning DSNet to service, including comprehensive code review, correction and testing.

3. Wichita State University

Number Of Records Exposed: 440,968

An unauthorized person gained access to a Wichita State University computer server used to operate various student and employee web portals between Dec. 3, 2019, and Dec. 5, 2019, the Kansas-based public research university disclosed on March 6, 2020.

A comprehensive review of the server determined that information stored in a historical database on the server contained names, email addresses, dates of birth, and Social Security numbers. Wichita State said it’s offering identity theft protection services through ID Experts to help people resolve issues if their identity has been compromised.

A lawsuit filed in March by a former student alleged Wichita State was negligent in keeping and storing sensitive data, waited too long to alert potential victims about the breach, and “knowingly and deliberately” enriched itself by not paying for security measures that would have guarded against the breach. The university told The Wichita Eagle in March that it didn’t believe the lawsuit had merit.

2. Elkhart Emergency Physicians

Number Of Records Exposed: 550,000

Seven South Bend, Ind.-area health-care facilities contracted with Central Files to provide secure record storage and destruction, entrusting the company with sensitive and legally protected information about their own patients, clients, and/or employees. One of the facilities was Elkhart Emergency Physicians, which worked with Central Files between 2002 and 2010.

The health-care facilities were alerted between April 1 and April 9, 2020, that confidential documents entrusted to Central Files had been improperly dumped at an unsecured South Bend-area location. A probe found the records discovered at the dump site were in poor condition, showing signs of moisture damage, mold and rodent infestation, and damage from being mixed with trash and other debris.

After the records that could be safely salvaged were retained, a document destruction vendor was engaged; the remaining records were removed from the site on May 20 and are in the process of being destroyed. The records found included full names, addresses, telephone numbers, dates of birth, Social Security numbers, insurance information, dates of service, and clinical and diagnostic information.

1. Health Share Of Oregon

Number Of Records Exposed: 654,362

Health Share of Oregon was informed Jan. 2 that the personal information of its members was located on a laptop that was stolen from non-emergent medical transportation vendor GridWorks, the Medicaid coordinated care organization disclosed on Feb. 5. The break-in and theft occurred at GridWorks’ office on Nov. 18, 2019, according to Health Share.

The personal information located on the laptop included names, addresses, phone numbers, dates of birth, Social Security numbers and Medicaid ID numbers. Members’ personal health histories were not exposed, Health Share said.

In response to this incident, Health Share said it is expanding annual audits of its contractors, enhancing training policies, and ensuring that all transmission of patient information is kept to the minimum necessary to perform required duties. All members whose information was stored on the computer have been offered one year of free credit monitoring and identity restoration services.