Learning Center April 16, 2025 Reading Time: 8 minutes

How Much Do Healthcare Data Breaches Really Cost?

Explore how top healthcare data breaches exposed sensitive PII, disrupted patient care, and challenged HIPAA compliance across digital ecosystems.

When a data breach occurs in the healthcare industry, the fallout isn’t just reputational—it can interrupt patient care, expose sensitive Personally Identifiable Information (PII), and violate data privacy regulations. Healthcare organizations store vast amounts of healthcare data, including medical records, biometric data, and digital account information. A single breach can affect millions, leading to regulatory fines, legal action, and years of remediation. Maintaining strong data security practices across your ecosystem is essential.

Here are the top 10 healthcare sector breaches by costs and the lessons they offer security leaders. Some recent breaches with large patient impact are not included, likely because their financial settlements are not as large or not yet finalized.

1. Change Healthcare

What happened: Ransomware attackers infiltrated Change Healthcare, a subsidiary of UnitedHealth Group, disrupting claims, billing, and pharmacy operations nationwide in 2024. The attack exposed highly sensitive PHI—and impacted over 100 million individuals. UnitedHealth Group acknowledged paying a $22 million ransom and later disclosed over $1.6 billion in projected breach-related expenses, including recovery efforts, vendor support, and emergency provider loans. The company said it expects the total to amount to $2.45 billion. Change Healthcare is in ongoing litigation over the breach that could produce additional costs.

Root cause: The attackers, linked to the ALPHV/BlackCat ransomware gang, gained access through an account that lacked MFA.

Lesson: Healthcare organizations and their vendors must continuously monitor access controls and secure remote connectivity. As ransomware tactics evolve, HIPAA covered entities need to prioritize real-time vendor risk monitoring, implement zero trust principles, and implement SCDR-backed breach detection.

2. Anthem

What happened: Attackers gained access to nearly 80 million medical records in 2015, including names, birthdates, Social Security numbers, and financial information. It remains one of the largest breaches of Protected Health Information (PHI) ever reported. Anthem agreed to pay $115 million to settle U.S. lawsuits around the data breach. The company also paid a $16 million HIPAA settlement, bringing its estimated costs to $131 million.

Root cause: Spearphishing was used to obtain employee credentials, which gave unauthorized users access to Anthem’s database.

Lesson: Breached healthcare records often stem from credential misuse. HIPAA covered entities must apply strict access controls and monitor for insider threats. Consistent data security training and role-based access management can help minimize risk.

3. Premera Blue Cross

What happened: A sophisticated cyberattack exposed the sensitive information of 11 million individuals, including Social Security Numbers (SSNs) and bank account numbers. The company agreed to a $74 million settlement to resolve the ensuing class-action lawsuit. Premera also settled a multi-state lawsuit for $10 million and paid a $6.85 million HIPAA fine.

Root cause: The 2015 breach originated from an email-based attack that remained undetected for months. Investigators found outdated security protocols and insufficient data protection.

Lesson: Organizations must implement data security protocols to protect PHI and conduct active threat monitoring. Unsecured protected health information is a recurring vulnerability. Investing in layered data security is critical to regulatory compliance.

4. Excellus BlueCross BlueShield

What happened: Cybercriminals breached records of 10 million members and applicants. Exposed data included direct identifiers and claims history. The 2015 breach resulted in a $17.3 million settlement, a $5.1 million HIPAA fine, and a $4.35 million class-action settlement.

Root cause: Hackers had access to the system for over 18 months without detection. A lack of real-time alerts and legacy systems delayed response.

Lesson: The longer a breach goes unnoticed, the more likely it is that stolen data will be used to create false accounts or target additional systems. Real-time alerts and network visibility are central to modern data security strategies.

5. St. Joseph Health

What happened: In 2012, St. Joseph Health reported a breach that exposed the electronic health records of 31,800 patients. Files containing sensitive data—including diagnoses, medications, and lab results—were made publicly accessible due to misconfigured security settings. The organization agreed to a $15 million settlement in a class action lawsuit in addition to a $2.14 million settlement to address HIPAA violations.

Root cause: St. Joseph Health maintained a file sharing application with default security settings, making PHI accessible to internet search engines.

Lesson: Misconfigurations can lead to large-scale data breaches. Healthcare organizations must conduct regular risk assessments and verify default settings on new systems comply with HIPAA requirements.

6. Banner Health

What happened: Hackers breached the payment processing system of Banner Health’s food and beverage outlet in 2016 and accessed 3.7 million records that included PHI. Banner Health agreed to a $6 million settlement to resolve the claims, a $1.25 million HIPAA fine, and $8.9 million in a class-action settlement.

Root cause: Attackers exploited unpatched systems and poor network segmentation.

Lesson: HIPAA compliance requires ongoing audits and segmentation between operational and patient systems. Building layered data security architecture reduces lateral movement during an attack.

7. Community Health Systems

What happened: An attack by a Chinese cyber-espionage group led to the theft of personal data from 4.5 million individuals, including names and driver’s license numbers. After the 2014 breach, the company agreed to a $3.1 million settlement with the Department of Health and Human Services. Community Health Systems also reached a $5 million settlement with multiple states and incurred a $2.3 million penalty for HIPAA violations.

Root cause: A known vulnerability in OpenSSL (Heartbleed) was exploited due to delayed patching and poor vulnerability management.

Lesson: Patch management is crucial. Failing to close known vulnerabilities invites both hacking incidents and regulatory consequences. This case underscores the role of proactive data security hygiene.

8. UCLA Health

What happened: A cyberattack compromised the personal and medical data of 4.5 million patients between 2014 and 2015. UCLA Health paid $7.5 million in a class action settlement related to the breach.

Root cause: Hackers gained network access months before discovery, exploiting weak access controls and unsegmented system permissions. Investigators determined that UCLA Health had not fully implemented encryption across all systems containing PHI.

Lesson: Healthcare organizations must enforce strict identity and access management protocols to limit internal movement and protect PHI. Delayed detection and incomplete encryption can lead to regulatory consequences, reputational damage, and long-term financial exposure.

9. Massachusetts Eye and Ear Infirmary

What happened: Massachusetts Eye and Ear Infirmary experienced a breach when an unencrypted laptop containing patient data was stolen in 2010. The device held personal information including patient prescriptions and clinical information of roughly 3,600 individuals. The Department of Health and Human Services (HHS) levied a $1.5 million HIPAA settlement against the organization for failing to implement appropriate safeguards, including encryption and employee training.

Root cause: The breach stemmed from a lack of device-level encryption and insufficient risk assessments for mobile data storage.

Lesson: Even small-scale breaches can result in large penalties if basic safeguards are missing. Encrypting devices that store PHI is a fundamental security measure for HIPAA covered entities. Regular audits and employee training are essential.

10. New York Presbyterian Hospital and Columbia University

What happened: In 2010, a server jointly maintained by NewYork-Presbyterian Hospital and Columbia University was misconfigured, exposing the electronic PHI (ePHI) of 6,800 patients online. The exposed data included names, vital signs, medications, and lab results. The U.S. Department of Health and Human Services (HHS) determined both entities failed to implement appropriate risk management processes and oversight. The organizations agreed to a HIPAA settlement of $4.8 million.

Root cause: A physician employed by the university attempted to deactivate a personal computer connected to hospital systems, which made the server accessible. The breach was enabled by insufficient technical safeguards.

Lesson: Shared IT environments between institutions demand clearly defined roles, responsibilities, and oversight. Failing to coordinate cybersecurity controls across entities can lead to major security breaches and regulatory penalties.

Why It Matters for Security Leaders

Healthcare breaches put organizational operations, lives, trust, and compliance at risk. Every breach listed highlights the importance of proactively managing third-party vendors, enforcing strict access control, and building layered defenses. Investing in data security is essential.

SecurityScorecard’s platform gives healthcare organizations the tools to:

  • Continuously monitor vendor networks for emerging threats
  • Benchmark against HIPAA compliance and data privacy regulations
  • Respond rapidly when sensitive data is at risk

Securing What You Don’t Control: Your Healthcare Vendor Ecosystem

SecurityScorecard empowers healthcare organizations with complete visibility to secure what they don’t own—their vendor supply chains, external attack surfaces, and third-party risk vectors.

Discover how leading healthcare providers use SecurityScorecard to:

  • Identify hidden vulnerabilities across vendor networks
  • Detect third-party threats before patient data is compromised
  • Streamline compliance with healthcare security regulations
  • Protect PHI and sensitive PII throughout your entire ecosystem


Protect Your Supply Chain with Real-Time Threat Detection

SecurityScorecard’s SCDR solution offers continuous monitoring of your third-party ecosystem, enabling swift identification and mitigation of cyber threats. Enhance your organization’s resilience by proactively managing supply chain risks.

Let’s build a more resilient future for healthcare—together.
