The Biggest Healthcare Data Breaches of All Time (Ranked by Records Exposed)


Kevin Henry

Data Breaches

March 21, 2026


Healthcare organizations hold an enormous concentration of protected health information (PHI). When attackers gain unauthorized access, the fallout spans identity theft, fraud, and care disruption. This guide examines the biggest healthcare data breaches of all time, ranked by the number of individuals affected, with the source of each count noted where reported figures differ.

Across these cases, familiar patterns repeat: a spear phishing email that steals credentials, malware installed for persistence, a ransomware attack that exfiltrates before it encrypts, and a missing or bypassable multi-factor authentication (MFA) control that turns one stolen password into a systemwide crisis. Third-party vendor risk magnifies the blast radius when a single contractor serves many payers and providers.

Change Healthcare Data Breach Overview

What happened

In February 2024, Change Healthcare, the UnitedHealth Group subsidiary that operates one of the nation's largest clearinghouses for claims, eligibility, and pharmacy transactions, suffered a ransomware attack attributed to the ALPHV/BlackCat group. Systems were taken offline to contain it, severing connectivity for pharmacies and provider revenue cycles and delaying prescriptions and reimbursement nationwide for weeks.

Records exposed and impact

UnitedHealth Group's initial filings did not include a count, but in January 2025 it reported that approximately 190 million individuals were affected, a figure it also reported to HHS. That makes Change Healthcare the largest healthcare breach on record, more than twice the size of Anthem's 2015 incident, and a reminder that a single clearinghouse at the center of U.S. billing and pharmacy networks concentrates PHI from nearly every payer and provider.

Attack path and security gaps

UnitedHealth Group's CEO told Congress in May 2024 that the attackers used compromised credentials to log in to a Change Healthcare Citrix remote access portal that did not have multi-factor authentication enabled. From that foothold they moved laterally, exfiltrated data, and deployed ransomware about nine days after initial access. The absence of MFA on an internet-facing remote access portal is the confirmed gap; how far the intrusion was able to reach from a single login suggests weak segmentation as well, though detailed forensics have not been published.

Risk-reduction moves

  • Mandate phishing-resistant MFA for every remote and privileged access path, with no exceptions for legacy portals; retire push-only approvals, which attackers defeat with MFA fatigue.
  • Continuously monitor for anomalous data egress; throttle and block mass exfiltration in real time.
  • Harden third-party connectivity with zero trust controls, least privilege, and contractually enforced security baselines.
  • Maintain offline, tested backups and an exercised ransomware playbook to minimize downtime.

Anthem Blue Cross Data Breach Analysis

What happened

Disclosed in February 2015, the Anthem intrusion began with a targeted phishing campaign; the attackers had been inside since early 2014 and were detected in late January 2015. Stolen employee credentials let the attackers query Anthem's data warehouse, ultimately exposing a historic volume of member records.

Records exposed and impact

Approximately 78.8 million records were impacted, which made Anthem the largest healthcare breach on record until Change Healthcare in 2024. Exposed data included names, dates of birth, Social Security numbers, addresses, and employment and income information that can fuel identity and medical fraud for years. Anthem later paid a $16 million HIPAA settlement to HHS OCR, the largest such settlement at the time.

Root causes and controls

The kill chain featured credential theft, unauthorized access, and extensive data discovery over many months. Controls that would have reduced risk include phishing-resistant MFA, separation of administrative duties, and behavioral analytics to flag abnormal database queries, such as an account that normally reads a few hundred rows suddenly pulling tens of millions.

Lessons for payers and providers

  • Continuously test employees against spear phishing email techniques and measure improvement, not just completion.
  • Instrument data stores with query-level monitoring and least-privilege roles.
  • Encrypt sensitive identifiers and tokenize where possible to reduce breach value.
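The monitoring advice in the Change Healthcare section (watch for anomalous data egress) and here (query-level monitoring on data stores) comes down to the same detection: learn what volume each account normally reads and alert on departures. The following Python is an added example written for this article, not code from Anthem, Change Healthcare, or any vendor. The audit log format, account names, baseline cutoff, and thresholds are assumptions chosen for illustration; the same function applies to any per-principal volume metric, such as bytes per outbound flow.

```python
"""Added example: per-account volume baseline for database audit logs.

Not code from the article or from any organization it discusses. The log
format, account names and thresholds are constructed for illustration.
Each account's normal result-set size is learned from a baseline window;
queries after the cutoff are flagged when they return far more rows than
that account normally does, when they exceed an absolute ceiling, or when
an account with no history at all pulls a large result set.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    table: str
    rows: int


def parse_audit_line(line: str) -> AuditEvent:
    """Parse one constructed audit line: '<ISO timestamp> user=<u> table=<t> rows=<n>'."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return AuditEvent(datetime.fromisoformat(ts_str), fields["user"],
                      fields["table"], int(fields["rows"]))


def build_baselines(events, cutoff):
    """Mean and population stdev of rows returned, per account, before the cutoff."""
    history = defaultdict(list)
    for e in events:
        if e.ts < cutoff:
            history[e.user].append(e.rows)
    return {u: (mean(r), pstdev(r)) for u, r in history.items()}


def detect_bulk_reads(events, baselines, cutoff, *, z_threshold=4.0,
                      absolute_ceiling=100_000, unknown_account_ceiling=10_000):
    """Return (event, reason) pairs for post-cutoff queries that look like bulk extraction."""
    alerts = []
    for e in events:
        if e.ts < cutoff:
            continue
        if e.rows >= absolute_ceiling:
            alerts.append((e, f"rows={e.rows} exceeds absolute ceiling {absolute_ceiling}"))
            continue
        if e.user not in baselines:
            if e.rows >= unknown_account_ceiling:
                alerts.append((e, f"account with no history returned {e.rows} rows"))
            continue
        mu, sigma = baselines[e.user]
        # Floor the spread at 25% of the mean so a near-constant baseline
        # does not turn a trivial change into a multi-sigma alert.
        spread = max(sigma, 0.25 * mu, 1.0)
        z = (e.rows - mu) / spread
        if z >= z_threshold:
            alerts.append((e, f"rows={e.rows} is {z:.1f} sigma above this account's mean of {mu:.0f}"))
    return alerts


# Constructed sample log: a DBA and a claims app behave normally for a week,
# then a bulk read, an unknown service account and an out-of-profile query appear.
SAMPLE_LOG = """\
2015-01-20T09:00:00 user=dba_maria table=members rows=120
2015-01-21T09:05:00 user=dba_maria table=members rows=95
2015-01-22T09:01:00 user=dba_maria table=members rows=140
2015-01-23T09:02:00 user=dba_maria table=members rows=110
2015-01-24T09:00:00 user=dba_maria table=members rows=130
2015-01-20T10:00:00 user=app_claims table=claims rows=12
2015-01-21T10:00:00 user=app_claims table=claims rows=8
2015-01-22T10:00:00 user=app_claims table=claims rows=15
2015-01-23T10:00:00 user=app_claims table=claims rows=10
2015-01-24T10:00:00 user=app_claims table=claims rows=11
2015-01-27T09:00:00 user=dba_maria table=members rows=125
2015-01-27T10:00:00 user=app_claims table=claims rows=9
2015-01-27T23:40:00 user=dba_maria table=members rows=78800000
2015-01-28T02:15:00 user=svc_unknown table=members rows=50000
2015-01-28T03:00:00 user=app_claims table=claims rows=400
"""
BASELINE_CUTOFF = datetime(2015, 1, 25)  # assumption: first five days are the learning window


def run_example():
    events = [parse_audit_line(line) for line in SAMPLE_LOG.splitlines()]
    baselines = build_baselines(events, BASELINE_CUTOFF)
    return detect_bulk_reads(events, baselines, BASELINE_CUTOFF)


if __name__ == "__main__":
    for event, reason in run_example():
        print(f"{event.ts.isoformat()} {event.user} {event.table}: {reason}")
```

On the constructed log this raises three alerts: the 78.8 million-row read (absolute ceiling), the never-seen service account pulling 50,000 rows, and the claims application returning 400 rows where it normally returns about 11. Note that the 400-row query is tiny in absolute terms; it is only the per-account baseline that exposes it, which is why a single global threshold is not enough.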

Premera Blue Cross Data Breach Details

What happened

In March 2015, Premera disclosed that attackers had maintained undetected access since May 2014, aided by malware installation and lateral movement; the intrusion was identified in late January 2015. The dwell time allowed broad reconnaissance before discovery and containment.

Records exposed and impact

Roughly 10.4 million individuals were affected according to HHS OCR (Premera's own estimate was about 11 million). Exposed PHI included names, dates of birth, Social Security numbers, bank account information, and clinical and claims data, expanding both privacy risk and the surface for fraud. Premera paid a $6.85 million settlement to OCR in 2020.

Root causes and controls

Extended persistence reflected monitoring gaps. Stronger endpoint detection and response, rapid isolation of suspicious hosts, and enforced MFA for administrative interfaces would have materially narrowed exposure.

Key takeaways

  • Shorten mean time to detect with high-fidelity telemetry and automated containment.
  • Segment networks so data stores cannot be reached from user zones without explicit, verified trust.
  • Apply rigorous patch and vulnerability management to shrink exploitable windows.

Optum360 and American Medical Collection Agency Breaches

What happened

In 2019, the American Medical Collection Agency (AMCA), a third-party debt collector used by multiple healthcare organizations, including clients billed through Optum360, disclosed that its web payment portal had been compromised. The unauthorized access ran from August 2018 to March 2019, a window that weak monitoring failed to shorten. AMCA's parent company filed for bankruptcy protection within weeks of the disclosure.

Records exposed and impact

Across impacted AMCA customers, the aggregate number of exposed records exceeded 20 million. The largest individual event tied to this compromise involved Quest Diagnostics (via its billing vendor Optum360) at approximately 11.9 million patients.

Root causes and controls

This episode underscored third-party vendor risk: shared processors and collectors can concentrate PHI and payment data. Stronger supplier due diligence, enforced security baselines, and continuous controls monitoring would have curbed exposure.


Practical safeguards

  • Impose contractually defined MFA, encryption, and logging requirements on vendors handling PHI.
  • Limit data shared with processors to the minimum necessary; rotate and expire access tokens.
  • Adopt continuous attack surface monitoring of vendor-facing applications.

LabCorp Data Breach Incident

What happened

Also in 2019, LabCorp reported that the AMCA compromise affected approximately 7.7 million of its patients. LabCorp's own systems were not breached; the data it had entrusted to the collector was.

Records exposed and impact

The incident included identifying details and balance information useful for fraud and social engineering. The ripple effect illustrated how a single vendor intrusion can cascade across marquee healthcare brands.

Risk controls that matter

  • Tier vendors by inherent risk and require evidence of security maturity before onboarding.
  • Use data minimization, field-level encryption, and tokenization to reduce breach utility.
  • Continuously validate vendor controls with attestations plus technical tests, not paperwork alone.

Excellus Health Plan Malware Attack

What happened

Excellus disclosed in September 2015 that attackers had been present since December 2013. Malware installation and stealthy lateral movement gave them access to core systems for roughly 20 months before the compromise was identified.

Records exposed and impact

Approximately 10.5 million members were affected by Excellus's initial estimate (HHS OCR cited about 9.3 million in its 2021 settlement). Exposed PHI included names, addresses, birth dates, Social Security numbers, and other policy details, elevating both privacy and fraud risks.

Root causes and controls

Prolonged dwell time and insufficient anomaly detection were central. Threat hunting, privileged access management with robust MFA, and network segmentation would have constrained attacker reach and visibility.

Action checklist

  • Deploy EDR with managed detection and 24x7 response to suppress persistence quickly.
  • Instrument east–west traffic to detect lateral movement and data staging.
  • Regularly rehearse incident response to accelerate triage and legal/regulatory steps.

Kaiser Foundation Health Plan Data Exposure

What happened

In April 2024, Kaiser Foundation Health Plan reported that online tracking technologies embedded in certain web pages and mobile apps had transmitted limited member information to third-party advertising and analytics vendors. This was a data exposure, not a ransomware attack, but it is still an unauthorized disclosure under HIPAA and was reported to HHS as a breach.

Records exposed and impact

Approximately 13.4 million individuals were affected. The data sent commonly included interaction metadata (for example, IP address, name, signed-in status, and how members navigated pages or searched the health encyclopedia), highlighting how ordinary analytics tags can create hidden leakage paths.

Root causes and controls

Third-party scripts and pixels executed in the client browser without strict governance, so whatever appeared in the page, the URL, or the member's session was theirs to collect. Preventive measures include server-side tagging, technical review of every tracker before deployment, a Content Security Policy that restricts which hosts a page may load from or send to, and privacy-by-design approvals.

Governance to adopt

  • Inventory and continuously scan for tags, SDKs, and pixels across sites and apps.
  • Define and enforce a “no PHI to analytics/ads” rule with automated blocking.
  • Review business associate agreements and data processing terms for any analytics provider.
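The inventory and "no PHI to analytics" checks above can be automated against page markup. The following Python is an added example written for this article, not Kaiser's code or any tag vendor's. The page HTML, the hostnames, the approved-tag list, and the list of PHI-like parameter names are assumptions chosen for illustration. It lists every script, image and iframe source, flags hosts that are neither first-party nor approved, flags any outbound URL that carries a PHI-like query parameter even when the host is approved, and emits a Content Security Policy that permits only the approved hosts.

```python
"""Added example: static audit of third-party tags and pixels on a page.

Not Kaiser's code or any vendor's; the page markup, hostnames and the list
of PHI-like parameter names are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

FIRST_PARTY_HOSTS = {"healthplan.example"}                                       # assumption
APPROVED_TAG_HOSTS = {"cdn.trusted-analytics.example"}                           # assumption
PHI_PARAM_NAMES = {"member_id", "mrn", "dob", "email", "diagnosis", "plan_id"}   # assumption


class ResourceCollector(HTMLParser):
    """Collect (tag, src) for elements that make the browser issue a request."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))


def audit_page(html: str):
    """Return findings as (kind, tag, host, detail) tuples, in document order."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.resources:
        url = urlparse(src)
        host = url.hostname  # None for relative URLs, which are first-party
        if host is None or host in FIRST_PARTY_HOSTS:
            continue
        if host not in APPROVED_TAG_HOSTS:
            findings.append(("unapproved_host", tag, host, src))
        # The "no PHI to analytics" rule applies to approved hosts too.
        leaked = sorted(k for k in parse_qs(url.query) if k.lower() in PHI_PARAM_NAMES)
        if leaked:
            findings.append(("phi_in_url", tag, host, ",".join(leaked)))
    return findings


def csp_for_approved_hosts(hosts):
    """Build a CSP that limits scripts, images and fetches to self plus the approved hosts."""
    allowed = " ".join(f"https://{h}" for h in sorted(hosts))
    return (f"default-src 'self'; script-src 'self' {allowed}; "
            f"img-src 'self' {allowed}; connect-src 'self' {allowed}; frame-src 'none'")


# Constructed member-portal page: one approved tag, one unapproved social
# script, and two pixels that carry member identifiers in the query string.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.trusted-analytics.example/tag.js"></script>
<script src="https://tags.social.example/pixel.js"></script>
</head><body>
<img src="https://pixel.adnet.example/collect?member_id=12345&amp;event=claim_view" width="1" height="1">
<img src="https://cdn.trusted-analytics.example/collect?event=pageview&amp;dob=1980-01-01">
</body></html>
"""


def run_example():
    return audit_page(SAMPLE_PAGE), csp_for_approved_hosts(APPROVED_TAG_HOSTS)


if __name__ == "__main__":
    findings, csp = run_example()
    for kind, tag, host, detail in findings:
        print(f"{kind:15} <{tag}> {host}: {detail}")
    print("Content-Security-Policy:", csp)
```

On the constructed page this reports the unapproved social script, the unapproved ad pixel, the member_id sent to that pixel, and the date of birth sent to the approved analytics host. A static scan only sees what is in the served HTML; tags injected at runtime by a tag manager will not appear, so pair this with a Content-Security-Policy-Report-Only header in production to observe the hosts pages actually contact before enforcing the generated policy.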

Summary: how these breaches stack up (confirmed counts)

  • Change Healthcare (2024): approximately 190 million individuals per UnitedHealth Group's January 2025 update; the largest healthcare breach on record.
  • Anthem (2015): about 78.8 million records; the largest for nearly a decade.
  • AMCA ecosystem (2019; multiple clients, including Quest via Optum360): cumulative exposures exceeding 20 million; Quest alone ~11.9 million.
  • Kaiser Foundation Health Plan (2024): ~13.4 million exposed via tracking technologies.
  • Excellus Health Plan (2015): ~10.5 million by the plan's estimate (about 9.3 million per HHS OCR).
  • Premera Blue Cross (2015): ~10.4 million per HHS OCR.
  • LabCorp (2019, via AMCA): ~7.7 million.

Key takeaways

  • Most catastrophic losses start with human-targeted entry (a spear phishing email or purchased credentials) and expand through control gaps such as remote access without MFA and flat networks.
  • Third-party vendor risk can multiply impact; constrain shared data, enforce uniform controls, and monitor continuously.
  • Prepare for ransomware with hardened identity, rapid detection, proven backups, and practiced response to protect PHI and clinical operations.

FAQs

What was the largest healthcare data breach by the number of records exposed?

By confirmed counts, the 2024 Change Healthcare ransomware attack is the largest, with approximately 190 million individuals affected per UnitedHealth Group's January 2025 update. Anthem's 2015 breach, at roughly 78.8 million records, held that position for nearly a decade and remains the largest breach of a single health plan's own systems.

How do ransomware attacks impact healthcare data security?

A ransomware attack typically steals data before encryption (“double extortion”), turning PHI into leverage while paralyzing clinical and revenue operations. The result is delayed care, costly manual workarounds, and long-term privacy harm. Controls that blunt impact include phishing-resistant MFA, least privilege, robust EDR, network segmentation, offline backups, and tested recovery procedures.

How can healthcare organizations defend against spear phishing?

Adopt phishing-resistant MFA (for example, FIDO2 security keys), disable legacy authentication, and enforce conditional access for all remote and privileged accounts. Pair that with continuous anti-phishing training using realistic simulations, email authentication (SPF/DKIM/DMARC), strict device posture checks, and rapid revocation of sessions and tokens as soon as a spear phishing email is reported.

How do third-party vendors contribute to data breach risks?

Vendors often aggregate PHI across clients, so one compromise can spill data at massive scale. Reduce third-party vendor risk by minimizing shared data, segmenting connections, requiring audited security controls and incident reporting, scanning for web trackers, and enforcing contracts that mandate encryption, MFA, logging, and the right to test and terminate if standards aren’t met.
