Data Breach Bullseye - Part 1

This series will discuss 2021’s sensitive data breach statistics for three of the most vulnerable industries prone to cyberattacks: healthcare, financial services, and education. We will uncover why breaches occur at high rates in these verticals, and how organizations can best prepare against them. Today, we will explore the full extent of last year’s attacks on healthcare.

Understanding the impact of sensitive data breaches in healthcare

As the number one sector for the most data breaches for the third year in a row, the healthcare industry reported more than 330 incidents or 18% of 2021’s total data compromises according to the Identity Theft Resource Center’s 2021 Annual Data Breach Report.

While the number of industry-related data breaches increased slightly (8%) last year, the volume of healthcare data privacy victims increased almost three-fold (189%) to more than 28 million individuals. Of the total incidents reported by U.S.-based healthcare organizations, 89% involved the sensitive data of more than 24.8 million individuals.

Healthcare was the most vulnerable industry to sensitive data breaches across all major attack vectors in 2021:

#1 for ransomware attacks
#1 for third-party/supply chain attacks
#1 for human and system insider errors

Healthcare’s top attack vectors

Healthcare was the number one industry most vulnerable to sensitive data breaches by ransomware, supply chain attacks, and insider errors. Cyberattacks were responsible for 98% of the industry’s sensitive data victims. While third-party and supply chain vulnerabilities contributed to 195 healthcare data breach incidents, ransomware attacks impacted the greatest number of people, almost 10 million. At the other end of the spectrum, two cyberattacks upon non-secure cloud environments left more than 2 million people’s sensitive data vulnerable. Healthcare organizations continue to make for prime targets because of how critical patient data is to operations.

Healthcare Sensitive Data Cyberattack Victims in 2021

Attack Vector Individuals Impacted Total Incidents
Ransomware 9,836,117 42
Phishing, smishing, business email correspondence 2,629,596 82
Unsecured cloud environment 2,102,436 2
Third party/supply chain 1,816,720 195
Malware 70,268 13

Source: Identity Theft Resource Center notified database January 1-December 31, 2021

The cost of healthcare data breaches

Not only did healthcare experience the most data breaches by sheer volume, but they were also the most expensive at $9.23 million per breach. The 29.5% increase in cost from 2020 is likely due to the significant operational shifts that occurred during the pandemic and outdated healthcare medical record systems that gave attackers easy access to breach dated systems with newer cyberattack methods.

Top ten healthcare data breaches by the numbers

Last year’s top ten healthcare sensitive data breaches compromised the privacy of almost 14 million individuals or 56% of the industry’s total data privacy victims. The largest sensitive data breach (responsible for 13% of the industry’s breach victims) occurred at a managed vision care company, where misconfigured Amazon Web Services security enabled bad actors to access the Social Security numbers and personal health information for 3,253,822 customers.

Healthcare providers were involved in 7 of the top 10 incidents, while hospitals were involved in 2 of the most impactful incidents. All of the year’s top 10 incidents were cyberattacks carried out by external actors. Ransomware proved to be the most common attack vector in 6 of the top 10 incidents. The most targeted sensitive data records included social security numbers (9 out of 10 instances) and personal health information (8 out of 10 instances).

A proactive approach to data breach protection

With an increasing array of infiltration tactics at their fingertips, it’s only a matter of time before any organization is made a target by cyberattackers. The sheer volume of attacks—and the expenses that are incurred by organizations that do not have data remediation processes in place—mean that a proactive approach must be taken to protect your data once hackers breach your security perimeter.

Organizations that utilize a combination of automated data discovery, classification, and remediation processes will mitigate the potentially long-lasting effects of data breaches. In an era where cyberattacks are the norm, Spirion’s solution to sensitive data protection can help turn the tide against cybercrime.

To find out more about the impact of sensitive data breaches in 2021, read our full reports on the financial serviceshealthcare, and education sectors.

Want to dig deeper?

Read more in our new report Healthcare Guide to Sensitive Data Breaches and visit to learn about how to proactively protect your sensitive data and curb the cost of a data breach.

Download now