There’s no sugarcoating the fact that 2015 was a dizzying year for data breaches, and disastrous for many organizations and consumers. In the first half of the year alone, Gemalto found that 888 disclosed incidents compromised nearly 246 million records worldwide.

There were certainly trends in data breaches this year, including the increasing sophistication of hackers, the ever-increasing threat of massive state-sponsored attacks, and the continuing prevalence of large breaches in the healthcare industry. In fact, the average healthcare breach through mid-2015 was 200 percent larger than in the first half of 2014.

With those trends in mind, let’s take a look back at the 10 biggest and baddest breaches of 2015—and then see what consumers and security professionals can do to make 2016 a safer and more secure year.

Less to Spend, More to Lose: Data Breach and the Mid-Market Company

The Five Biggest Breaches of 2015

These were the five biggest breaches of the year in the U.S., based on number of records compromised.

1. Anthem, 80 million

Health insurer Anthem revealed in February 2015 that hackers, likely from China, had accessed a database that included encrypted as well as unencrypted data on patients and employees. According to the Huffington Post, it was the fifth-largest breach of all time.

2. Ashley Madison, 37 million

A hacking group known as Impact Team stole private information on 37 million people who used the Ashley Madison website, which encourages users to cheat on their partners. The hackers are threatening to reveal customers’ personal data unless the website shuts down (it has yet to do so).

3. U.S. Office of Personnel Management, 21.5 million

The U.S. Office of Personnel Management suffered two unrelated breaches in 2015, the largest one affecting over 21 million current and past federal workers. Again, the breaches of the government agency are believed to have originated in China.

4. Experian, 15 million

Experian, the world’s largest consumer credit monitoring firm, suffered its second massive breach in 2015. The breach exposed the sensitive personal data of about 15 million T-Mobile customers who underwent credit checks by Experian. An earlier attack on an Experian subsidiary exposed the Social Security numbers of 200 million U.S. citizens.

5. Premera Blue Cross Blue Shield, 11 million

The records exposed in Premera’s breach may have been more sensitive than those leaked in the far larger Anthem breach, including Social Security numbers and financial information of subscribers and people who do business with the company.

The Five Baddest Breaches of 2015

Now let’s take a look at the five baddest breaches of the year—an admittedly subjective category that highlights breaches that are especially damaging or disturbing because of factors such as who they targeted, how they were carried out, and their lasting ramifications.

1. LastPass, 7 million

Consumers who take smart steps to protect their online security should be rewarded for it, not punished. That’s the troubling aspect of this breach of a leading password management company: it has further undermined consumer confidence and could lead to unsafe practices. It’s a big problem if consumers stop believing in their ability to achieve digital security and fail to take even basic precautions.

2. Planned Parenthood, 333

While “only” 333 employees were affected by the Planned Parenthood attack, the troubling aspect of this breach is that it was done not to achieve financial gain but to pursue ideological agendas and blackmail affected individuals.

3. Securus Technologies, thousands

Prison phone company Securus Technologies had 70 million call records hacked, involving thousands of prisoners across 37 states. The ugliest part? Many of those recorded calls appear to have violated prisoners’ Constitutional rights because they involved confidential conversations between prisoners and their attorneys.

4. IRS, 100,000

Hackers accessed extremely sensitive information through past tax returns, including Social Security data and financial details. The total cost to taxpayers in fraudulent claims will be about $50 million.

5. Harvard University, eight schools and offices

Harvard University joined a long list of other universities to suffer a data breach in 2015. Education is being hit hard, ranking just behind retail with 6 percent of all data breaches in the first half of the year. Budgets are tight in the education sector, but breaches at our most esteemed universities are a reminder that security must be prioritized to protect students and employees.

What Can We Learn From the Big and the Bad?

Want even more bad news? These lists include only U.S. breaches. Two of the largest breaches of 2015—50 million records breached at a Turkish agency and 20 million at Russian dating site Topface—occurred outside the U.S.

Here are a few takeaways that all organizations—big and small—can put into practice now and in 2016:

  • Beware of all sources of attacks. The largest two breaches were state-sponsored attacks, but Gemalto found that type of attack accounted for just two percent of all the data breach incidents in the first half of 2015. The biggest culprit over those six months? Malicious outsiders, with 62 percent of total breaches and nearly half of all records taken.
  • Brace yourself, especially in healthcare and government. According to Gemalto, the healthcare and government sectors accounted for about two-thirds of all compromised data records in the first half of the year.
  • Encrypt. The data stolen from LastPass was heavily encrypted, which may limit the damage done. At the very least, organizations should follow LastPass’s example and encrypt sensitive data at rest.
  • Learn from mistakes. One breach is bad enough. If your organization suffers a second large attack, as did Experian, the damage to your reputation will grow exponentially.
  • Heed the warnings. According to the Seattle Times, Premera Blue Cross was warned three weeks before its data breach began that it lacked sufficient network security procedures. Ironically, the warning was issued following an audit by the U.S. Office of Personnel Management—which suffered an even larger breach. Premera argues that the vulnerabilities found in the audit may not have been exposed by the hackers. But the point remains: Take any warning seriously, and act as quickly as possible to upgrade your security measures.
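To make the “Encrypt” takeaway concrete, here is an added example (not from the original post, and not the code of any company named above): a small Go wrapper that encrypts a single sensitive column, a Social Security number, with AES-GCM so that a dumped table contains ciphertext rather than the numbers exposed in the Experian, Premera and IRS incidents. The FieldCipher name, the assumption that the key lives in a KMS or HSM rather than in the database, and the sample values are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// FieldCipher encrypts one sensitive column (here an SSN) with AES-GCM. The key
// is held outside the database (a KMS or HSM), so a dumped table is ciphertext.
type FieldCipher struct{ aead cipher.AEAD }
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal returns base64(nonce || ciphertext || tag) to store in place of the SSN;
// the row's name is bound as associated data so a field cannot be moved to another row.
func (f *FieldCipher) Seal(name, ssn string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := f.aead.Seal(nonce, nonce, []byte(ssn), []byte(name))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal; it fails on a wrong key, on tampering, and on a name
// other than the one the field was sealed for.
func (f *FieldCipher) Open(name, field string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(field)
	if err != nil {
		return "", err
	}
	n := f.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("stored field too short to hold a nonce")
	}
	pt, err := f.aead.Open(nil, raw[:n], raw[n:], []byte(name))
	return string(pt), err
}
```

Encryption only limits the damage if the key is not stored beside the data; an attacker who dumps both the table and the key gets the plaintext anyway.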
