The only good news in regard to 2015 U.S. data breaches was that fewer took place than the year before – by a hair. The bad news was the number of exposed records doubled compared to 2014 figures.

There were 781 data breaches in 2015, which exposed 169,068,506 records containing personally identifiable information, according to the San Diego-based Identity Theft Resource Center. That is just shy of the record-setting 783 incidents, which revealed 85,611,528 records, in 2014.

The ITRC defines a data breach as an incident that puts personal information (such as an individual name plus a Social Security number, driver's license number, or medical or financial record information) at risk because of exposure. For some breaches, statistics were not yet reported or were unconfirmed.

According to the ITRC, the five breached industry sectors in 2015 were: Medical/Healthcare (66.7%), Government/Military (20.2%), Business (9.6%), Banking/Credit/Financial (3%) and Educational (0.4%). The number of confirmed records exposed, by industry, was: Medical/Healthcare (112,832,082), Government/Military (34,222,763), Business (16,191,017), Banking/Credit/Financial (5,063,044) and Educational (759,600).

The biggest credit union breach took place at the $308 million, Winston-Salem, N.C.-based Piedmont Advantage Credit Union, which notified its 46,000 members in early March that a laptop containing PII was missing.

Two data breaches drew heavy media coverage but did not make the 10 biggest list. First, a misconfigured database exposed the information of 191 million registered U.S. voters for more than a week. Independent security researcher Chris Vickery discovered the 300GB database on Dec. 20 and reported it to DataBreaches.net, which keeps track of online security blunders.

Second, a breach of the online affair website Ashley Madison lit up 37 million usernames, passwords, addresses, phone numbers and credit card transactions on the Dark Web. Four NCUA work email addresses were among those compromised.

Following are the biggest 2015 U.S. data breaches, based on confirmed, exposed PII records.

1. Anthem Inc.: 78.8 Million Records

In February at the Indianapolis-based health insurer Anthem Inc., hackers accessed a corporate database. It included a list of current and former U.S. customers and employees, and personal information such as birthdays, medical IDs, Social Security numbers, street and email addresses and employment information, including income data.

2. OPM: 21.5 Million Records

In June and July, the U.S. Office of Personnel Management discovered two separate but related cybersecurity breach incidents, which exposed the personal data of current and former Federal government employees, contractors and others. The OPM blamed the attack on Chinese hackers. Hackers acquired forms submitted by applicants seeking security clearances with the federal government. These 127-page forms contained, among other things, the names of friends, relatives and associates of the applicants as well as financial information.

3. T-Mobile: 15 Million Records

In September, Experian North America discovered that an unauthorized party had accessed certain servers, exposing Social Security numbers and other data on people who applied for financing from wireless provider T-Mobile USA. Information included names, addresses, Social Security numbers, birthdates, identification numbers (such as driver's license, military ID or passport numbers) and additional information used in T-Mobile's own credit assessment.

4. Premera Blue Cross: 11 Million Records

The Mountlake Terrace, Wash.-based Premera Blue Cross disclosed that an intrusion into its network might have resulted in a breach of financial and medical records. It indicated that state-sponsored espionage groups based in China might have been the culprits. The company said it learned about the attack on Jan. 29, 2015. However, its investigation revealed that the initial attack occurred on May 5, 2014.

5. Excellus Blue Cross Blue Shield: 10 Million Records

In September, the Rochester, N.Y.-based Excellus Blue Cross Blue Shield and a partner company revealed a breach in which Social Security numbers and other identifying information were stolen, as well as information related to claims members made to pay for medical care.

6. Georgia Secretary of State: Six Million Records

In November, two women filed a class action lawsuit alleging a massive data breach took place within Georgia Secretary of State Brian Kemp's office involving the Social Security numbers and other private information belonging to voters statewide. The suit alleged the unauthorized information, released in October, contained birthdates and driver's license numbers. In response, Kemp's office blamed a “clerical error” and said it did not consider it a breach of its system. It said 12 organizations, including statewide political parties, news media organizations and Georgia GunOwner Magazine received the file.

7. Scottrade: 4.6 Million Records

In October, the St. Louis-based Scottrade said federal law enforcement officials notified the company about crimes involving the theft of information from Scottrade and other financial services companies. It said all client passwords remained encrypted at all times and that it did not see any indication of fraudulent activity due to the incident. The company said the unauthorized access appeared to have occurred from late 2013 to early 2014.

8. UCLA Health System: 4.5 Million Records

A July cyberattack on UCLA Health System's computer network exposed data containing personal and medical information, including names, addresses, Social Security numbers and medical data, including information related to conditions, medications, procedures and test results.

9. Medical Informatics Engineering: 3.9 Million Records

In May, the technical team at the Fort Wayne, Ind.-based Medical Informatics Engineering discovered suspicious activity on one of its servers. It determined some protected health information had been exposed, including patient names, home and email addresses, birthdates and some Social Security numbers.

10. Amazon Web Services: 1.5 Million Records

A contractor for the Larkspur, Calif.-based Systema Software inadvertently posted insurance claim data and other highly sensitive information on Amazon Web Services. Data exposed included Social Security numbers, insurance claim information, claimant ID numbers, drug test results, details and dates of medical services provided, billing amounts and payment information.


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).