Scope And Scale Of Healthcare Data Breaches In 2024

The year 2024 witnessed an alarming number of data breaches in the healthcare sector, underscoring the persistent cybersecurity vulnerabilities within the industry. An analysis of the US Department of Health and Human Services Office for Civil Rights (HHS OCR) healthcare breach database reveals a staggering 585 reported incidents between January 1, 2024, and December 31, 2024.

While initial estimates suggest these breaches exposed approximately 180 million individual records, the actual number of affected people is likely lower due to overlapping incidents. Many individuals may have been impacted by multiple breaches, making it more accurate to state that 180 million user records—rather than unique individuals—were compromised.

The Nature of Compromised Data

Healthcare data breaches often expose a vast array of sensitive information. The impacted data in 2024 included:

• Personally Identifiable Information (PII) such as names, addresses, and contact details.

• Social Security numbers, which are particularly valuable for identity theft.

• Health insurance details, including policy numbers and claims information.

• Medical records, posing risks to patient privacy.

• Financial information, including billing details and payment data.

Who Was Affected?

Among the 585 breaches, different types of healthcare entities were targeted:

• Healthcare providers: 440 breaches—the most commonly affected sector.

• Healthcare business associates: Nearly 100 breaches, affecting organizations that handle patient data on behalf of healthcare entities.

• Health plans: Approximately 60 breaches, impacting insurance companies and other payers.

How Did These Breaches Occur?

The majority of incidents fell into two primary categories:

• Hacking/IT Incidents (~500 breaches): This category includes ransomware attacks, unauthorized access, and other cyber intrusions.

• Unauthorized Access or Disclosure: The second most common cause, involving data leaks due to insider threats, misconfigurations, or accidental exposure.

From a technical perspective, network servers were the most frequently compromised assets, being involved in nearly 400 incidents, while email-based breaches—often caused by phishing attacks—were responsible for around 130 cases.

State-by-State Breakdown of Breaches

Certain states experienced a higher concentration of breaches than others. The top 10 states with the most reported incidents were:

1. Texas – 56 breaches

2. California – 43 breaches

3. New York – 34 breaches

4. Illinois – 33 breaches

5. Florida – 28 breaches

6. Ohio – 26 breaches

7. Massachusetts – 22 breaches

8. Michigan – 22 breaches

9. Tennessee – 21 breaches

10. Pennsylvania – 21 breaches

These numbers highlight both the widespread nature of cyber threats in healthcare and the particular risks faced by organizations in highly populated states.

The Largest Healthcare Breaches of 2024

1. Change Healthcare – 100 Million Records Stolen

The largest healthcare data breach of 2024 was a ransomware attack against Change Healthcare, resulting in the compromise of 100 million records. This incident not only disrupted operations across the industry but also exposed massive amounts of sensitive patient data.

2. Kaiser Permanente – 13.4 Million Records

A breach at Kaiser Permanente affected 13.4 million individuals, making it the second-largest incident of the year.

3. Ascension Health – 5.5 Million Records

Ascension Health, one of the largest nonprofit healthcare systems in the U.S., suffered a breach affecting 5.5 million individuals.

4. Other Major Data Breaches

Several other healthcare organizations reported breaches affecting over one million individuals:

• HealthEquity – 4.3 million records

• Concentra Health Services – 3.9 million records

• Centers for Medicare & Medicaid Services – 3.1 million records

• Acadian Ambulance Service – 2.8 million records

• A&A Services (Sav-Rx) – 2.8 million records

• WebTPA – 2.5 million records

• Integris Health – 2.3 million records

• Medical Management Resource Group – 2.3 million records

• Summit Pathology – 1.8 million records

• Geisinger – 1.2 million records

Lessons Learned and Looking Ahead

The scale of healthcare data breaches in 2024 highlights the increasing sophistication of cyber threats targeting healthcare systems. The reliance on cloud storage, third-party vendors, and outdated security measures has created vulnerabilities that cybercriminals continue to exploit.

Key Takeaways for the Healthcare Industry:

1. Enhance Cybersecurity Measures – Organizations must invest in stronger encryption, endpoint protection, and network security to defend against ransomware and other cyberattacks.

2. Implement Multi-Factor Authentication (MFA) – Many breaches occur due to compromised credentials. MFA can significantly reduce the risk of unauthorized access.

3. Conduct Regular Security Audits – Organizations should continuously assess and update their security infrastructure to mitigate emerging threats.

4. Improve Employee Cyber Awareness – Many breaches stem from phishing and social engineering attacks. Healthcare organizations must provide ongoing cybersecurity training to staff.

5. Strengthen Third-Party Risk Management – Many breaches result from vulnerabilities in vendors and business associates. Organizations must establish robust vetting and monitoring protocols for their external partners.

Final Thoughts

The 2024 healthcare data breaches serve as a reminder that cybersecurity must be a top priority for the industry. As cybercriminals refine their tactics, healthcare providers, insurers, and business associates must remain vigilant, adapting to evolving threats and strengthening their defenses.

With the increasing digitization of medical records and reliance on connected systems, the coming years will likely bring more challenges—but also opportunities to enhance resilience through proactive security strategies and stronger regulatory enforcement.