Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

2024 US Healthcare Data Breaches: 720 Incidents, 186 Million Compromised User Records

In 2024 organizations informed the US government about 720 healthcare data breaches affecting a total of 186 million user records.

Hospital cyberattack

In 2024, organizations informed the US government about more than 700 healthcare data breaches affecting a total of over 180 million user records.

SecurityWeek has conducted an analysis of the healthcare breach database maintained by the US Department of Health and Human Services Office for Civil Rights (HHS OCR), which stores information on incidents impacting the protected health information of over 500 individuals.

The OCR was informed about 720 incidents between January 1, 2024, and December 31, 2024. Adding up the numbers from each breach suggests that roughly 186 million people are impacted. 

However, one individual may have been impacted by multiple data breaches disclosed to the HHS, and the actual total number of impacted people is likely smaller than 186 million due to these overlaps. It’s more accurate to say that 186 million user records were compromised in data breaches. 

Impacted information can include names, contact details, dates of birth, Social Security numbers, insurance information, medical information, and even financial information. 

Of the total number of data breaches, approximately 520 affected healthcare providers. Another commonly impacted type of entity was healthcare business associate, which accounted for 120 incidents. Health plans were involved in nearly 100 incidents. 

Advertisement. Scroll to continue reading.

[ Data breaches and other healthcare cybersecurity news ]

Close to 600 incidents were described as ‘hacking/IT incident’, which includes ransomware attacks. The second most common type of incident involved unauthorized access or disclosure. 

Roughly 450 breaches involved network servers, and roughly 160 involved email, which is typically used by threat actors for phishing and malware delivery. 

The OCR database also keeps track of the state where the impacted organization is located. Texas and California accounted for the highest number of incidents (roughly 60 each), followed by New York (46), Illinois (43), Florida (37), Pennsylvania (31), Ohio (29), Massachusetts (29), Tennessee (25) and Michigan (22). 

The biggest healthcare data breach of 2024 impacted Change Healthcare. A ransomware attack aimed at the company resulted in the information of roughly 100 million individuals getting stolen.

The list of organizations impacted by major data breaches also includes Kaiser Permanente (13.4 million), Ascension Health (5.5 million), HealthEquity (4.3 million), Concentra Health Services (3.9 million), Centers for Medicare & Medicaid Services (3.1 million), Acadian Ambulance Service (2.8 million), A&A Services, dba Sav-Rx (2.8 million), WebTPA (2.5 million), and Integris Health (2.3 million).

Other healthcare data breaches exceeding one million victims were reported by Medical Management Resource Group (2.3 million), Summit Pathology (1.8 million), and Geisinger (1.2 million).

*the numbers were revised on January 20 after Axel Wirth, Chief Security Strategist at MedCrypt, pointed out that the data only included the incidents marked as ‘under investigation’, but not the investigations that were closed.

Related: Major Addiction Treatment Firm BayMark Confirms Ransomware Attack Caused Data Breach

Related: Medical Billing Firm Medusind Says Data Breach Impacts 360,000 People

Related: Excelsior Orthopaedics Data Breach Impacts 357,000 People

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.