SecurityWeek

2024 US Healthcare Data Breaches: 720 Incidents, 186 Million Compromised User Records

In 2024, organizations informed the US government about 720 healthcare data breaches affecting a total of 186 million user records.

In 2024, organizations informed the US government about more than 700 healthcare data breaches affecting a total of over 180 million user records.

SecurityWeek has conducted an analysis of the healthcare breach database maintained by the US Department of Health and Human Services Office for Civil Rights (HHS OCR), which stores information on incidents impacting the protected health information of over 500 individuals.

The OCR was informed about 720 incidents between January 1, 2024, and December 31, 2024. Adding up the numbers from each breach suggests that roughly 186 million people are impacted. 

However, one individual may have been impacted by multiple data breaches disclosed to the HHS, and the actual total number of impacted people is likely smaller than 186 million due to these overlaps. It’s more accurate to say that 186 million user records were compromised in data breaches. 

Impacted information can include names, contact details, dates of birth, Social Security numbers, insurance information, medical information, and even financial information. 

Of the total number of data breaches, approximately 520 affected healthcare providers. Healthcare business associates were another commonly impacted type of entity, accounting for 120 incidents. Health plans were involved in nearly 100 incidents.

Close to 600 incidents were described as ‘hacking/IT incident’, which includes ransomware attacks. The second most common type of incident involved unauthorized access or disclosure. 

Roughly 450 breaches involved network servers, and roughly 160 involved email, which is typically used by threat actors for phishing and malware delivery. 

The OCR database also keeps track of the state where the impacted organization is located. Texas and California accounted for the highest number of incidents (roughly 60 each), followed by New York (46), Illinois (43), Florida (37), Pennsylvania (31), Ohio (29), Massachusetts (29), Tennessee (25) and Michigan (22). 

The biggest healthcare data breach of 2024 impacted Change Healthcare. A ransomware attack aimed at the company resulted in the information of roughly 100 million individuals being stolen.

The list of organizations impacted by major data breaches also includes Kaiser Permanente (13.4 million), Ascension Health (5.5 million), HealthEquity (4.3 million), Concentra Health Services (3.9 million), Centers for Medicare & Medicaid Services (3.1 million), Acadian Ambulance Service (2.8 million), A&A Services, dba Sav-Rx (2.8 million), WebTPA (2.5 million), and Integris Health (2.3 million).

Other healthcare data breaches exceeding one million victims were reported by Medical Management Resource Group (2.3 million), Summit Pathology (1.8 million), and Geisinger (1.2 million).

*The numbers were revised on January 20 after Axel Wirth, Chief Security Strategist at MedCrypt, pointed out that the data only included the incidents marked as ‘under investigation’, but not the investigations that were closed.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
