In 2024, organizations informed the US government about more than 700 healthcare data breaches affecting a total of over 180 million user records.
SecurityWeek has conducted an analysis of the healthcare breach database maintained by the US Department of Health and Human Services Office for Civil Rights (HHS OCR), which stores information on incidents impacting the protected health information of over 500 individuals.
The OCR was informed about 720 incidents between January 1, 2024, and December 31, 2024. Adding up the numbers from each breach suggests that roughly 186 million people are impacted.
However, one individual may have been impacted by multiple data breaches disclosed to the HHS, and the actual total number of impacted people is likely smaller than 186 million due to these overlaps. It’s more accurate to say that 186 million user records were compromised in data breaches.
Impacted information can include names, contact details, dates of birth, Social Security numbers, insurance information, medical information, and even financial information.
Of the total number of data breaches, approximately 520 affected healthcare providers. Healthcare business associates were another commonly impacted type of entity, accounting for 120 incidents. Health plans were involved in nearly 100 incidents.
Close to 600 incidents were described as ‘hacking/IT incident’, which includes ransomware attacks. The second most common type of incident involved unauthorized access or disclosure.
Roughly 450 breaches involved network servers, and roughly 160 involved email, which is typically used by threat actors for phishing and malware delivery.
The OCR database also keeps track of the state where the impacted organization is located. Texas and California accounted for the highest number of incidents (roughly 60 each), followed by New York (46), Illinois (43), Florida (37), Pennsylvania (31), Ohio (29), Massachusetts (29), Tennessee (25) and Michigan (22).
The biggest healthcare data breach of 2024 impacted Change Healthcare. A ransomware attack aimed at the company resulted in the information of roughly 100 million individuals being stolen.
The list of organizations impacted by major data breaches also includes Kaiser Permanente (13.4 million), Ascension Health (5.5 million), HealthEquity (4.3 million), Concentra Health Services (3.9 million), Centers for Medicare & Medicaid Services (3.1 million), Acadian Ambulance Service (2.8 million), A&A Services, dba Sav-Rx (2.8 million), WebTPA (2.5 million), and Integris Health (2.3 million).
Other healthcare data breaches exceeding one million victims were reported by Medical Management Resource Group (2.3 million), Summit Pathology (1.8 million), and Geisinger (1.2 million).
*The numbers were revised on January 20 after Axel Wirth, Chief Security Strategist at MedCrypt, pointed out that the data only included the incidents marked as ‘under investigation’, but not the investigations that were closed.
