Healthcare Data Breaches Exposed Record 275 Million Patient Records

Healthcare data breaches continued to plague the industry in 2024, with 725 large incidents reported to the Department of Health and Human Services. While the number of breaches decreased slightly from 2023’s record high, the volume of exposed patient records jumped 63.5% to 275 million, affecting 82% of the United States population.

Plateauing Breach Numbers, Exploding Record Exposure

The healthcare industry has reported an average of 727 large data breaches annually between 2021 and 2024, suggesting breach frequency has plateaued after years of increases. However, the number of records compromised continues rising at an alarming rate.

In 2021, 60 million healthcare records were breached. That number remained relatively stable at 57 million in 2022 before jumping 192% to 168 million in 2023. The 2024 total of 275 million records represents another 63.5% increase, driven largely by the massive Change Healthcare breach affecting 190 million individuals.

Hacking and IT incidents accounted for 81.2% of reported breaches in 2024, with 589 incidents exposing at least 259 million healthcare records. Ransomware attacks remain the primary threat, though OCR reported a slight 2.8% year-over-year decrease in hacking incidents.

The Biggest Breaches of 2024

At least 36 data breaches exposed 500,000 or more healthcare records last year. Change Healthcare’s 190 million-record breach dominated the landscape, but significant incidents also occurred at Kaiser Foundation Health Plan (13.4 million records), Ascension Health (5.6 million records), and HealthEquity (4.3 million records).

The average breach size reached 379,633 records in 2024, though mega-breaches skew this figure. The median breach size provides a more realistic picture at 4,335 records, with 61% of healthcare data breaches involving fewer than 10,000 records.

For healthcare organizations, understanding that most breaches remain relatively small offers little comfort. Even incidents affecting thousands rather than millions of patients can result in significant financial penalties, remediation costs, and reputational damage.

Where Breaches Occur

Network servers remained the most common location for breaches of protected health information, followed by email accounts (169 incidents). Unauthorized access and disclosure incidents, while less frequent than hacking, nearly doubled in exposed records, from 8.4 million in 2023 to 16.1 million in 2024.

The healthcare sector’s reliance on interconnected systems and third-party business associates creates multiple vulnerability points. When business associates experience breaches, multiple covered entities may be affected simultaneously, amplifying the total impact.

Business associates accounted for 30% of breach locations in 2024, though they only reported 16% of incidents. This discrepancy reflects how covered entities often report breaches that occurred at their business associates, making business associate breach numbers appear artificially low in some analyses.

Common Attack Vectors

Phishing remained the most common initial access vector in ransomware attacks, with 45% of surveyed organizations identifying it as the entry point. Remote Desktop Protocol (RDP) compromise affected 42% of respondents, while exploitation of unpatched vulnerabilities was reported by 19%.

Many 2024 attacks could have been prevented through stronger email security, including AI-based spam filtering, multifactor authentication, and regular employee training. Remote access security improvements—strong passwords, multifactor authentication, and restricted access to remote desktop ports—would have blocked numerous RDP compromises.

For healthcare administrators, these findings underscore the importance of basic cybersecurity hygiene. Organizations don’t necessarily need expensive cutting-edge solutions; consistent application of proven security practices can prevent many breaches.

Geographic Distribution and Entity Types

California and Texas experienced the most breaches with 64 and 59 incidents, respectively, reflecting their large populations and high numbers of HIPAA-regulated entities. Only South Dakota and Vermont avoided reported breaches in 2024.

Healthcare providers reported 73% of breaches, though when calculated by where incidents occurred rather than who reported them, providers accounted for 62% of breaches, business associates 30%, health plans 7%, and healthcare clearinghouses 0.4%.

Enforcement Activity and Financial Impact

The HHS Office for Civil Rights closed 22 investigations with financial penalties in 2024, collecting $12.8 million through seven civil monetary penalties and 15 settlements. Montefiore Medical Center paid the largest settlement at $4.75 million, followed by Solara Medical Supplies at $3 million.

Risk analysis failures appeared in 14 of the 22 enforcement actions, making it by far the most commonly cited HIPAA violation. Other frequent violations included failure to review information system activity logs and violations of patients’ Right of Access.

State attorneys general also imposed significant penalties, with Washington’s action against Allure Esthetic resulting in a $5 million penalty and California’s settlement with Blackbaud totaling $6.75 million for violations of HIPAA and state consumer protection laws.

Looking Ahead to 2025

OCR published cybersecurity performance goals in January 2024 to help healthcare organizations improve their security posture. The voluntary goals include high-impact measures that are likely to yield the greatest security improvements. Organizations implementing these goals will find compliance easier when OCR’s proposed HIPAA Security Rule updates take effect.

However, financial constraints prevent many healthcare organizations, particularly rural providers, from implementing comprehensive security improvements. Congress needs to fund OCR’s proposed financial assistance program for low-resource healthcare providers to ensure industry-wide security improvements.

Until security measures are fully adopted across the healthcare sector, significant reductions in breaches remain unlikely. The Change Healthcare incident and many other 2024 breaches could have been prevented through comprehensive implementation of OCR’s cybersecurity performance goals.

Strategic Cybersecurity Planning

Healthcare organizations must prioritize cybersecurity investments as essential infrastructure, not optional technology spending. The financial impact of breaches—including penalties, remediation costs, legal expenses, and reputation damage—far exceeds the cost of implementing robust security measures.

Organizations benefit from comprehensive risk assessments that identify vulnerabilities before attackers exploit them. Regular security training helps staff recognize and avoid threats. Multifactor authentication, patch management, and access controls provide foundational protection against common attack vectors.

Regulations shift fast—your organization deserves confidence, not confusion. Our team can help you interpret cybersecurity requirements and stay compliant with less stress. Get in touch to discuss how we support healthcare organizations strengthening their security posture while managing compliance obligations.

All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.