2024 Healthcare Data Breaches Exposed 186 Million Records Across 720 Incidents
In 2024, the U.S. healthcare sector faced a staggering 720 reported data breaches, compromising an estimated 186 million user records. These breaches, reported to the Department of Health and Human Services Office for Civil Rights (HHS OCR), highlight the growing cybersecurity risks faced by healthcare organizations. While the number of records exposed is massive, the actual number of impacted individuals may be lower, as some may have been affected by multiple breaches.
The compromised data included sensitive personal and medical information such as names, contact details, Social Security numbers, dates of birth, insurance data, medical records, and financial information. Healthcare providers were the most frequently targeted entities, accounting for approximately 520 incidents. Business associates of healthcare organizations were also heavily impacted, with 120 breaches reported. Nearly 100 incidents involved health plans.
Table of Contents
Hacking and IT Incidents Lead the Pack
The majority of reported breaches—close to 600—were categorized as hacking or IT incidents, which often include ransomware attacks. Unauthorized access or disclosure was the second most common cause of breaches. Network servers were the primary target in roughly 450 incidents, while email systems—often used for phishing and malware delivery—were involved in 160 breaches.
State Breakdown of Breaches
The HHS OCR database revealed that Texas and California experienced the highest number of incidents, with roughly 60 breaches each. Other states with significant breach numbers included New York (46), Illinois (43), Florida (37), Pennsylvania (31), Ohio (29), Massachusetts (29), Tennessee (25), and Michigan (22).
High-Profile Breaches of 2024
Among the reported breaches, a ransomware attack on Change Healthcare stood out as the largest, affecting approximately 100 million individuals. This breach alone accounted for more than half of the compromised records reported in 2024.
Other notable breaches include:
- Kaiser Permanente: 13.4 million records compromised
- Ascension Health: 5.5 million records
- HealthEquity: 4.3 million records
- Concentra Health Services: 3.9 million records
- Centers for Medicare & Medicaid Services: 3.1 million records
- Acadian Ambulance Service: 2.8 million records
- Sav-Rx (A&A Services): 2.8 million records
- WebTPA: 2.5 million records
- Integris Health: 2.3 million records
Other healthcare organizations also faced breaches affecting over one million individuals, including Medical Management Resource Group (2.3 million), Summit Pathology (1.8 million), and Geisinger (1.2 million).
The Rising Threat to Healthcare
The healthcare industry remains a prime target for cybercriminals due to the sensitive and high-value data it stores. Ransomware attacks, phishing campaigns, and exploitation of IT vulnerabilities remain the primary methods used by attackers to gain access to healthcare systems. These incidents highlight the critical need for robust cybersecurity measures in the sector, including enhanced network security, employee training to combat phishing, and stronger authentication protocols.
As healthcare organizations continue to digitize their operations and rely on cloud-based platforms, the risk of data breaches is expected to grow. This underscores the need for proactive security measures, threat monitoring, and quick response plans to mitigate the damage caused by cyberattacks.
The 2024 breaches serve as a stark reminder that even well-known organizations can fall victim to attacks, causing widespread consequences for both patients and providers. With the personal and financial stakes so high, the healthcare industry must prioritize data protection to stay ahead of cybercriminals in the coming years.