2024 Healthcare Data Breach Report

Large healthcare data breaches continue to be reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in high numbers. As of January 28, 2025, the OCR data breach portal shows 725 data breaches of 500 or more records in 2024, the third consecutive year that more than 700 large data breaches have been reported to OCR. That total could well change, as there is usually a delay in adding data breaches to the breach portal: OCR checks every breach report before adding it. The current figures indicate a slight (2.95%) year-over-year reduction in healthcare data breaches, 22 fewer than 2023’s record-breaking number.

![U.S. healthcare data breaches 2009-2024](https://www.hipaajournal.com/wp-content/uploads/2025/01/healthcare-data-breaches-2009-2024.jpg)

As the above bar chart shows, healthcare data breaches have historically increased each year, with the biggest annual increases between 2018 and 2021, when large data breaches increased by 93.7%, primarily due to a sharp increase in hacking and ransomware incidents. Between January 1, 2018, and September 30, 2023, OCR reported a 278% increase in ransomware attacks, and the percentage of data breaches attributed to hacking increased from 49% in 2019 to almost 80% in 2023. This year’s data suggests that data breaches have plateaued, with an average of 727 data breaches reported per year between 2021 and 2024.

While the number of reported data breaches is leveling off, the number of records exposed, stolen, or impermissibly disclosed has increased at an alarming rate since 2022. In 2021, 60 million healthcare records were breached, and 57 million in 2022, but the following year saw a 192% increase to 168 million breached records, followed by a 63.5% increase to 275 million records in 2024.
Last year, the records of 82% of the population of the United States were exposed, stolen, or impermissibly disclosed.

![Healthcare records breached – 2009-2024](https://www.hipaajournal.com/wp-content/uploads/2025/01/healthcare-records-breached-2009-2024.jpg)

If you discount the massive data breach at Change Healthcare, around 85 million healthcare records were breached in 2024. Historically, mega data breaches such as the one at Change Healthcare are rare — the last one was reported by Anthem Inc. in 2015 and involved 78.8 million records — but there are signs that they may start occurring much more frequently. Last year, the Clop threat group mass-exploited a zero-day vulnerability in the MOVEit Transfer solution, resulting in data theft from hundreds of healthcare providers and business associates. The number of records stolen in that mass hacking incident is unclear, but it is certainly of the order of tens of millions of healthcare records.

## The Biggest Data Breaches of 2024

As the table below shows, there were at least 36 data breaches of 500,000 or more healthcare records in 2024. That number could change, as 66 data breaches from last year are still listed as involving 500 or 5001 records, the placeholder figures commonly used when the number of affected individuals has yet to be determined. We have covered the [biggest data breaches of 2024 in this post](https://www.hipaajournal.com/biggest-healthcare-data-breaches-2024/), which includes a summary of each incident and links to more in-depth reporting.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Data Breach |
|---|---|---|---|---|
| Change Healthcare, Inc. | MN | Business Associate | 190,000,000 | Ransomware attack (BlackCat) — data theft confirmed |
| Kaiser Foundation Health Plan, Inc. | CA | Health Plan | 13,400,000 | Website tracking tools disclosed PHI to third parties |
| Ascension Health | MO | Healthcare Provider | 5,599,699 | Ransomware attack (Black Basta) — data theft confirmed |
| HealthEquity, Inc. | UT | Business Associate | 4,300,000 | Hacking incident using a business partner’s compromised credentials |
| Concentra Health Services, Inc. | TX | Healthcare Provider | 3,998,163 | Hacking incident at a business associate (PJ&A) |
| Centers for Medicare & Medicaid Services | MD | Health Plan | 3,112,815 | Hacking incident at business associate (Wisconsin Physicians Service Insurance Corporation); Clop Group exploited MOVEit Transfer vulnerability |
| Acadian Ambulance Service, Inc. | LA | Healthcare Provider | 2,896,985 | Hacking incident (Daixin Team) — data theft confirmed |
| A&A Services d/b/a Sav-Rx | NE | Business Associate | 2,812,336 | Ransomware attack |
| WebTPA Employer Services, LLC (‘WebTPA’) | TX | Business Associate | 2,518,533 | Hacking incident |
| INTEGRIS Health | OK | Healthcare Provider | 2,385,646 | Hacking incident (Hunters International) — data theft confirmed |
| Medical Management Resource Group, L.L.C. | AZ | Business Associate | 2,350,236 | Hacking incident |
| Summit Pathology and Summit Pathology Laboratories, Inc. | CO | Healthcare Provider | 1,813,538 | Ransomware attack (Medusa) — data theft confirmed |
| Geisinger | PA | Healthcare Provider | 1,276,026 | Unauthorized access by an employee of a business associate after termination |
| Young Consulting LLC | GA | Business Associate | 954,177 | Ransomware attack (BlackSuit) — data theft confirmed |
| ConnectOnCall.com, LLC | DE | Business Associate | 914,138 | Hacking incident |
| ATSG, Inc | NY | Business Associate | 909,469 | Hacking incident (BianLian) |
| Eastern Radiologists, Inc | NC | Healthcare Provider | 886,746 | Hacking incident |
| Superior Air-Ground Ambulance Service, Inc. | IL | Healthcare Provider | 858,238 | Hacking incident |
| Texas Tech University Health Sciences Center El Paso | TX | Healthcare Provider | 815,000 | Ransomware attack (Interlock) — data theft confirmed |
| OnePoint Patient Care | AZ | Healthcare Provider | 795,916 | Hacking incident |
| UNITE HERE | NY | Business Associate | 791,273 | Hacking incident |
| Ann & Robert H. Lurie Children’s Hospital of Chicago | IL | Healthcare Provider | 775,860 | Ransomware attack (Karakurt) — data theft confirmed |
| Florida Department of Health | FL | Healthcare Provider | 729,699 | Ransomware attack (RansomHub) — data theft confirmed |
| Richmond University Medical Center | NY | Healthcare Provider | 674,033 | Hacking incident |
| OrthopedicsNY, LLP | NY | Healthcare Provider | 656,086 | Hacking incident |
| Texas Tech University Health Sciences Center | TX | Healthcare Provider | 650,000 | Ransomware attack (Interlock) — data theft confirmed |
| Risas Dental & Braces | PA | Healthcare Provider | 618,189 | Hacking incident |
| Emergency Medical Services Authority | OK | Healthcare Provider | 611,743 | Ransomware attack |
| United Seating and Mobility, L.L.C., d/b/a Numotion | TN | Healthcare Provider | 602,265 | Ransomware attack |
| Atrium Health | NC | Healthcare Provider | 585,959 | Website tracking tools disclosed PHI to third parties |
| Designed Receivable Solutions, Inc. | CA | Business Associate | 585,035 | Hacking incident |
| Consulting Radiologists LTD. | MN | Healthcare Provider | 583,824 | Hacking incident |
| The Harris Center for Mental Health and IDD | TX | Healthcare Provider | 545,001 | Ransomware attack |
| Group Health Cooperative of South Central Wisconsin | WI | Health Plan | 533,809 | Ransomware attack — data theft confirmed |
| North Kansas City Hospital | MO | Healthcare Provider | 502,438 | Cyberattack on business associate |
| River Region Cardiology | AL | Healthcare Provider | 500,000 | Hacking incident |

With three data breaches of more than 5 million records, including the massive 190 million-record data breach at Change Healthcare, the average data breach size is skewed upward to 379,633 records, as was the case in 2015 when Anthem Inc. reported its 78.8 million-record data breach, which increased the average data breach size that year to 416,543 records.

![Average size of a healthcare data breach 2009-2024](https://www.hipaajournal.com/wp-content/uploads/2025/01/average-healthcare-data-breach-size-2009-2024.jpg)

The median data breach size has been falling, from a high of 7,270 records in 2022 to a more respectable 4,335 records in 2024. Last year, 61% of healthcare data breaches involved fewer than 10,000 records.

![Median size of a healthcare data breach – 2009-2024](https://www.hipaajournal.com/wp-content/uploads/2025/01/median-healthcare-data-breach-size-2009-2024.jpg)

**2024 Healthcare Data Breaches**

| Data Breach Size | Number of breaches |
|---|---|
| 100,000,000+ | 1 |
| 10,000,000 – 99,999,999 | 1 |
| 1,000,000 – 9,999,999 | 11 |
| 500,000 – 999,999 | 23 |
| 100,000 – 499,999 | 65 |
| 10,000 – 99,999 | 181 |
| 1,000 – 9,999 | 291 |
| 500 – 999 | 152 |
| **Total** | **725** |

## Causes of 2024 Healthcare Data Breaches

The most common cause of large healthcare data breaches was hacking and other IT incidents, which accounted for 589 data breaches (81.2% of the year’s large data breaches). The second biggest cause was unauthorized access/disclosure incidents, with 114 incidents reported for the year (15.7% of data breaches). There were 18 loss and theft incidents (2.5%) and 4 improper disposal incidents (0.6%).

![Causes of 2024 healthcare data breaches](https://www.hipaajournal.com/wp-content/uploads/2025/01/causes-healthcare-data-breaches-2024.jpg)

Hacking and IT incidents also accounted for the majority of breached records, with at least 259,037,984 healthcare records exposed across those incidents. The average size of a hacking/IT incident in 2024 was 439,796 records and the median breach size was 6,020 records. Over the past few years, hacking incidents have been increasing.
OCR reported a 239% increase in hacking-related data breaches between January 1, 2018, and September 30, 2023, and a 278% increase in ransomware attacks over that period, although there was a 2.8% year-over-year decrease in hacking incidents in 2024.

![Individuals affected by healthcare data breaches in 2024](https://www.hipaajournal.com/wp-content/uploads/2025/01/individuals-affected-2024-healthcare-data-breaches.jpg)

The number of unauthorized access/disclosure incidents is largely unchanged, with 114 incidents reported in 2024 compared to 121 in 2023 and 115 in 2022; however, the number of records exposed in these incidents almost doubled year-over-year, from 8,436,398 records in 2023 to 16,099,437 records in 2024. For these incidents, the average data breach size in 2024 was 141,223 records and the median breach size was 1,987 records.

Loss and theft incidents are reported in very low numbers, with only 18 incidents reported in 2024, a slight increase from the 15 incidents in 2023. The average breach size was 4,796 records and the median breach size was 2,968 records. The records of 10,309 individuals were disposed of improperly in 2024, with an average breach size of 2,577 records and a median breach size of 906 records.

![Causes of healthcare data breaches 2022-2024](https://www.hipaajournal.com/wp-content/uploads/2025/01/causes-healthcare-data-breaches-2022-2024-1.jpg)

![Records breached in healthcare data breaches by data breach cause 2022-2024](https://www.hipaajournal.com/wp-content/uploads/2025/01/healthcare-records-breached-cause-2022-2024.jpg)

According to a recent [ransomware report](https://www.hipaajournal.com/cost-of-a-ransomare-attack-study-2024/), phishing was the most common initial access vector in ransomware attacks, with 45% of respondents saying phishing was the entry point in at least one of their ransomware attacks in the past year. Many of 2024’s ransomware attacks and email incidents could have been prevented by strengthening email security, including implementing an advanced, AI-based spam filter or email security gateway, multifactor authentication, and regular training to help employees identify and avoid email threats.

RDP compromise was identified as the initial access vector by 42% of respondents, and the exploitation of unpatched vulnerabilities was reported by 19% of respondents. Remote access security can be improved by using strong, unique passwords, multifactor authentication, limiting the users that can log on remotely, setting a lockout policy after a certain number of failed login attempts, and restricting access to remote desktop ports with firewalls. It is also important to promptly apply patches and regularly update software, not just to block initial access but also to make lateral movement more difficult, since vulnerabilities are commonly exploited post-compromise for lateral movement.

## Location of Breached Protected Health Information

Network servers were the most common location for breached protected health information, with email accounts in second place: 169 breaches involved email data.

![Location of breached healthcare data in 2024](https://www.hipaajournal.com/wp-content/uploads/2025/01/location-breached-healthcare-data-2024.jpg)

## Geographical Distribution of Healthcare Data Breaches

In 2024, data breaches were experienced by HIPAA-regulated entities in 48 states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Only two states emerged from 2024 unscathed — South Dakota and Vermont. As a general rule of thumb, the states with the biggest populations, and therefore the highest number of HIPAA-regulated entities, experience the most data breaches.
The two most populous states — California and Texas — topped the list in terms of the number of data breaches, and the top 7 most populous states all featured in the top 8, with Massachusetts suffering more data breaches than its population would suggest. It is a similar story at the bottom of the list, with the least populous states (and DC) occupying the foot of the table.

| State | Data Breaches |
|---|---|
| California | 64 |
| Texas | 59 |
| New York | 47 |
| Illinois | 43 |
| Florida | 36 |
| Massachusetts & Ohio | 29 |
| Pennsylvania | 28 |
| Tennessee | 25 |
| North Carolina | 23 |
| Michigan | 22 |
| Indiana | 19 |
| Arizona & Georgia | 17 |
| Alabama, Colorado, New Jersey & Washington | 15 |
| Maryland & Missouri | 13 |
| Connecticut & Minnesota | 12 |
| Kentucky & Oregon | 11 |
| Arkansas, Nebraska & Virginia | 10 |
| Oklahoma & Wisconsin | 9 |
| Iowa & New Hampshire | 8 |
| Kansas | 7 |
| Nevada | 6 |
| Mississippi, South Carolina & Utah | 5 |
| Idaho, Montana, North Dakota, New Mexico & Rhode Island | 4 |
| Delaware | 3 |
| Hawaii, Louisiana, Maine & West Virginia | 2 |
| Alaska & Wyoming | 1 |
| **Others** | |
| District of Columbia | 5 |
| Puerto Rico | 3 |
| Guam | 1 |
| U.S. Virgin Islands | 1 |

### Healthcare Records Breached in U.S. States in 2024

| State | Breached Records | State | Breached Records | State | Breached Records |
|---|---|---|---|---|---|
| Minnesota | 191,042,382 | Georgia | 1,488,508 | Hawaii | 147,021 |
| California | 15,806,495 | Alabama | 1,195,456 | New Hampshire | 132,854 |
| Texas | 11,360,259 | Delaware | 917,461 | Rhode Island | 79,442 |
| Missouri | 6,554,692 | Wisconsin | 813,086 | North Dakota | 64,923 |
| New York | 4,571,559 | Massachusetts | 653,939 | Nevada | 55,165 |
| Utah | 4,308,795 | Iowa | 574,436 | West Virginia | 35,806 |
| Maryland | 3,802,477 | New Jersey | 543,690 | Oregon | 33,079 |
| Oklahoma | 3,355,817 | Indiana | 491,033 | Montana | 23,600 |
| Nebraska | 3,278,867 | Idaho | 478,515 | Kansas | 20,444 |
| Arizona | 3,202,027 | Arkansas | 431,555 | South Carolina | 18,466 |
| Pennsylvania | 3,191,666 | Mississippi | 424,550 | New Mexico | 11,426 |
| Illinois | 3,043,780 | Ohio | 406,129 | Wyoming | 3,636 |
| Louisiana | 2,897,486 | Michigan | 398,385 | Maine | 1,313 |
| Colorado | 2,802,415 | Connecticut | 316,246 | Alaska | 512 |
| North Carolina | 2,123,488 | Washington | 296,501 | South Dakota | 0 |
| Florida | 1,658,747 | Virginia | 257,937 | Vermont | 0 |
| Tennessee | 1,573,350 | Kentucky | 213,653 | | |

## Data Breaches at HIPAA-Regulated Entities in 2024

One of the problems with data breach reporting in healthcare is that it is ultimately the responsibility of each HIPAA-covered entity to make sure that a data breach is reported to the HHS’ Office for Civil Rights. When a data breach occurs at a business associate, the business associate must notify each affected covered entity. The covered entity is permitted to delegate the responsibility of issuing notifications to the breached business associate but may choose to issue notifications itself. This means data breaches at business associates are often underrepresented in healthcare data breach reports.

Based on the reporting entity, in 2024, 529 data breaches (73%) were reported by healthcare providers, 115 by business associates (16%), 78 by health plans (11%), and 3 by healthcare clearinghouses (0.4%). When calculated based on where the data breach occurred, 62% of data breaches occurred at healthcare providers, 30% at business associates, 7% at health plans, and 0.4% at healthcare clearinghouses. The charts below reflect where the data breaches occurred rather than the entity reporting the breach.

![Data breaches at HIPAA-regulated entities in 2024](https://www.hipaajournal.com/wp-content/uploads/2025/01/data-breaches-hipaa-regulated-entities-2024.jpg)

![Records breached at HIPAA regulated entities in 2024](https://www.hipaajournal.com/wp-content/uploads/2025/01/records-breached-hipaa-regulated-entities-2024.jpg)

## HIPAA Enforcement Activity in 2024

It was a busy year of HIPAA enforcement for the HHS’ Office for Civil Rights, which closed 22 investigations of data breaches and complaints with financial penalties, collecting $12,841,796 in penalties.
The enforcement actions include 7 civil monetary penalties and 15 settlements.

![Penalties for HIPAA violations (2008-2024)](https://www.hipaajournal.com/wp-content/uploads/2024/08/the-hipaa-journal-ocr-penalties-hipaa-violations-jan25.jpg)

The most common HIPAA violations specifically mentioned in OCR’s enforcement actions are detailed in the table below, with risk analysis failures by far the most commonly identified HIPAA violation.

| Area of HIPAA Noncompliance | Number of Enforcement Actions |
|---|---|
| Risk analysis | 14 |
| Reviews of records of information system activity | 7 |
| HIPAA Right of Access | 6 |
| Risk management | 3 |
| Technical policies and procedures for modifying/restricting access to systems containing ePHI & a failure to restrict access to PHI | 3 |
| Policies and procedures for responding to an emergency/security incident | 2 |
| Breach notifications | 1 |
| Business associate agreements | 1 |
| Creating logs of activity in information systems | 1 |
| Terminating access to PHI when members of the workforce no longer require access/leave the company | 1 |
| Workforce HIPAA training | 1 |
| Procedures for creating and maintaining retrievable exact copies of ePHI | 1 |

### HIPAA Enforcement Actions by the HHS’ Office for Civil Rights

#### OCR Settlements in 2024

| HIPAA Regulated Entity | Settlement Amount |
|---|---|
| Montefiore Medical Center | $4,750,000 |
| Solara Medical Supplies | $3,000,000 |
| Heritage Valley Health System | $950,000 |
| Plastic Surgery Associates of South Dakota | $500,000 |
| USR Holdings | $337,750 |
| Cascade Eye and Skin Centers | $250,000 |
| Inmediata Health Group | $250,000 |
| Bryan County Ambulance Authority | $90,000 |
| Virtual Private Network Solutions | $90,000 |
| Elgon Information Systems | $80,000 |
| South Broward Hospital District (Memorial Health System) | $60,000 |
| Green Ridge Behavioral Health | $40,000 |
| Holy Redeemer Family Medicine | $35,581 |
| Phoenix Healthcare | $35,000 |
| Northeast Surgical Group | $10,000 |

#### OCR Civil Monetary Penalties in 2024

| HIPAA Regulated Entity | Civil Monetary Penalty |
|---|---|
| Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute | $1,190,000 |
| Children’s Hospital Colorado | $548,265 |
| Providence Medical Institute | $240,000 |
| American Medical Response | $115,200 |
| Essex Residential Care (Hackensack Meridian Health, West Caldwell Care Center) | $100,000 |
| Rio Hondo Community Mental Health Center | $100,000 |
| Gums Dental Care, LLC | $70,000 |

### Enforcement Actions by State Attorneys General

While OCR is the main enforcer of the HIPAA Rules, state attorneys general also have the authority to impose penalties for HIPAA violations. In some cases, while there may have been violations of the HIPAA Rules, fines and settlements are agreed to resolve equivalent violations of state laws. An enforcement action by a state attorney general for a HIPAA violation does not prevent OCR from also imposing a fine, as was the case with Inmediata, which settled a multistate action in 2023 and settled the same violations with OCR in 2024.

| State | HIPAA-Regulated Entity | Penalty Amount | Reason for Penalty |
|---|---|---|---|
| New York | HealthAlliance | $550,000 | Violations of New York Executive & General Business Law |
| New York | Albany ENT & Allergy Services | $1 million in penalties ($500,000 suspended); $2.25 million cybersecurity investment | Violations of New York Executive & General Business Law |
| New York, New Jersey, Connecticut | Enzo Biochem/Enzo Clinical Labs | $4,500,000 | Violations of the HIPAA Security Rule provisions and New York General Business Law |
| Washington | Allure Esthetic | $5,000,000 | Violations of HIPAA and state laws |
| California | Adventist Health Hanford | $10,000 | Violation of the HIPAA Privacy Rule |
| California | Blackbaud | $6,750,000 | Violations of the HIPAA Security Rule, HIPAA Breach Notification Rule, and state consumer protection laws |
| California | Quest Diagnostics | $5,000,000 | Violations of state laws |
| New York | Refuah Health Center Inc. | $450,000; $1.2 million investment in cybersecurity | Violations of the HIPAA Security Rule, HIPAA Breach Notification Rule and New York General Business Law |

## Recommendations and Outlook for 2025

In January 2024, OCR published its healthcare and public health sector [cybersecurity performance goals](https://www.hipaajournal.com/hph-cybersecurity-performance-goals/) (CPGs) to help improve cybersecurity across the HPH sector and reduce the number of hacking incidents and ransomware attacks. The voluntary goals include high-impact cybersecurity measures and best practices that are likely to have the greatest effect on security posture. All healthcare organizations should be working toward implementing the essential CPGs, after which a plan should be developed for implementing the enhanced CPGs to mature their cybersecurity programs. Organizations that implement these goals will find it much easier to comply with the requirements of the [proposed HIPAA Security update](https://www.hipaajournal.com/hhs-strengthened-hipaa-security-rule/), which includes several of the measures outlined in the CPGs. Many of this year’s data breaches, including the massive data breach at Change Healthcare, could have been prevented by implementing the CPGs comprehensively.

Until these measures are comprehensively adopted across the healthcare industry, it is unlikely that there will be any significant reduction in healthcare data breaches. What is desperately needed is financial assistance for the many healthcare organizations that lack the necessary funding to improve security, especially rural healthcare providers. Congress needs to ensure that funds are made available so that the financial assistance program proposed by OCR to help low-resource healthcare providers improve cybersecurity can be implemented.

The post [2024 Healthcare Data Breach Report](https://www.hipaajournal.com/2024-healthcare-data-breach-report/) appeared first on [The HIPAA Journal](https://www.hipaajournal.com).
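The remote access controls recommended in the causes section above (an account lockout policy, limiting who can log on remotely, and firewalling the remote desktop port) applied to a single Windows host, as an added PowerShell example that is not part of the HIPAA Journal report. It assumes an elevated session and uses a placeholder management subnet; multifactor authentication is enforced at the identity provider or VPN, not by this script.

```powershell
# Added example, not from the HIPAA Journal report: audit and apply the
# remote access hardening the report recommends on a host that exposes RDP.
# Assumptions: run as local Administrator; $MgmtSubnet is a placeholder for
# the network from which remote desktop logons are legitimately needed.
$MgmtSubnet = "10.10.20.0/24"   # placeholder: your management/VPN subnet

# 1. Lockout policy: lock the account after 5 failed logons within 30 minutes
#    and keep it locked for 30 minutes, so password guessing over RDP stalls.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 2. Limit who can log on remotely: list the RDP group so over-broad or stale
#    entries (group-wide grants, former staff) can be removed. Note that local
#    Administrators can always connect, so that group needs the same review.
Get-LocalGroupMember -Group "Remote Desktop Users" |
    Select-Object Name, ObjectClass, PrincipalSource

# 3. Restrict the built-in Remote Desktop firewall rules (TCP/UDP 3389) to the
#    management subnet instead of leaving the port reachable from any address.
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -RemoteAddress $MgmtSubnet -Enabled True

# 4. Require Network Level Authentication so credentials are validated before
#    a full session is created for the connecting client.
$rdpKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Set-ItemProperty -Path $rdpKey -Name "UserAuthentication" -Value 1 -Type DWord

# 5. Verify: show the effective remote-address scope of the RDP rules, and count
#    failed logons (Security event 4625) in the last 24 hours, the signal the
#    lockout policy acts on and the one to watch after exposing the port.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
$since = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue
"Failed logons since $since : $(@($failed).Count)"
```

Run the lockout and firewall steps through Group Policy rather than per host in a domain; the verification step is the one worth scheduling, since a rising 4625 count on an RDP host is the earliest sign that the port is being probed.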
