More Than 1.7 Billion Individuals Had Personal Data Compromised in 2024

There was a slight fall (1%) in data compromises in 2024, although the total was only 44 fewer than the previous year's record-breaking total. There was no corresponding fall in the number of victims of data compromises, with victim notices increasing by 312% from 419 million notices in 2023 to 1,728,519,397 in 2024, according to the [2024 Annual Data Breach Report](https://www.idtheftcenter.org/publication/2024-data-breach-report/) from the Identity Theft Resource Center (ITRC). The vast majority of data compromises (80%) in 2024 were caused by cyberattacks, with those incidents accounting for 93% of breach notices, followed by system and human error, supply chain attacks, and physical attacks.

The massive increase in victim notices was largely due to a handful of mega data breaches. In 2024, 6 data breaches were reported that each involved more than 100 million records. While the data breach at Change Healthcare was the largest healthcare data breach in history, involving 190 million compromised healthcare records, it only ranked in third place last year due to two colossal data breaches. A breach at Advance Auto Parts Inc. took the second spot with 380 million consumer notices issued, but the data breach at Ticketmaster Entertainment involved an incredible 560 million notices, just 10 million short of the 2nd and 3rd largest incidents combined. The remaining 100 million+ data breaches occurred at DemandScience by Pure Incubation (121.8 million), AT&T (110 million), and MC2 Data (100 million). Those six breaches accounted for approximately 85% of all breach notices in 2024.

It was a particularly bad year for U.S. healthcare data breaches in terms of the number of breached records, although there was a slight fall in the number of [healthcare data breaches](https://www.hipaajournal.com/healthcare-data-breach-statistics/) reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).
Currently, 721 data breaches are listed on the OCR breach portal for 2024 compared to the 747 data breaches in 2023, a 3.5% fall. The number of breached records increased from 168 million in 2023 to more than 247 million in 2024 due to the massive data breach at Change Healthcare.

ITRC’s figures for healthcare do not include many data breaches at business associates of healthcare organizations, which fall into other categories. The ITRC data shows a fall in healthcare data breaches from 811 compromises in 2023 (60 million victim notices) to 536 compromises in 2024 (47 million notices). In 2023, healthcare topped the list in terms of the number of compromises but fell to the second spot in 2024 behind financial services, the first time since 2018 that healthcare did not take the top spot. Healthcare took the 10th spot in terms of the number of breached records. Across all sectors, ITRC tracked 3,158 compromises in 2024, including 2,850 data breaches, 18 data exposures, 2 data leaks, and 288 unknown compromises.

There were many examples of data breaches that could have easily been prevented by following cybersecurity best practices, including four of the biggest data breaches of the year. The data breaches at Ticketmaster, Advance Auto Parts, Change Healthcare, and AT&T saw hackers gain access to their networks using compromised credentials for accounts that did not have multifactor authentication enabled. That’s more than 1.24 billion preventable record exposures across those 4 data breaches alone due to the lack of multifactor authentication. ITRC also identified 29 cyberattacks last year that were the result of credential stuffing, which could also have been prevented with multifactor authentication. The proposed [update to the HIPAA Security Rule](https://www.hipaajournal.com/hhs-strengthened-hipaa-security-rule/) (if passed) will make multifactor authentication mandatory in healthcare.
It’s crazy that in such a heavily regulated industry, where vast amounts of highly sensitive and easily misused data are stored, multifactor authentication is not currently specified as a requirement.

There has been a growing trend for breached companies to omit important information from their data breach notices. The HIPAA Journal has observed this trend in healthcare data breach notices, where breach victims are often given very limited information about the nature of the breach. The ITRC report confirms that the problem is not confined to healthcare. In 2021, only 7% of breach notices lacked actionable information about the root cause of the data breach. By 2022, that percentage had jumped to 40%, and to 45% in 2023. There was a 20% year-over-year increase between 2023 and 2024, when 65% of breach notices lacked actionable information about the root cause of the breach. The lack of information makes it harder for victims of the breach to accurately assess the level of risk they face.

The United States has yet to implement a federal data privacy law. While there is bipartisan support for such a law, the devil is in the detail. A comprehensive federal data privacy law has been proposed, but it failed to get across the line in 2024. It is therefore down to individual states to implement laws to protect the privacy of state residents and ensure notifications are mandatory in the event of a data breach. Privacy protections and notification requirements can vary considerably depending on where a person lives. Someone living close to a state border could have vastly different privacy protections than someone living just a couple of miles away.

The good news is that the number of states enacting privacy laws has been increasing, with 40% of states now having comprehensive data privacy laws.
Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee all have comprehensive privacy laws due to take effect in 2025, and Michigan, Oklahoma, Pennsylvania, and Ohio are expected to pass privacy laws in the 2025 legislative session.

The post [More Than 1.7 Billion Individuals Had Personal Data Compromised in 2024](https://www.hipaajournal.com/1-7-billion-individuals-data-compromised-2024/) appeared first on [The HIPAA Journal](https://www.hipaajournal.com).
