In 2024, organizations informed the US government about more than 580 healthcare data breaches affecting a total of nearly 180 million user records.

SecurityWeek has conducted an analysis of the healthcare breach database maintained by the US Department of Health and Human Services Office for Civil Rights (HHS OCR), which stores information on incidents impacting the protected health information of over 500 individuals.

The OCR was informed about 585 incidents between January 1, 2024, and December 31, 2024. Adding up the numbers from each breach suggests that roughly 180 million people are impacted. 

However, one individual may have been impacted by multiple data breaches disclosed to the HHS, and the actual total number of impacted people is likely smaller than 180 million due to these overlaps. It’s more accurate to say that 180 million user records were compromised in data breaches. 

Impacted information can include names, contact details, dates of birth, Social Security numbers, insurance information, medical information, and even financial information. 

Of the total number of data breaches, 440 affected healthcare providers. Another commonly impacted type of entity was healthcare business associate, which accounted for nearly 100 incidents. Health plans were involved in nearly 60 incidents. 

[ Data breaches and other healthcare cybersecurity news ]

Close to 500 incidents were described as ‘hacking/IT incident’, which includes ransomware attacks. The second most common type of incident involved unauthorized access or disclosure. 

Nearly 400 breaches involved network servers, and roughly 130 involved email. 

The OCR database also keeps track of the state where the impacted organization is located. Texas accounted for the highest number of incidents (56), followed by California (43), New York (34), Illinois (33), Florida (28), Ohio (26), Massachusetts (22), Michigan (22), Tennessee (21), and Pennsylvania (21). 

The biggest healthcare data breach of 2024 impacted Change Healthcare. A ransomware attack aimed at the company resulted in the information of roughly 100 million individuals getting stolen.

The list of organizations impacted by major data breaches also includes Kaiser Permanente (13.4 million), Ascension Health (5.5 million), HealthEquity (4.3 million), Concentra Health Services (3.9 million), Centers for Medicare & Medicaid Services (3.1 million), Acadian Ambulance Service (2.8 million), A&A Services, dba Sav-Rx (2.8 million), WebTPA (2.5 million), and Integris Health (2.3 million).

Other healthcare data breaches exceeding one million victims were reported by Medical Management Resource Group (2.3 million), Summit Pathology (1.8 million), and Geisinger (1.2 million). 

Related: Major Addiction Treatment Firm BayMark Confirms Ransomware Attack Caused Data Breach

Related: Medical Billing Firm Medusind Says Data Breach Impacts 360,000 People

Related: Excelsior Orthopaedics Data Breach Impacts 357,000 People