2024 Healthcare Data Breach Report
Large healthcare data breaches continue to be reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in high numbers. As of January 28, 2025, the OCR data breach portal shows 725 data breaches of 500 or more records in 2024, the third consecutive year in which more than 700 large data breaches have been reported to OCR. That total could well change, since there is usually a delay in adding data breaches to the breach portal while OCR checks each breach report before publishing it. The current figures indicate a slight (2.95%) year-over-year reduction in healthcare data breaches, 22 fewer than 2023’s record-breaking total.

As the above bar chart shows, the number of healthcare data breaches has historically increased each year, with the biggest annual increases between 2018 and 2021, when large data breaches increased by 93.7%, primarily due to a sharp rise in hacking and ransomware incidents. Between January 1, 2018, and September 30, 2023, OCR reported a 278% increase in ransomware attacks, and the percentage of data breaches attributed to hacking increased from 49% in 2019 to almost 80% in 2023. The 2024 data suggest that data breaches have plateaued, with an average of 727 data breaches reported per year between 2021 and 2024.
While the number of reported data breaches is leveling off, the number of records exposed, stolen, or impermissibly disclosed has increased at an alarming rate since 2022. In 2021, 60 million healthcare records were breached, and 57 million in 2022, but the following year saw a 192% increase to 168 million breached records, followed by a 63.5% increase to 275 million records in 2024. Last year, the records of 82% of the population of the United States were exposed, stolen, or impermissibly disclosed.

If you discount the massive data breach at Change Healthcare, around 85 million healthcare records were breached in 2024. Historically, mega data breaches such as the one at Change Healthcare have been rare – the last one was reported by Anthem Inc. in 2015 and involved 78.8 million records – but there are signs that they may start occurring much more frequently. In 2023, the Clop threat group mass-exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution, resulting in data theft from hundreds of healthcare providers and business associates. The number of records stolen in that mass hacking campaign is unclear, but it is almost certainly in the tens of millions.
The Biggest Data Breaches of 2024
As you can see from the table below, there were at least 36 data breaches of 500,000 or more healthcare records in 2024. That number could change, as 66 data breaches from last year are still listed as involving 500 or 501 records – commonly used placeholder figures when the number of affected individuals has yet to be determined. We have covered the biggest data breaches of 2024 in this post, which includes a summary of each incident and links to more in-depth reporting.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Data Breach |
| Change Healthcare, Inc. | MN | Business Associate | 190,000,000 | Ransomware attack (BlackCat) – Data theft confirmed |
| Kaiser Foundation Health Plan, Inc. | CA | Health Plan | 13,400,000 | Website tracking tools disclosed PHI to third parties |
| Ascension Health | MO | Healthcare Provider | 5,599,699 | Ransomware attack (Black Basta) – Data theft confirmed |
| HealthEquity, Inc. | UT | Business Associate | 4,300,000 | Hacking incident using a business partner’s compromised credentials |
| Concentra Health Services, Inc. | TX | Healthcare Provider | 3,998,163 | Hacking incident at a business associate (PJ&A) |
| Centers for Medicare & Medicaid Services | MD | Health Plan | 3,112,815 | Hacking incident at a business associate (Wisconsin Physicians Service Insurance Corporation) – Clop group exploited a MOVEit Transfer vulnerability |
| Acadian Ambulance Service, Inc. | LA | Healthcare Provider | 2,896,985 | Hacking incident (Daixin Team) – Data theft confirmed |
| A&A Services d/b/a Sav-Rx | NE | Business Associate | 2,812,336 | Ransomware attack |
| WebTPA Employer Services, LLC (“WebTPA”) | TX | Business Associate | 2,518,533 | Hacking incident |
| INTEGRIS Health | OK | Healthcare Provider | 2,385,646 | Hacking incident (Hunters International) – Data theft confirmed |
| Medical Management Resource Group, L.L.C. | AZ | Business Associate | 2,350,236 | Hacking incident |
| Summit Pathology and Summit Pathology Laboratories, Inc. | CO | Healthcare Provider | 1,813,538 | Ransomware attack (Medusa) – Data theft confirmed |
| Geisinger | PA | Healthcare Provider | 1,276,026 | Unauthorized access by an employee of a business associate after termination |
| Young Consulting LLC | GA | Business Associate | 954,177 | Ransomware attack (BlackSuit) – data theft confirmed |
| ConnectOnCall.com, LLC | DE | Business Associate | 914,138 | Hacking incident |
| ATSG, Inc | NY | Business Associate | 909,469 | Hacking incident (BianLian) |
| Eastern Radiologists, Inc | NC | Healthcare Provider | 886,746 | Hacking incident |
| Superior Air-Ground Ambulance Service, Inc. | IL | Healthcare Provider | 858,238 | Hacking incident |
| Texas Tech University Health Sciences Center El Paso | TX | Healthcare Provider | 815,000 | Ransomware attack (Interlock) – data theft confirmed |
| OnePoint Patient Care | AZ | Healthcare Provider | 795,916 | Hacking incident |
| UNITE HERE | NY | Business Associate | 791,273 | Hacking incident |
| Ann & Robert H. Lurie Children’s Hospital of Chicago | IL | Healthcare Provider | 775,860 | Ransomware attack (Karakurt) – data theft confirmed |
| Florida Department of Health | FL | Healthcare Provider | 729,699 | Ransomware attack (RansomHub) – data theft confirmed |
| Richmond University Medical Center | NY | Healthcare Provider | 674,033 | Hacking incident |
| OrthopedicsNY, LLP | NY | Healthcare Provider | 656,086 | Hacking incident |
| Texas Tech University Health Sciences Center | TX | Healthcare Provider | 650,000 | Ransomware attack (Interlock) – data theft confirmed |
| Risas Dental & Braces | PA | Healthcare Provider | 618,189 | Hacking incident |
| Emergency Medical Services Authority | OK | Healthcare Provider | 611,743 | Ransomware attack |
| United Seating and Mobility, L.L.C., d/b/a Numotion | TN | Healthcare Provider | 602,265 | Ransomware attack |
| Atrium Health | NC | Healthcare Provider | 585,959 | Website tracking tools disclosed PHI to third parties |
| Designed Receivable Solutions, Inc. | CA | Business Associate | 585,035 | Hacking incident |
| Consulting Radiologists LTD. | MN | Healthcare Provider | 583,824 | Hacking incident |
| The Harris Center for Mental Health and IDD | TX | Healthcare Provider | 545,001 | Ransomware attack |
| Group Health Cooperative of South Central Wisconsin | WI | Health Plan | 533,809 | Ransomware attack – data theft confirmed |
| North Kansas City Hospital | MO | Healthcare Provider | 502,438 | Cyberattack on business associate |
| River Region Cardiology | AL | Healthcare Provider | 500,000 | Hacking incident |
With three data breaches of more than 5 million records, including the massive 190 million-record data breach at Change Healthcare, the average data breach size is skewed to 379,633 records, as was the case in 2015, when Anthem Inc.’s 78.8 million-record data breach increased the average breach size to 416,543 records.

The median data breach size has fallen from a high of 7,270 records in 2022 to 4,335 records in 2024. Last year, 61% of healthcare data breaches involved fewer than 10,000 records.

| 2024 Healthcare Data Breaches | |
| Data Breach Size | Number of breaches |
| 100,000,000+ | 1 |
| 10,000,000 – 99,999,999 | 1 |
| 1,000,000 – 9,999,999 | 11 |
| 500,000 – 999,999 | 23 |
| 100,000 – 499,999 | 65 |
| 10,000 – 99,999 | 181 |
| 1,000 – 9,999 | 291 |
| 500 – 999 | 152 |
| Total | 725 |
Causes of 2024 Healthcare Data Breaches
The most common cause of large healthcare data breaches was hacking and other IT incidents, which accounted for 589 data breaches – 81.2% of the year’s large data breaches. The second biggest cause was unauthorized access/disclosure incidents, with 114 incidents reported for the year – 15.7% of data breaches. There were 18 loss and theft incidents (2.5%) and 4 improper disposal incidents (0.6%).

Hacking and IT incidents also accounted for the majority of breached records, with at least 259,037,984 healthcare records exposed across those incidents. The average size of a hacking/IT incident in 2024 was 439,796 records and the median breach size was 6,020 records. Over the past few years, hacking incidents have been increasing. OCR reported a 239% increase in hacking-related data breaches between January 1, 2018, and September 30, 2023, and a 278% increase in ransomware attacks over that period, although there was a 2.8% year-over-year decrease in hacking incidents in 2024.

The number of unauthorized access/disclosure incidents is largely unchanged, with 114 incidents reported in 2024 compared to 121 in 2023 and 115 in 2022; however, the number of records exposed in these incidents almost doubled year-over-year from 8,436,398 records in 2023 to 16,099,437 records in 2024. In 2024, the average data breach size was 141,223 records and the median breach size was 1,987 records.
Loss and theft incidents are reported in very low numbers, with only 18 incidents reported in 2024, a slight increase from the 15 incidents in 2023. The average breach size was 4,796 records and the median breach size was 2,968 records. The records of 10,309 individuals were disposed of improperly in 2024, with an average breach size of 2,577 records and a median breach size of 906 records.


According to a recent ransomware report, phishing was the most common initial access vector in ransomware attacks, with 45% of respondents saying phishing was the entry point in at least one of their ransomware attacks in the past year. Many of 2024’s ransomware attacks and email incidents could have been prevented by strengthening email security, including implementing an advanced, AI-based spam filter or email security gateway, multifactor authentication, and regular employee training to help them identify and avoid email threats.
RDP compromise was identified as the initial access vector by 42% of respondents and the exploitation of unpatched vulnerabilities was reported by 19% of respondents. Remote access security can be improved by using strong, unique passwords, multifactor authentication, limiting the users that can log on remotely, setting a lockout policy after a certain number of failed login attempts, and restricting access to remote desktop ports with firewalls. It is also important to promptly apply patches and regularly update software, not just to block initial access but also to make lateral movement more difficult. Vulnerabilities are commonly exploited post-compromise for lateral movement.
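The RDP guidance above (lockout after repeated failures, restricting who can log on remotely) has a detection counterpart that an SOC can run today. The following is an added example, written for this page rather than taken from the report or from any vendor tool. It assumes a simplified pipe-delimited export of Windows Security events (timestamp, Event ID, LogonType, target user, source IP) – the sample lines are constructed, not real logs – and the thresholds and windows are assumptions to tune per environment. It flags sources whose RDP logon failures (Event 4625, LogonType 10) burst past a threshold, and the more serious case of a success (Event 4624) from the same source shortly after that burst, which is the signature of a guessed password.

```python
"""RDP brute-force detection over Windows Security events (added example).

Windows logs each logon attempt as Event ID 4625 (failure) or 4624 (success);
LogonType 10 (RemoteInteractive) marks Remote Desktop sessions. A burst of
4625/LogonType-10 events from one source IP, followed by a 4624 from the same
source, is the classic signature of RDP credential brute force.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
REMOTE_INTERACTIVE = 10  # RDP; LogonType 3 (network) and 2 (local) are ignored here

# Constructed sample data, not real logs. Assumed export format (one event per line):
#   timestamp|event_id|logon_type|target_user|source_ip
SAMPLE_EVENTS = """
2024-05-06T02:14:01|4625|10|jsmith|203.0.113.45
2024-05-06T02:14:09|4625|10|jsmith|203.0.113.45
2024-05-06T02:14:17|4625|10|jsmith|203.0.113.45
2024-05-06T02:14:26|4625|10|jsmith|203.0.113.45
2024-05-06T02:14:34|4625|10|jsmith|203.0.113.45
2024-05-06T02:14:43|4625|10|jsmith|203.0.113.45
2024-05-06T02:14:51|4625|10|jsmith|203.0.113.45
2024-05-06T02:15:02|4624|10|jsmith|203.0.113.45
2024-05-06T02:30:00|4625|3|svc_backup|203.0.113.45
2024-05-06T08:00:00|4625|10|mlee|198.51.100.7
2024-05-06T09:15:00|4625|10|mlee|198.51.100.7
2024-05-06T10:40:00|4625|10|mlee|198.51.100.7
2024-05-06T10:41:00|4624|10|mlee|198.51.100.7
2024-05-06T11:00:00|4624|10|admin_ops|10.0.0.12
"""


def parse_events(text):
    """Parse the pipe-delimited export into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, user, ip = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: peak failure count} for sources whose RDP logon
    failures reach `threshold` inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["logon_type"] == REMOTE_INTERACTIVE:
            failures[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in failures.items():  # times are already in timestamp order
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop failures that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def detect_success_after_failures(events, min_failures=5, window=timedelta(minutes=30)):
    """Flag an RDP success preceded by >= min_failures RDP failures from the
    same source within `window`: the likely moment the password was guessed.
    Returns (source_ip, user, iso_timestamp, prior_failures) tuples."""
    recent_failures = defaultdict(list)
    hits = []
    for e in events:
        if e["logon_type"] != REMOTE_INTERACTIVE:
            continue
        if e["event_id"] == FAILED_LOGON:
            recent_failures[e["ip"]].append(e["ts"])
        elif e["event_id"] == SUCCESSFUL_LOGON:
            prior = [t for t in recent_failures[e["ip"]] if e["ts"] - t <= window]
            if len(prior) >= min_failures:
                hits.append((e["ip"], e["user"], e["ts"].isoformat(), len(prior)))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("brute-force sources:", detect_rdp_bruteforce(evts))
    print("likely compromises:", detect_success_after_failures(evts))
```

On the constructed data, 203.0.113.45 trips both rules (seven RDP failures against jsmith in under a minute, then a success), while 198.51.100.7’s three failures spread over hours stay below the burst threshold and its success follows only one recent failure. The network-logon failure (LogonType 3) is deliberately excluded so that file-share noise does not count toward an RDP alert. The same burst that this rule catches is what an account lockout policy of five or so attempts would have stopped before the eighth try, and a firewall that only admits RDP from a management network would have prevented the source from reaching the port at all.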
Location of Breached Protected Health Information
Network servers were the most common location for breached protected health information, with email accounts in second place with 169 breaches involving email data.

Geographical Distribution of Healthcare Data Breaches
In 2024, data breaches were experienced by HIPAA-regulated entities in 48 states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Only two states emerged from 2024 unscathed – South Dakota and Vermont.
As a general rule of thumb, the states with the biggest populations and therefore the highest number of HIPAA-regulated entities, experience the most data breaches. The two most populous states – California and Texas – topped the list in terms of the number of data breaches, and the top 7 most populous states all featured in the top 8, with Massachusetts suffering more data breaches than its population would suggest. It is a similar story at the bottom of the list, with the least populous states (and DC) occupying the foot of the table.
| State | Data Breaches |
| California | 64 |
| Texas | 59 |
| New York | 47 |
| Illinois | 43 |
| Florida | 36 |
| Massachusetts & Ohio | 29 |
| Pennsylvania | 28 |
| Tennessee | 25 |
| North Carolina | 23 |
| Michigan | 22 |
| Indiana | 19 |
| Arizona & Georgia | 17 |
| Alabama, Colorado, New Jersey & Washington | 15 |
| Maryland & Missouri | 13 |
| Connecticut & Minnesota | 12 |
| Kentucky & Oregon | 11 |
| Arkansas, Nebraska & Virginia | 10 |
| Oklahoma & Wisconsin | 9 |
| Iowa & New Hampshire | 8 |
| Kansas | 7 |
| Nevada | 6 |
| Mississippi, South Carolina, & Utah | 5 |
| Idaho, Montana, North Dakota, New Mexico & Rhode Island | 4 |
| Delaware | 3 |
| Hawaii, Louisiana, Maine & West Virginia | 2 |
| Alaska & Wyoming | 1 |
| Others | |
| District of Columbia | 5 |
| Puerto Rico | 3 |
| Guam | 1 |
| U.S. Virgin Islands | 1 |
Healthcare Records Breached in U.S. States in 2024
| State | Breached Records | State | Breached Records | State | Breached Records |
| Minnesota | 191,042,382 | Georgia | 1,488,508 | Hawaii | 147,021 |
| California | 15,806,495 | Alabama | 1,195,456 | New Hampshire | 132,854 |
| Texas | 11,360,259 | Delaware | 917,461 | Rhode Island | 79,442 |
| Missouri | 6,554,692 | Wisconsin | 813,086 | North Dakota | 64,923 |
| New York | 4,571,559 | Massachusetts | 653,939 | Nevada | 55,165 |
| Utah | 4,308,795 | Iowa | 574,436 | West Virginia | 35,806 |
| Maryland | 3,802,477 | New Jersey | 543,690 | Oregon | 33,079 |
| Oklahoma | 3,355,817 | Indiana | 491,033 | Montana | 23,600 |
| Nebraska | 3,278,867 | Idaho | 478,515 | Kansas | 20,444 |
| Arizona | 3,202,027 | Arkansas | 431,555 | South Carolina | 18,466 |
| Pennsylvania | 3,191,666 | Mississippi | 424,550 | New Mexico | 11,426 |
| Illinois | 3,043,780 | Ohio | 406,129 | Wyoming | 3,636 |
| Louisiana | 2,897,486 | Michigan | 398,385 | Maine | 1,313 |
| Colorado | 2,802,415 | Connecticut | 316,246 | Alaska | 512 |
| North Carolina | 2,123,488 | Washington | 296,501 | South Dakota | 0 |
| Florida | 1,658,747 | Virginia | 257,937 | Vermont | 0 |
| Tennessee | 1,573,350 | Kentucky | 213,653 | | |
Data Breaches at HIPAA-Regulated Entities in 2024
One of the problems with data breach reporting in healthcare is that it is ultimately the responsibility of each HIPAA-covered entity to make sure that a data breach is reported to the HHS’ Office for Civil Rights. When a data breach occurs at a business associate, the business associate must notify each affected covered entity. The covered entity is permitted to delegate the responsibility for issuing notifications to the breached business associate but may choose to issue the notifications itself, in which case the breach appears on the portal under the covered entity’s name. This means data breaches at business associates are often underrepresented in healthcare data breach reports.
Based on the reporting entity, in 2024, 529 data breaches (73%) were reported by healthcare providers, 115 by business associates (16%), 78 by health plans (11%), and 3 by healthcare clearinghouses (0.4%). When calculated based on where the data breach occurred, 62% of data breaches occurred at healthcare providers, 30% at business associates, 7% at health plans, and 0.4% at healthcare clearinghouses. The charts below reflect where the data breaches occurred rather than the entity reporting the breach.


HIPAA Enforcement Activity in 2024
It was a busy year of HIPAA enforcement for the HHS’ Office for Civil Rights, which closed 22 investigations of data breaches and complaints with financial penalties, collecting $12,841,796 in penalties. The enforcement actions include 7 civil monetary penalties and 15 settlements.

The most common HIPAA violations specifically mentioned in OCR’s enforcement actions are detailed in the table below, with risk analysis failures by far the most commonly identified HIPAA violations.
| Area of HIPAA Noncompliance | Number of Enforcement Actions |
| Risk analysis | 14 |
| Reviews of records of information system activity | 7 |
| HIPAA Right of Access | 6 |
| Risk management | 3 |
| Technical policies and procedures for modifying/restricting access to systems containing ePHI & a failure to restrict access to PHI | 3 |
| Policies and procedures for responding to an emergency/security incident | 2 |
| Breach notifications | 1 |
| Business associate agreements | 1 |
| Creating logs of activity in information systems | 1 |
| Terminating access to PHI when members of the workforce no longer require access/leave the company | 1 |
| Workforce HIPAA training | 1 |
| Procedures for creating and maintaining retrievable exact copies of ePHI | 1 |
HIPAA Enforcement Actions by the HHS’ Office for Civil Rights
OCR Settlements in 2024
| HIPAA Regulated Entity | Settlement Amount |
| Montefiore Medical Center | $4,750,000 |
| Solara Medical Supplies | $3,000,000 |
| Heritage Valley Health System | $950,000 |
| Plastic Surgery Associates of South Dakota | $500,000 |
| USR Holdings | $337,750 |
| Cascade Eye and Skin Centers | $250,000 |
| Inmediata Health Group | $250,000 |
| Bryan County Ambulance Authority | $90,000 |
| Virtual Private Network Solutions | $90,000 |
| Elgon Information Systems | $80,000 |
| South Broward Hospital District (Memorial Health System) | $60,000 |
| Green Ridge Behavioral Health | $40,000 |
| Holy Redeemer Family Medicine | $35,581 |
| Phoenix Healthcare | $35,000 |
| Northeast Surgical Group | $10,000 |
OCR Civil Monetary Penalties in 2024
| HIPAA Regulated Entity | Civil Monetary Penalty |
| Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute | $1,190,000 |
| Children’s Hospital Colorado | $548,265 |
| Providence Medical Institute | $240,000 |
| American Medical Response | $115,200 |
| Essex Residential Care (Hackensack Meridian Health, West Caldwell Care Center) | $100,000 |
| Rio Hondo Community Mental Health Center | $100,000 |
| Gums Dental Care, LLC | $70,000 |
Enforcement Actions by State Attorneys General
While OCR is the main enforcer of the HIPAA Rules, state attorneys general also have the authority to impose penalties for HIPAA violations. In some cases, while there may have been violations of the HIPAA Rules, fines and settlements are agreed to resolve equivalent violations of state laws. An enforcement action by a state attorney general for a HIPAA violation does not prevent OCR from also imposing a fine, as was the case with Inmediata, which settled a multistate action in 2023 and settled the same violations with OCR in 2024.
| State | HIPAA-Regulated Entity | Penalty Amount | Reason for Penalty |
| New York | HealthAlliance | $550,000 | Violations of New York Executive & General Business Law |
| New York | Albany ENT & Allergy Services | $1 million in penalties ($500,000 suspended); $2.25 million cybersecurity investment | Violations of New York Executive & General Business Law |
| New York, New Jersey, Connecticut | Enzo Biochem/Enzo Clinical Labs | $4,500,000 | Violations of the HIPAA Security Rule provisions and New York General Business Law |
| Washington | Allure Esthetic | $5,000,000 | Violations of HIPAA and State laws |
| California | Adventist Health Hanford | $10,000 | Violation of the HIPAA Privacy Rule |
| California | Blackbaud | $6,750,000 | Violations of the HIPAA Security Rule, HIPAA Breach Notification Rule, and state consumer protection laws |
| California | Quest Diagnostics | $5,000,000 | Violations of state laws |
| New York | Refuah Health Center Inc. | $450,000; $1.2 million investment in cybersecurity | Violations of the HIPAA Security Rule, HIPAA Breach Notification Rule and New York General Business Law |
Recommendations and Outlook for 2025
In January 2024, HHS published its healthcare and public health (HPH) sector cybersecurity performance goals (CPGs) to help improve cybersecurity across the HPH sector and reduce the number of hacking incidents and ransomware attacks. The voluntary goals are split into essential and enhanced goals and consist of high-impact cybersecurity measures and best practices that are likely to have the greatest effect on security posture. All healthcare organizations should be working toward implementing the essential CPGs, after which a plan should be developed for implementing the enhanced CPGs to mature their cybersecurity programs. Organizations that implement these goals will find it much easier to comply with the requirements of the proposed HIPAA Security Rule update, which includes several of the measures outlined in the CPGs. Many of 2024’s data breaches, including the massive data breach at Change Healthcare, could have been prevented by implementing the CPGs comprehensively.
Until these measures are comprehensively adopted across the healthcare industry, it is unlikely that there will be any significant reduction in healthcare data breaches. What is desperately needed is financial assistance for the many healthcare organizations that lack the funding to improve security, especially rural healthcare providers. Congress needs to make funds available so that the financial assistance program proposed by HHS to help low-resource healthcare providers improve cybersecurity can be implemented.