Healthcare Data Breach Statistics: HIPAA Violation Cases and Preventive Measures in 2025


TL;DR

  • Data breaches and cyber attacks in the healthcare space aren’t new. In the U.S., 2 such breaches are reported on average every day.
  • Despite how common they are, the fallout is severe. The average healthcare data breach costs organizations over 7 million dollars.
  • Hacking is the most common form of attack in this industry. Ransomware attacks are also prevalent.
  • Strong, multi-channel security systems, regular scanning and patching of vulnerabilities and a compliance automation platform to comply with standards like HIPAA, ISO 27001 and SOC 2 are your best defenses.

Healthcare institutions save lives, but they also collect and process an enormous amount of personal health information like names, diagnoses, insurance details, Social Security numbers, and more. This data represents a full picture of someone’s life and health, making it highly valuable and dangerous if exposed. 

The danger extends well beyond the immediate disruption. Stolen diagnoses and medical histories can be exploited for blackmail or identity theft, sometimes resurfacing years later to affect credit, employment, and personal relationships. 

With 725 large breaches reported in U.S. healthcare in 2024 alone, nearly two a day, the risk is no longer rare. Regulators may issue fines, but it’s patients who bear the lasting consequences.

Read on as we trace how often breaches hit healthcare, what forms they take, why they keep happening, and the real-world costs that follow. 

Healthcare data breaches are costly in every possible way

Breaches bleed hospitals on every front. 

  • In 2025, the healthcare industry topped IBM’s league table for breach costs, averaging $7.42 million per incident in the U.S., more than any other industry.
  • Big events dwarf even that: UnitedHealth’s Change Healthcare attack has already run to multi-billion-dollar costs and forced the company to float $9 billion in no-interest advances to keep providers solvent after claims systems froze.

But the real price shows up in operations and care.

  • When WannaCry tore through the NHS in 2017, hospitals had to cancel an estimated 19,000 appointments and divert patients, with an overall bill of around £92 million for the week-long chaos.

And yes, lives are on the line. 

  • Peer-reviewed research found that after a hospital suffers a breach and implements security fixes, door-to-ECG times rise by up to 2.7 minutes and 30-day heart-attack mortality increases by 0.23–0.36 percentage points. This means erasing roughly a year of clinical progress.

In a nutshell, a breach drains budgets, breaks workflows, scares patients, and, when systems stop at the wrong moment, can tip outcomes the wrong way.

Key statistics on healthcare data breaches

  1. From 2009 to 2024, there were 6,759 healthcare data breaches (≥500 records), exposing or impermissibly disclosing 846,962,011 individuals’ PHI—more than 2.6× the U.S. population. 
  2. In 2018, the rate was about 1 breach per day. By 2023, the rate had more than doubled to 1.99 breaches per day.
  3. In 2023, an average of 364,571 records were breached each day. In 2024, that average leapt to 758,288 records per day, driven by a few very large incidents. 
  4. In 2024 alone, PHI (Protected Health Information) for 276,775,457 individuals was exposed or stolen. 
  5. In 2024, nearly 400 U.S. healthcare organizations reported cyberattacks.
  6. From January to October 2024, there were 149 ransomware attacks on healthcare worldwide, and 52% of those were in the United States.
  7. Hacking accounted for 49% of breaches in 2019 and 79.7% of breaches in 2023.

Healthcare data breach trends over the years

Here are the numbers that highlight healthcare data breach trends over the years and show how common they are.

Via The HIPAA Journal

  1. The OCR’s figures show a long-running upward trend in breaches over the past 14 years. 2021 logged the highest number of reported breaches at that time (the trend continued upward in 2022–2024).
  2. 2015 saw a massive jump in records exposed (112+ million), largely due to the Anthem, Premera Blue Cross, and Excellus plan breaches. Until 2023, 2015 was the worst year for breached records.
  3. In 2023, new records were set for both the number of breaches and the number of records exposed. The HIPAA Journal notes 168 million records exposed in 2023, including 26 breaches over 1 million records and four over 8 million; the biggest incident in 2023 impacted 11,270,000 people.
  4. 2024 saw a slight dip in reported breaches, but the number of records compromised increased again, primarily because of the Change Healthcare ransomware attack.
  5. The HIPAA Journal highlights supply-chain security (vendors and business associates) as one of healthcare’s biggest cybersecurity challenges in 2023. 

Common causes of healthcare data breaches

  1. According to the HIPAA Journal, hacking is the leading cause of healthcare data breaches today. Earlier years likely undercounted hacking due to weaker detection. Many incidents between 2014 and 2018 went undetected for months or even years.
  2. OCR reported a 239% increase in hacking-related breaches between Jan 1, 2018 and Sept 30, 2023, and a 278% increase in ransomware attacks over the same period.
  3. Unauthorized access and disclosure events persist, but organizations are improving at monitoring access and training staff.
  4. Loss, theft, and improper disposal of PHI have declined over time thanks to encryption, device tracking, and better disposal practices; improper disposal events are relatively infrequent and often involve paper records.

Top healthcare data breaches of all time

The incidents listed below alone affected approximately 359.7 million records, roughly equivalent to the entire U.S. population. This makes clear how vulnerable medical and insurance data is at scale.

9 of the 10 events were hacking and IT incidents, and business associates (vendors or partners) account for about two-thirds of the impacted records. The outsized risk cannot be ignored in extended healthcare data ecosystems.

| Rank | Year | HIPAA-Regulated Entity | State | Entity Type | Individuals Affected | Type of Breach |
|------|------|------------------------|-------|-------------|----------------------|----------------|
| 1 | 2024 | Change Healthcare, Inc. | MN | Business Associate | 190,000,000 | Hacking/IT Incident |
| 2 | 2015 | Anthem Inc. | IN | Health Plan | 78,800,000 | Hacking/IT Incident |
| 3 | 2023 | Welltok, Inc. | CO | Business Associate | 14,782,887 | Hacking/IT Incident |
| 4 | 2024 | Kaiser Foundation Health Plan, Inc. | CA | Health Plan | 13,400,000 | Unauthorized Access/Disclosure |
| 5 | 2019 | Optum360, LLC | MN | Business Associate | 11,500,000 | Hacking/IT Incident |
| 6 | 2023 | HCA Healthcare | TN | Business Associate | 11,270,000 | Hacking/IT Incident |
| 7 | 2015 | Premera Blue Cross | WA | Health Plan | 11,000,000 | Hacking/IT Incident |
| 8 | 2019 | Laboratory Corporation of America Holdings dba LabCorp | NC | Healthcare Provider | 10,251,784 | Hacking/IT Incident |
| 9 | 2015 | Excellus Health Plan, Inc. | NY | Health Plan | 9,358,891 | Hacking/IT Incident |
| 10 | 2023 | Perry Johnson & Associates, Inc. (PJ&A) | NV | Business Associate | 9,302,588 | Hacking/IT Incident |

Cost of healthcare data breaches

Healthcare breaches are among the most expensive in any industry, driven by the sensitivity of medical data, regulatory oversight, and rising ransom demands. Both direct costs and enforcement penalties contribute significantly to the financial impact.

Here are some supporting numbers: 

  1. A single healthcare breach averages $3.5 million in total cost. 
  2. Each compromised medical record adds about $398 to the bill. 
  3. Ransom demands in this sector average $7 million.

While we don’t have per-record or per-incident figures for penalties, we sourced information about some notable settlements and quantified some enforcement actions.

  1. OCR collected $28,683,400 in HIPAA fines and settlements in 2018, a record at the time. 
  2. 2022 was a record year by number of penalties, with 22 OCR penalties announced. 
  3. OCR closed 22 investigations with financial penalties in 2024 (16 were announced in 2024; the rest in early January 2025). Enforcement remained high into 2025. 
  4. The Anthem 2015 breach settlement was $16 million (record at the time). Premera Blue Cross paid $6,850,000 for its 2015 breach, and Excellus Health Plan paid $5,000,000 for its 2015 breach. 
  5. In 2022, 55% of OCR’s financial penalties were imposed on small medical practices. 
  6. From Sept 2019 to Dec 2023, OCR imposed 46 penalties for HIPAA Right of Access violations (these tend to carry lower dollar amounts than large breach settlements). 

Ransomware events are reportable even when no PHI is disclosed and systems are restored from backups, because PHI was unavailable for a period.

Note: These facts and figures were sourced from various yearly reports of the HIPAA Journal.

Impact on healthcare delivery and patient safety

Data breaches have a very direct and palpable effect on patients and the way they receive treatment and care. Misconfigurations and unpatched systems stemming from breaches expose hospitals to exploitation, directly threatening operations.

  1. Ransomware incidents can disrupt the availability of PHI. OCR requires notification even if no exfiltration occurred, specifically because PHI unavailability affects care operations.
  2. The HIPAA Journal also notes that many hacking incidents from 2014 to 2018 were detected months or years after compromise, which shows the operational risk of delayed detection.
  3. The Change Healthcare incident in early 2024 delayed patient billing and claims processing for weeks, affecting millions of transactions.

Industry comparisons: Healthcare vs other sectors

Between 2015 and 2022, 32% of all recorded U.S. data breaches (across sectors) occurred in healthcare. That is almost double the share seen in the financial and manufacturing sectors.

However, that changed in 2024.

Financial services recorded the most compromises, with healthcare close in second place (both set annual records). 

Healthcare remains the costliest industry when a breach happens.

The global average breach lifecycle in 2025 was 241 days (down year over year). 

Data from the DBIR 2024 shows that the threat-actor mix differs sharply by sector:

  • Healthcare: There was unusually high insider involvement, with 70% internal and 30% external breaches (1,220 confirmed breaches in the 2024 dataset). 
  • Financial services: Predominantly external: 69% external, 31% internal. 
  • Manufacturing: Also external-heavy: 73% external, 27% internal; 35% of breaches involved ransomware.

Healthcare breaches look worse on impact. First, they carry higher breach costs than any other industry (see above). Second, they have longer breach lifecycles: healthcare takes weeks longer than the global average to find and contain an incident, which raises response and disruption costs.

Healthcare data breaches by type of institution

We’ve tracked reported healthcare data breaches across recent years, grouped by the kind of organization involved. 

Providers dominate the counts, health plans and business associates rise and fall relative to each other, and clearinghouses rarely appear.

The following table shows reported healthcare data breaches for various years.

Source: HIPAA.

| Year | Providers | Health Plans | Business Associates | Clearinghouses | Total |
|------|-----------|--------------|---------------------|----------------|-------|
| 2023 | 469 | 103 | 172 | 2 | 746 |
| 2024 | 538 | 77 | 118 | 3 | 736 |
| 2025 YTD (to Jun 30) | 284 | 27 | 66 | 2 | 379 |

  1. Over 93 million records were exposed or stolen in business associate breaches, versus 34.9 million at providers. This is a stark example of vendor-related risk.
  2. BA incidents are often under-counted in public tallies because affected covered entities frequently file separate reports. For example, the Eye Care Leaders ransomware event (2022) affected ≥39 covered entities and >3.09 million individuals; the AMCA breach (2019) exceeded 25 million individuals.

Regulatory penalties and HIPAA violations

  1. Penalty tiers and caps exist and are adjusted for inflation; OCR has sought higher caps from Congress to strengthen deterrence.
  2. 2022 had the most penalties by count (22). 2024 saw 22 closed penalty cases (with 16 public announcements in 2024 and the rest in January 2025). Anthem paid $16M (2018); Premera $6.85M (2020); Excellus $5M (2021) for breaches stemming from 2015 incidents.
  3. In 2022, small practices accounted for 55% of OCR financial penalties.

Note: These figures above were sourced from various yearly reports of the HIPAA Journal.

Behind the breach: the mechanisms of Healthcare data breaches

Cybercriminals often target the vendors and service providers that support healthcare. Healthcare partners, especially smaller ones, usually have weaker defenses than the larger organizations they serve, making them easier to break into.

When a healthcare supplier is compromised, the damage can ripple across many organizations and expose patient data.

Here’s some data on how cybercriminals get in:

Note: Each “CVE” is a catalog ID for a specific software flaw (for example, the Windows “PrintNightmare” bugs are CVE-2021-1675 and CVE-2021-34527). The percentages below show the share of hospitals found to have systems exposed to or impacted by these weaknesses during assessment, meaning at least one device or server was vulnerable. This does not necessarily mean every hospital was breached; it means attackers had openings they could use. Several of these issues enable remote code execution or privilege escalation, which is why they’re so widely exploited in healthcare environments that run large Windows estates and complex vendor stacks.

| CVE | Hospitals affected (%) |
|-----|------------------------|
| CVE-2021-1675 | 45% |
| CVE-2021-34527 | 42% |
| CVE-2022-26809 | 40% |
| CVE-2023-21554 | 39% |
| CVE-2022-34721 | 36% |
| CVE-2022-34713 | 36% |
| CVE-2022-30190 | 31% |
| CVE-2022-26923 | 26% |
| CVE-2022-41128 | 22% |
| CVE-2022-21971 | 21% |

  1. Attackers commonly exploit well-known vulnerabilities such as Log4Shell (CVE-2021-44228), Zerologon (CVE-2020-1472), and Citrix ADC (CVE-2019-19781). 
  2. They also rely on RDP exploitation, phishing, and “living off the land” (LOLBins) techniques. 
  3. Double extortion (encrypting data and threatening to leak it) is common among major groups like LockBit, ALPHV, BlackCat, and BianLian.
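The “living off the land” point above is where detection usually has the best leverage: the same built-in Windows tools appear in ransomware intrusions right before encryption, when the operator destroys shadow copies and backup catalogs. The PowerShell below is an added example, not code from the original post or from any vendor it cites. It runs a small rule set over process-creation events; the sample events are constructed, the field names (TimeCreated, Computer, User, CommandLine) are this example’s own convention, and the 4688 property indexes in the trailing comment are an assumption to verify on your build.

```powershell
# Added example (not from the original post or any vendor it cites).
# Flags the built-in Windows commands that typically precede ransomware
# encryption (shadow-copy and backup-catalog destruction, MITRE ATT&CK T1490)
# in process-creation telemetry. Events below are constructed sample data.

$Rules = @(
    @{ Name = 'Shadow copies deleted (vssadmin)'; Technique = 'T1490'
       Pattern = '\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b' },
    @{ Name = 'Shadow copies deleted (wmic)';     Technique = 'T1490'
       Pattern = '\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b' },
    @{ Name = 'Backup catalog deleted (wbadmin)'; Technique = 'T1490'
       Pattern = '\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b' }
)

function Find-RansomwarePrecursor {
    # $Events: objects carrying TimeCreated, Computer, User and CommandLine.
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if ($e.CommandLine -match $r.Pattern) {   # -match is case-insensitive
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated; Computer = $e.Computer; User = $e.User
                    Rule = $r.Name; Technique = $r.Technique; CommandLine = $e.CommandLine
                }
            }
        }
    }
}

# Constructed sample: a legitimate backup job, a read-only listing, and a
# three-command burst by an interactive user that should page someone.
$Sample = @(
    [pscustomobject]@{ TimeCreated = '2025-03-02 01:12:07'; Computer = 'RAD-WS-017'; User = 'CONTOSO\svc_backup'
                       CommandLine = 'wbadmin.exe start backup -backupTarget:E: -include:C:' }
    [pscustomobject]@{ TimeCreated = '2025-03-02 01:14:33'; Computer = 'RAD-WS-017'; User = 'CONTOSO\jdoe'
                       CommandLine = '"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet' }
    [pscustomobject]@{ TimeCreated = '2025-03-02 01:14:35'; Computer = 'RAD-WS-017'; User = 'CONTOSO\jdoe'
                       CommandLine = 'wmic.exe shadowcopy delete' }
    [pscustomobject]@{ TimeCreated = '2025-03-02 01:14:36'; Computer = 'RAD-WS-017'; User = 'CONTOSO\jdoe'
                       CommandLine = 'wbadmin delete catalog -quiet' }
    [pscustomobject]@{ TimeCreated = '2025-03-02 09:00:02'; Computer = 'LAB-SRV-03'; User = 'CONTOSO\svc_backup'
                       CommandLine = 'vssadmin list shadows' }
)

$hits = Find-RansomwarePrecursor -Events $Sample     # 3 hits, all on RAD-WS-017
$hits | Format-Table TimeCreated, Computer, User, Rule, CommandLine -AutoSize

# Escalate when one host shows several distinct T1490 commands in a short
# window; a lone "vssadmin list shadows" from a backup account is not that.
$hits | Group-Object Computer | Where-Object { $_.Count -ge 2 } |
    ForEach-Object { "ALERT: $($_.Name) ran $($_.Count) recovery-inhibiting commands" }

# Production input: Security log event 4688 with "Include command line in
# process creation events" enabled. On Windows 10 / Server 2016 and later the
# command line is property index 8 (assumption - confirm on your build):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | ForEach-Object {
#     [pscustomobject]@{ TimeCreated = $_.TimeCreated; Computer = $_.MachineName
#                        User = $_.Properties[1].Value; CommandLine = $_.Properties[8].Value } }
```

The rules deliberately match on verbs (delete, shadowcopy delete, delete catalog) rather than on the binaries alone, because backup operators run vssadmin and wbadmin legitimately every day; the per-host grouping at the end is what turns three individually explainable commands into an incident.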

Veriti’s 2025 report, The State of Healthcare Cybersecurity, notes what was wrong technically in the healthcare systems that were compromised:

  1. NTLMv2 authentication is enabled on 1,053 hosts, which can be used for lateral movement and privilege escalation.
  2. Microsoft Defender SmartScreen is disabled on 1,032 hosts. This increased exposure to phishing.
  3. MSDT (Follina vector) is enabled on 947 hosts; this offered another foothold for attackers.
  4. AllowInsecureGuestAuth is enabled on 941 systems. This is notorious for allowing unauthenticated access to shared folders.
  5. Virtualization-based protections are turned off on 883 systems. This weakened defenses like Credential Guard and Secure Boot.
  6. 35% of endpoints have “Quarantine on Write” disabled, which raises the odds of successful encryption by ransomware.
  7. 22% of endpoints have Volume Shadow Copy protections misconfigured. This one makes recovery harder after encryption.
  8. 21% of endpoints show suspicious process risks relevant to ransomware behavior (e.g., vssadmin, wbadmin, wmic).
  9. 17% of endpoints lack Force ASLR, which reduces protection against exploit-based payloads.
  10. 12% lack SEH Overwrite Protection, weakening safeguards against certain memory-corruption attacks.
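Most of the findings in this list are host settings that can be read back without any vendor tooling, so a defender can measure their own exposure before an assessor does. The PowerShell below is an added example, not code from the original post or from Veriti: a read-only local audit of findings 1 through 5, 7, 9 and 10. The registry paths and cmdlets are the Microsoft-documented ones; the pass thresholds are this example’s choices. Finding 6 (“Quarantine on Write”) is an EDR product setting with no OS-level equivalent, and finding 8 is a telemetry question rather than a host setting, so neither is checked here.

```powershell
# Added example, not from the original post or from Veriti. Run in an elevated
# PowerShell 5.1+ session on Windows 10 / Server 2019 or later. Read-only:
# nothing here changes a setting; the Fix column names the remediation.

function Get-RegValue {
    # Returns the named registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-HealthcareHostHardening {
    $ntlm     = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictSendingNTLMTraffic'
    $ssPolicy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen'
    $ssLocal  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'
    $guest    = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'AllowInsecureGuestAuth'
    $msdt     = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'          # Follina protocol handler
    $vbs      = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vss      = (Get-Service -Name VSS).StartType
    $mit      = Get-ProcessMitigation -System -ErrorAction SilentlyContinue   # Exploit Protection, system defaults
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }                    # throws on legacy BIOS

    $checks = @(
        @{ Finding = '1. Outbound NTLM restricted';          Value = $ntlm
           Pass = ($ntlm -eq 2)                                # 2 = Deny all; 1 = audit only
           Fix  = 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all' },
        @{ Finding = '2. Defender SmartScreen enabled';       Value = "policy=$ssPolicy local=$ssLocal"
           Pass = -not (($ssPolicy -eq 0) -or ($null -eq $ssPolicy -and $ssLocal -eq 'Off'))
           Fix  = 'Set EnableSmartScreen=1 by policy (Windows Components > File Explorer)' },
        @{ Finding = '3. ms-msdt handler removed (Follina)';   Value = "handler present=$msdt"
           Pass = (-not $msdt)
           Fix  = 'Apply the June 2022 update for CVE-2022-30190; the key can remain on patched hosts, so confirm patch level before treating this as a gap' },
        @{ Finding = '4. Insecure SMB guest auth disabled';    Value = $guest
           Pass = ($guest -ne 1)                               # absent = disabled by default since 1709
           Fix  = 'Set AllowInsecureGuestAuth=0 (Lanman Workstation > Enable insecure guest logons = Disabled)' },
        @{ Finding = '5a. VBS running with Credential Guard';  Value = $vbs.VirtualizationBasedSecurityStatus
           Pass = ($vbs.VirtualizationBasedSecurityStatus -eq 2 -and 1 -in $vbs.SecurityServicesRunning)
           Fix  = 'Enable Virtualization Based Security with Credential Guard (Device Guard policy)' },
        @{ Finding = '5b. Secure Boot on';                     Value = $secureBoot
           Pass = ($secureBoot -eq $true)
           Fix  = 'Enable Secure Boot in UEFI firmware' },
        @{ Finding = '7. VSS service not disabled';            Value = $vss
           Pass = ($vss -ne 'Disabled')
           Fix  = 'Set the Volume Shadow Copy service to Manual and keep backups off-host' },
        @{ Finding = '9. Force ASLR (system default)';         Value = $mit.ASLR.ForceRelocateImages
           Pass = ("$($mit.ASLR.ForceRelocateImages)" -eq 'ON')
           Fix  = 'Set-ProcessMitigation -System -Enable ForceRelocateImages' },
        @{ Finding = '10. SEH overwrite protection (system)';  Value = $mit.SEHOP.Enable
           Pass = ("$($mit.SEHOP.Enable)" -eq 'ON')
           Fix  = 'Set-ProcessMitigation -System -Enable SEHOP' }
    )

    foreach ($c in $checks) {
        $status = 'FAIL'
        $fix    = $c.Fix
        if ($c.Pass) { $status = 'PASS'; $fix = '' }
        [pscustomobject]@{ Finding = $c.Finding; Status = $status; Value = "$($c.Value)"; Fix = $fix }
    }
}

Test-HealthcareHostHardening | Format-Table -AutoSize -Wrap
```

Run it across an estate with Invoke-Command and collect the FAIL rows, and you have the same percentage-of-hosts view the report presents, but for your own fleet. Two caveats worth keeping in mind: the NTLM check looks only at the “Deny all” end state, so hosts still in audit mode (value 1) show as FAIL by design, and the SmartScreen check treats an absent policy as “whatever Explorer says”, which is how Windows itself resolves it.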

Preventive measures for healthcare organizations

The first step is to invest in a compliance automation platform and arrange your attestations and certifications. 

For HIPAA, there isn’t a government “certificate,” but you can pursue HIPAA readiness with third-party assessments and pair it with HITRUST, SOC 2 Type II, and ISO 27001 to prove security maturity and keep auditors satisfied year after year.

Healthcare cybersecurity trends (2024–2025)

According to Veriti, IoT will remain the healthcare sector’s Achilles’ heel unless standardized patching protocols are adopted. It also warns that expanding AI can place sensitive data outside hospital-controlled environments. 

Also, we expect to see an increase in cloud adoption for PACS and cloud-managed DICOM applications. 

Other trends we noted from the HIPAA Journal include:

  1. 2024 likely had similar breach counts to 2023 but far more records exposed because of a few extraordinarily large incidents (notably Change Healthcare).
  2. Hacking and ransomware activity surged since 2018, with 239% growth in hacking breaches and 278% growth in ransomware incidents through Q3 2023.
  3. Vendor-side breaches have been disproportionately large (for instance, 93M+ records at business associates vs 34.9M at providers in 2023), making third-party risk a central focus going into 2025.
  4. After a high-volume year in 2022, OCR maintained a vigorous pace in 2024 to 2025, closing 22 penalty cases in 2024 with more announcements continuing into early 2025. 

When data falls, patients pay

Healthcare runs on trust. When data leaks or systems go down, the damage ripples from the billing desk to the bedside.

The numbers make the stakes obvious: breaches cost millions, derail care, and shake patient confidence. 

Protection won’t come from one silver-bullet tool or a once-a-year audit. It comes from steady, boring excellence, which means patching systems on time, segmenting what matters, watching logs like a hawk, and proving that safeguards work.

Sprinto automates security compliance for frameworks like SOC 2, ISO 27001, and HIPAA. It traces controls to your stack, collects evidence continuously, flags gaps, and keeps you ready for auditors. 

Since Sprinto handles all the evidence collection and auditor-client back and forth, your security stance automatically improves. 

Beyond that, Sprinto protects you against breaches by 

  • Mapping controls to healthcare frameworks: Sprinto aligns technical and administrative safeguards to HIPAA requirements and supports frameworks like SOC 2, ISO 27001, and HITRUST, so you’re not rebuilding controls for each audit.
  • Automating evidence collection: It connects to your cloud, IdP, code, or endpoint tools to pull logs, configs, screenshots, and tests continuously so you’re always audit-ready.
  • Monitoring controls 24×7: Drift alerts catch issues like disabled MFA, misconfigured storage, or stale access before they become findings.
  • Creating workflows: Use built-in templates, assign owners, collect acknowledgments, and track completion centrally.
  • Managing vendor risk: Sprinto also catalogs BAAs, runs assessments, tracks remediation, and keeps a live view of supply-chain risk.

Talk to an expert and get a demo today.

FAQs

What is the biggest healthcare data breach?

The largest healthcare data breach on record is the Change Healthcare attack, disclosed in 2024. After months of analysis, the official tally reached about 192.7 million people affected — making it the biggest healthcare breach in U.S. history.

How common are cyber attacks in healthcare?

They’re frequent and stubbornly so. In 2024, U.S. providers reported 725 large breaches (each 500+ records) to HHS, roughly two a day and the third straight year at that level. The FBI’s Internet Crime Report shows healthcare endured 444 reported cyberthreat incidents last year, including 238 ransomware and 206 data breach events, more than any other critical infrastructure sector.

What are the top causes of healthcare breaches?

Hacking and ransomware dominate. In 2023, about 79.7% of reported healthcare breaches were due to hacking and IT incidents, a huge shift from the old days of lost laptops and paperwork mishaps. 

Business associates and vendors often sit in the blast radius, amplifying the impact when a single service is compromised. Insider mishaps and unauthorized access still happen, but the big growth has been in targeted cyberattacks.

What’s the cost of a healthcare data breach?

Pricey, on every front. IBM’s 2025 study measures the average healthcare breach at $7.42 million, the highest across industries. U.S. breaches overall (all sectors) average $10.22 million, reflecting steeper detection and legal costs. On top of that, hospitals can lose up to $900,000 per day during downtime, when surgeries, prescriptions, and claims are disrupted. 

What can healthcare orgs do to stay compliant with HIPAA?

Start with the basics HIPAA requires: do a thorough risk analysis and ongoing risk management, and implement administrative, physical, and technical safeguards for ePHI. Have solid business associate agreements, train your workforce, and maintain audit logs. If a breach occurs, notify without unreasonable delay and no later than 60 days. 

Anwita

Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.
