Healthcare Data Breaches in the US
Visualizing a Growing Crisis
On February 21, 2024, healthcare providers across the U.S. faced widespread disruptions. Hospitals and pharmacies were facing connectivity issues, unable to process claims, fill out prescriptions or manage patient billing. At the centre of it was Change Healthcare and its services, including Optum.
As the chaos unfolded, it became clear that Change Healthcare had been the victim of a cyberattack.
On February 22, The American Hospital Association issued an alert, urging hospitals to disconnect from Optum’s network due to security concerns. By then, it was confirmed: Change Healthcare’s systems had been compromised, leading to significant operational disruptions across its vast network of clients.
On February 26, the ALPHV/BlackCat ransomware group claimed responsibility, claiming to have stolen 6 terabytes of sensitive data, including Social Security numbers, medical records, and military personnel information.
By March 1, a $22 million payment (350 bitcoins) had been paid to the attackers.
Meanwhile, hospitals struggled to manage day-to-day operations, with some reporting losses of millions of dollars daily due to insurance claim processing failures. Pharmacies experienced delays in prescription processing, further impacting patient care.
By March 6, at least five federal lawsuits were filed against Change Healthcare’s parent company, UnitedHealth Group. A federal investigation into HIPAA compliance was initiated on March 13.
On May 1, UnitedHealth’s CEO Andrew Witty testified that a lack of basic cybersecurity measures—specifically, a single password without multi-factor authentication—had allowed hackers to access Change Healthcare’s systems. Witty also estimated the breach could have affected roughly one-third of the U.S. population, or over 110 million individuals.
A survey by the American Medical Association highlighted the widespread impact of the attack, detailing the operational strain on healthcare providers.
Check the details of the survey at: AMA Survey
Other Major 2024 Healthcare Breaches
Sadly, the Change Healthcare incident was not the only major breach in 2024.
On April 12, Kaiser Foundation Health Plan reported a data breach affecting 13.4 million people due to the improper use of tracking technologies on its websites. They notified the impacted individuals had some of their personal data had been disclosed to third parties such as Microsoft (Bing), Google, and X (Twitter) via tracking technologies on its websites and apps.
This is the largest confirmed healthcare data breach to be reported so far in 2024.
On May 9, Ascension—the largest nonprofit health system in the U.S.—faced a cyberattack affecting a large percentage of its 136 hospitals across the United States, with an investigation still underway. It took Ascension around 6 weeks to restore access to its electronic medical record system and resume normal operations.
Visualizing a Growing Crisis
The following visualizations highlight key trends in healthcare data breaches across the U.S., showing the evolving nature of these incidents and the growing number of individuals affected.
1. Breach Categories and Impact Over Time
The primary causes of healthcare data breaches have shifted significantly over the years.
Between 2009 and 2015, the loss or theft of healthcare records was the leading cause of breaches. However, with better device tracking, encryption, and digital record-keeping, these incidents have declined. In contrast, hacking and ransomware attacks have surged, growing from 45% of all breaches in 2018 to 81% in 2023.
The severity of these breaches has also escalated. In 2021, 60 million records were breached, followed by 57.6 million in 2022. But 2023 shattered records with 160 million healthcare records exposed. The largest breach of 2023 impacted 14.76 million individuals, making it the second-largest healthcare breach in history. And well, this again was a hacking incident.
The first visual tracks the number of breach incidents and individuals affected, categorized by breach types such as hacking, theft, and unauthorized access.
Alongside these numbers, the visualization also shows percentage breakdowns that reveal how each breach category has shifted over time, highlighting the increasing dominance of hacking-related incidents.
2. Breach Causes vs. Locations
The second chart presents the distribution of breach causes (hacking, theft, etc.) across different breach locations (network servers, laptops, emails, etc.). Hacking over network servers was the most common and damaging cause in 2023, affecting 114 million individuals. The visual emphasizes the vulnerabilities in digital environments, particularly in critical infrastructure like network servers.
3. Impact Trend Over Time
The third visual—a video chart—illustrates the rising trend of individuals affected by healthcare breaches over the years. The growth of hacking incidents, which now dominate the landscape, has driven this trend. In 2023 alone, hacking was responsible for 602 breaches, impacting 151.6 million individuals—accounting for 95% of all those affected by healthcare breaches that year.
Conclusion
As these visuals demonstrate, the healthcare industry faces an ever-growing challenge in safeguarding sensitive data.
So far, 2023 has been recorded as the worst year for healthcare data breaches with the maximum number of cases and also had the maximum number of individuals impacted. However looking at the major incidents involving Change Healthcare, Kaiser Permanente and Ascension, 2024 looks set to break this record (Note: The full count of individuals impacted by Change healthcare and Ascension breaches are not yet confirmed. Once finalized, this data is likely to surpass 2023's figures, especially with any additional breaches occurring before year-end.)
With hacking attacks driving the bulk of incidents, the scale of affected individuals has reached unprecedented levels. The Change Healthcare attack is a stark reminder of the urgent need for enhanced cybersecurity measures to protect patient privacy in an increasingly digital world, because the means and ways of the attackers keep getting upgraded.
For a more detailed look at these trends, explore the latest statistics in the HIPAA Journal.
Sources:
U.S. Department of Health and Human Services Office for Civil Rights - Breach Portal