Natali_Mis/istock via Getty Imag
10 largest healthcare data breaches of 2024
Upward of 137 million individuals were affected by the 10 largest healthcare data breaches reported to OCR in 2024 combined, with Change Healthcare accounting for 100 million.
Healthcare data breaches continued to disrupt operations and jeopardize patient privacy in 2024, as shown by the record-breaking figures displayed on the HHS Office for Civil Rights data breach portal.
Analysis of OCR's portal showed that, as of Dec. 9, 2024, upward of 168 million individuals were affected by healthcare data breaches reported to OCR this year. That total, while already record-breaking, is likely to rise slightly as OCR continues to receive and post 2024 data breach reports, which pertain specifically to breaches that affected 500 or more individuals.
Most of the data breaches reported to OCR so far in 2024 were attributed to a hacking or IT incident. Looking at the 10 largest breaches alone, which affected 137 million individuals combined, nine were attributed to a hacking or IT incident, and five originated within a HIPAA business associate's network server.
These figures are in line with healthcare data breach trends of years past. Considering these trends, ransomware preparedness and third-party risk management will likely remain key focus areas for healthcare in 2025.
With updates to the HIPAA Security Rule on the horizon and several healthcare cybersecurity legislative proposals under consideration, the 10 largest breaches reported in 2024 speak to the tumultuous year that brought the sector to this point.
Change Healthcare: 100,000,000 individuals affected
The Change Healthcare cyberattack and data breach accounted for the bulk of individuals affected by large healthcare data breaches reported to OCR in 2024.
On Feb. 21, 2024, Change Healthcare, part of UnitedHealth Group (UHG), began experiencing outages, leading to revenue cycle disruptions at healthcare organizations across the U.S.
BlackCat/ALPHV ransomware actors took responsibility for the attack and claimed to have exfiltrated six terabytes of data. UHG later confirmed that it paid a $22 million ransom in an effort to recover system access.
UHG also confirmed that the cyberattack was successful because threat actors used compromised credentials to remotely access a Change Healthcare Citrix portal that was not protected by multifactor authentication (MFA).
As the disruptions continued, providers continued to experience financial and operational hardships for months following the cyberattack.
UHG advanced billions in funds to ease disruption woes. However, in early April, weeks after the initial attack, providers reported continuing to lose revenue due to unpaid claims and even using personal funds to cover their practice's expenses.
As of Oct. 15, 2024, Change Healthcare's clearinghouse services were fully restored, and recipients of the company's funding assistance program had repaid $3.2 billion.
The cyberattack sparked conversations about the effects of consolidation in healthcare, the importance of MFA, single points of failure across the healthcare ecosystem and third-party risk management.
Healthcare organizations and lawmakers will likely continue to reflect on this event in 2025 as the sector faces mounting pressure to effectively reduce cyber-risk and respond to cyberattacks.
Kaiser Foundation Health Plan: 13,400,000 individuals affected
In April, Kaiser Foundation Health Plan notified 13.4 million individuals of a data breach that stemmed from its use of certain technologies within its websites and applications that might have transmitted data to third-party vendors, such as Google, Microsoft and X (formerly Twitter).
The affected data for the Kaiser Foundation Health Plan breach included member names, IP addresses, and information about how members interacted with Kaiser's sites. Upon discovery, Kaiser removed these tools from its websites and applications.
As previously reported, the widespread use of third-party tracking technology on healthcare websites has led to numerous data breaches and regulatory pushback since 2022. The spotlight on this issue also led the American Hospital Association (AHA) to file a lawsuit against HHS over its guidance on the subject. The AHA won the lawsuit, and OCR's guidance was deemed unlawful in June 2024.
HealthEquity: 4,300,000 individuals affected
HealthEquity, a health savings account administrator, first disclosed a multimillion-record data breach in July 2024 via a Securities and Exchange Commission Form 8-K filing.
HealthEquity said it had discovered anomalous behavior on a personal use device belonging to a business partner during its routine monitoring.
The company later determined that an unauthorized party had accessed the partner's user account and transferred some personally identifiable information pertaining to HealthEquity members off the partner's systems.
HealthEquity did not experience any disruptions, nor did it find any malicious code within its systems.
Concentra Health Services: 3,998,163 individuals affected
In January 2024, Concentra Health Services, an occupational medicine provider, reported a data breach tied to a previously reported breach at Perry Johnson & Associates (PJ&A), a medical transcription company.
PJ&A's data breach occurred in May 2023 due to unauthorized system access and was one of the 10 largest breaches reported to OCR in 2023.
The unauthorized party potentially obtained demographic information, admission diagnoses, Social Security numbers, insurance information and clinical information.
Following PJ&A's breach notification, several affected PJ&A clients filed their own breach reports, including Chicago-based Cook County Health and New York-based Northwell Health.
By the end of 2023, the breach had affected nearly 9 million individuals.
After millions had been affected, Letitia James, New York's attorney general, issued a consumer alert to warn New Yorkers about the potential effects of this data breach.
When Concentra added an additional 4 million to the breach tally in January 2024, it directed affected individuals to PJ&A's website for additional information about the breach and steps that they could take to protect their information.
Centers for Medicare & Medicaid Services: 3,112,815 individuals affected
In September 2024, CMS notified affected individuals of a third-party data breach that stemmed from Wisconsin Physicians Service Insurance Corporation (WPS), a CMS contractor that handles Medicare Part A/B claims.
CMS learned of the incident in July 2024, when WPS notified CMS that files containing claims data were compromised during a cybersecurity incident involving Progress Software's MOVEit Transfer file transfer product.
As previously reported, hundreds of organizations were affected by the exploitation of MOVEit vulnerabilities in 2023.
WPS had applied the software patch provided by Progress Software in May 2023 and found no evidence that its systems had been affected at the time. In May 2024, WPS conducted an additional review and discovered that an unauthorized third party had in fact copied files from its systems in May 2023, prompting it to then notify CMS of the incident.
CMS initially reported that the breach had affected approximately 946,000 individuals, but later updated that number to 3.1 million.
Acadian Ambulance Service: 2,896,985 individuals affected
Acadian Ambulance Service suffered a cyberattack in June 2024 that involved the data of nearly 2.9 million current and former patients. Acadian provides ambulance services in Louisiana, Tennessee, Texas and Mississippi.
Acadian discovered suspicious activity within its network on June 21, 2024, and immediately launched an investigation. Acadian determined that an unauthorized party accessed and took certain files and folders.
The data involved in the breach potentially included names, Social Security numbers, dates of birth, medical information and addresses.
Acadian said it would review its security policies to reduce the likelihood of future security incidents.
Sav-Rx: 2,812,336 individuals affected
In May 2024, Sav-Rx, a Nebraska-based pharmacy benefit management company, notified millions of individuals of an October 2023 data breach.
Sav-Rx discovered disruptions within its IT systems on Oct. 8, 2023, but did not notify its health plan customers until April, 2024, when its investigation was completed.
The investigation determined that an unauthorized party was able to access certain nonclinical systems, which included names, dates of birth, email addresses, phone numbers, Social Security numbers, eligibility data, insurance identification numbers and addresses.
Sav-Rx said that the incident did not result in any material disruptions or prescription delivery delays. The company was able to adjudicate pharmacy claims throughout the incident.
Sav-Rx said that it has since implemented MFA, network segmentation, Linux system hardening and enhanced geo-blocking.
WebTPA: 2,518,533 individuals affected
WebTPA, a third-party administrator that processes health plan claims suffered a data breach that began in April 2023, when an unauthorized party obtained access to personal information from WebTPA's systems.
The company reported the breach to OCR in May 2024, more than a year after it occurred.
WebTPA said that it did not detect suspicious activity on its network until December 2023. Upon discovery, the company launched an investigation alongside law enforcement and third-party cybersecurity experts.
WebTPA determined the scope of the affected data in March 2024. The breach involved names, dates of birth, dates of death, Social Security numbers, contact information and insurance information.
Integris Health: 2,385,646 individuals affected
Integris Health, an organization that operates 16 hospitals and other healthcare facilities throughout Oklahoma, suffered a data breach in November 2023 that was reported to OCR in January 2024.
Integris Health confirmed that an unauthorized party accessed Integris files on Nov. 28, 2023. The information involved varied by individual, but potentially included names, contact information, demographic information and Social Security numbers.
In its breach notice, Integris Health also noted that some patients had received communications in December 2023 from a group claiming responsibility for the unauthorized access. Integris Health urged recipients to not respond, follow any instructions, or click any links contained in these communications.
The organization encouraged affected individuals to remain vigilant by reviewing account statements and monitoring credit reports.
Medical Management Resource Group: 2,350,236 individuals affected
Medical Management Resource Group (MMRG), doing business as American Vision Partners, reported a November 2023 data breach in February 2024. MMRG provides administrative services to ophthalmology practices,
MMRG detected unauthorized activity within its network on Nov. 14, 2023, and later determined that the unauthorized party had obtained personal information associated with its patients.
The affected data included names, dates of birth, contact information, insurance information and Social Security numbers.
MMRG said it worked with law enforcement and third-party cybersecurity firms to isolate affected systems and investigate the incident. MMRG encouraged affected individuals to take advantage of its free credit monitoring and identity protection services.
While these 10 breaches are just a few of the hundreds of healthcare data breaches reported to OCR in 2024, they exemplify ongoing cyberattack trends that could continue into 2025, such as the targeting of third-party vendors.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
