80+ Healthcare Data Breach Statistics 2024

Statistics for data breaches in healthcare reveal that 30% of all large data breaches occur in hospitals. 51% of healthcare organizations reported an increase in data breaches since 2019.  The first half of 2022 saw 337 breaches which affected 19,992,810 individuals. 

With hospitals now experiencing the largest number of data breaches continuously for the past 12 years, it is high time to take an in-depth look into the statistics revolving around it. In this article, we aim to analyze and study the compiled healthcare data breach statistics 2024. 

Top Healthcare Data Breach Statistics 2024

Here are the top healthcare data breach statistics 2023-2024:

1. According to HIPAA, healthcare data breaches in the U.S. have decreased by 48%. 
2. 36% of healthcare facilities reported an increase in medical complications owing to ransomware attacks. 
3. Only 4-7% of the health system’s IT budget is invested in cybersecurity. 
4. 61% of healthcare data breach threats come from negligent employees.
5. Fortified Health Security’s mid-year report stated that the healthcare sector suffered nearly 337 breaches in the first half of 2022 alone. 
6. According to the U.S. Department of Health and Human Services, the 337 healthcare incidents reported affected 19,992,810 individuals. 
7. 80% of the reported healthcare breaches by U.S. HSS were accounted for by hacking while the remaining 15% was accounted for by unauthorized access. 

Healthcare Data Breach Statistics -2024

This section will take a deep dive into general statistics for a data breach in healthcare, statistics based on the type of incidents as well as statistics of healthcare breaches based on the cost. Lastly, it will also mention detailed statistics of data breaches that rattled the healthcare industry. 

Healthcare Data Breach Statistics By Year

• There is a 75.6% chance of a breach of at least 5 million records in the year 2023.
• The third quarter of 2022 saw 1 in 42 healthcare organizations targeted by ransomware attacks. 
• OneTouchPoint reported a breach in July 2022 that affected nearly 2,651,396 individuals.
• Nearly 93% of healthcare organizations have experienced a data breach in the past three years according to Herjavec Group’s 2020 Healthcare Cybersecurity Report and 57 percent have had more than five data breaches during the same timeframe. 
• 2020 saw nearly 240 million hacking attempts with Cerebro accounting for 58% of threats, Sodinokibi at 16%, and VBCrypt at 14%. 
• A report from the American Journal of Managed Care revealed that hospitals spend 64% more annually on advertising after a breach. 
• Sutter Health, a Northern California healthcare system was hit by around 87 million cyber threats in 2018. 
• More than 2100 healthcare data breaches have been reported since 2009.

How many healthcare records were exposed between March 2021 and February 2022?

95% of all identity theft stems from stolen hospital records. Data breaches exposed at least 42 million records between March 2021 and February 2022. Healthcare statistics by HIPAA revealed that healthcare cybersecurity incidents fell by 8% in February 2022 but still faced 46 incidents affecting 2.5 million people.

Increase in data breaches in healthcare industry between 2019-2021

27% of cyberattacks during COVID-19 targetted banks or healthcare organizations. 2020 saw a 58% increase in healthcare industry targetted data breaches. Data breaches in healthcare went up by 42% since 2020 having the highest breach costs for the 12th year in a row. The Healthcare sector saw a 60% increase in attacks from 2021 with an average of 1426 attacks per week. 

General Stats for Security Breaches in Healthcare 

• 67% of healthcare organizations experienced attacks using lookalike domains. 
• 34% of data breaches in healthcare organizations came in the form of authorized access or disclosure. 
• The chances of another Anthem-sized breach (80+ million records) within the next three years is at 25.7%.
• The report, released by Singapore-based Cyber Risk Management (CyRiM) believes healthcare will be one of the industries most affected by hackers having lost over lost $25 billion alone last two years.
• Nearly 80 million people were affected by the Anthem Breach.
• Globally known medical bodies like the CDC (US’s Centre For Disease Control) and the UN’s WHO (World Health Organization) were impersonated to carry out a variety of scams during the pandemic. 
• The U.S. pharma company Pfizer mistakenly leaked private data of the country’s prescription drug users in a data breach caused due to unsecured cloud storage.
• The National Health Service (NHS) suffered a $100 million loss due to the WannaCry ransomware attack. 

90% of healthcare organizations face at least 1 security breach with 30% of it occurring in large hospitals.

90% of healthcare institutions have experienced at least one security breach in the previous few years. 30% of most data breaches occur in large hospitals with a record of exposing patients’ private health information.

Ransomware and device vulnerabilities resulting in longer hospital stays

Medical devices are on average reported to have 6 vulnerabilities at least 60% of them being at the end-of-life stage. A survey conducted revealed that nearly 70% of healthcare organizations saw longer hospital stays and delays in procedures due to ransomware attacks.

Triggering causes for healthccare-related cyber insurance claims

In the case of healthcare-related cyber insurance claims, the triggering causes were: 

1. Malicious data breach- 18%
2. Accidental data breach- 29%
3. Ransomware- 8%
4. Stolen/Lost devices- 16%

Data breaches in teaching and pediatric hospitals

6 percent of pediatric hospitals reported data breaches. At least 18% of teaching hospitals experienced a data breach. Thus the healthcare and finance industries, remain the most popular targets at 15% and 10% respectively.

47% of healthcare data breaches stem from IT incidents through malicious or third-party insiders with advanced permissions

47% of healthcare data breaches come from hackers or various IT incidents. 66% of organizations consider malicious insider attacks or accidental breaches more likely than external attacks. Third-party insiders are also a risk factor with 94% of organizations working with outsourcing companies having given them system access. 72% have advanced permissions. 

Doctors prone to committing serious data breaches by 50%, 24% can’t identify signs of malware

Doctors in the “risk” category were at 50%, making them likely to commit a serious data breach. 24% of physicians couldn’t identify the common signs of malware. Up 162% over the past three years, unauthorized access is already a massive issue. Nevertheless, it is still growing at an astounding rate.

The healthcare industry gets 54% for cyber assurance, breaches are identified months later by 39% of organizations.

Awareness of an occurrence of a breach happened months after the initial event in the case of 39% of healthcare organizations. The cybersecurity report by Tenable gave the healthcare industry a 54% grade when it came to cyber assurance. 

Healthcare invests less than 6% in cybersecurity, healthcare jobs take 70% longer than IT jobs. 

The healthcare industry invests less than 6% of its budget on cybersecurity while the US spends 16% of its federal budget on cybersecurity. Healthcare cybersecurity jobs take longer to get filled when compared to IT cybersecurity jobs by 70%. 

67% of the public thinks hospitals should be mandated by law to train staff on proper cybersecurity behavior

82% of organizations can’t determine the actual damage from an insider attack according to PwC. A survey conducted by PwC on the public in Germany revealed that 67% thought hospitals should be forced by law to train their staff on cybersecurity and its proper behavior. 

38 million records were exposed online with contact tracing information

The exposed data was stored in Microsoft’s Power Apps portal service. The mistakenly exposed data contained employee databases, vaccination sign-ups, and statuses, as well as people’s addresses and phone numbers. 

Data Breach Statistics Based on Type of Incident

The most common causes of data breaches in the healthcare industry are phishing attacks, ransomware attacks, and business email compromise attacks (BEC). 

Phishing

• 88% of healthcare workers opened phishing emails.
• Phishing and other forms of cyber attacks have seen a 75% increase in 2021.
• The HIMSS survey revealed that 36% of non-acute care organization representatives claimed that their organization did not conduct phishing tests.
• A report analyzed by Health IT revealed that nearly 24% of health employees in the U.S. hadn’t received any cybersecurity awareness training to help identify phishing scams.

Ransomware

•  74% of ransomware attacks were aimed at hospitals, and 26% at secondary institutions like dental services and nursing homes. 
• It was estimated that ransomware attacks would quadruple from 2017 to 2020 and grow 5x by 2021. 
• 2020 saw nearly 560 healthcare facilities fall victim to ransomware attacks. 
• 8% of healthcare data breach claims were triggered by ransomware attacks. 

Business Email Compromise

• A 2019 survey by HIMSS Cybersecurity revealed that nearly 60% of hospital representatives and healthcare IT professionals said that emails were the most common cause of data compromise. 
• Healthcare email frauds have seen exponential growth at 473%. 
• Healthcare organizations were targeted at an average of 96 email frauds every quarter. 
• 70% of the fraud emails to healthcare institutions were sent during office timings between 7 A.M. and 1 P.M. 

Detailed Healthcare Data Breach Statistics

Here are some of the major healthcare data breaches that occurred over 2023-2024. 

1. OneTouchPoint

OneTouchPoint reported a massive data breach that affected over 1,073,316 individuals in mid-July of 2022. 

The breach occurred due to unauthorized access to certain servers that contained information such as names, member IDs, and data from health assessments. 

More than 35 different organizations were affected by the breach including Anthem ACE, Geisinger, Kaiser Permanente, and Humana.  

2. Shields Health Care Group

The Shields healthcare data breach is the largest data breach reported in 2022. Shield Health Care Group, a Massachusetts-based company detected suspicious network activity on March 28th of 2022. 

Further inquiry revealed that a malicious actor gained access to certain Shields systems. It affected major partners like Tufts Medical Center and UMass Memorial MRI.

The data breach affected over 2 million individuals revealing their social security numbers, diagnoses, billing information, medical records, and PII like addresses, dates of birth, patient IDs, and more.

3. Novant Health

Novant Health reported that a misconfiguration in Meta pixel code potentially led to the unauthorized disclosure of protected health information (PHI) of 1,362,296 individuals. 

Meta, Facebook’s parent company faces two lawsuits in lieu of this since the evidence was found that improper configuration of Meta Pixel has led to the disclosure of sensitive information to Meta. 

Novant Health notified its patients and physicians and facilities regarding the possibility of information disclosure. However, there was no reported usage of the disclosed information by Meta or any third party.

4. Broward Health

Broward Health based in Florida reported a data breach affecting 1.35 million people on January 2nd of 2022. 

It was reported that the breach occurred through gaining access from a third-party medical provider. 

The health system said the intruders accessed private data including patient names, dates of birth, and Social Security numbers. 

5. Baptist Medical Center

Tenet Healthcare-affiliate Baptist Medical Center suffered a cyberattack on April 24th, 2022 affecting 1.24 million individuals.

An unauthorized party gained access to certain systems that contained personal information and took some data between March 31 and April 24.

The information may have included dates of birth, Social Security numbers, health insurance information, other medical data, and billing and claims information.

6. Farrer Park Hospital

Singapore-based Farrer Park Hospital had a breach that spanned over two years between March 8, 2018, and Oct 25, 2019. The confidential medical information of 2000 individuals was automatically forwarded to a third party. 

The hospital notified the commission about the breach in July 2020 after receiving a complaint in October 2019.

Among the 3,539 past, present or prospective patients whose personal data was leaked, 1,923 people had their medical information disclosed as well.

7. Texas Tech University Health Sciences Center

This science center was hit by a data breach due to a hacking incident that was reported on June 7, 2022. The breach affected over 1,29 million people. 

The breach involved information held by Eye Care Leaders, Inc., a third-party service provider of an electronic medical records system used by Texas Tech’s health sciences center. 

Some of the records included names, birthdates, Social Security numbers, and other medical record data.

8. Anthem

Anthem disclosed on February 2015 that criminal hackers broke into its servers stealing over 37.5 million records that contain personally identifiable information. 

80 million company records were hacked. The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses, employment information, and income data.

Healthcare Data Breach Cost Statistics

• A recent study found that the average cost of a data breach is $ 4.24 million. 
• Healthcare data breaches cost an average of $408 per record, which is three times higher than the cross-industry average of $148 per record.
• The total spending on healthcare will rise to $5.61 billion by 2025 through the integration of blockchain technology.

Ransomware cost to the healthcare industry since 2016

Ransomware attacks have healthcare providers in the US causing a total loss of $157 million since 2016. The year 2019 was estimated to have cost $ 25 billion for the healthcare industry due to ransomware attacks. 

What is the average cost of healthcare data breaches?

$10.10 million was the average cost of a data breach in the healthcare industry. 

 The average cost of a healthcare data breach surpassed the general average of $ 9.23 million per incident. An average of $ 9.3 million was the cost of healthcare data breaches per incident in 2021.

 Ransom payout in Q1 of 2022 was 34% less than fourth quarter of 2021

The total ransomware demand for the period accounted for $16.48 million out of which healthcare providers paid only $ 640,000. The average ransom payout in the first quarter of 2022 was $211,259, 34% less than the fourth quarter of 2021.  

$ 7 billion is lost annually due to stolen PHI in the U.S.A. 

An estimated US $7 billion has been lost due to stolen PHI in the US healthcare industry annually. With costs of $408 per record, healthcare data breaches cost the highest in any industry.

Conclusion

This article has provided a detailed compilation of healthcare data breach statistics for 2024. It has included relevant statistics revealing the costs of a data breach, specific incidents, and general healthcare cybersecurity statistics that one needs to consider.