Evolution of Major Health Data Breaches in 2024: Trends and Insights

In 2024, major health data breaches continue to be dominated by hacks and vendor incidents, alongside significant breaches involving unauthorized access or disclosure. According to the Department of Health and Human Services’ HIPAA Breach Reporting Tool (HHS OCR), there have been 384 reported breaches affecting 44.8 million individuals in the first half of 2024.

Approximately 77% of these breaches, involving 29.7 million individuals, were attributed to hacking incidents reported by healthcare organizations and their partners. One notable case involved Concentra Health, where nearly 4 million individuals were affected by a hack in January. This incident stemmed from a 2023 data theft involving medical transcription services firm Perry Johnson & Associates, impacting over 14 million individuals across multiple clients.

Beyond hacks, unauthorized access or disclosure incidents accounted for 70 breaches affecting more than 15 million people. Kaiser Foundation reported one of the largest breaches in April, affecting 13.4 million individuals due to online tracker usage. Geisinger also reported an incident involving a business associate, Nuance Communications, that affected nearly 1.3 million individuals and resulted in a federal indictment for obtaining information from a protected computer.

These breaches underscore ongoing vulnerabilities in health data security, necessitating robust measures to safeguard protected health information amidst evolving threats.

10 Largest Health Data Breaches in the First Half of 2024

| Breached Entity | Individuals Affected |
|---|---|
| Kaiser Foundation | 13.4 Million |
| Concentra Health | 4 Million |
| Sav-Rx | 2.8 Million |
| WebTPA | 2.5 Million |
| Integris Health | 2.4 Million |
| Medical Management Resource Group | 2.35 Million |
| Geisinger | 1.3 Million |
| Eastern Radiologists | 887,000 |
| Superior Air-Ground Ambulance Service | 858,000 |
| Unite Here | 791,000 |

Source: U.S. Department of Health and Human Services

In 2024, third-party vendors and business associates handling protected health information remain central to numerous major data breaches reported to HHS OCR. Business associates have been implicated in 141 breaches affecting 17.5 million individuals, accounting for 40% of all major health data breaches reported this year.

Notably absent from the midyear report is any mention of the February cyberattack on Change Healthcare, estimated by parent company UnitedHealth Group to have impacted a significant portion of the U.S. population. UnitedHealth Group has taken responsibility for breach notifications on behalf of affected clients, complicating the eventual tally on the HHS OCR website. It remains unclear whether this incident will be reflected as hundreds of separate breaches or a single comprehensive report covering millions of individuals.

Once the impact of the Change Healthcare breach is integrated into the HHS OCR statistics, breach figures for 2024 are expected to surge dramatically, potentially by tens of millions. This underscores ongoing challenges in securing health data amidst evolving cyber threats and the critical role of robust data protection measures across all parties handling sensitive information.

Targeting Larger Entities: A Shift in Healthcare Data Breach Trends

While hacks and breaches involving business associates have long dominated major health data breaches, new trends are emerging in 2024, according to experts.

Mike Hamilton, founder and CISO of Critical Insight, notes a shift towards targeting larger healthcare organizations, whose disruptions have significant sector-wide repercussions. The recent hack of Change Healthcare, where parent company UnitedHealth Group paid a $22 million ransom to BlackCat attackers, exemplifies this trend.

Hamilton emphasizes that stolen records are increasingly used for extortion rather than immediate monetization through sale, posing additional risks such as class action lawsuits. Effective mitigation strategies, he suggests, involve robust network monitoring, endpoint security, and 24/7 analyst oversight to minimize impacts.

Despite evolving breach patterns, there are positive developments noted on the HHS OCR breach website for 2024. Incidents involving theft or loss of unencrypted laptops and servers, historically prominent on the “wall of shame,” have dwindled significantly. Only eight breaches affecting 51,000 individuals have been reported so far this year, contrasting with earlier years when such incidents affected millions annually.

This decline is attributed to widespread adoption of encryption for computing and mobile devices among healthcare organizations. Since September 2009, the HHS OCR website has documented 6,292 major health data breaches impacting over 585.2 million individuals, underscoring ongoing challenges and improvements in data security practices.
