Medical data breaches—an alarming trend in healthcare-targeted hacking and ransomware

Over the years, the healthcare industry has become increasingly reliant on electronic systems to store and manage patient information. Along with numerous benefits, this transition has also introduced some risks such as unauthorized access, loss of information, and data leaks. 

Healthcare data breaches occur when unauthorized individuals gain access to protected health information (PHI), including Social Security numbers (SSN), health statuses, prescriptions, payment information, and more. Due to the sensitivity of this information, healthcare data breaches can pose a serious threat to patients. Aside from the psychological impact, they can lead to identity theft, medical fraud, and even health risks. 

The research team at Incogni analyzed medical data breaches in order to highlight the severity of this problem and the risks involved in the exposure of PHI. We looked into reports archived by the Department of Health and Human Services to uncover what kinds of data have been breached, relevant locations (states and storage locations), and affected entities.

Key insights

  • There have been 2,213 breaches since 2020 with 152.1M affected individuals, which corresponds to almost half of the American population.
  • California saw the highest number of healthcare breaches since 2020, at 221.
  • Almost a third of Americans might have had their Social Security number stolen—94.5M people had their SSN breached, which is 28.34% of the US population.
  • A quarter of Americans might have had their treatment information revealed—79.6M people had this data point breached, 23.89% of the US population.
  • Among the entities analyzed, healthcare providers experienced the most data breaches, with 1,572 breaches (71% of all reported), and a combined total of 87.6M healthcare profiles exposed. 
  • The biggest data breach occurred at 20/20 Eye Care Network, where a cyber attack exposed the names, addresses, Social Security numbers, and health insurance and claims information of over 4.1 million people.
  • Hacking and IT Incidents were the most common types of data breaches, with 1,622 breaches recorded affecting 136.8M healthcare profiles.
  • Compared to other types of breaches, network server breaches (50% of all cases) resulted in fewer cases of medical information exposure, while electronic medical records breaches (4.4% of all cases) resulted in more frequent cases of medical information exposure.
  • The number of ransomware attacks is increasing, with 49 health-data-related incidents recorded in 2023.

General overview:

We analyzed all resolved cases of data breaches from January 2020 to March 2024. To avoid inaccuracies, we excluded open cases as they are still subject to change. 

Altogether, 152.1M healthcare profiles have been confirmed as affected by data breaches, meaning that up to half the American population may have been affected, though some individuals may have been involved in more than one breach.

We found that, since 2020, there have been 2,213 health-related data breaches in the US. Healthcare breaches affected 34.9M healthcare profiles in 2020, followed by 59.5M healthcare profiles in 2021.

In 2022, there were 551 data breaches affecting 32.7M people, meaning that an average of 59.3K people were affected per reported incident. There are also 161 cases (involving 22.7M profiles) that are still open and may be added to the total when resolved.

In 2023, there were 275 data breaches, with 24.4M people affected. This means an average of 88.7K people were affected per reported incident. There are also 448 open cases (involving 119.M profiles).

The beginning of 2024 saw 10 healthcare breaches that affected 571.4K people, with an average of 57.1K people affected per reported incident. There are still 293 open cases (involving 36.4M profiles). The biggest investigated breach in 2024 was the cyberattack on North Kansas City Hospital, which resulted in the names, dates of birth, addresses, claims information, diagnoses, and other treatment information of over 500K people being leaked. 

Ransomware statistics

Despite ransomware attacks constituting less than a third of all healthcare breaches (27%), they make up 4 out of the 10 biggest attacks (by number of profiles impacted).  

While the number of healthcare data breaches seems to have stabilized, instances of ransomware are likely to continue to rise. There have been 607 recorded instances of ransomware since 2020, impacting a whopping 58.8M healthcare profiles. 195 instances of ransomware occurred in 2020, followed by 199 in 2021, 151 in 2022, and 62 in 2023. There have been none processed in 2024. As the open cases are resolved over time, instances of ransomware are likely to increase for the years 2022 through 2024. 

The most impactful instance of ransomware in the data set was the 2020 attack on Trinity Health where over 3.3M patients’ names, addresses, dates of birth, email addresses, health insurance information, Social Security numbers, financial information, and treatment information were exposed to hostile actors.

Breakdown by states

We also looked at the reports by state and noticed several differences, including in the number of data breaches and the types of data most commonly affected. We were able to identify these differences as each institution that reports a breach has a state (or DC) assigned as the location of the breach. While we can’t be sure that all people affected in a given breach are residents of the given state, we did note where the breaches occurred.

We found that California saw the highest number of healthcare breaches since 2020 with 221 reported incidents. These breaches involved the healthcare profiles of over 17.1M people and most commonly included names of patients. However, diagnosis and treatment information were also very frequently breached data points, being the 4th and 5th most commonly exposed data points, respectively. California’s biggest breach to date has been the 2023 ransomware attack on Prospect Medical Holdings, where data such as the diagnoses, medications, and SSNs of over 1.3M people were exposed to nefarious actors.  

New York saw the second-highest number of breaches with 174 breaches impacting 8.6M health profiles. In these breaches, the most frequently exposed data were names, with diagnoses and Social Security information also being among the most commonly leaked data points (the 4th and 5th most commonly exposed data points, respectively). The incident impacting the highest number of people in New York was a successful phishing attack in 2021 where employees of American Anesthesiology inadvertently exposed patient information to the attackers, including SSNs, financial information, diagnostic data, and prescribed medications.

The state with the third-highest number of healthcare breaches since 2020 was Texas, which saw 159 breaches affecting 10.8M healthcare profiles. The most frequently exposed data points in Texas were names, birthdates, and Social Security information. Medication information was the 4th most exposed data point. The biggest healthcare breach in Texas happened in 2021 when NEC Networks (dba CaptureRX) was caught in a ransomware attack, exposing the protected health information of 2.6M patients. The information breached included names, dates of birth, and medications. 

After Texas was Pennsylvania, with 122 breaches affecting 4.6M people, followed by Florida with 121 breaches affecting 20.4M. The most frequently breached data points in Pennsylvania were names, birthdates, and addresses, while in Florida they were names, addresses, and Social Security information.

Breached data points

Our researchers found that names were exposed in the highest number of healthcare profiles: 126.5M. This data point was included in 85.31% of all the reports and impacted the equivalent of 37.83% of the entire US population.

Addresses were the next-most reported, impacting 106M people (the equivalent of 31.82% of the entire US population) and were mentioned in 58.29% of all reports.

Social Security information was the third-most common, affecting 94.5M (the equivalent of 28.35% of the entire US population), and was mentioned in 48.8% of all reports.

Coming in 4th place were birth dates, which impacted 93.7M (the equivalent of 28.12% of the entire US population). It was mentioned in 59.06% of all reports. 

The 5th most commonly exposed data point was treatment information, which impacted 79.5M (the equivalent of 23.85% of the entire US population) and was mentioned in 51.88% of all reports.

Other, less commonly reported data points include financial information, photos, demographic information, and ethnicity.

When considering data breaches caused by ransomware exclusively, the relative frequency of exposed health information changed slightly, but the top 5 data types remained the same. When a healthcare-related entity was breached, the most frequently exposed information was names followed by birthdates, addresses, and Social Security and treatment information. 

Affected entities

To identify which entities may be most susceptible to data breaches, we looked at the number of data breaches healthcare providers, business associates, and health plans experienced. 

Our research found that, since 2020, healthcare providers were reported to have experienced 1,572 breaches with a combined total of 87.6M healthcare profiles exposed. This represents 71% of all reported breaches and 57.6% of all profiles exposed. The most common data points mentioned in breaches affecting healthcare providers include names, birthdates, addresses, Social Security information, and treatment information.

Interestingly, of the 10 biggest breaches (by people impacted) in the dataset, just 4 were experienced by healthcare providers. This is fewer than expected, considering they represent 71% of all breaches. As shown by the fact that they comprise just over 50% of all profiles breached, breaches experienced by individual healthcare providers are not as impactful as breaches of other entity types.     

Business associates, individuals or entities that provide services to or perform certain functions involving the use or disclosure of PII on behalf of a covered entity (e.g., a consultant that performs utilization reviews for a hospital), saw 351 breaches and 48.4M health profiles breached. Interestingly, despite these breaches constituting only 15.9% of all breaches, they represent 31.8% of all profiles exposed. The relatively low percentage of breaches combined with the high number of profiles breached implies that business associates hold a lot of people’s sensitive health information. On average, a breach of such an entity is more impactful than a breach of other entity types.

Meanwhile, health plans saw 285 breaches (12.9% of all breaches) and 15.9M healthcare profiles exposed (0.5% of all profiles exposed).

When we look at ransomware attacks specifically, we see a very similar pattern: 76.1% of reports refer to healthcare providers, 14.3% to business associates, and 9.4% to health plans. 

Notably, incidents involving ransomware further underline the aforementioned phenomenon of breaches at business associates being more impactful. Despite business associates comprising just over 14% of all ransomware-caused data breaches, they represent 32% of all exposed data profiles.

Types of breaches

Since 2020, hacking and IT incidents have been the most common reasons behind health information data breaches, with 1,622 breaches occurring this way. These types of breaches affected 136.8M healthcare profiles and most frequently exposed birthdates, addresses, Social Security information, and treatment information.

The second most common reason for healthcare breaches was unauthorized access or disclosure, which occurred 446 times and affected 13.1M profiles. The most frequently exposed data points in these types of breaches were people’s names, followed by treatment information, birthdates, health insurance information, and medication information. The most notable case of unauthorized access/disclosure happened in Wisconsin in 2022 where electronic medical records were sent to unauthorized recipients. 

Interestingly, it seems that where PHI is shared or disclosed (rather than stolen or exposed through digital means) it is more likely to include treatment information.

Theft was the third-most common cause for healthcare breaches, with 88 incidents affecting 1.3M healthcare profiles. This was followed by loss (which has been reported 30 times) and improper disposal (reported 27 times). 

Breach sources

Another interesting insight we can gain from the data is the impact that the medium of the breach has on what data gets exposed, namely, whether the breach occurred on a network server, via email, or through electronic medical records. 

We found that when the breach occurred on a network server (as has been the case in 50% of all breaches), medical information, such as diagnoses, treatments, or medication prescriptions, was exposed relatively less frequently. Instead, the most commonly exposed data points in breaches that occurred on a network server were basic identifying information, contact information, and IDs.

When breaches occurred through email (15.4% of all breaches), basic identifying information was exposed the most frequently, followed by IDs and clinical and treatment information.

Concerningly, when electronic medical records were breached (4.4% of all cases), the most frequently breached data was contact information, followed by clinical and treatment information, medication and prescriptions, and only then basic identification information.

Conclusion

Based on our findings, the prevalence of data breaches is concerning, especially considering the increasing incidents of ransomware attacks. 

Our analysis indicates that California residents may have the most reason to worry, while healthcare providers seem to be most commonly involved in incidents of data breaches. They should watch out for hacking and IT incidents in particular, as these are responsible for the most breaches. However, it’s the PHI that’s shared or disclosed that’s most likely to include medical information, with electronic medical records being the most concerning. 

Not only do these breaches compromise patient privacy, they also pose serious risks to their safety and trust. They can lead to identity theft, medical fraud, and other forms of exploitation. Healthcare organizations also face risks in the form of substantial financial penalties and reputational damage in the aftermath of a breach. Ensuring the security of healthcare data is crucial for protecting patient rights, maintaining public confidence in healthcare systems, and complying with stringent regulatory requirements.

Methodology

To understand the trends and impacts of data breaches in the healthcare industry, Incogni researchers looked at the data published by the US Department of Health and Human Services, Office for Civil Rights. This body collects and investigates reports of protected health information (PHI) being exposed to (or accessed by) unauthorized parties and publishes its findings on the breach portal. 

We collected the data published on the breach portal’s archive on the 14th of May, 2024, and data on reports “under investigation” on the 24th of May, 2024. The research included incidents from January 2020 to March 2024. Outside of tracking some changes year over year, the analysis was performed on aggregated data since there are hundreds of reports that have yet to be processed, meaning the full details of each year are not yet known. 

We looked at which types of entities and data locations were breached at what rates, and what PHI was exposed. The same breakdown was applied for types of breaches. 

Some breaches were also identified as being a result of ransomware attacks; we paid special attention to these, analyzing them through the same lenses as the broader dataset.

To enable a comprehensive overview of the impact that data breaches have on people’s privacy, we used the report descriptions to identify what data was exposed in each breach. This was done with the use of AI to accurately capture and classify the described data as the terms used varied slightly from report to report. 

Notes on data:

We cannot guarantee that the state identified in a given breach report matches the state of residence of all those affected by the breach. 

Individuals affected by a breach might overlap across several breaches, hence our use of the term “healthcare profile” rather than “patient” or “individual.”

Outside of understanding potential future trends, we have excluded reports that have not yet been resolved.  

Our public dataset is available here

Visuals

We welcome the reuse of our images if proper attribution is given to Incogni. The charts, graphs, and tables used in this research can seamlessly embed into your website. Use the menu that appears at the top right of the visual when you hover over it with your mouse. When embedded, these visuals maintain their interactivity and preserve their original quality.
