U.S. healthcare data breaches surge to record highs since 2009

MICHIGAN, UNITED STATES — Over the past 14 years, the United States healthcare sector has experienced a notable rise in data breaches.
Since the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) began publishing summaries of healthcare data breaches in October 2009, the number of reported incidents has steadily increased.
The year 2021 saw a record number of breaches, which was subsequently surpassed in both 2022 and 2023. While 2024 has four months to go, 435 breaches were already reported as of August 23, which is more than half of the previous year’s record.
Yearly breakdown of data breaches
Below is a breakdown of the number of healthcare data breaches affecting 500 individuals or more reported to the HHS Office for Civil Rights:
- 2024 – 435 (as of August 23)
- 2023 – 744
- 2022 – 720
- 2021 – 715
- 2020 – 663
- 2019 – 511
- 2018 – 369
- 2017 – 358
- 2016 – 328
- 2015 – 270
- 2014 – 314
- 2013 – 277
- 2012 – 218
- 2011 – 200
- 2010 – 199
- 2009 – 18
Highest number of breaches in 2023
In 2023, the healthcare industry faced an unprecedented number of data breaches, with 744 incidents reported, affecting over 133 million records. This marked a significant increase from the 720 breaches reported in 2022 and 715 in 2021.
The severity of breaches also intensified, with 26 incidents in 2023 involving more than one million records each.
Hacking and ransomware as primary threats to patient data
The surge in data breaches is primarily driven by hacking incidents and ransomware attacks. Between January 1, 2018, and September 30, 2023, hacking-related breaches increased by 239%, while ransomware attacks surged by 278%.
Notable incidents include the cyberattack on Change Healthcare, which disrupted medical claims processing across the United States, and the ransomware attack on Ascension, which highlighted vulnerabilities in healthcare systems.
In 2023, hacking accounted for 79.7% of all reported breaches, a significant rise from 49% in 2019.
This trend underscores the growing sophistication and frequency of cyberattacks targeting healthcare organizations.
Digital transformation and vulnerabilities
The transition to digital record-keeping has played a dual role in the evolution of data breaches. While it has enabled more accurate tracking and improved data encryption, it has also made healthcare organizations more vulnerable to cyber threats.
The early years of data breach reporting, from 2009 to 2015, were dominated by the loss or theft of physical records. However, advancements in technology and security practices have shifted the focus to electronic breaches.
Challenges and future outlook
Despite efforts to enhance cybersecurity measures, healthcare organizations continue to face significant challenges in protecting sensitive patient information.
The OCR’s backlog of investigations remains substantial, with 857 breaches still under review as of January 2023. This backlog highlights the need for increased funding and resources to address the growing threat landscape effectively.
The statistics compiled by the HIPAA Journal emphasize the critical need for healthcare entities to bolster their defenses against cyberattacks.
As the frequency and severity of data breaches continue to rise, the healthcare industry must prioritize robust security protocols to safeguard patient data and maintain trust in the digital age.
Additionally, new regulations and initiatives, such as the U.S. government’s $50 million UPGRADE program, aim to strengthen cybersecurity across the sector.