US healthcare data breaches are out of control – over 400 million patient records have been exposed in the last two years
There's been a huge surge in the number of healthcare data breaches in recent years


Two new reports have highlighted the immense scale of US healthcare data breaches, with 409 million personal records exposed over the last two years.
According to research from application security firm Indusface, there were 1,200 breaches in the US healthcare sector in the last 24 months, with 83% of incidents leaving patient records exposed.
Texas recorded 66 data breaches, the most of any state, as well as the most people affected, at 14,371,828. The state’s biggest breach was that of Concentra Health Services in January 2024, which saw data belonging to nearly four million people accessed or stolen.
California had the second-highest number of individuals affected by data breaches, at 9,218,788. Notably, it also experienced the largest healthcare data breach in the study, affecting 4,700,000 people, when Blue Shield of California’s member data was shared with Google for advertising.
At the other end of the scale, Ohio saw 45 incidents affecting the data of 3,767,504 people, and Massachusetts just 28, exposing data belonging to 3,743,999.
"The healthcare sector is vulnerable to these breaches due to both the vast amount of sensitive patient data, which is often sold to third parties for a high price, and weak or outdated software and systems," said Venky Sundar, founder and president of Indusface.
"According to Verizon’s latest DBIR, vulnerability exploits have now overtaken phishing as a leading cause of data breaches. What is particularly concerning is how patching an average vulnerability takes 200-plus days."
Ransomware contributing to healthcare data breaches
The figures come after a study from Michigan State University, Yale University, and Johns Hopkins University found that ransomware-related breaches have become a key issue for healthcare providers.
Researchers found that although ransomware accounted for just 11% of breaches in 2024 by number, those attacks alone were responsible for 69% of all patient records compromised that year.
The number of attacks has also been rising steadily over the last decade. While in 2010 there were no ransomware breaches, there were 222 in 2021, accounting for nearly a third of all major healthcare breaches that year.
Similarly, the overall share of breaches caused by hacking or IT incidents surged from 4% in 2010 to 81% in 2024.
Researchers said these numbers probably underestimate the true extent of the problem thanks to underreporting, reluctance to disclose ransom payments, and the fact that the study didn't look at smaller breaches affecting fewer than 500 individuals.
"Ransomware has become the most disruptive force in healthcare cybersecurity," said John Jiang, Eli Broad endowed professor of accounting and information systems in the MSU Broad College of Business and lead author of the study.
"Healthcare providers have limited cybersecurity resources, so it’s essential to focus protection on the most sensitive types of information. The solutions are within reach — what we need now is coordination, transparency and urgency."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.