Two new reports have highlighted the immense scale of US healthcare data breaches, with 409 million personal records exposed over the last two years.
According to research from application security firm Indusface, there were 1,200 breaches in the US healthcare sector in the last 24 months, with 83% of incidents leaving patient records exposed.
Texas recorded 66 data breaches, the most of any state, as well as the most people affected, at 14,371,828. The state’s biggest breach was that of Concentra Health Services in January 2024, which saw data belonging to nearly four million people accessed or stolen.
California had the second-highest number of individuals affected by data breaches, at 9,218,788. Notably, it also experienced the largest healthcare data breach in the study, affecting 4,700,000 people, when Blue Shield of California’s member data was shared with Google for advertising.
At the other end of the scale, Ohio saw 45 incidents affecting the data of 3,767,504 people, and Massachusetts just 28, exposing data belonging to 3,743,999.
"The healthcare sector is vulnerable to these breaches due to both the vast amount of sensitive patient data, which is often sold to third parties for a high price, and weak or outdated software and systems," said Venky Sundar, founder and president of Indusface.
"According to Verizon’s latest DBIR, vulnerability exploits have now overtaken phishing as a leading cause of data breaches. What is particularly concerning is how patching an average vulnerability takes 200-plus days."
Ransomware contributing to healthcare data breaches
The figures come after a study from Michigan State University, Yale University, and Johns Hopkins University found that ransomware-related breaches have become a key issue for healthcare providers.
Researchers found that although ransomware accounted for just 11% of breaches in 2024 by number, those attacks alone were responsible for 69% of all patient records compromised that year.
The number of attacks has also been rising steadily over the last decade. While in 2010 there were no ransomware breaches, there were 222 in 2021, accounting for nearly a third of all major healthcare breaches that year.
Similarly, the overall share of breaches caused by hacking or IT incidents surged from 4% in 2010 to 81% in 2024.
Researchers said these numbers probably underestimate the true extent of the problem thanks to underreporting, reluctance to disclose ransom payments, and the fact that the study didn't look at smaller breaches affecting fewer than 500 individuals.
"Ransomware has become the most disruptive force in healthcare cybersecurity,” said John Jiang, Eli Broad endowed professor of accounting and information systems in the MSU Broad College of Business and lead author of the study.
"Healthcare providers have limited cybersecurity resources, so it’s essential to focus protection on the most sensitive types of information. The solutions are within reach — what we need now is coordination, transparency and urgency."
MORE FROM ITPRO
- Healthcare systems are rife with exploits — and ransomware gangs have noticed
- Five ways cyber criminals target healthcare and how to stop them
- More than 5 million Americans just had their personal information exposed
-
US healthcare firm postponed procedures after cyber attack knocked systems offlineNews The incident at Kettering Health disrupted procedures for patients
-
More than 5 million Americans just had their personal information exposed in the Yale New Haven Health data breach – and lawsuits are already rolling inNews A data breach at Yale New Haven Health has exposed data belonging to millions of people – and lawsuits have already been filed.
-
Healthcare organizations are turning a blind eye to phishing attacksNews A survey reveals that most attacks go unreported, putting patient data at risk
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
More than 300,000 US healthcare patients impacted in suspected Rhysida cyber attacksNews Two US healthcare organizations have warned threat actors were able to breach their internal systems, exposing more than 300,000 individuals.
-
‘It’s your worst nightmare’: A batch of €5 hard drives found at a flea market held 15GB of Dutch medical records – and experts warn it could’ve caused a disastrous data breachNews Robert Polet made a startling discovery after finding hard drives on sale for €5 each in a flea market.
-
Cyber attack delayed cancer treatment at NHS hospitalNews A cyber attack at Wirral University Teaching Hospital in 2024 delayed critical cancer treatment for patients, documents show.
-
Healthcare data breaches are out of control – here's how the US plans to beef up security standardsNews Changes to HIPAA security rules will require organizations to implement MFA, network segmentation, and more
