In 2024, the health care sector reported 14 data breaches that each involved more than 1 million patient records; together they affected a number of individuals equivalent to almost 70% of the U.S. population, according to an AIS Health analysis of data from the HHS Office for Civil Rights (OCR).
In total, there were 734 health care data breaches in 2024 that were large enough to report to OCR (breaches affecting 500 or more individuals are posted on its public breach portal), a slight decrease from 747 in 2023. However, 2024 was the worst year on record in terms of the number of patients affected, because a single breach at UnitedHealth Group subsidiary Change Healthcare affected an estimated 190 million individuals.
In recent years, some of the biggest breaches have hit business associates rather than health care providers themselves. Business associates are the vendors that handle protected health information on behalf of covered entities, such as third-party administrators that assist plans with claims processing or consultants that perform utilization reviews for hospitals. In 2024, more than 221 million health care records were exposed or stolen in breaches at business associates, compared with 40 million records in breaches at health care providers.
Breaches that OCR classifies as "hacking/IT incidents" have skyrocketed since 2019, reaching 598 incidents in 2024 and becoming the leading cause of data breaches in the health care industry.
The largest health care data breach of 2024, and the largest of all time, occurred at Change Healthcare. In February, a ransomware group operating as ALPHV/BlackCat gained access to a server using stolen credentials and moved through the network for several days, exfiltrating data, before deploying ransomware. The attack then set off weeks of provider payment disruptions nationwide. UnitedHealth spent $3.1 billion responding to the attack in 2024, according to its full-year financial results released in early January 2025.
The second-largest health care data breach of 2024 involved Kaiser Foundation Health Plan and potentially exposed the protected health information of up to 13.4 million people. It was not an intrusion but a data-sharing problem: in May 2024, the health plan notified its members that certain online technologies on its websites and mobile apps may "have transmitted personal information to third-party vendors Google, Microsoft Bing, and X (Twitter)," according to the company.
In September 2024, CMS reported that the health information of almost 1 million individuals was potentially compromised in connection with a data breach at its contractor WPS, which handles Medicare Parts A and B claims for beneficiaries in multiple states. The notification came almost 16 months after a security vulnerability was discovered in MOVEit Transfer, a third-party file-transfer product used by the contractor. CMS later reported on HHS's breach portal that the total number of affected people was 3,112,815.
This infographic was reprinted from AIS Health’s weekly publication Health Plan Weekly.