25+ Alarming Healthcare Data Breaches Statistics 2024 [& The Largest Healthcare Data Breaches]

Healthcare facilities and databases are ripe with helpful information and valuable data. Due to this, cybercriminals target these facilities, causing data breaches. 

Healthcare data breaches have been rampant over the past several years. Over the last decade, 2,550 of these have affected millions of records. 

Even though none ranks among Marriott's 505 million personal data breaches, the nature of the stolen information makes them considerably more severe than most.

Let’s look at the trending healthcare data breach statistics as of 2023.

Alarming Healthcare Data Breaches Statistics for 2023

2020 saw 39 high-profile breaches in the healthcare sector, costing this sector $6 trillion in one month. 

Data also suggests that hackers prefer to attack larger hospitals due to the significant amount of data they hold. At the same time, smaller hospitals gather less attention.

Here are more on healthcare data breach statistics: 

1. As of 2023, data breaches in healthcare cost businesses an average of $9.3 million per incident.

(CompliancyGroup) 

That’s a 29.5% rise compared to 2020. All other industries had a combined median loss of $3.86 million in 2020 and $4.24 million in 2021.

Data breaches make healthcare damages 2 to 3 times higher than other sectors.

2. 95% of identity theft comes from stolen healthcare records.

(Get Astra) 

Healthcare has the highest number of security breaches.

This is no surprise, as stealing data from medical records is among the easiest ways to commit identity theft. This menace in healthcare is 25 times higher than with credit cards.

Medical companies should have better personal identity security practices to protect their consumers’ data from identity thieves.

3. There were 46 data breaches in February 2022.

(HIPAA Journal)

Incidents fell by 8% in February 2022 compared to January 2022. Nonetheless, these 46 incidents affected a whopping 2.5 million people. 

Additionally, the healthcare sector accounted for more than a quarter (27%) of data breaches.

4. The average ransomware payout in Q1 2022 is $211,259.

(UpGuard)

Ransomware payments decreased by 34% compared to the fourth quarter of 2021. 

The decrease is due to hackers targeting smaller organizations and demanding lower payments, as attacks on large enterprises bring more severe investigations.

5. The most popular targets among hackers are the healthcare and finance industries, at 15% and 10%, respectively.

(Get Astra)

The healthcare sector alone lost $25 billion in the last two years. The report believes healthcare will be one of the industries most affected by hackers.

Healthcare data breaches can be very hazardous, leading to data theft, reputational and financial losses, and, most importantly, patient safety risks.

General Healthcare Data Breaches Statistics

Healthcare firms reported 145 data breaches in the first three months of 2023. 

In 2022, 707 data breach incidents occurred, in which 51.9 million records were stolen. It is no surprise that the healthcare sector is such a common target.

Read on to find out the extent these cybercriminals have gone in the healthcare sector.

6. Data breaches exposed 42 million records between March 2021 and February 2022.

(Independent.Co.UK & HIPAA)

Hackers exposed around 4.1 million records in March 2021 and 2.2 million in February 2022 – a reduction of roughly 1.8 million.

Yahoo experienced a data breach affecting nearly 1 billion individuals due to a malicious outsider who gained access through identity theft.

These records include sensitive information such as;

• first names
• email addresses
• passport copies
• sensitive healthcare information
• financial details

7. It has been estimated that lost or stolen PHI may cost the US healthcare industry up to $7 billion annually.

(Bluefin) 

PHI stands for protected health information, and the lack of security has resulted in a monetary loss. Healthcare breaches data statistics can put things in perspective - one that will allow us to manage the situation.

8. There is a 75.6% chance of a breach of at least 5 million records in the next year.

(Get Astra)

The third quarter of 2022 saw 1 in 42 healthcare organizations targeted by ransomware attacks. A reported breach in July 2022 affected nearly 2.6 million individuals.

9. Nearly 80 million people were affected by the Anthem Breach.

(CNN)

The breach occurred on February 4, 2015, but was only discovered a few weeks later. Anthem later settled for $116 million while admitting no wrongdoing. 

Looking at this settlement as “price per person affected,” the total totals $1.45 per affected record. 

10. Within the next 3 years, there is a 25.7% chance of another Anthem-sized breach.

(Get Astra) 

Anthem Inc. (Currently Elevance Health) was breached in 2015, causing the company to lose over 80 million personal data records. Due to this, the company was required to pay $115 million for damages to clients.

Within the next 3 years, there is a 25.7% chance of another Anthem-sized breach of over 80+ million records.

The news of the Anthem breach faded as quickly as it surfaced. Security breaches in healthcare do happen quite often nowadays. 

Experts and companies should start addressing their security issues before another attack happens.

11. Between 60% and 80% of data breaches go unreported.

(Cleaver Fulton Rankin) 

While this statistic isn’t specific to healthcare data breaches, it still puts things in perspective. 

The figure for breaches related to medical institutions is likely to be similar. 

12. Healthcare data breach costs are the highest at $408 per record in any industry.

(HIPAA Journal)

Data also shows that the average cost of a data breach is $4.24 million.

Marketing and Advertising are part of healthcare data breach costs due to the cost of repairing the hospital’s image and minimizing patient loss to competitors. Hospitals reported spending 64% more annually on advertising after a data breach over the following two years.  

The best way to reduce the costs of a data breach is by proferring solutions and suggestions on detecting a data breach early. 

Quick identification could also save millions of dollars as a hospital rebuilds its business and image following a breach.

13. About 78% of healthcare data breaches come from hackers or IT incidents.

(Security Intelligence) 

In 2018, the percentage was only 45%. Many hospitals don’t know how to build their servers; instead, they use outdated systems and structures.

These systems are loopholes for hackers to find ways to infiltrate hospital systems.

14. 34% of healthcare data breaches come from unauthorized access or disclosure.

(UpGuard) 

This is up 162% over the past 3 years; unauthorized access is already a massive issue. Nevertheless, it is still growing at an astounding rate. 

34% of healthcare data breaches come from unauthorized access or disclosure of PHI. In comparison, 18% of teaching hospitals reported enduring a data breach.

15. 1,400 breaches occurred due to negligence, twice as often as malicious ones.

(Academic.OUP) 

Negligent breaches occur due to internal mistakes. 66% of organizations consider insider or accidental breaches more likely than external attacks. 

In contrast, external forces like hacking would fall into the “malicious.” category. The study found that over 1,400 breaches were negligent, and about 700 were malicious.

Another serious threat is malicious intent. Disgruntled staff acting on emotion poses the most significant risk, causing 14% of data breaches. 88% of data breach threats come from negligent employees.

This could be via helping a hacking group compromise a system or doing it themselves. 

16. 39% of healthcare organizations became aware of a breach months after it happened.

(Get Astra)

Detecting a breach takes months and needs human resources like the services of professional cybersecurity analysts and financial resources to mitigate the damages. 

A breach with a lifecycle of 200 days will cost the affected company $4.87 million. Hackers exploit 39% of breaches, taking months or more to discover, while victims remain unaware.

17. 15% of industry data breaches are classified as theft and loss, while 32% of healthcare breaches fall under this category.

(Humanize Security) 

Statistics for data breaches in healthcare reveal that 30% of all significant data breaches occur in hospitals.

On the other hand, 18% of teaching hospitals experienced a data breach. Thus the healthcare and finance industries remain the most popular targets at 15% and 10%, respectively.

18. 24% of physicians couldn’t identify the common signs of malware.

(Get Astra) 

This could be due to the age of many medical professionals. Older generations need help adapting to new tech. 

As a result, they’re less aware of how cyber attacks work, how to spot the different types of malware, and how to neutralize them.

19. In 2022, healthcare suffered close to 849 million hacking attempts.

(Parachute.Cloud) 

There were at least 849 million known healthcare cybersecurity incidents and 571 data breaches in 2022. 

 The FBI has found at least 16 cases of attempted break-ins into US Healthcare using CONTI ransomware in 2021. 

The average financial loss due to data breaches in healthcare has skyrocketed, increasing from around $9 million to $10.10 million. 

20. The healthcare industry invests less than 6% of its budget on cybersecurity.

(Beckers Hospital Review) 

For comparison, the US spends 16% of its federal budget on cybersecurity. The healthcare industry could put extra effort into solving these issues well.

Healthcare cybersecurity professionals allocate 6% or less of IT budgets to cybersecurity, compared to the 21% industry average.

Backend office technologies often use outdated, legacy systems, requiring upgrades and cybersecurity investments. These consume significant budgets for upgrading and cybersecurity tools.

21. 88% of healthcare workers opened phishing emails.

(Get Astra)

Phishing is a common way for data thieves to pull off attacks. Statistics show that 14% of victims were attacked through business emails to company employees. Health information security breaches occur because hackers use this approach to find victims. 

However, healthcare workers opening these emails doesn’t mean they all fell prey to these attempts. Still, it raises a red flag when such emails find their way through to the workers.

22. 50% of doctors were in the “risk” category, making them likely to commit a severe data breach.

(Get Astra) 

The change should start by educating doctors and future medical professionals on proper data security measures. 

50% of medical practitioners in the risk category translate into an extremely high chance of breach that no cybersecurity specialist can prevent.

23. Healthcare data breaches cost $408 per record, three times higher than the cross-industry average of $148.

(Bluefin)

The cost per record for healthcare data is $408, 3x higher than the cross-industry average of $148 per record. 

The average cost of a data breach for healthcare was $10.10 million in 2022, compared to the global average price of a data breach at $4.35 million.

Most record sources from other sectors often need to be completed, therefore, are not the target for identity theft; in comparison, healthcare data contain complete patient information. 

24. Tenable Network Security’s cybersecurity report gave the healthcare industry a grade of 54% when it came to cybersecurity assurance.

(Tenable Network Security)

The only passing grade given, a C or above, was given to healthcare data centers. 

Independent data and cybersecurity professionals often run data centers, leading to better scores. 

25. Healthcare cybersecurity roles take 70% longer to fill than IT jobs in other industries.

(Info Security)

In a survey to understand why health information security breaches keep occurring, researchers found that talent shortage in the sector could be a huge contributor. 

The findings show that these roles take an average of 70% longer to fill due to the functions they require hires to cover. 

26. Healthcare data breaches in the US fell by 48% in January 2021.

(HIPAA Journal)

Healthcare in America experienced a nearly 50% reduction in data breaches in January 2021, dropping from 62% in December 2020 to 32% in January 2021.

That translates to about one incident daily, a considerable improvement compared to 2020. In 2022, September had the highest number of data breaches at 95, translating to about three per day.

27. 82% of organizations can’t determine the damage from an insider attack.

(Ekran System)

The repercussions from these can be costly. Overall, 21% resulted in legal liabilities, 40% in critical data loss, and 33% in operational disruption.

Here’s a healthcare data breaches list for 2021 due to insider attacks:

• An American Pharmaceutical company employee left to work for a competitor after downloading 12,000 confidential files to the cloud.
• A hospital employee from Texas recorded himself creating an HVAC unit backdoor that could affect employees and medication if shut down. 
• After quitting, a South Georgia Medical Center employee downloaded patient data into a USB drive. The security system sent an unauthorized access alert notifying the cyber team.

28. 59% of healthcare organizations invested more on cybersecurity in 2022.

(PWC) 

Data breaches have become commonplace, and cybercriminals continue to target healthcare companies. When they occur, businesses cannot function and suffer a negative reputation. 

Additionally, they must hire cyber professionals to clean up the damage, pay ransoms, and provide victims' compensation.

The Largest Healthcare Data Breaches in History

Let’s review the healthcare companies attacked and data breached by cybercriminals, causing the biggest data breaches in the health industry.

1. Anthem Blue Cross

Year: 2015 

Impact: 78.8 million patient records stolen

Currently, Anthem is still the most significant healthcare data security breach. 

A total of 78.8 million patient records were stolen. The type of data taken was susceptible and included records like social security numbers, dates of birth, and addresses. 

Despite most victims being Anthem plan members, some were not. Anthem also managed its paperwork with several independent insurance companies to mitigate this.

2. Premera Blue Cross

Year: 2015 

Impact: 11+ million people

Premera Blue Cross experienced a cyberattack in the middle of March 2015. 

11 million customer data were affected as attackers managed to access financial and medical information, dates of birth, and social security numbers. 

The leading cause of the cyberattack is insurance fraud over personal data.

3. Excellus BlueCross BlueShield

Year: 2015

Impact: 10 million people

Excellus discovered the cyberattack on August 5, 2015, but it could have begun as early as December 2013, 2 years after the attack. Within 2 years, hackers have been able to access all patient records.

They exfiltrated names, Social Security numbers, addresses, financial information, medical claims information, credit card numbers, birth dates, and names.

4. TRICARE

Year: 2011

Impact: 4.9 million patients affected

Late 2011 saw a vast medical and personal data breach for families and military patients. The breach occurs when a data contractor transferred records from one facility to another, leaving data tapes within the vehicle. 

When parked and unattended, the records were stolen. These include personal information, prescriptions, clinical notes, and lab test data. Luckily, they contained no financial information.

5. University of California, Los Angeles Health

Year: 2015 

Impact: 4.5 million patients affected

Someone hacked the UCLA Health System’s computer network, causing 4.5 million patient records to be exposed.

They exposed highly confidential information like health plan identification numbers, patient procedures, and diagnoses. They also leaked sensitive records like social security numbers, dates of birth, and names. 

Wrap-Up

There are many talks about blockchain applications in healthcare and the security boost. The total spending on integrating blockchain into healthcare will rise to $5.61 billion by 2025. Still, so far, the healthcare data of most people is a highly lucrative sitting duck.

Fortunately, companies can find ways to safeguard information; at the same time, users can also protect their data from breaches. 

People working in highly informative fields should opt for cybersecurity measures such as malware protection, applying VPN services to keep data private, password managers, and encrypting data and messages to avoid theft.