2024 Healthcare Data Breaches Reported to HHS OCR Set New Records
Data breaches reported in 2024 set new cost and impact records, with healthcare breaches affecting nearly 180 million individuals
2024 may be in our rearview mirror, but let's not dismiss it just yet. There are valuable lessons to be learned from HIPAA violations and healthcare data breaches when they are read against the general security incident reports published by leaders in the information technology industry. The 2024 Verizon Data Breach Investigations Report counted a record high of more than 10,000 confirmed data breaches worldwide, and IBM's 2024 Cost of a Data Breach Report put the average cost of a breach at a record $4.88 million (USD), up 10% from the prior year.
Most of those breaches involved a non-malicious human element: employee errors and susceptibility to phishing and other social engineering schemes that cybercriminals exploited. Initial access through exploitation of unpatched software vulnerabilities nearly tripled compared with the previous report. The HHS Office for Civil Rights (OCR) cited incomplete compliance with HIPAA Security Rule requirements as the primary reason for the security failures that led to data breaches among healthcare providers, business associates, and health plans.
The next three sections review data breach volumes, data breach costs, and healthcare data breach facts from 2024, offering lessons in cybersecurity that should not be ignored.
Data Breach Numbers Hit All-Time High in 2024
Each year, the Verizon Data Breach Investigations Report (DBIR) reveals known details and insights about data breaches occurring across the globe. The 2024 edition, which analyzes incidents investigated between November 2022 and October 2023, counted a record 10,626 confirmed breaches affecting victims in 94 countries.
According to the 2024 Verizon report, the initial action in 14% of all breaches was the exploitation of a vulnerability, an increase of roughly 180% (almost triple) over the previous report. Failure to promptly apply patches when software updates are released continues to present an irresistible opportunity for attackers. The report measured remediation against CISA's Known Exploited Vulnerabilities catalog and found that, once a patch is available, it takes organizations roughly 55 days to remediate just 50% of those critical vulnerabilities. Because every entry in that catalog is by definition already being exploited, data sits exposed to known, weaponized flaws for almost two months, and longer for the slower half.
More than two thirds of data breaches (68%) involved a non-malicious human element, such as an individual falling victim to a phishing scheme or other social engineering attack, or making an error that affected security. Year after year, employees are the weakest link in the security chain in virtually all industries, including healthcare, and attackers actively exploit that weakness. All of which continues to make the case for frequent and effective cybersecurity awareness training for every organization, large and small.
Most data breaches resulting from hacking and unauthorized access are financially motivated, and the proceeds fund more advanced malware, more sophisticated intrusions, and more effective vulnerability exploits. In 2024, almost two thirds of financially motivated breaches (62%) involved ransomware or other extortion schemes, with a median loss of $46,000 per breach. Ransomware remains a top threat across 92% of all industries, including healthcare.
As another point of interest, third parties or suppliers were involved in 15% of all data breaches in the 2024 report, including data custodians, hosting partners, and software supply chains. A similar proportion appears in the healthcare figures below, where 16% of the breaches reported to OCR came from business associates that supply goods and services to hospitals, medical centers, private practices, and other healthcare providers.
For additional information, refer to the 2024 Verizon DBIR.
Average Data Breach Cost Sets New Record in 2024
The average cost of a data breach has been climbing since 2017, and in 2024 the global cost reached $4.88 million (USD), topping the previous record of $4.45 million in 2023. The annual Cost of a Data Breach Report published by IBM tracks this average over time, describing the 2024 cost as a 10% increase over 2023 and the highest cost ever.
Other findings from the 2024 IBM report:
- 75% of the 10% increase in average breach costs in 2024 was due to the cost of lost business and after-breach response activities, spotlighting how important it is for every organization to have a tested Incident Response Plan in place. As the adage goes, suffering a data breach is not a matter of if, but when.
- 40% of breaches involved data stored across multiple environments, with data stored in public clouds incurring the highest average cost at $5.17 million (USD).
Also contributing to the rise in the financial impact of data breaches are (1) the adoption of generative AI models and third-party applications across the organization, and (2) the ongoing use of Internet of Things (IoT) devices and Software as a Service (SaaS) applications. These factors have expanded the attack surface and put increasing pressure on security teams. According to the same report, organizations that used security AI and automation extensively in prevention saw an average breach cost $2.22 million lower than organizations that did not.
For healthcare organizations, HHS OCR analysis of recent investigations into HIPAA violations points to incomplete HIPAA compliance as the primary reason for rampant security failures.
Facts About 2024 Healthcare Data Breaches
Throughout 2024, 588 data breaches were reported to the OCR, as required by HIPAA. And while that number didn’t set a record, the scope of impact certainly did, with nearly 180 million people affected by those breaches.
Reporting requirements of the HIPAA Breach Notification Rule are keyed to the date the breach is discovered (the first day it is known, or reasonably should have been known, to the organization). Breaches affecting 500 or more individuals must be reported to HHS OCR without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting fewer than 500 individuals are logged and reported to OCR no later than 60 days after the end of the calendar year in which they were discovered. Affected individuals must be notified within 60 days of discovery regardless of breach size. The requirements apply to HIPAA covered entities (healthcare providers, health plans, and clearinghouses); business associates must notify the covered entity they serve, and many also report to OCR directly, as the figures below show.
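The two deadline rules above are easy to get wrong in practice, particularly the calendar-year rule for small breaches and the way it lands in a leap year. The following is an added example, not part of the original article, that computes the HHS and individual-notice deadlines from the discovery date and the number of individuals affected. The threshold and the 60-day windows are taken from the Breach Notification Rule as described above; the function and field names are my own.

```python
"""Added example: HIPAA breach notification deadline calculator.

Rules implemented (from the Breach Notification Rule as summarized above):
  * 500 or more individuals: notify HHS no later than 60 calendar days after discovery.
  * fewer than 500: log the breach and notify HHS no later than 60 days after the
    end of the calendar year in which it was discovered.
  * affected individuals: notify within 60 days of discovery regardless of size.
Names (BreachDeadlines, hhs_deadline, ...) are this example's own, not an OCR API.
"""
from dataclasses import dataclass
from datetime import date, timedelta

LARGE_BREACH_THRESHOLD = 500   # individuals; at or above this, HHS is notified immediately
NOTIFICATION_WINDOW = timedelta(days=60)


@dataclass(frozen=True)
class BreachDeadlines:
    discovered: date
    individuals_affected: int
    individual_notice_by: date   # deadline to notify affected individuals
    hhs_notice_by: date          # deadline to notify HHS OCR
    hhs_via_annual_log: bool     # True when the breach is reported with the annual log


def hhs_deadline(discovered: date, individuals_affected: int) -> date:
    """HHS notification deadline for a breach discovered on `discovered`."""
    if individuals_affected >= LARGE_BREACH_THRESHOLD:
        return discovered + NOTIFICATION_WINDOW
    # Small breach: 60 days after the end of the calendar year of discovery.
    # timedelta handles the leap-year case (Dec 31, 2023 + 60 days = Feb 29, 2024).
    year_end = date(discovered.year, 12, 31)
    return year_end + NOTIFICATION_WINDOW


def compute_deadlines(discovered: date, individuals_affected: int) -> BreachDeadlines:
    """Bundle every notification deadline that follows from the discovery date."""
    if individuals_affected < 0:
        raise ValueError("individuals_affected must be non-negative")
    return BreachDeadlines(
        discovered=discovered,
        individuals_affected=individuals_affected,
        individual_notice_by=discovered + NOTIFICATION_WINDOW,
        hhs_notice_by=hhs_deadline(discovered, individuals_affected),
        hhs_via_annual_log=individuals_affected < LARGE_BREACH_THRESHOLD,
    )


def days_remaining(deadlines: BreachDeadlines, today: date) -> int:
    """Days left before the HHS deadline; negative means the report is already overdue."""
    return (deadlines.hhs_notice_by - today).days


if __name__ == "__main__":
    # Constructed scenarios, not real incidents.
    for discovered, affected in [(date(2024, 3, 1), 10_000), (date(2024, 7, 15), 120)]:
        d = compute_deadlines(discovered, affected)
        print(f"{affected:>6} affected, discovered {d.discovered}: individuals by "
              f"{d.individual_notice_by}, HHS by {d.hhs_notice_by} "
              f"({'annual log' if d.hhs_via_annual_log else 'immediate report'})")
```

Note that the 60 days is an outer limit, not a target: the rule requires notification without unreasonable delay, and OCR has treated waiting out the full window without cause as a violation in its own right.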
Who was Responsible? Of the 588 reports of security incidents affecting 500 or more individuals in 2024, three quarters (75%) were reported by and attributed to healthcare providers (443). Business associates took primary responsibility for 16% of the total (93), while health plans or insurers were responsible for just 9% (52) of the reported breaches. (In the sole clearinghouse incident, Regional Care Inc., of Nebraska, reported a breach of 225,728 records.) Data breaches reported by healthcare providers ran the gamut from the smallest impact (500 patients) to the largest (5.6 million affected), which suggests that incomplete HIPAA compliance and unremediated vulnerabilities are systemic problems rather than a failing of any one size or type of provider.
Who was Affected? In all, 179,842,051 individuals were affected by the 588 data breaches reported in 2024. This represents an all-time record for healthcare data breaches. More than half (55.5%) were victims of the massive Change Healthcare data breach.
Below is a summary of the Top Five breaches in terms of human impact:
These five breaches accounted for 70% of all individuals affected by all healthcare data breaches in 2024. Not surprisingly, healthcare industry leaders are prime targets for cybercrime because they yield the biggest payday when protected health information (PHI) and personally identifiable information (PII) are sold by the millions to eager buyers on the dark web.
What Caused these Data Breaches? The great majority of 2024 healthcare data breaches (85%) were categorized as "Hacking/IT Incident." In OCR reporting, that category includes ransomware attacks and phishing schemes, but no further breakdown is available. In 2024, five HHS OCR press releases announced resolutions of investigations opened after ransomware attacks, with more than $2 million in settlements and civil money penalties paid by the non-compliant organizations.
The providers involved were Bryan County Ambulance Authority (BCAA) in Oklahoma, Plastic Surgery Associates of South Dakota, Providence Medical Institute in Southern California, Cascade Eye and Skin Centers in Washington State, and Heritage Valley Health System in Pennsylvania, Ohio, and West Virginia. OCR has made ransomware-related breaches an enforcement priority, and the common thread in these resolutions is the failure to conduct an accurate and thorough risk analysis, alongside other Security Rule gaps such as missing policies, procedures, and data backup and contingency plans. The message to those who fail to protect their data appropriately is a serious one.
Where was the Data Located? In the main, breached data was located on network servers in 384 of these incidents (65%), which corresponds fairly closely to the prominence of hacking as a root cause. In another 131 incidents (22%), the breached data was located in emails and email systems. Of the email breaches, 82% were reported by healthcare providers, 11% by business associates and 7% by health plans. At the other end of the spectrum, 21 breaches targeted data in electronic medical records, 20 in paper and film records, and ten in laptops and other electronic portable devices. These also tended to result in smaller impacts.
Many Healthcare Data Breaches Are Avoidable, If Only...
The OCR routinely publishes press releases presenting the details of each healthcare security failure it investigates and resolves. In 2024, more than 20 press releases announced settlements with covered entities and their business associates for failures to comply with HIPAA Security Rule, Privacy Rule, and Patient Right of Access requirements. The HIPAA violations cited in these announcements reflect a core of common failures found across countless organizations, year after year, indicating that other covered entities are not learning from the mistakes of violators. This is one of the primary drivers of the Notice of Proposed Rulemaking published by the HHS Office for Civil Rights on January 6, 2025, which proposes to update the HIPAA Security Rule's requirements and strengthen their enforcement.
Based on these “common deficiencies in Security Rule compliance” the OCR has repeatedly urged HIPAA-regulated entities to “take the following steps to mitigate or prevent cyberthreats.”
- Ensure business associate agreements are in place with all vendors and contractors as appropriate and that they address breach/security incident obligations.
- Integrate risk analysis and risk management into business processes; incorporate lessons from security incidents and data breaches into the overall security management process.
- Conduct risk assessments regularly, and also when preparing to implement new technologies, install new hardware or software, or introduce new business operations.
- Ensure audit controls are in place to record and examine information system activity; conduct regular reviews of information system activity to detect suspicious activity promptly.
- Employ multi-factor authentication to ensure only authorized users are accessing protected health information, and encrypt PHI to guard against unauthorized access.
- Provide training specific to employees’ roles and job responsibilities on a regular basis and reinforce with employees their crucial role in protecting data privacy and security.
Summary
2024 was a year of firsts, including a record volume of data breaches across the globe, a record number of individuals affected by healthcare data breaches, and a new record for the average cost of a data breach. As industry leaders continue to monitor and report on data breaches in the larger market, in the healthcare sector the HHS Office for Civil Rights continues to actively investigate, enforce, and penalize violations of the HIPAA Security Rule and other HIPAA requirements.
In this new year, healthcare providers, business associates, and health plans would be well-served to dedicate themselves to achieving complete HIPAA compliance before cybercriminals target them for hacks, phishing exploits, and ransomware schemes. A security risk assessment will reveal the gaps in HIPAA compliance and describe the actions required to resolve them, and experts are available to assist organizations in implementing those actions.