
Shocking Recent Data Breach Trends in Healthcare

In just the first few months of 2025, the healthcare industry has already faced some of the most devastating cybersecurity incidents in its history. If you work in the healthcare industry, here’s something you can’t afford to ignore: healthcare data breaches are happening at an unprecedented rate. Moreover, current trends and those of last year suggest the landscape is more vulnerable than ever. These ongoing threats are a wake-up call for every provider, administrator, and IT professional in the field.

Why Should You Care About Healthcare Data Breaches?

Every time there’s a breach, patients lose trust, providers lose money, and the industry as a whole takes a hit. If you think it’s something that only happens to large hospital systems or insurance companies, think again. Breaches are targeting everyone – from small private practices to national networks.

“The hack cost UnitedHealth around $3.09 billion in response and business disruption expenses,” revealed Andrew Witty, CEO of UnitedHealth Group.

According to HIPAA Journal, healthcare data breaches have steadily increased since 2009, with 2023 recording an average of nearly 2 large breaches per day. More than 725 data breaches were reported in 2023, affecting millions of individuals – and early 2024 trends suggest this pace is continuing.

To emphasize the critical nature of cybersecurity in healthcare, Anahi Santiago, CISO at Christiana Care Health Systems said, “When I talk to my leaders and speak to the industry, I speak in terms of information security in healthcare is not a technology problem. It’s a patient safety issue and we have to think of that each and every day.”

Healthcare Data Breach Statistics You Need to Know

Here’s a snapshot of how widespread the issue has become based on the latest available data:

Metric                                    Latest Available Figures
Total reported breaches (500+ records)    725 in 2023
Average breaches per day                  ~1.99
Records exposed (since 2009)              385 million+ (as of EOY 2023)
Records breached in 2023                  168 million

While full 2024 figures are pending, the year began with several major incidents that indicate an equally concerning outlook.

Notable Healthcare Breaches from Late 2023 to Early 2024

You might have seen headlines about these breaches:

  • Change Healthcare: In February 2024, a ransomware attack exposed data from approximately 190 million individuals, making it the largest healthcare data breach in U.S. history.
  • Kaiser Foundation Health Plan: A separate 2024 breach impacted 13.4 million individuals, underscoring how even major healthcare organizations remain vulnerable.
  • Sunflower Medical Group (Kansas City): In December 2023, a ransomware attack compromised data from nearly 221,000 individuals. A lawsuit claims the company failed to implement basic security controls, including encryption and timely breach notification.
  • Health Fitness Corporation: The OCR settled with the company over HIPAA Security Rule violations after 500+ individuals had their protected health information (PHI) exposed. The breach stemmed from a failure to implement appropriate administrative and technical safeguards.

These cases serve as powerful reminders that even moderate-sized organizations and wellness service providers are not immune.

What’s Causing These Breaches?

The HIPAA Journal reports that the majority of breaches are caused by hacking/IT incidents, often involving ransomware or email phishing. In 2023, 79.7% of reported breaches were attributed to hacking.

Cause of Breach                   Share
Hacking/IT Incidents              79.7%
Unauthorized Access/Disclosure    17.5%
Theft, Loss, Improper Disposal    2.8%

What this tells you is clear: cybersecurity needs to be your top priority. These attacks often exploit outdated software, human error, or a lack of endpoint protection.

State-Level Trends: Who’s Most at Risk?

The same HIPAA Journal report looked at data breaches across Georgia, Washington, and New Hampshire:

  • Georgia: Large breaches impacted several providers, with millions of records exposed.
  • Washington: Saw multiple major breaches affecting healthcare IT vendors.
  • New Hampshire: Experienced a statewide impact due to a third-party vendor breach.

These trends show that no region is safe. A breach in one system – especially through a shared IT vendor – can ripple through entire states.

A Regulatory Wake-Up Call: OCR Takes Action

The HHS Office for Civil Rights (OCR) continues to investigate and fine organizations that violate HIPAA Security Rules. In 2024, it reached a settlement with Health Fitness Corporation following a breach caused by poor access controls.

OCR’s message is clear: “Organizations must recognize the importance of safeguarding electronic protected health information.”

A separate legal update from JD Supra reiterates this stance, emphasizing the agency’s focus on risk analysis and mitigation plans.

Rising Concerns Around CMS Data Access

An emerging issue in 2024 is the U.S. government’s proposal to allow the Department of Energy (DOE) access to Centers for Medicare and Medicaid Services (CMS) health data for research. Experts, such as those cited in BankInfoSecurity, warn this could open new doors to potential HIPAA violations if strict safeguards aren’t in place.

While the move is intended to improve health insights and AI modeling, it also raises red flags about cross-agency data exposure and unclear access boundaries.

Long-Term Impact of Healthcare Breaches

Beyond fines and lost data, data breaches have deep operational consequences:

  • Delays in care due to locked EHR systems
  • Legal costs and ongoing lawsuits
  • Higher insurance premiums for providers
  • Loss of business reputation and partnerships

These are not temporary disruptions – they’re business-altering events.

What You Can Do Now: Actionable Steps

So, what can you do to stay ahead of these threats? Here are steps you should be taking right now:

  1. Invest in Cybersecurity Infrastructure
    • Firewalls, endpoint protection, intrusion detection systems
  2. Employee Training
    • Most breaches start with human error (e.g., clicking phishing links)
  3. Regular Risk Assessments
    • Don’t wait for a breach to find out where you’re vulnerable
  4. HIPAA-Compliant Cloud Storage
    • Use encrypted, secure systems with access restricted to authorized users
  5. Follow OCR Guidance Closely
    • Stay up to date with enforcement trends and corrective action plans

The Role of HIPAA-Compliant Medical Virtual Assistants

Apart from the aforementioned actionable steps, there is one more potential solution that is both promising and innovative.

“With healthcare data breaches on the rise, organizations must take proactive steps to strengthen security and compliance. One effective strategy is leveraging HIPAA-trained medical virtual assistants,” says Aurora Penalosa, HIPAA Compliance Officer from My Mountain Mover.

Not all medical VAs are created equal. At My Mountain Mover, all our virtual talent are not only guaranteed to be the industry’s top 2% but are also rigorously trained in HIPAA compliance, data privacy, and healthcare-specific protocols.

Our VAs don’t just handle scheduling, billing, and EHR management – they help close the security gaps created by overworked staff and outdated processes. And because they are closely monitored by our in-house HIPAA compliance officers and account managers, you gain peace of mind without compromising patient care.

“By integrating skilled VAs into daily operations, healthcare providers can reduce human error, enhance data protection, and maintain patient trust in an increasingly vulnerable digital landscape,” Ms. Penalosa adds.

Final Thoughts

From Sunflower Medical Group to CMS data access concerns, the message is clear: data security is no longer optional – it’s foundational. Organizations of all sizes must act now to protect patient information and avoid becoming the next cautionary headline.

Whether you’re managing a clinic, scaling a telehealth startup, or leading a hospital system, cybersecurity should be a strategic priority. And that includes the people you hire, the tools you use, and the protocols you put in place.


FAQs

1. What is a healthcare data breach?

A healthcare data breach occurs when protected health information (PHI) is accessed, disclosed, or stolen by unauthorized individuals. This often includes names, Social Security numbers, medical histories, billing details, and insurance information.

2. How many healthcare data breaches occurred in 2023 and 2024?

In 2023, over 725 healthcare breaches involving 500+ records were reported, affecting 168 million individuals. Early 2024 trends show the frequency of breaches continuing at a similar – if not higher – pace.

3. What was the largest healthcare breach in 2024?

The Change Healthcare ransomware attack in 2024 affected approximately 190 million individuals, making it the largest healthcare data breach in U.S. history.

4. What are the main causes of healthcare data breaches?

According to HIPAA Journal, the top causes are:

  • Hacking/IT incidents (79.7%)
  • Unauthorized access/disclosure (17.5%)
  • Loss, theft, or improper disposal (2.8%)

5. What are the consequences of a healthcare data breach?

Breaches can result in:

  • HIPAA violations and federal fines
  • Lawsuits and class-action claims
  • Operational disruptions
  • Loss of patient trust and reputation damage

6. Which states are most affected by healthcare breaches?

In 2024, states like Georgia, Washington, and New Hampshire reported major breaches. New Hampshire, in particular, was heavily impacted due to a vendor breach that affected multiple healthcare providers statewide.

7. How does the government respond to healthcare data breaches?

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) investigates breaches and enforces penalties. For example, Health Fitness Corporation faced regulatory action for failing to implement appropriate safeguards.

8. How can healthcare organizations prevent data breaches?

Key prevention strategies include:

  • Implementing strong cybersecurity tools
  • Conducting regular risk assessments
  • Staff training on phishing and security practices
  • Using HIPAA-compliant service providers

9. What role do VAs play in breach prevention?

HIPAA-trained remote staff – like those from My Mountain Mover – help reduce human error, improve documentation, manage EHRs securely, and streamline workflows, decreasing your risk exposure.

10. Is there a government resource for breach tracking?

Yes. The HHS Breach Portal (also known as the “Wall of Shame”) publicly lists reported healthcare breaches involving 500+ individuals. It’s updated regularly by the OCR.