Healthcare cybersecurity challenges

Cyberattacks have targeted large companies, small businesses, and individuals for years. Recently, healthcare has become one of the prime targets. Since these organizations operate 24/7 and store a lot of patient data, like medical records and financial details, they may prioritize avoiding disruptions and be more willing to pay a hacker's ransom. Hacking/IT incidents can stop medical staff from accessing data and providing care, which can be distressing and dangerous for patients, especially those in intensive care or needing urgent treatment.

Key insights

• Hacking/IT incidents emerged as the most prevalent type of breach in the United States within the healthcare sector in 2024. Over 80% of reported healthcare data breaches affecting 1,000 or more individuals fall into this category — including both resolved cases and those still under investigation. It should be noted that some changes may occur after investigations are completed, as the majority of cases are still under review. However, the overall trend is unlikely to shift significantly. Compared to 2023, with nearly 70% of cases already resolved, most reports were also classified as hacking/IT incidents. In contrast, the United Kingdom presents a different situation according to the Information Commissioner's Office (ICO). Their data reveals that breaches affecting 1,000 or more individuals and categorized as cyber incidents¹ account for 25% of all reported breaches in the health sector in 2024. Understanding these differences may allow to shape cybersecurity strategies that are more effective and suited to each region.
• Despite the number of reported breaches classified as hacking/IT incidents remaining steady at around 500 cases each year in the United States for both 2024 and 2023, the impact scale on individuals has increased. Approximately 170 million Americans were affected in 2024 by this type of breach, compared to 160 million in 2023. If smaller breaches — those affecting fewer than 1,000 individuals — were included, the total number of affected individuals would likely be higher. However, the numbers may not represent unique individuals, as it's possible for multiple breaches to affect the same person. In contrast, data from the ICO in the United Kingdom shows that the number of cyber breaches affecting 1,000 or more individuals in the health sector more than doubled, rising from 25 in 2023 to 56 in 2024.
• Network servers were the most vulnerable location for American healthcare data, featuring in nearly 80% of analyzed hacking/IT incidents in 2024. Email was the second most frequently identified location, appearing in more than 20% of breaches. It's important to note that while some cases involved multiple locations of breached information, this was relatively uncommon, occurring in about 2% of the total hacking/IT incidents. Notably, the ICO does not provide such information.
• Based on the number of affected individuals in the United States, the largest hacking/IT incident among resolved healthcare breaches in 2024 occurred in Arizona. The business associate, Medical Management Resource Group, reported that it experienced a cyberattack that affected the protected health information of 2 million individuals. This information included names, birth dates, addresses, diagnoses, medications, claims, and financial information. In response to the breach, Medical Management Resource Group provided complimentary credit monitoring services and implemented new technical safeguards. The largest breach overall in 2024 was reported in July and may have affected 100 million individuals, according to the report. However, this hacking/IT incident is still under investigation. The ICO provides data on affected individuals only in certain ranges, which limits the ability to identify the largest cyber breaches.
• Minnesota would lead the list among the 50 states and the District of Columbia when counting affected individuals per state population in 2024. A Minnesota resident could theoretically be counted as affected by hacking/IT incidents approximately 17 times, but largely due to the reported breach in July that accounted for 100 million individuals. However, this approach has its limitations. Even though a breach is assigned to a specific state, it may not exclusively affect residents of that state. In contrast, Alaska, Maine, Vermont and South Dakota reported no hacking/IT incidents within the healthcare sector during the same period.

Methodology and sources

This study used publicly available data from the Breach Portal, provided by the U.S. Department of Health and Human Services Office for Civil Rights. A dataset collected on February 28, 2025, includes a detailed list of breaches involving unsecured protected health information that affect 1,000 or more individuals, whether these cases have been resolved or are still under investigation. Healthcare data breaches are assigned to a specific year based on the submission date.

Additionally, data on breaches in the health sector affecting 1,000 and more individuals, provided by the Information Commissioner's Office (ICO) in the United Kingdom, were used to highlight regional differences.

Note: The study did not include smaller breaches due to the lack of publicly available detailed information on them and certain constraints in data granularity that prevent perfect alignment of both datasets.

Data was collected from:

References: