Healthcare Data Breaches Affected 170 Million People in 2024: Study


New research shows that the number of data breaches involving sensitive health information has surged by 162% over the past 13 years, rising from 216 incidents in 2010 to 566 in 2024, with an estimated 170 million people impacted by healthcare data breaches last year.

However, according to a report published in JAMA Network Open on May 14, more than 10%, or 61 of those 566 data breaches in 2024, were the result of ransomware attacks, compared to zero healthcare data-related ransomware attacks in 2010.

Data breaches involve various forms of online hacking incidents, which compromise individuals’ sensitive data, such as their names, addresses, social security numbers and other personal information. This can lead to identity theft, financial fraud and other negative consequences for those affected.

In a ransomware attack, hackers encrypt the victim’s files, data or network, making them inaccessible until the attackers receive a ransom payment, often in the form of cryptocurrency, in exchange for releasing the information back to the original owner.

One of the largest healthcare-related ransomware attacks on record occurred in February 2024, when Change Healthcare, a subsidiary of UnitedHealth Group, announced a cyberattack that exposed the personal data of at least 100 million Americans. The breach compromised highly sensitive information, including names, addresses, Social Security numbers, medical histories and insurance details.


In this new study, researchers analyzed publicly available, non-identifiable data from the U.S. Department of Health and Human Services’ (HHS) Breach Portal. The data, compiled by the Office for Civil Rights (OCR), categorized healthcare data breaches by year and cause—ranging from hacking incidents and unauthorized access to improper disposal, data loss or unknown reasons.

Led by Dr. John Xuefeng Jiang of Michigan State University, the research team focused specifically on identifying ransomware attacks within these incidents, since previous reports had not separated ransomware from other forms of healthcare data breaches.

Their analysis revealed a dramatic rise in breach incidents over time, with 566 healthcare-related data breaches reported in 2024, compared to only 216 in 2010. Ransomware attacks in particular saw a sharp increase, from zero reported incidents in 2010 to a peak of 222 in 2021, before declining to 61 in 2024.

Between 2010 and 2024, more than 732 million healthcare records were exposed due to hacking. Of those, 88%, approximately 643 million, were compromised in general hacking events, while 39%, about 285 million, were the result of ransomware attacks specifically.

Notably, ransomware has affected more than half of all healthcare patients annually since 2020. In 2024 alone, 69% of patients impacted by a breach were affected by ransomware.

The researchers concluded that better surveillance practices, refined classifications for breach severity, and improved tracking of cryptocurrency transactions could help reduce the scope and impact of these cyberattacks in the future.

“Hospitals, clinics, health plans, and other HIPAA-covered entities are particularly vulnerable to ransomware attacks due to limited cybersecurity resources and the urgency of system recovery for patient care,” Jiang said. “Mitigation strategies should include mandatory ransomware fields in OCR reporting to improve surveillance clarity, revising severity classifications to account for operational impact, and monitoring cryptocurrency to disrupt ransom payments.”

Change Healthcare Data Breach Lawsuits

Given the scope and scale of the Change Healthcare data breach, which affected at least 100 million Americans in February 2024, a series of Change Healthcare data breach lawsuits have been filed over the past year.

Due to the growing number of claims brought throughout the federal court system, the U.S. Judicial Panel on Multidistrict Litigation (JPML) centralized all federal Change Healthcare lawsuits into a multidistrict litigation (MDL) in the District of Minnesota, where Judge Donovan Frank has been assigned to oversee coordinated pretrial proceedings. 

The MDL aims to streamline the discovery process, avoid duplicative rulings, and facilitate potential settlement discussions for individuals and healthcare providers impacted by the breach.

Earlier this month, Judge Frank issued a letter urging cooperation between federal and state courts, as more than 70 lawsuits have been centralized in the MDL and at least 26 others remain active in state courts. These efforts are intended to coordinate parallel litigation paths and lay the groundwork for unified settlement negotiations to compensate those who have been impacted by the data breach.



