A healthcare data breach is any incident in which protected health information (PHI) is accessed, disclosed, or stolen without authorization, and in the United States such breaches are now reported at a rate of roughly two per day. Between 2009 and 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) logged 7,418 breaches affecting 500 or more individuals. Added together, those incidents exposed more than one billion individuals’ records, nearly three times the country’s population, because many people have been caught in several breaches. This guide explains why healthcare is the most breached and most expensive industry to attack, what the real numbers look like, and what actually stops the next incident.
What Is a Healthcare Data Breach?
A healthcare data breach occurs when protected health information is accessed, used, or disclosed in a way that compromises its privacy or security, without the patient’s authorization. That can range from a hacker exfiltrating an entire hospital database to an employee glancing at a record they had no clinical reason to view.
How Healthcare Data Breaches Differ From Other Industries
Healthcare data is worth more on the black market than almost any other type of stolen data because a single patient record often bundles a Social Security number, insurance details, billing history, and medical history in one place: everything needed for insurance fraud, identity theft, or medical fraud in a single package. That combination is also why healthcare organizations remain the costliest industry to breach: IBM’s 2025 Cost of a Data Breach study put the average healthcare breach at $7.42 million, more than any other sector tracked. Unlike a retail breach, where a stolen card number can be canceled in minutes, a stolen medical record can’t be reissued; once exposed, it stays exposed.
What Counts as a HIPAA Breach
Under HIPAA, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the covered entity can demonstrate a low probability that the PHI was compromised through a documented risk assessment. That assessment weighs four factors: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Not every security incident meets this bar. PHI that was encrypted in line with HHS guidance is not “unsecured” at all, so a lost laptop with a properly encrypted drive falls outside the rule entirely rather than needing a risk assessment. Absent such an exception, though, the rule’s default assumption is that exposure counts as a breach.
Types of Data Exposed in Healthcare Breaches
Healthcare breaches typically expose a combination of PHI: full names, Social Security numbers, dates of birth, medical record numbers, diagnosis and treatment history, insurance ID numbers, billing and claims information, and increasingly, financial account details tied to patient billing. The 2025 Conduent Business Services breach, for instance, exposed names, Social Security numbers, financial account numbers, driver’s license numbers, and health insurance information together, the exact combination that makes healthcare breaches so valuable to attackers and so damaging to patients.
Healthcare Data Breach Statistics (2024–2026)
The headline number: healthcare data breaches affecting 500 or more people are now being reported to OCR at a rate of roughly two per day, more than double the pace seen in 2018.

Number of Breaches Per Year
Large healthcare data breaches climbed steadily from 2018 through 2021, then plateaued in the 700–780 range annually. 2025 set a new record with 772 large breaches reported, a roughly 4% increase over 2024’s 742, and the third consecutive year OCR logged more than 700 major incidents.
Records Exposed Year-Over-Year
The number of breaches has leveled off, but the number of people affected has not, and that’s almost entirely due to a few catastrophic events. 2024 set a record of roughly 289.8 million individuals affected, driven overwhelmingly by the single Change Healthcare ransomware attack, which alone accounted for about two-thirds of that year’s total. With no comparable mega-breach in 2025, the number of affected individuals dropped by more than 78% year-over-year, even as breach incidents hit a new high. The lesson isn’t that risk went down; it’s that record counts can swing wildly based on a single vendor.
Which Healthcare Sub-Sectors Are Hit Hardest
Hospitals get the headlines, but they’re not where most of the exposed data actually comes from. More than 80% of stolen PHI records in 2024 and 2025 originated from third-party vendors, business associates, software services, and non-hospital providers and health plans, not directly from hospital systems. That third-party concentration is a direct result of how consolidated healthcare’s back-office infrastructure has become: a handful of clearinghouses, billing platforms, and claims processors control a large share of the industry, so a single breach at one vendor can cascade across hundreds of downstream organizations.
What Causes Healthcare Data Breaches
Hacking and IT incidents now account for the overwhelming majority of large healthcare breaches, having climbed from about 49% of reported incidents in 2019 to nearly 80% by 2023.

Ransomware and Cyberattacks
Ransomware remains the dominant attack method, frequently paired with data theft in a “double extortion” model. Attackers simultaneously encrypt systems and steal data, then threaten to leak the stolen records if the ransom isn’t paid. The Change Healthcare attack in February 2024 was a ransomware incident that didn’t just expose data; it disrupted claims processing and billing across the U.S. healthcare system for weeks, showing how a cyberattack on one company can ripple into a near-nationwide operational crisis.
Third-Party and Vendor Breaches
Because so much of healthcare’s data infrastructure runs through a small number of shared vendors, clearinghouses, EHR platforms, and billing services, a breach at any one of them can expose patient data belonging to dozens or hundreds of unrelated healthcare organizations that never suffered a breach of their own systems. This is why vendor risk has become one of the largest blind spots in healthcare security: an organization’s own defenses can be airtight, yet it still ends up notifying patients because a business associate didn’t.
Insider Threats and Human Error
Not every breach involves an external attacker. Employees accessing records without a legitimate reason, misdirected faxes or emails, and misconfigured systems still account for a meaningful share of reported incidents, even as targeted cyberattacks have become the dominant cause overall.
Unpatched Systems and Legacy Software
Healthcare runs an unusually high volume of legacy technology: older medical devices, outdated operating systems, and software that can’t easily be patched without disrupting patient care. Attackers routinely exploit known, unpatched vulnerabilities rather than developing new techniques, because these systems are often left exposed for months or years after a fix becomes available.
Types of Healthcare Data Breaches
OCR categorizes reported breaches into a handful of recurring types, and the mix has shifted dramatically over the past decade toward digital intrusion and away from physical loss.

Hacking and IT Incidents
This category (unauthorized access via network intrusion, ransomware, phishing-enabled credential theft, or exploited software vulnerabilities) now represents close to 80% of all large breaches reported to OCR, making it by far the leading cause.
Unauthorized Access or Disclosure
This covers cases where PHI is viewed, used, or shared by someone without proper authorization, even when no technical hack is involved: for example, an employee accessing records outside their job duties, or data mistakenly sent to the wrong recipient.
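The insider and unauthorized-access pathway described here (and under "Insider Threats and Human Error" above) is one of the few breach types a hospital can detect from its own EHR audit trail: an access to a clinical record by a user who has no treatment relationship with that patient, or an action outside the user’s role, is visible in the log long before anyone complains. The following is an added illustration written for this guide, not code from any EHR vendor or from the original article. The audit log, the care-team roster and the role policy are all constructed sample data, and the field names are assumptions; a real EHR export will differ, but the two checks (role permits the action; clinical access requires a care-team relationship or a documented break-the-glass reason) are the ones a privacy office actually runs.

```python
import csv
import io
from collections import Counter

# Constructed sample EHR access audit log for this example (not real data).
AUDIT_LOG = """\
timestamp,user_id,role,patient_id,action,reason_code
2025-03-02T08:14:05Z,nurse_jlee,RN,P-1001,VIEW_CHART,
2025-03-02T08:20:41Z,dr_smith,MD,P-1001,VIEW_CHART,
2025-03-02T09:02:13Z,clerk_bob,BILLING,P-1001,VIEW_CLAIMS,
2025-03-02T09:05:59Z,clerk_bob,BILLING,P-1001,VIEW_CHART,
2025-03-02T12:31:07Z,nurse_jlee,RN,P-2002,VIEW_CHART,
2025-03-02T12:33:00Z,dr_patel,MD,P-3003,VIEW_CHART,BTG-EMERGENCY
2025-03-02T23:47:22Z,nurse_jlee,RN,P-3003,VIEW_CHART,
"""

# Assumed care-team roster exported from the EHR: patient -> users with an
# active treatment relationship. Billing staff never appear here.
CARE_TEAM = {
    "P-1001": {"nurse_jlee", "dr_smith"},
    "P-2002": {"dr_smith"},
    "P-3003": {"dr_wong"},
}

# Assumed minimum-necessary role policy: which actions each role may perform.
ROLE_ACTIONS = {
    "RN": {"VIEW_CHART", "EDIT_VITALS"},
    "MD": {"VIEW_CHART", "EDIT_ORDERS"},
    "BILLING": {"VIEW_CLAIMS"},
}

# Actions that touch the clinical record and therefore require a treatment
# relationship, or a documented break-the-glass (BTG-*) override.
CLINICAL_ACTIONS = {"VIEW_CHART", "EDIT_VITALS", "EDIT_ORDERS"}


def triage(log_text, care_team=CARE_TEAM, role_actions=ROLE_ACTIONS):
    """Return one finding dict per policy violation or item needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Check 1: is this action inside the user's role at all?
        allowed = role_actions.get(row["role"], set())
        if row["action"] not in allowed:
            findings.append({**row, "kind": "ROLE_ACTION_VIOLATION"})
        # Check 2: clinical access must be backed by a care-team relationship.
        if row["action"] in CLINICAL_ACTIONS:
            on_team = row["user_id"] in care_team.get(row["patient_id"], set())
            if not on_team:
                if row["reason_code"].startswith("BTG-"):
                    # Permitted, but every break-the-glass use gets reviewed.
                    findings.append({**row, "kind": "BREAK_GLASS_REVIEW"})
                else:
                    findings.append({**row, "kind": "NO_TREATMENT_RELATIONSHIP"})
    return findings


def repeat_offenders(findings, threshold=2):
    """Users with `threshold` or more accesses lacking a treatment relationship;
    repeated snooping is what usually becomes a reportable breach."""
    counts = Counter(f["user_id"] for f in findings
                     if f["kind"] == "NO_TREATMENT_RELATIONSHIP")
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    results = triage(AUDIT_LOG)
    for f in results:
        print(f["kind"], f["user_id"], f["patient_id"], f["action"], f["timestamp"])
    print("repeat offenders:", repeat_offenders(results))
```

On the constructed log this flags the billing clerk opening a chart (both a role violation and a relationship failure), two chart views by a nurse with no relationship to those patients, and one break-the-glass access that is allowed but queued for review. Each NO_TREATMENT_RELATIONSHIP hit is a candidate for the four-factor risk assessment described earlier.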
Theft and Loss of Devices
Stolen or lost laptops, phones, and USB drives containing unencrypted PHI were once the leading cause of healthcare breaches. That share has fallen sharply as encryption has become standard practice, though it hasn’t disappeared entirely, especially among smaller practices.
Improper Disposal
Paper records or old hardware disposed of without properly destroying the PHI they contain can still trigger a reportable breach, even though this is now one of the least common causes compared to digital incidents.
Notable Healthcare Data Breaches (Real-World Examples)
Most large healthcare breaches follow a similar arc: initial intrusion, delayed detection, a lengthy investigation, and a notification that arrives months after the actual compromise. A few incidents stand out for just how far that pattern can scale.

Change Healthcare: What Happened and Why It Mattered
In February 2024, a ransomware attack on Change Healthcare, a clearinghouse that processes roughly a third of all U.S. medical claims and serves as a business associate to nearly every major payer and provider, ultimately exposed the data of about 192.7 million individuals, making it the largest healthcare breach ever reported to OCR. Because Change Healthcare sits behind so much of the industry’s claims and billing infrastructure, the incident didn’t just expose records; it froze payment processing for thousands of healthcare organizations nationwide for weeks, illustrating how a single point of failure in shared infrastructure can threaten the operational stability of the entire sector, not just its data security.
UnitedHealth, HCA, Ascension, and Other Major Incidents
UnitedHealth Group owns Change Healthcare, but it’s far from the only major health system to appear on OCR’s breach list in recent years. HCA Healthcare, Ascension, Norton Healthcare, and numerous regional health systems and insurers have all reported significant breaches, several involving millions of patient records and ransomware attacks that disrupted clinical operations. In 2025 alone, incidents at organizations such as Conduent Business Services, Aflac, Yale New Haven Health, and Kettering Health affected well over a million individuals, and several triggered class-action settlements totaling tens of millions of dollars.
Common Threads Across Major Breaches
Look across the largest incidents of the past several years, and the same pattern repeats: a business associate or third-party vendor is compromised rather than the hospital itself, detection takes weeks or months longer than the initial intrusion, and the resulting notification arrives long after patients could have taken protective action. Detection windows of 80 to 90 days between compromise and discovery are common even in 2025’s incidents, a gap that gives attackers ample time to monetize stolen data before anyone knows it’s gone.
The True Cost of a Healthcare Data Breach
Healthcare has been the most expensive industry to breach for over a decade, and the gap isn’t closing.
Average Cost Per Incident
IBM’s 2025 Cost of a Data Breach report puts the average healthcare breach at $7.42 million, the highest of any industry measured, working out to roughly $398 per exposed record. The largest cost components are detection and escalation ($1.47 million), lost business ($1.38 million), and post-breach response activities ($1.2 million). Taken together, lost business and post-breach response exceed the cost of detecting and escalating the incident, which means the cleanup and reputational fallout often cost more than the technical response itself.
Regulatory Fines and Legal Exposure
Beyond direct breach costs, healthcare organizations face HIPAA enforcement penalties from OCR and a growing wave of class action litigation. OCR closed 22 HIPAA investigations with financial penalties in 2024, collecting over $12.8 million, and enforcement activity rose again in 2025. Class action settlements tied to specific breaches have become faster and larger: Yale New Haven Health reached an $18 million settlement roughly seven months after its breach, and a 2022 ransomware attack on Heritage Provider Network resulted in a settlement of nearly $50 million.
Long-Term Reputational and Patient Trust Impact
The financial hit doesn’t stop when the investigation closes. Organizations that suffer a breach commonly take over 100 days to fully recover operationally, and nearly half raise prices to offset breach costs, with almost a third raising prices by 15% or more. For a sector built entirely on patient trust, a breach that becomes public knowledge can affect patient retention and referrals long after the technical incident is resolved.
How to Prevent Healthcare Data Breaches
Most large healthcare breaches trace back to a small set of preventable gaps: unmonitored third-party access, unpatched systems, and credentials that were compromised long before anyone noticed.
Employee Training and Access Controls
Limiting PHI access strictly to what each role requires, combined with regular phishing and security awareness training, closes off the human-error and insider-access pathways that still account for a meaningful share of reported breaches.
Continuous Dark Web and Attack Surface Monitoring
Because more than 90% of hacked healthcare records in recent years were stolen using compromised credentials rather than through a vulnerability in the electronic health record system itself, continuous monitoring for exposed credentials and leaked data on dark web marketplaces and forums has become one of the highest-leverage prevention measures available. Platforms like DeXpose scan dark web markets, breach dumps, and threat actor forums in real time, giving healthcare organizations an early warning when employee or patient credentials surface, before they’re used in an attack. That early warning matters because the average time to identify and contain a breach still exceeds 240 days in IBM’s 2025 study.
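The mechanism behind any credential-exposure check is the same whether the corpus is a commercial dark-web feed or a public pwned-password index: hash the credential, look it up against the corpus, and do so without handing the plaintext (or even the full hash) to the lookup service. The block below is an added example written for this guide; it is not DeXpose’s code and not code from the original article. It implements the k-anonymity range lookup popularized by Have I Been Pwned’s Pwned Passwords service, whose live endpoint (https://api.pwnedpasswords.com/range/<prefix>) accepts only the first five hex characters of a SHA-1 hash and returns every matching suffix with a count. The leaked-password corpus, the account list and the `local_fetch_range` stand-in are constructed so the example runs offline; swap in a real HTTP fetch for production use at password set and reset time, which is where NIST SP 800-63B requires this check.

```python
import hashlib

# Constructed stand-in for a breach corpus / pwned-password index.
# In production this lives on the remote service; it is embedded here so
# the example runs offline. Values are "times seen in dumps".
LEAKED_PASSWORDS = {
    "Winter2025!": 41,
    "Password123": 12890,
    "hospital1": 377,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range protocol is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Group leaked hashes by their 5-hex-char prefix, the way a k-anonymity
    range service serves them: prefix -> ['SUFFIX:COUNT', ...]."""
    index = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def local_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns the newline-joined suffix list for that prefix (empty if none)."""
    assert len(prefix) == 5, "only the 5-char prefix ever leaves the client"
    return "\n".join(RANGE_INDEX.get(prefix, []))


def exposure_count(password: str, fetch_range=local_fetch_range) -> int:
    """How many times `password` appears in the corpus. Only the first five
    hex characters of its SHA-1 are disclosed to the lookup service; the
    suffix comparison happens locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.strip().split(":")
        if candidate == suffix:
            return int(count)
    return 0


def reject_exposed(accounts, fetch_range=local_fetch_range):
    """accounts: iterable of (username, candidate_password) as submitted at
    password set/reset time. Returns the usernames whose chosen password is
    already in the breach corpus and must be rejected."""
    return [user for user, pw in accounts if exposure_count(pw, fetch_range) > 0]


if __name__ == "__main__":
    for pw in ("Winter2025!", "correct horse battery staple"):
        print(pw, "->", exposure_count(pw), "exposures")
    print("reject:", reject_exposed([("alice", "Password123"),
                                     ("bob", "kJ8#vQ2!mZ9pL4wR")]))
```

The same pattern scales to an organisation-wide sweep: the list of prefixes you query reveals nothing about which of your staff chose which password, and a service that returns hundreds of suffixes per prefix cannot tell which one you were looking for.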
Patch Management and System Hardening
Given how frequently attackers exploit known, unpatched vulnerabilities rather than novel techniques, a disciplined patch management program, including for legacy medical devices that are harder to update, remains one of the most effective and underused defenses available.
Vendor Risk Management
Since more than 80% of stolen PHI now originates from third-party vendors and business associates rather than the healthcare organization itself, vetting vendor security practices, contractually requiring breach notification timelines, and continuously mapping an organization’s external attack surface, including every vendor connection, has become as important as securing internal systems.
Incident Response Planning
A documented, regularly tested incident response plan shortens the gap between detection and containment, which directly affects both regulatory exposure and total breach cost. Organizations with lengthy or ad hoc response processes consistently take longer to contain incidents and pay more to do so.
Regulatory Requirements When a Breach Occurs
Once a healthcare organization confirms a breach, HIPAA’s Breach Notification Rule sets strict, non-negotiable deadlines for who must be told and by when.
HIPAA Breach Notification Rule
Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach. Breaches affecting 500 or more individuals must also be reported to HHS within that same 60-day window, and a breach affecting more than 500 residents of a single state or jurisdiction additionally requires notice to prominent media outlets serving that area. Breaches affecting fewer than 500 people are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered, but individual notification still follows the 60-day standard.
OCR Enforcement and Penalties
OCR investigates every reported breach affecting 500 or more people and can pursue civil monetary penalties or settlements for underlying HIPAA violations, separate from the breach itself. Risk analysis failures remain the most commonly cited violation in OCR enforcement actions, meaning organizations are frequently penalized not just for the breach but also for failing to identify the vulnerability that led to it in the first place.
State-Level Notification Laws
State breach notification laws layer on top of HIPAA and can impose shorter deadlines, broader definitions of covered data, or additional notification requirements on state attorneys general. A HIPAA-compliant response doesn’t automatically satisfy every applicable state law, which is why multistate breaches often trigger separate state-level enforcement actions alongside federal OCR investigations.
Frequently Asked Questions (FAQs)
What is considered a healthcare data breach?
Any unauthorized access, use, acquisition, or disclosure of protected health information is presumed to be a breach under HIPAA, unless a documented risk assessment shows a low probability that the data was actually compromised.
What is the main cause of healthcare data breaches?
Hacking and IT incidents, including ransomware and phishing-enabled credential theft, now account for close to 80% of all large healthcare breaches, making them by far the leading cause, well ahead of lost devices, insider access, or improper disposal.
How much does a healthcare data breach cost on average?
The average healthcare data breach costs $7.42 million, the highest of any industry, according to IBM’s 2025 Cost of a Data Breach report, driven mainly by detection and escalation costs, lost business, and post-breach response activities.
How can healthcare organizations prevent future breaches?
The most effective measures address the sector’s specific weak points: continuous dark web and credential monitoring to catch compromised access before it’s exploited, rigorous vendor risk management given how much exposure originates from third parties, disciplined patching of legacy systems, and a tested incident response plan that shortens the gap between detection and containment.