Health & Behavior
Editorial Research

By · Published · Updated

The Numbers Behind the Surge: Healthcare Data Breaches in an Era of Rising Threats

A deep look at how healthcare data breach statistics have shifted over the past decade reveals both the scale of the challenge and the quiet resilience of an industry learning to respond.

Key Takeaways · Quick Answers
How much does a healthcare data breach cost on average?
As of 2026, the average cost of a healthcare data breach is $10.22 million per incident, making healthcare the most expensive industry for breaches for 14 consecutive years. This is roughly 2.65 times the cross-industry average of $3.86 million.
What percentage of healthcare breaches are caused by hacking?
Hacking accounted for just 4% of HIPAA-reported healthcare data breaches in 2010. By 2024, that figure had risen to 81%, according to a May 2025 study published in JAMA Network Open. Ransomware alone affected 69% of all breached records in 2024.
How many healthcare records were breached in 2024?
Approximately 275 million healthcare records were breached in the United States in 2024, according to The HIPAA Journal's 2024 report. The Change Healthcare breach was the largest single incident, affecting over 100 million individuals.
Did healthcare data breaches improve in 2025?
Yes, 2025 showed a 4.3% decline in the number of healthcare data breaches compared to 2024, with approximately 61.6 million individuals affected a 78.7% decrease from 2024's record total. However, researchers caution that late additions to the OCR portal due to the 2025 federal government shutdown may affect the final count.
What can healthcare organizations do to reduce breach costs?
Organizations with fully deployed security automation saved $2.8 million per breach compared to those without, according to the 2026 data. Faster detection also matters: the average time to identify a healthcare breach is 213 days, and reducing that window limits the damage. Investing in security automation and breach detection capabilities are the two most evidence-backed steps an organization can take.

The Morning Everything Changed

On a Tuesday in early 2024, the billing systems at a major American healthcare network went dark. Not gradually all at once. Staff members stared at screens that had become mirrors of themselves. Patient appointment records, insurance claims, prescription histories: all of it, encrypted and held hostage. The attackers had not broken in through a window. They had walked through the front door of a digital infrastructure that, like so many in healthcare, had grown faster than its defenses.

The Change Healthcare breach that followed would become the largest single healthcare data breach in American history, affecting over 100 million individuals. It was not an anomaly. It was a data point one that sits at the end of a long, steep curve traced by healthcare data breach statistics going back more than a decade.

Those numbers, compiled by The HIPAA Journal, OCR breach portal filings, and independent research organizations, tell a story that is both alarming and, in its later chapters, quietly instructive. They reveal an industry that spent years building digital infrastructure faster than it could secure it, and that is now in the difficult, expensive work of catching up. They also reveal something about resilience: the same data that shows the scale of the problem shows where the response is taking hold.

The Cost of a Breach: Why Healthcare Pays More

Healthcare data breaches cost an average of $10.22 million per incident in 2026, according to Medha Cloud's 2026 breach statistics compilation. That figure is not a projection or an estimate it is the measured average across hundreds of incidents, and it makes healthcare the most expensive industry for data breaches for the fourteenth consecutive year.

The reasons are structural. Healthcare organizations store protected health information (PHI), which carries a per-record value roughly 2.75 times higher than the cross-industry average. A stolen credit card number can be canceled. A stolen Social Security number combined with a medical record number and a diagnosis code is a identity that can be exploited for years before anyone notices. The cost per stolen healthcare record stands at $408, compared to $148 for records in other industries.

The environments that house this data are also unusually complex. A hospital system might run legacy equipment running older operating systems alongside cutting-edge imaging software, all connected to insurance clearinghouses, pharmaceutical suppliers, and patient portals. Uptime is not optional a ransomware attack that locks down a hospital's systems is not merely a financial emergency; it is a patient safety emergency. Attackers know this, and they price it accordingly.

The 9.2% year-over-year increase from the previous year's average of $9.36 million reflects both the growing sophistication of attacks and the expanding attack surface of a healthcare sector still mid-transition to comprehensive digital operations. But there is a counterpoint buried in the same data: organizations with fully deployed security automation saved $2.8 million per breach compared to those without. The cost is high, but it is not inevitable.

The Shift Nobody Predicted: From Lost Laptops to Ransomware Gangs

The most striking thing in the healthcare data breach statistics is not the numbers themselves it is the shape of the curve. In 2010, there were 216 reported data breaches involving PHI, according to HIPAA University's analysis of HIPAA-reported incidents. Most of those breaches were not cyberattacks in any recognizable sense. They were lost laptops. Misfiled paper charts. A staff member who emailed a patient list to the wrong address. Hacking and IT issues accounted for just 4% of reported incidents.

By 2024, that picture had inverted entirely. Hacking now plays a part in 81% of all HIPAA-reported healthcare data breaches, according to a May 2025 study published in JAMA Network Open and cited by HIPAA University. Ransomware once unheard of in healthcare affected nearly 7 in 10 breached records by 2024, representing 69% of all patient data involved in breaches. The shift is not gradual. It is a cliff.

The numbers trace a clear arc. From 2018 to 2021, large breaches nearly doubled, rising 93.7%. Hacking-related breaches jumped 239% from 2018 to 2023. Ransomware surged 278% over the same period. In 2019, 49% of breaches were due to hacking. By 2023, that figure had reached 80%. The industry did not just face more attacks it faced a completely different kind of attack.

The significance here goes beyond numbers. Ignoring these HIPAA statistics doesn't just mean risking fines from regulators. It can erode patient trust something that's hard to rebuild after a breach makes headlines. HIPAA University analysis

The reasons for the shift are not mysterious. Healthcare data became more valuable as digital records became more comprehensive. The COVID-19 pandemic accelerated the adoption of telehealth and remote work, expanding the digital perimeter of healthcare organizations. And the rise of ransomware-as-a-service gave criminal actors who had no background in healthcare the tools to execute sophisticated attacks that once required nation-state-level capabilities.

2024: The Year the Curve Bent

For all the grim momentum in the trend lines, 2024 brought a moment of pause. As of January 28, 2025, the OCR data breach portal showed 725 data breaches of 500 or more records in 2024, according to eDiscovery Today's analysis of The HIPAA Journal's 2024 report. That total represented a slight 2.95% year-over-year reduction, 22 fewer breaches than 2023's record-breaking number. It was the first decline in years.

But the headline number obscured a more complicated picture. While the number of breaches was leveling off, the number of records exposed was not. In 2021, 60 million healthcare records were breached. In 2022, 57 million. Then the curve bent sharply upward: 2023 saw a 192% increase to 168 million breached records, followed by a 63.5% increase to 275 million records in 2024. The Change Healthcare breach alone affected over 100 million individuals roughly a third of the American population.

The 2024 report noted that if you set aside the Change Healthcare breach, approximately 85 million healthcare records were still breached in 2024. Historically, mega data breaches of that scale were rare the last comparable incident was the Anthem Inc. breach in 2015, involving 78.8 million records. The report warned that signs pointed to these mega breaches becoming more frequent, not less.

What this means for Snip2Go readers is practical: the question is no longer whether a healthcare organization holds data worth attacking. It is whether that organization has built the infrastructure to detect an intrusion fast enough to limit the damage. The average time to identify a healthcare breach is 213 days 16 days longer than the cross-industry average. By the time a breach is discovered, the data may have been sitting in an attacker's hands for seven months.

2025 and the First Signs of Plateau

The 2025 data, still being finalized as of early 2026, shows the first meaningful decline in breach impact in years. According to the HCI Innovation Group's coverage of The HIPAA Journal's 2025 report, at least 61,556,256 individuals had their protected health information exposed or impermissibly disclosed in 2025 a 78.7% decrease from 2024's record-setting total.

The decline is real, but researchers caution against premature relief. The late additions in 2026 could be considerably higher than in previous years, given the 43-day federal government shutdown in late 2025 during which no breaches were added to the OCR portal. The report found that data breaches are plateauing in the 700 to 750 range still around two large healthcare data breaches per day, twice the rate in 2018.

The breakdown of breach types in 2025 tells a story of continued evolution. While small decreases occurred in hacking/IT incidents, loss/theft incidents, and improper disposal incidents compared to the previous year, there was a 17.4% increase in unauthorized access/disclosure incidents. Most breaches involved exposed or stolen PHI stored on network servers (61.5%), followed by compromised email accounts (24.9%), physical PHI such as paper documents (5.6%), and unauthorized access to electronic medical records (4.6%).

The largest healthcare data breach of 2025 was a hacking attack at Aflac insurance, impacting over 22.6 million people worldwide unauthorized access to the PHI of nearly 14 million individuals in the United States. The second-largest was reported by Yale New Haven Health System, the largest health system in Connecticut, affecting 5,556,702 individuals. Hackers breached its network on March 8, 2025, and while the intrusion was detected the same day, it was not detected in time to prevent the exfiltration of patient data.

The Human Side of the Numbers

Behind every data point in the breach statistics is a patient whose information is now in unknown hands. The scale of 275 million records breached in 2024 more than 82% of the U.S. population, accounting for individuals who may have been affected by multiple breaches is difficult to process as a human story. But the individual cases are not abstract.

In 2023, OCR fined four hospitals approximately $1.3 million total for failing to prevent staff from snooping on celebrity patients' records. The fines were not for a cyberattack. They were for the mundane, human failure to maintain appropriate access controls on records that should have been restricted. In Brazil in 2020, 16 million COVID-19 patient records leaked after a GitHub configuration error. In Canada in 2019, 15 million patient records were stolen from LifeLabs. In Australia in 2022, 9.7 million Medibank records were leaked.

The patterns are not uniform. Some breaches are the work of sophisticated criminal enterprises seeking financial gain. Others are the result of insider threats in 2024, 70% of breach actors were internal, according to Verizon's Data Breach Investigations Report, compared to 39% in 2022. Some are accidents. Some are negligence. The common thread is that healthcare data, once compromised, cannot be un-compromised.

Where the Response Is Taking Hold

The same data that documents the problem also documents the response. Organizations that deployed security automation saved $2.8 million per breach. The 2025 decline in total individuals affected even accounting for reporting delays suggests that some of the infrastructure investments made after the 2023 surge are beginning to take effect.

Business associate breaches, which increased 337% since 2018, are now receiving more systematic attention as healthcare organizations extend their security requirements outward to the vendors and partners who handle PHI. The OCR data breach portal currently lists 523 data breaches at healthcare providers, 56 at health plans, and two at healthcare clearinghouses, along with 128 reported by business associates a distribution that reflects the complexity of the healthcare data ecosystem.

The cybersecurity workforce gap remains acute. Healthcare organizations compete with every other industry for security talent, and the specialized knowledge required to secure clinical environments where systems cannot simply be taken offline for patching adds a layer of difficulty that other sectors do not face. But the gap is being addressed, slowly, through a combination of automation, managed security services, and a new generation of health IT professionals who came into the field with cybersecurity as a core competency rather than an afterthought.

What This Means for Snip2Go Readers

The healthcare data breach statistics are not just a story about hospitals and insurance companies. They are a story about the infrastructure of trust that makes modern healthcare possible. When a patient walks into a clinic and hands over their Social Security number, their medical history, their insurance card, they are placing a kind of trust that has no equivalent in most other transactions. A credit card can be canceled; a medical identity can be used for years before it is detected.

For readers researching healthcare providers, the statistics offer a practical framework: ask about security automation, ask about breach history and response times, ask about business associate agreements. The organizations that have invested in detection speed reducing the 213-day average are the ones that limit the damage when an attack succeeds. That is not a guarantee of safety; no framework is. But it is a signal of seriousness.

For readers who are patients, the statistics are a reminder that the security of your health data is not entirely in your own hands. It is in the hands of systems that are improving, unevenly, year by year. The good news embedded in the 2025 data is that the curve is not inevitably upward. The bad news is that it took a record-setting crisis to bend it, and the plateau is still far above where it was a decade ago.

Looking Ahead: The Trends to Watch

Several threads in the data warrant attention as 2026 unfolds. The unauthorized access/disclosure trend up 17.4% in 2025 suggests that as external hacking defenses improve, insider threats and improper access controls are becoming a relatively larger share of the problem. This is not a simpler problem to solve; it involves workforce culture, access management, and the difficult balance between clinical efficiency and data security.

The growing trend of entities involved in data breaches not disclosing the root cause whether it involves data theft, extortion, malware, or ransomware makes it harder to track the precise evolution of attack methods. Researchers at The HIPAA Journal have noted this opacity as a challenge for public understanding and organizational preparedness.

And the question of mega breaches whether Change Healthcare was an anomaly or a preview remains open. The 2024 report's warning that these events may start occurring much more frequently has not been contradicted by the 2025 data. If anything, the Aflac breach's scale 22.6 million individuals suggests that the infrastructure to execute a massive breach is no longer the exclusive capability of the most sophisticated actors.

What the statistics make clear is that healthcare data security is not a problem that will be solved by any single technology, regulation, or initiative. It is a condition of operating in a digital age, one that requires continuous investment, continuous adaptation, and a willingness to learn from each incident before the next one arrives.

Where to Read Further

The primary sources behind these statistics are updated regularly and offer deeper dives into specific topics. Medha Cloud's Healthcare Data Breach Statistics 2026 compiles cost benchmarks, HIPAA penalty data, and OCR enforcement trends in a format designed for compliance planning and leadership briefings. Bright Defense's 60+ Healthcare Data Breach Statistics for 2026 offers a curated collection covering breach volume, common causes, year-over-year trends, and geographic distribution. The HCI Innovation Group's coverage of The HIPAA Journal's 2025 report provides the latest year-over-year analysis and emerging trend commentary. For the full 2024 report with its detailed breakdowns of breach types and affected populations, eDiscovery Today's analysis of The HIPAA Journal's 2024 Healthcare Data Breach Report is a thorough starting point.

The OCR breach portal itself, maintained by the Department of Health and Human Services, is the authoritative source for individual breach reports and is updated as investigations conclude. Readers who want to track the ongoing evolution of healthcare data breach trends will find no substitute for the primary data.

Sources reviewed

Atlas Research Network