Top 15 largest U.S. healthcare provider data breaches of 2024

It was another record-breaking year for healthcare cyberattacks, and healthcare providers' network servers were again prime targets for hackers.
By Andrea Fox
05:22 PM

Of the 421 hacking/IT incidents and unauthorized access/disclosure incidents attributed to healthcare providers across the United States reported to the U.S. Department of Health and Human Services this year, the top 15 data breaches affected 24,755,791 individuals.

WHY IT MATTERS

This year's top two largest healthcare data breaches are Change Healthcare, with 100 million individuals affected, and Kaiser Foundation Health Plan, with 13.4 million individuals affected, according to a list of the 10 largest U.S. health data breaches in 2024. While these breaches far exceeded the impact across all types of HIPAA-covered entities, healthcare providers' network servers were still a prime target for hacking or unauthorized access/disclosure, based on a search of the breach portal's data through December 30.

According to the HHS list of cases currently under investigation, the following 15 healthcare provider organizations suffered catastrophic health data breaches this year:

  1. Ascension Health, affecting 5,599,699 patients.
  2. Concentra Health Services, Inc., affecting 3,998,163 patients.
  3. Acadian Ambulance Service, Inc., affecting 2,896,985 patients.
  4. Integris Health, affecting 2,385,646 patients.
  5. Summit Pathology/Summit Pathology Laboratories, Inc., affecting 1,813,538 patients.
  6. Geisinger, affecting 1,276,026 patients.
  7. Eastern Radiologists, Inc., affecting 886,746 patients.
  8. Superior Air-Ground Ambulance Service, Inc., affecting 858,238 patients.
  9. Texas Tech University Health Sciences Center El Paso, affecting 815,000 patients.
  10. OnePoint Patient Care, affecting 795,916 patients.
  11. Ann & Robert H. Lurie Children's Hospital of Chicago, affecting 775,860 patients.
  12. Florida Department of Health, affecting 729,699 patients.
  13. OrthopedicsNY, LLP, affecting 656,086 patients.
  14. Texas Tech University Health Sciences Center, affecting 650,000 patients.
  15. Risas Dental & Braces, affecting 618,189 patients.

Of note, the federal health data breach portal does not yet contain information on an alleged massive breach stemming from a recent cyberattack on PIH Health. The California-based health system is posting regular website updates after a December 1 cyber incident, but declined to comment on a ransom letter that is allegedly circulating, as reported by the Whittier Daily News.

In the typewritten letter, the hackers claimed to have stolen about two terabytes of data, including 17 million patient records that contain personal and medical information, photos, patient notes and other information, according to the December 14 story.

If a forensic investigation determines that data has indeed been exposed, that would push the number of individuals affected in the top 15 data breaches targeting U.S. healthcare providers in 2024 to more than 40 million individuals.

THE LARGER TREND

UnitedHealth Group said in May that it's rebuilding Change Healthcare with cloud-based security after it was devastated by a far-reaching ransomware attack by the ALPHV ransomware gang on February 21. 

However, the massive payments clearinghouse outage not only exposed the most electronic protected health information of any healthcare data breach in history, but also dramatically hobbled patient care, leaving healthcare providers seeking to avoid treatment delays with overwhelming financial burdens.

To address the growing threat of healthcare cyberattacks, HHS and the Office for Civil Rights announced a Notice of Proposed Rulemaking on Friday to modify the Security Standards for the Protection of Electronic Protected Health Information under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009.

Included are several new proposals that would require HIPAA-covered entities to encrypt ePHI with few exceptions, implement multifactor authentication and inventory their technology assets.

"Cyberattacks continue to impact the healthcare sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually," OCR Director Melanie Fontes Rainer said in a statement about the first HIPAA Security Rule update since 2013.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
