Healthcare Data Breach Statistics

Healthcare organizations deal with a huge volume of sensitive data as part of their operations. Not only do these organizations deal with protected health information that is subject to HIPAA, but they also have access to patients’ financial and insurance information.

Because these organizations have such a wealth of personal data stored in their digital systems, they are a common target for cyberattacks. In this article, we’ll take a look at the broader impact of data breaches and cyberattacks on the healthcare sector through statistics.

Key Takeaways

• The healthcare industry is one of the industries most likely to be targeted by cyber attacks.
• This is because healthcare organizations store a huge volume of protected health information.
• Most healthcare cyber attacks happen in the United States, but they can happen anywhere in the world.
• The severity of healthcare data breaches is increasing. The largest data breach so far in 2023 compromised more than 8 million records.
• Healthcare data breaches are very expensive to remedy, with the average breach costing more than $11 million.
• Ransomware is one of the most common attack vectors against healthcare organizations.

Why is Healthcare a Data Breach Target?

Cybercriminals are particularly interested in healthcare records due to the massive amount of personal data they contain. In addition to protected health information, hospitals often store patients’ full names, dates of birth, and even social security numbers.

Additionally, healthcare providers often store their patients’ financial information, such as insurance providers, credit card numbers, and more.

By accessing the information that healthcare providers store, hackers are easily able to conduct identity theft. They can also sell this data to other cybercriminals because it is so valuable.

Additionally, many healthcare organizations have been very slow to transition from paper to digital medical records. While the vast majority of healthcare systems today do have digital systems, many of them use outdated technology or haven’t kept up to date with cybersecurity best practices.

While HIPAA does have cybersecurity requirements for healthcare providers, many companies struggle to implement them properly. Additionally, healthcare companies based outside of the United States are subject to their own local laws, which may be less comprehensive than HIPAA.

Because of this, healthcare organizations are particularly prone to both external hacking incidents and internal data breaches. Hackers often target healthcare organizations specifically because their systems have so many vulnerabilities.

Common Types of Healthcare Data Breaches

There are several different types of data breaches that happen in the healthcare industry. When most people think of a data breach, they think of cybercriminals operating outside the target organization. However, many healthcare industry breaches actually come from within the organization.

These internal breaches usually happen by accident, but they can also happen on purpose as the result of a disgruntled employee. Here are the types of data breaches that happen most often in the healthcare industry.

Hacking and IT Incidents

The vast majority of healthcare data breaches happen as the result of hacking or other IT incidents. Ransomware and other forms of malware are particularly common among healthcare organizations. 

Ransomware is a type of malicious software that steals sensitive data and holds it for “ransom,” threatening to release or delete the data if the victim does not pay a specific sum of money.

Unauthorized Access or Disclosure

The second-most common type of healthcare data breach is unauthorized access or disclosure. This happens when a healthcare employee shares patient data or other secure information with someone outside of the organization who isn’t authorized to access it. It can also happen when an employee shares access to internal systems with someone outside the company.

While these breaches can be malicious, they are more likely to be unintentional mistakes. This is because many healthcare employees are not properly educated on HIPAA cybersecurity requirements.

Physical Theft

Physical theft of healthcare records is another possible cause of healthcare data breaches. While healthcare providers store today’s patient records digitally, they may still have some paper records in storage that are vulnerable to physical theft.

Additionally, cybercriminals could steal computers and mobile devices that are used to store healthcare data. This theft can also happen unintentionally when healthcare professionals work remotely. 

If a remote employee keeps a computer or mobile device that contains healthcare data after leaving the organization, this would be a form of physical theft.

Improper Disposal of Records

HIPAA has very strict standards for the disposal of healthcare records. Even if these records are no longer in use at your organization, they could be very valuable to hackers. Disposing of these records in a way that violates HIPAA standards results in a data breach, often with harmful consequences.

Healthcare Phishing Data Breach Statistics

Phishing is an extremely common type of cyber attack across all industries. Phishing happens when a cyber criminal poses as a trusted contact, tricking the victim into sharing secure login information or other sensitive data. 

This often happens via email, particularly in the healthcare industry, but could also happen via text message or social media message as well.

Although phishing attacks are extremely common, many healthcare professionals don’t know how to spot them, resulting in compromised data. Many cybercriminals will also target healthcare executives specifically in a practice known as whaling. This particular type of phishing attack can be extremely devastating, as executives typically have access to very high volumes of data.

• 88% of healthcare workers open phishing emails. (Get Astra, 2023)
• 74% of data breaches in 2023 involved a human element, whether that be phishing and other forms of social engineering or human error. (Verizon)
• Phishing accounted for 45% of all cyber attacks in the healthcare industry in 2021. (Statista)
• The average cost of a phishing attack in the United States is $14.8 million. (HIPAA Journal)
• 81% of healthcare organizations reported an increase in phishing attacks between 2020 and 2021. (IRONSCALES)

The Cost of Healthcare Data Breaches

Healthcare breaches are devastating to patients, as they can potentially result in identity theft and other long-term security issues. However, they are also extremely expensive to mitigate and recover from.

In the initial aftermath of a data breach, companies will need to spend extra time and resources to re-secure the data, communicate with those affected, and eventually resume normal operation. 

After a data breach, companies also experience damage to their reputation and ultimately a loss of patients, which is also very costly.

• Healthcare data breaches cost organizations almost $11 million on average. This makes data breaches in healthcare the most expensive of any industry. (Ponemon Institute/IBM, 2023)
• Data breaches in the healthcare industry cost an average of $408 per record. (Ponemon Institute/IBM, 2018)
• Most healthcare organizations dedicate only 6% or less of their IT budget to cybersecurity. (Healthcare Information Management Systems Society, 2023)
• The average cost of a healthcare data breach has risen by more than 50% since 2020. (Ponemon Institute/IBM)
• US companies lose 65,343 hours per year due to phishing attacks. (HIPAA Journal)

US Healthcare Data Breach Statistics

The United States experiences more cyber attacks and data breaches than any other country in the world, particularly when it comes to healthcare. This is largely due to the size of the US economy.

• So far in 2023, there have been 904 breaches of unsecured protected health information, each of which affected 500 or more individuals. (US Department of Health and Human Services, Office for Civil Rights)
• One in 42 healthcare organizations were targeted by ransomware attacks during the third quarter of 2022 alone. This represented a 5% increase from the previous year. (Check Point)
• 81% of healthcare cybersecurity incidents happen as a result of provider or employee negligence. (PurpleSec, 2023)
• The largest healthcare data breach in the world was the Anthem breach in 2015, which happened in the United States. 78.8 million people were affected by this breach. (Wall Street Journal, 2015)
• Ransomware attacks targeting healthcare delivery organizations doubled between 2016 and 2021. (US Dept. of HHS)

Global Healthcare Data Breach Statistics

The US isn’t the only country that experiences healthcare data breaches – unfortunately, this is a global phenomenon. Cyber threats affect both public and private healthcare organizations around the world.

• 81% of UK healthcare organizations suffered a ransomware attack between 2020 and 2021. (Obrela Security Industries)
• The US is the country that experiences the highest number of data breaches relative to the population, followed by France, South Sudan, the Czech Republic, and Germany. (Proxyrack, 2022)
• In terms of continents, Europe experienced 58% of all healthcare attacks in 2022, while North American experienced 42%. (Security Intelligence)
• Keralty, a Colombian healthcare group, suffered a significant data breach in 2022 that resulted in 3TB of data stolen. Keralty has operations in Latin America, Spain, the United States, and Asia. (Bleeping Computer)
• Indian healthcare organizations were targeted by 1.9 million cyberattacks from January to November 2022. (Healthcare IT News)

Biggest Healthcare Data Breaches 2022-2023

Unfortunately, many significant healthcare data breaches have happened over the last year. Here are some of the largest healthcare breaches that have happened in 2022. (HIPAA Journal/US Dept. of HHS)

• In April 2022, a printing and mailing company called OneTouchPoint experienced a ransomware attack that resulted in a data breach. OneTouchPoint had many clients in the healthcare space, including many Blue Cross Blue Shield affiliates. The attack ultimately affected over 4.1 million people.
• Advocate Aurora Health is a healthcare system based in Illinois and Wisconsin. In October 2022, Advocate Aurora revealed that their system was compromised by tracking pixels. The breach potentially affected up to 3 million people, although the total impact of the breach is unknown.
• Connexin Software is a provider of electronic health record and practice management systems. In August 2022, the company experienced a ransomware attack that targeted protected health information, including medical, personal, and financial information. The attack affected over 2.2 million people.
• In March 2022, Shields Health Care Group experienced a hacking incident that resulted in stolen data. Shields is based in Massachusetts and runs imaging and outpatient surgical clinics throughout New England. This data breach affected an estimated 2 million people.
• Professional Finance Company is a debt collection agency based in Colorado that works with many clients in the healthcare industry. In spring 2022, the company experienced a ransomware attack that affected 657 healthcare providers who were clients. Ultimately, the breach affected approximately 1.9 million people.

Here are some of the largest healthcare data breaches that have happened so far in 2023.

• Managed Care of North America is a provider of dental care plans based in Florida. In March, a third party hacked into the company’s systems and injected them with malicious code, which ultimately resulted in the theft of protected health information. Ultimately, 8.9 million individuals were affected, making it the largest healthcare breach of 2023.
• PharMerica, a pharmacy services company based in Kentucky, has experienced the second largest data breach so far in 2023. In March, the company’s systems were targeted by a major ransomware group. Thousands of pharmacies across the US were affected, which ultimately resulted in compromised records for over 5.8 million individuals.
• Regal Medical Group is a healthcare group based in southern California. The company experienced a ransomware attack in December 2022, but did not report the attack until February 2023. Roughly 3.3 million people were affected by this data breach.
• Cerebral is a telehealth company that offers online mental health services to patients throughout the US. The company inadvertently shared data for years with advertisers and large technology companies via web pixels and other tracking methods. They estimate that at least 3.1 million people were affected by the breach.
• NationsBenefits is a healthcare service provider that focuses on supplemental benefits for insurance plans. In February 2023, they experienced a data breach that ultimately affected more than 3 million people.