Data breaches cost healthcare organizations large fines as well as exposing patients’ privacy. An unhealthy scenario.
- cincinnatibrett
- 04/11/2025
- Professor Harnett

Healthcare institutions are classified as “Covered Entities” under the federal Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires covered entities to report data breaches to the government if the breach affected more than 499 people. These incidents are posted publicly on the U.S. Department of Health and Human Services Office for Civil Rights website, commonly referred to as the HHS “Wall of Shame”. The affected entities range from small practices to academic health centers to Level 1 Trauma Centers, and even insurers. There are thousands of reported incidents every year.
Just in March of this year, there were 44 incidents affecting over 1.5 million people. The nefarious use of social engineering, algorithms, brute force, and now AI has enabled bad actors to identify system and organizational weaknesses and then steal and exploit patient data. Sometimes the root cause is a technical issue, sometimes a lack of institutional policy, and sometimes internal users who simply don’t adhere to safe practices. These sites are then audited, and large fines are often assessed, but by then the horses have already left the barn.
In 2024, the United States witnessed an unprecedented surge in healthcare data breaches, profoundly impacting millions of individuals and raising significant concerns about identity theft. The magnitude of these breaches not only exposes sensitive personal and medical information but also underscores the vulnerabilities within the healthcare sector's cybersecurity infrastructure.
The Scale of Healthcare Data Breaches in 2024
Throughout 2024, the healthcare industry experienced a staggering number of data breaches. According to the HIPAA Journal, approximately 276,775,457 individuals had their protected health information (PHI) exposed or stolen during the year. This equates to an average of 758,288 records compromised daily. Such figures represent a significant increase compared to previous years, highlighting a troubling trend in the frequency and scale of cyberattacks targeting healthcare organizations.
Major Incidents Contributing to the Surge
Several large-scale breaches significantly contributed to the high number of affected individuals. Notably, the Change Healthcare cyberattack emerged as one of the most consequential incidents. Initially reported to have affected 100 million individuals, subsequent analyses revealed that the breach's impact extended to approximately 190 million people (I was personally affected). This breach not only disrupted healthcare operations but also exposed a vast amount of sensitive patient data.
Statistical Insights into Identity Theft Cases
While exact numbers of identity theft cases resulting specifically from healthcare breaches in 2024 are challenging to ascertain, the correlation between data breaches and subsequent identity theft incidents is well-documented. The Identity Theft Resource Center reported a near-record number of data compromises in 2024, with five mega-breaches accounting for 83% of victim notices. Given that healthcare data is highly sought after on the black market because of the comprehensive personal details it contains, it is reasonable to infer a substantial uptick in identity theft cases linked to these breaches. Furthermore, resolving issues stemming from medical identity theft is often a complex and prolonged process, causing significant distress and financial burden to the victims.
The Appeal of Healthcare Data to Cybercriminals
Healthcare data is particularly valuable to cybercriminals because it encompasses a wide range of personal information, including Social Security numbers, insurance details, and medical histories. This information can be exploited for various fraudulent activities, such as creating fake identities, procuring medical services, or filing fraudulent insurance claims. Unlike financial data, which can be quickly changed or canceled, medical data is immutable, making it a long-term asset for illicit use.
Preventative Measures and Industry Response
In response to the escalating threats, healthcare organizations are increasingly investing in robust cybersecurity measures and assessment. Implementing advanced encryption protocols, conducting regular security audits, and providing comprehensive staff training on data protection are becoming standard practices. Additionally, there is a growing emphasis on developing rapid response strategies to mitigate the impact of breaches and minimize fines.
Regulatory Actions and Legal Implications
Regulatory bodies have also intensified their scrutiny of healthcare organizations' data protection practices. HIPAA mandates stringent safeguards for PHI. Non-compliance can result in substantial penalties, as well as legal actions from affected individuals. For instance, in the aftermath of significant breaches, several class-action lawsuits have been filed, seeking compensation for damages incurred by victims.
The Role of Individuals in Protecting Their Data
While organizations bear the primary responsibility for securing data, individuals can take proactive steps to protect themselves. Regularly monitoring medical records for unfamiliar activities, promptly reporting discrepancies to healthcare providers, and being cautious about sharing personal information can help mitigate risks. Additionally, enrolling in credit monitoring services can provide alerts to potentially fraudulent activities.
Conclusion
The risk of data loss caused by breaches will continue. Consumers need to understand the gravity of having their personal data compromised. Federal law is in place that outlines the requirements. Organizations that implement independent corrective action plans after a reported breach demonstrate a strategy of measurable improvement in compliance. This proactive approach may be taken into account by government investigators during the assessment and penalty phase.
“Data is a precious thing and will last longer than the systems themselves.” Tim Berners-Lee