Top 10 Recent Healthcare Data Breaches in 2024

The healthcare industry ranks fourth in the highest number of data breaches, as evidenced by the 556 incidents reported in 2024 according to HIPPA Journal. Nearing year’s end, the healthcare sector has endured some of its most impactful breaches, exposing vast amounts of personal and medical data. These breaches have implications far beyond personal privacy, empowering cyber criminals and revealing critical system vulnerabilities. 

This year’s major cyberattacks, such as those on Change Healthcare and Kaiser Permanente, have affected millions and jeopardized protected health information. To combat these mounting threats, healthcare organizations must adopt resilient cybersecurity solutions and strategies across their systems. 

This blog explores the top 10 healthcare data breaches of 2024, detailing their occurrences and impacts. 

The stats from 2024 are frightening and have shown no signs of decay. 

Recent Healthcare Data Breaches: 10 High-Profile Cases 

1. Change Healthcare Cyberattack 2024 

On February 21, 2024, Change Healthcare discovered a ransomware attack that led to the theft of 4TB of data and 100 million affected individuals. Despite a $22 million ransom payment, the data was not deleted, and the stolen data was handed over to another group, demanding an additional ransom. 

During a House Committee hearing on May 1, 2024, the CEO of UnitedHealth Group, Change Healthcare’s parent company, revealed that protected health information was exposed, potentially impacting up to one-third of Americans. The full scope of the breach remained undetermined. 

By March 7, 2024, Change Healthcare confirmed substantial data exfiltration, but analysis began only on March 13, 2024, upon obtaining a safe data copy. On July 10, 2024, Change Healthcare issued a breach notice and started notifying affected individuals on July 20, 2024. 

The OCR listed the breach on its portal on July 30, 2024, noting ongoing assessments and potential updates on the affected individuals’ counts. Change Healthcare indicated that the data analysis was 90% complete but did not provide a timeline for the final report. 

2. Kaiser Permanente 

In late April 2024, Kaiser Permanente experienced a significant data breach potentially exposing the personal and medical information of 13.4 million individuals. The California-based organization notified the federal government and the news was reported by major outlets. The breach involved data being sent to third parties, such as Google, Microsoft Bing, and X (formerly Twitter), when patients accessed Kaiser Permanente’s websites or mobile apps. This was the third-largest data breach in the healthcare sector, surpassing previous incidents in terms of the number of individuals affected. 

Kaiser Permanente has notified all affected current and former health plan members. They announced that there was no exposure of Social Security numbers, financial account information, or credit card numbers. Although there is no evidence of misuse of the exposed data, the organization is taking precautionary measures. Kaiser Permanente has removed the involved online technologies from its platforms and is consulting experts to prevent future incidents. 

3. Sav-Rx 

Sav-Rx, a prescription management company, experienced a cyberattack on October 3, 2023, which led to the exposure of sensitive information of nearly 3 million individuals. The breached data included names, addresses, eligibility data, insurance identification numbers, and Social Security numbers. The attack was discovered on October 8, when network disruptions occurred. Despite the breach, the company’s IT system was restored within 24 hours, ensuring timely prescription shipments. 

The investigation, completed on April 30, 2024, revealed that hackers accessed non-clinical systems related to Sav-Rx’s medication benefits management services. The breach did not affect pharmacy systems, including mail order services. Sav-Rx informed regulators that 2,812,336 people were affected. All impacted individuals were offered two years of credit monitoring services by Equifax. The company assured that data acquired by the hackers was destroyed and not disseminated further. 

4. WebTPA 

WebTPA, a Texas-based provider of administration services to health insurance and benefit plans, detected a network intrusion on December 28, 2023. The breach, which occurred between April 18 and April 23, 2023, potentially exposed the protected health information (PHI) of 2,429,175 benefit plan members. Compromised data included names, contact information, birthdates, and insurance information. Financial and health information were not affected. 

WebTPA notified affected benefit plans and insurance companies, including The Hartford, Transamerica, and Gerber Life Insurance, and reported the breach to the HHS Office for Civil Rights and state attorneys general on May 8, 2024. Although there is no evidence of misuse, WebTPA offered two years of complimentary credit monitoring and identity theft protection services to the affected individuals. In response to the breach, WebTPA implemented additional security measures to prevent future incidents. The breach led to at least seven class action lawsuits alleging negligence and delayed notifications. This breach is the third largest healthcare data breach of 2024, following those at Kaiser.  

5. INTEGRIS Healthcare  

INTEGRIS Health suffered a cyberattack in November 2023, affecting 2,385,646 individuals. The breached data included names, dates of birth, contact information, demographic details, and Social Security numbers. Importantly, employment information, driver’s licenses, financial/payment information, and usernames/passwords were not compromised. INTEGRIS Health promptly secured its network and conducted an extensive review, leading to enhanced security policies and procedures. 

The breach has resulted in multiple class action lawsuits alleging negligence for inadequate data protection. Plaintiffs claim the company failed to implement appropriate safeguards despite known risks. While INTEGRIS Health has not confirmed misuse of the compromised data, they have been criticized for delayed transparency. Legal actions are seeking damages and improved security measures. This incident underscores the critical need for robust cybersecurity in healthcare. 

6. Medical Management Resource Group 

In January 2024, Medical Management Resource Group (MMRG), operating as American Vision Partners, reported a significant data breach affecting 2,350,236 individuals. Unauthorized network activity was detected on November 14, 2023, prompting immediate action to contain the threat. An investigation confirmed unauthorized access and data removal by December 6, 2023. Compromised data included names, contact information, dates of birth, medical services received, clinical records, medications, and health insurance information. 

MMRG is notifying affected individuals and providing complimentary credit monitoring and identity protection services. To prevent future breaches, MMRG has reviewed and enhanced its security policies and procedures.  

7. Geisinger 

Geisinger experienced a data breach involving a former employee of Nuance Communications, a vendor providing IT services. The breach occurred when the employee accessed patient information two days after termination. Discovered in November 2023, the breach exposed data such as names, dates of birth, addresses, medical record numbers, and other personal information. 

Law enforcement requested a delay in patient notifications to avoid impeding their investigation. The former employee was arrested and is facing federal charges. Geisinger has advised affected patients to review their health plan statements and contact insurers if they notice unauthorized services. Notifications are being mailed to those affected. A class-action lawsuit has been filed against Geisinger and Nuance Communications for failing to safeguard patient data adequately. 

8. Eastern Radiologists Data Breach 

Eastern Radiologists, Inc., a North Carolina imaging chain, experienced a data breach potentially exposing 886,000 patient records to cyber criminals. The breach was discovered in November last year when suspicious activity was noticed on their network. After an investigation, it was found that a nefarious actor had accessed the network and stolen personal data like names, contact information, Social Security numbers, insurance information, exam and procedure details, referring physicians, diagnosis information, and imaging results. The stolen data, which varied by patient, was copied to an off-site location. 

The hackers had access to the radiology clinic’s systems for four days, from November 20 to 24. In response to the breach, Eastern Radiologists is strengthening its security measures to prevent future incidents. They have enhanced their network monitoring capabilities and continue to assess and improve their security controls. 

Eastern Radiologists, which serves patients across eastern North Carolina with offices in Greenville, Washington, and Kinston, has notified the affected patients directly. They have committed to ongoing efforts to secure their computer systems and the data they maintain to prevent similar breaches in the future. 

9. Superior Air-Ground Ambulance Service, Inc. 

In May 2024, the Superior Air-Ground Ambulance Service faced a severe data breach affecting 858,238 individuals. As the largest independent emergency medical services provider in the Chicagoland area, their network was accessed by an unauthorized third party for a week, during which sensitive information was stolen. The compromised data included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account details, patient records, medical diagnoses, treatment information, and health insurance data. 

Kirston Spann II, whose information was stolen, filed a class action lawsuit on June 6, 2024, in the U.S. District Court for the Northern District of Illinois. The lawsuit alleges that the breach resulted from Superior Air-Ground Ambulance Service’s negligence in maintaining private information and failing to implement adequate security measures, such as regular updates and data encryption. The claims include non-compliance with the Health Insurance Portability and Accountability Act (HIPAA) and state laws, suggesting the breach could have been prevented with proper safeguards. 

10. Ascension Ransomware Attack 

Ascension reported a ransomware attack on May 8, 2024, to the HHS Office for Civil Rights, indicating an interim figure of 500 affected individuals. The attack involved the exfiltration of files from seven servers used for daily tasks, which contained protected health information (PHI) and personally identifiable information (PII). 

Ascension initiated a detailed review process to determine the full extent of the breach. The attack disrupted electronic health record (EHR) access, affecting patient care and operational efficiency. To mitigate risks, Ascension provided free credit monitoring and identity theft protection services to concerned patients. They also began restoring EHR access and other systems, with an expected completion date of June 14, 2024. 

Where are Healthcare Organizations Lagging in Data Security? 

Organizations fail to protect against data breaches in healthcare due to systemic issues across employee training, outdated technology, and inconsistent security protocols. These challenges make them prime targets for breaches and expose sensitive patient data. Here are key areas where healthcare organizations fall short in data security: 

1. High Cost of Data Breaches 
Healthcare bears the highest average cost per data breach across all industries, with expenses often exceeding $10 million per incident. This stems from the value of patient information on the black market and regulatory penalties for HIPAA non-compliance, along with substantial costs to restore systems after an attack. 

2. Employee Awareness Gap 
Frontline healthcare workers often lack adequate training in identifying cybersecurity threats, such as phishing emails and social engineering attacks. Many hospitals provide minimal cybersecurity training, leaving staff vulnerable to scams that exploit this knowledge gap. Regular, scenario-based training is rarely enforced sector-wide, despite its necessity. 

3. Outdated Technology and Legacy Systems 
Many healthcare providers continue to use legacy systems that no longer receive security updates, making them easy targets for hackers. These systems lack encryption, multifactor authentication, and other critical security features, increasing the risk of unauthorized access. 

4. Lack of Regular Security Assessments 
Healthcare providers often skip regular cybersecurity assessments due to budget constraints and operational disruptions, leaving vulnerabilities unchecked. Without routine penetration testing and vulnerability scans, organizations miss key opportunities to identify and address potential risks before they’re exploited. 

5. Insufficient Data Encryption 
In many healthcare settings, data encryption is only applied sporadically. Patient records and other sensitive data often lack end-to-end encryption both at rest and in transit. This gap leaves data susceptible to interception and unauthorized access, particularly as cyber threats grow more sophisticated. 

6. Inadequate Incident Response Plans 
Many healthcare organizations lack a well-defined, tested incident response plan. Only 43% of healthcare providers report having a strong, documented response strategy, resulting in delayed reaction times during breaches and exacerbated impacts on both patients and operations. A comprehensive, rehearsed plan is critical to minimize data loss and maintain patient trust during cyber incidents. 

How Nalashaa can help? 

As healthcare data breaches continue to escalate, securing sensitive patient information has become critical. Nalashaa Solutions offers tailored HIT security solutions, including data encryption, access control measures, and adaptive monitoring systems to safeguard all digital assets comprehensively. 

Our advanced threat detection ensures real-time insights and early warnings, empowering healthcare providers to stay ahead of cyber threats and prevent breaches. 

From initial risk assessments to the latest compliance, Nalashaa supports healthcare organizations at every stage of cybersecurity, prioritizing both data safety and regulatory adherence. For specialized support in strengthening your healthcare systems, reach out to us at info@nalashaa.com.