Shieldra
Healthcare data breach statistics
The state of HIPAA breaches, compiled from the HHS Office for Civil Rights (OCR) breach portal and HIPAA Journal, updated for 2026. In 2024, 725 large breaches exposed the records of about 289 million individuals; ~81% were hacking/IT incidents, and the average healthcare breach cost $7.42 million.
Healthcare data breaches by year (500+ records, reported to OCR)
| Year | Breaches | Individuals affected |
|---|---|---|
| 2022 | 720 | 51.9 million |
| 2023 | 746 | 133.1 million |
| 2024 | 725 | 289 million |
| 2025 (preliminary) | 710 | 61.6 million |
Breaches by cause (2024)
| Cause | Share of breaches |
|---|---|
| Hacking / IT incident | 81.2% |
| Unauthorized access / disclosure | 15.7% |
| Loss & theft | 2.5% |
| Improper disposal | 0.6% |
Where breached PHI lived (2025)
| Location | Share of breaches |
|---|---|
| Network server | 61.5% |
| Email | 24.9% |
| Paper / films | 5.6% |
| Electronic medical record (EHR) | 4.6% |
Largest healthcare data breaches on record
| Organization | Year | Individuals affected |
|---|---|---|
| Change Healthcare (UnitedHealth / Optum) | 2024 | 192.7 million |
| Anthem Inc. | 2015 | 78.8 million |
| Conduent Business Services | 2025 | 62.2 million |
| Welltok, Inc. | 2023 | 14.8 million |
| Kaiser Foundation Health Plan | 2024 | 13.4 million |
Key takeaways
- Hacking dominates: ~81% of 2024 breaches were hacking/IT incidents, concentrated on network servers (61.5%) and email (24.9%).
- 2024 was a record year for exposure — ~289 million individuals — driven by the Change Healthcare ransomware attack (192.7 million), the largest healthcare breach on record.
- Third-party vendor risk now dominates by impact: an estimated ~65% of individuals affected in 2025 were exposed through a business-associate breach, up from ~5% in 2015.
- Breach counts have plateaued at 710–746 large breaches a year (2022–2025), even as records exposed swing wildly.
- Healthcare is the costliest sector for breaches ($7.42M average, per IBM 2025), and the 2026 HIPAA penalty maximum is $2,190,294 per violation category.
Sources
- HHS OCR Breach Portal (the official Wall of Shame): https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- HIPAA Journal — Healthcare Data Breach Statistics: https://www.hipaajournal.com/healthcare-data-breach-statistics/
- IBM — Cost of a Data Breach Report 2025: https://www.ibm.com/reports/data-breach
- Federal Register — 2026 Civil Monetary Penalties Inflation Adjustment (HIPAA max $2,190,294).
Frequently asked questions
How many healthcare data breaches happened in 2024?
725 breaches of 500 or more records were reported to the HHS Office for Civil Rights (OCR) in 2024, exposing the records of approximately 289 million individuals — a record year, driven largely by the Change Healthcare ransomware attack.
What is the most common cause of healthcare data breaches?
Hacking and IT incidents, by a wide margin — about 81% of large healthcare breaches in 2024. Most compromised PHI lived on network servers (61.5%) or in email (24.9%).
What is the largest healthcare data breach ever?
The 2024 Change Healthcare (UnitedHealth/Optum) ransomware attack, which affected 192.7 million individuals — the largest on record, surpassing the 2015 Anthem breach (78.8 million).
How much does a healthcare data breach cost?
Per IBM’s Cost of a Data Breach Report 2025, the average healthcare breach cost $7.42 million — the most expensive of any industry for the 14th consecutive year.
What is the HIPAA penalty maximum in 2026?
The inflation-adjusted HIPAA civil monetary penalty maximum for 2026 is $2,190,294, effective for penalties assessed on or after January 28, 2026.