Top 10 healthcare data breaches so far in 2024

During the first half of 2024, health systems and healthcare companies have experienced major cyberattacks. There have been 341 breaches reported to the Department of Health and Human Services in the first half of the year, according to the department’s database. The ten largest breaches affected over 31 million Americans, indicating the significant scale and severity of cybersecurity challenges in the healthcare sector.

Overview of major breaches

The ten largest breaches of healthcare data so far this year have had a profound impact, and the number of affected individuals could grow as more details emerge.

1. Kaiser Permanente

   Kaiser Permanente, one of the nation’s largest health systems, reports that up to 13.4 million individuals may have been affected by a breach involving the transmission of personal information to third parties such as Google and Bing. Although there is no evidence of misuse of the data, the organization issued notifications out of caution.
   
   

2. Concentra Health Services

   Concentra, a Texas-based provider of occupational medicine and urgent care, suffered a breach impacting nearly 4 million people. The breach was traced to a third-party vendor, Perry Johnson & Associates, Inc., which provides medical transcription services. According to a statement released by Concentra in February, "This event occurred solely at PJ&A and was not the result of any activities or inactions on Concentra’s part.”
   
   

3. Sav-Rx

   Sav-Rx, a pharmacy benefit manager, experienced a cyberattack affecting approximately 2.8 million individuals. The company has confirmed that the data accessed by unauthorized parties was destroyed and is offering free credit monitoring to affected customers.
   
   

4. WebTPA

   WebTPA, which handles administrative services for benefits plans, faced a breach affecting over 2.5 million people. The breach, detected in December, compromised personal information including Social Security numbers and insurance details.
   
   

5. INTEGRIS Health

   The Oklahoma-based health system INTEGRIS was hit by a cyberattack affecting nearly 2.4 million individuals. The breach included sensitive information such as Social Security numbers and birth dates, but no financial data was reported to be compromised.
   
   

6. Medical Management Resource Group

   Operating under the name American Vision Partners, this organization experienced a breach affecting more than 2.3 million people. The attack exposed various types of personal information, including Social Security numbers and banking details.
   
   

7. Geisinger

   Geisinger’s breach, which impacted over 1.2 million individuals, was linked to a cybersecurity incident involving Nuance Communications. A former employee accessed patient information without authorization, prompting legal action and a delay in notifying affected individuals.
   
   

8. Eastern Radiologists, Inc.

   This North Carolina organization suffered a breach impacting over 880,000 people. The unauthorized access involved copying private information from patients across 17 hospitals and seven outpatient facilities.
   
   

9. Superior Air-Ground Ambulance Service, Inc.

   A cyberattack on the Superior Air-Ground Ambulance Service affected more than 850,000 individuals. According to their notice about the event, the breach involved various records, including health insurance and personal identification details.
   
   

10. UNITE HERE

    The New York labor union UNITE HERE faced a cyberattack affecting over 790,000 people. The breach involved Social Security numbers and financial data, although there has been no evidence of fraud linked to the incident.
    
    

The growing challenge of cybersecurity in healthcare

The number of individuals impacted by these breaches stresses the ongoing vulnerabilities within healthcare organizations. Despite efforts to strengthen cybersecurity measures, many systems remain susceptible to attacks, with significant consequences for patient privacy and data security. Healthcare organizations must address fundamental cybersecurity issues to prevent future incidents. That includes improving system segmentation and reinforcing basic security practices.

Related: How cyberattacks can disrupt healthcare services

FAQs

How can healthcare organizations prevent data breaches?

Healthcare organizations can reduce the risk of data breaches by implementing strong cybersecurity measures, conducting regular security training for employees, and using encryption to protect sensitive data.

Read more: Tips for cybersecurity in healthcare

What is the role of business associate agreements (BAAs) in preventing data breaches?

BAAs ensure that third-party vendors handling protected health information (PHI) comply with HIPAA regulations, reducing the risk of breaches caused by vendor actions.

What should a healthcare organization do immediately after discovering a data breach?

Upon discovering a data breach, a healthcare organization should contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.