
In 2024, millions of individuals had their personal and medical information compromised. These breaches disrupted healthcare operations, led to legal repercussions, and placed financial and reputational burdens on the affected organizations. Healthcare institutions can better understand their security gaps by analyzing these incidents and implementing strategies to prevent future breaches.
The importance of cybersecurity in healthcare
Healthcare organizations store some of the most valuable data in the world, making them targets for cybercriminals. Unlike financial fraud, where unauthorized transactions can often be reversed, medical records contain sensitive personal information that, once stolen, can be used for identity theft, fraudulent insurance claims, and even black-market sales. In some cases, attackers manipulate patient records, which can lead to dangerous medical errors.
According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights Breach Portal, 2023 set a record for healthcare data breaches, with over 725 incidents exposing more than 133 million patient records. The trend has only worsened in 2024, with major breaches affecting hospitals, insurers, and healthcare technology providers. One of the most devastating examples was the Change Healthcare ransomware attack, which disrupted pharmacy and insurance billing systems across the U.S. and compromised the data of millions of patients.
“The attack on Change Healthcare has had far-reaching consequences, delaying medical services and putting patient safety at risk,” said cybersecurity expert John Riggi of the American Hospital Association. “This is a wake-up call for the industry—stronger cybersecurity measures are not optional; they’re critical to patient care.”
The financial impact of healthcare breaches is also severe. According to an IBM report, the average cost of a data breach in the healthcare sector is the highest of any industry, reaching $10.93 million per breach in 2023, up from $6.45 million in 2019.
To address these threats, the Health Insurance Portability and Accountability Act (HIPAA) mandates strict privacy and security requirements for healthcare data. The privacy rule controls how patient information is accessed and shared, while the security rule requires safeguards to protect electronic protected health information (ePHI). Organizations must also comply with the breach notification rule, which mandates public disclosure of data breaches affecting more than 500 individuals.
Regulatory oversight is tightening in response to the growing number of attacks. In December 2024, the Biden administration proposed new cybersecurity regulations aimed at strengthening healthcare data protections, including stricter encryption requirements and mandatory security audits. “The time for voluntary compliance is over,” said Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology. “Healthcare systems are critical infrastructure, and we must treat them as such.”
Hospitals, clinics, and insurers must act swiftly to strengthen their cybersecurity defenses. This includes implementing advanced encryption, multi-factor authentication, real-time threat monitoring, and regular staff training to prevent phishing attacks, which are the entry point for most breaches. Without these measures, healthcare providers risk not only regulatory penalties but also the erosion of patient trust and, in extreme cases, the endangerment of lives.
The biggest healthcare cyberattacks of 2024
Change Healthcare
Type of breach: Ransomware
Individuals affected: 190 million
Duration of breach: 25 days for medical claims, nine months for clearinghouse services
The Change Healthcare attack was the most catastrophic healthcare cyberattack of 2024, affecting nearly 190 million individuals, effectively making it the largest healthcare data breach in history. The ransomware group BlackCat/ALPHV infiltrated the company’s network on February 11, yet the breach remained undetected for nine days, leading to a crisis that forced Change Healthcare to disconnect over 100 services. The attackers demanded a $22 million ransom, and while the company never confirmed whether it paid, a cryptocurrency transaction of that amount was recorded shortly after the attack, fueling speculation.
The impact of this breach was severe. Hospitals, pharmacies, and clinics across the country experienced disruptions in billing, prescription processing, and patient care. The attack compromised medical and financial records and exposed insurance details, lab results, and sensitive patient histories. The fallout is still unfolding, with Change Healthcare facing lawsuits, including legal action from Nebraska Attorney General Mike Hilgers, who alleges that the company failed to implement adequate security controls. The true scope of the breach may not be fully understood for years, but it has set a new precedent for healthcare cybersecurity failures.
Kaiser Foundation Health Plan
Type of breach: Accidental data exposure
Individuals affected: 13.4 million
Duration of breach: Unknown
Kaiser Foundation Health Plan’s data breach was an example of how internal misconfigurations can lead to major security failures. Unlike the deliberate cyberattacks on other organizations, this breach stemmed from the unintentional sharing of patient data with third-party vendors, including Microsoft, Google, and X (formerly Twitter). While no Social Security numbers or financial records were leaked, the compromised information included names, IP addresses, and browsing activity from Kaiser’s websites, all data that, in the wrong hands, could be exploited for targeted advertising, profiling, or social engineering attacks.
Kaiser reported the breach to the Department of Health and Human Services (HHS) on April 12, and affected individuals were notified later that month. Adding to the organization’s cybersecurity troubles, a separate breach in Southern California later in the year exposed data from an additional 44,600 individuals. Although no confirmed misuse of the data has been reported, the incident reinforced the need for stringent data-sharing policies and regular security audits to prevent unintended disclosures.
Ascension Health
Type of breach: Accidental download of a malicious file
Individuals affected: 13.4 million
Duration of breach: Six weeks
On May 8, Ascension Health detected suspicious activity on its network, triggering an internal investigation that ultimately revealed an employee had unknowingly downloaded a malicious file. The seemingly minor mistake led to a massive security breach that crippled access to electronic health records (EHRs), MyChart patient portals, and critical hospital systems for nearly six weeks.
The attack disrupted access to test results, prescription orders, and scheduling systems, forcing many facilities to revert to manual processes. Although Ascension has not disclosed the full extent of compromised data, it confirmed that hackers accessed patient records, including medical history, insurance details, billing data, and government-issued identification numbers. One employee’s mistake set off a chain of operational failures, showing why regular cybersecurity training and strong access controls matter.
HealthEquity
Type of breach: Unauthorized access
Individuals affected: 4.3 million
Duration of breach: Unknown
HealthEquity, a provider of health savings accounts (HSAs) and benefits management services, experienced a data breach on March 9 when a cybercriminal gained unauthorized access to a third-party partner’s user account. The attacker extracted patient data, including Social Security numbers, employer information, insurance details, and prescription records.
The breach went undetected for over two weeks and was only discovered on March 25 through routine monitoring. While HealthEquity maintains that no malware was introduced into its systems, the unauthorized access allowed attackers to harvest sensitive medical and financial information. A full internal investigation was completed in June, leading to enhanced security measures within the company. Third-party vulnerabilities put healthcare organizations at risk, showing why strict access controls for external partners are necessary.
Acadian Ambulance Service
Type of breach: Ransomware
Individuals affected: 2.9 million
Duration of breach: Unknown
In June 2024, the Daixin Team targeted Acadian Ambulance Service in a ransomware attack that compromised the records of 2.9 million individuals. The hackers initially claimed to have stolen 10 million records and demanded a $7 million ransom, but later reports revealed that fewer individuals were affected. It remains unclear whether Acadian paid any ransom, but the company initially offered a counterpayment of $173,000, which the hackers reportedly refused.
The stolen data included names, birthdates, Social Security numbers, and patient intake records. Although no confirmed cases of identity theft or fraud have surfaced, the breach is evidence of the growing trend of ransomware attacks targeting emergency and critical care providers. Acadian has since provided affected individuals with identity protection services, but this incident shows the high stakes involved in securing emergency medical service data.
Lessons from 2024’s cyberattacks
Continuous monitoring is fundamental
Organizations cannot rely on reactive security measures. The Change Healthcare and HealthEquity breaches indicate the need for real-time monitoring to detect intrusions before they escalate into full-scale crises.
Internal security gaps can be just as dangerous as external attacks
The Kaiser and Ascension breaches prove that simple misconfigurations or employee errors can lead to massive data leaks. Regular staff training and security audits are necessary to prevent accidental exposures.
Ransomware attacks are evolving
The Change Healthcare and Acadian Ambulance attacks show the increasing sophistication of ransomware groups. Preventative measures like network segmentation, strong backup protocols, and zero-trust security models are needed.
FAQs
Why do ransomware attackers target healthcare providers instead of other industries?
Healthcare providers are more likely to pay ransoms due to the nature of their services. Disruptions in patient care can be life-threatening, making hospitals and clinics high-pressure targets.
What are the risks of third-party vendors in healthcare cybersecurity?
Many breaches originate from vulnerabilities in external partners’ systems. Healthcare organizations should enforce strict access controls, conduct vendor security assessments, and require compliance with HIPAA and other regulations.
How can patients protect their medical information from cyber threats?
Patients should use strong, unique passwords for patient portals, enable multi-factor authentication where available, monitor their medical records for suspicious activity, and be cautious about sharing personal health information online.