US healthcare data breaches are out of control – over 400 million patient records have been exposed in the last two years

Two new reports have highlighted the immense scale of US healthcare data breaches, with 409 million personal records exposed over the last two years.
According to research from application security firm Indusface, there were 1,200 breaches in the US healthcare sector in the last 24 months, with 83% of incidents leaving patient records exposed.
Texas recorded 66 data breaches, the most of any state, as well as the most people affected, at 14,371,828. The state’s biggest breach was that of Concentra Health Services in January 2024, which saw data belonging to nearly four million people accessed or stolen.
California had the second-highest number of individuals affected by data breaches, at 9,218,788. Notably, it also experienced the largest healthcare data breach in the study, affecting 4,700,000 people, when Blue Shield of California’s member data was shared with Google for advertising.
At the other end of the scale, Ohio saw 45 incidents affecting the data of 3,767,504 people, and Massachusetts just 28, exposing data belonging to 3,743,999.
“The healthcare sector is vulnerable to these breaches due to both the vast amount of sensitive patient data, which is often sold to third parties for a high price, and weak or outdated software and systems,” said Venky Sundar, founder and president of Indusface.
“According to Verizon’s latest DBIR, vulnerability exploits have now overtaken phishing as a leading cause of data breaches. What is particularly concerning is how patching an average vulnerability takes 200-plus days.”
Ransomware contributing to healthcare data breaches
The figures come after a study from Michigan State University, Yale University, and Johns Hopkins University found that ransomware-related breaches have become a key issue for healthcare providers.
Researchers found that although ransomware accounted for just 11% of breaches in 2024 by number, those attacks alone were responsible for 69% of all patient records compromised that year.
The number of attacks has also been rising steadily over the last decade. While in 2010 there were no ransomware breaches, there were 222 in 2021, accounting for nearly a third of all major healthcare breaches that year.
Similarly, the overall share of breaches caused by hacking or IT incidents surged from 4% in 2010 to 81% in 2024.
Researchers said these numbers probably underestimate the true extent of the problem because of underreporting, reluctance to disclose ransom payments, and the fact that the study didn’t look at smaller breaches affecting fewer than 500 individuals.
“Ransomware has become the most disruptive force in healthcare cybersecurity,” said John Jiang, Eli Broad endowed professor of accounting and information systems in the MSU Broad College of Business and lead author of the study.
“Healthcare providers have limited cybersecurity resources, so it’s essential to focus protection on the most sensitive types of information. The solutions are within reach — what we need now is coordination, transparency and urgency.”