Healthnews analysis reveals that 32.4 million patients in the United States have already been impacted by 275 healthcare data breaches this year. A single breach is responsible for 41% of all affected individuals.
A data breach occurs when sensitive information is accessed or disclosed without authorization, posing a risk to individuals or organizations. Such breaches can put various types of data at risk, including personal, financial, and medical information.
Healthnews conducted this analysis using publicly available data from the U.S. Department of Health and Human Services, which requires healthcare organizations to report data breaches involving data of 500 or more individuals. The analysis includes both resolved breaches and those currently under investigation, with the most recent data retrieved on May 9, 2024.
Overall, in the first quarter of 2024, 222 data breaches were registered. Compared to the same period last year, this represents a significant increase of 41%.
However, the actual number of patients affected by the breaches has fallen slightly, from 17.6 million in Q1 2023 to 17.1 million in Q1 2024.
In April, an additional 51 data breaches occurred, impacting 15.1 million patients. The Kaiser Foundation Health Plan breach alone affected 13.4 million of these individuals. Two more data breaches were reported in early May, involving 199,744 patients.
More of the affected healthcare institutions were in California (30) than in any other state, followed by Texas (27) and New York (16).
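The aggregation behind the figures above (the 500-or-more reporting threshold, breach counts per reporting window, the largest breach's share of all affected individuals, and the leading states), as an added Python example that is not part of the Healthnews analysis; it assumes the column layout of the HHS breach portal's CSV export and runs on constructed sample rows, not real breach reports.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample rows in the assumed HHS breach-portal column layout (not real reports).
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach
Example Health Plan,CA,Health Plan,13400000,04/12/2024,Unauthorized Access/Disclosure
Example Clinic,TX,Healthcare Provider,2500,02/03/2024,Hacking/IT Incident
Example Radiology,NC,Healthcare Provider,886700,01/20/2024,Hacking/IT Incident
Tiny Practice,CA,Healthcare Provider,300,03/15/2024,Theft
Example Hospital,CA,Healthcare Provider,60000,03/30/2024,Hacking/IT Incident
Old Breach,NY,Healthcare Provider,70000,12/20/2023,Hacking/IT Incident
"""

REPORTING_THRESHOLD = 500  # the portal lists only breaches of 500 or more individuals


def load_breaches(text):
    """Parse portal-style CSV text (MM/DD/YYYY dates) into records with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        m, d, y = (int(p) for p in r["Breach Submission Date"].split("/"))
        rows.append({
            "entity": r["Name of Covered Entity"],
            "state": r["State"],
            "affected": int(r["Individuals Affected"]),
            "submitted": date(y, m, d),
        })
    return rows


def summarize(rows, start_iso, end_iso):
    """Summarize reportable breaches submitted between two ISO dates, inclusive."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    window = [r for r in rows
              if start <= r["submitted"] <= end
              and r["affected"] >= REPORTING_THRESHOLD]
    total = sum(r["affected"] for r in window)
    largest = max(window, key=lambda r: r["affected"], default=None)
    return {
        "breaches": len(window),
        "affected": total,
        "largest": largest["entity"] if largest else None,
        "largest_share": largest["affected"] / total if largest else 0.0,  # e.g. 0.41 in the article
        "by_state": Counter(r["state"] for r in window).most_common(3),
    }


if __name__ == "__main__":
    q1 = summarize(load_breaches(SAMPLE_CSV), "2024-01-01", "2024-03-31")
    print(f"Q1 2024: {q1['breaches']} breaches, {q1['affected']:,} individuals affected")
```

Rows under the 500-person threshold and rows outside the window are dropped before totals are computed, which is why the sample's 300-person entry and the 2023 entry never appear in the summary.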
Top 5 biggest data breaches of 2024
#1 Kaiser Foundation Health Plan, Inc. — 13.4M patients affected
On April 12, the Kaiser Foundation Health Plan, the largest nonprofit health plan in the United States, filed a notice with the U.S. government that 13.4 million residents were affected by a data breach. Due to improper tracking code implementation, patient data was shared with third-party advertisers, including Google, Microsoft, and X.
The data shared included members' names, IP addresses, information that could indicate whether members were signed in to a Kaiser Permanente account or service, details about how members interacted with and navigated through the website and mobile apps, and the search terms used when accessing the company's online health encyclopedia.
Kaiser stated that it has since removed the tracking code from both its websites and mobile apps.
#2 Concentra Health Services, Inc. — 4M patients affected
On January 9, 2024, Concentra Health Services confirmed that the protected health information of nearly 4 million patients was compromised in the cyberattack on Perry Johnson & Associates, Inc. (PJ&A).
During the breach, an unauthorized party gained access to the PJ&A network, a provider of medical transcription services to healthcare facilities, between March 27, 2023, and May 2, 2023, and obtained copies of certain files. These files contained personal health information of individuals, potentially including names, dates of birth, addresses, medical record numbers, hospital account numbers, admission diagnoses, and dates and times of service.
In addition, for some individuals, the affected data may have included Social Security numbers, insurance information, and clinical information from medical transcription files, such as laboratory and diagnostic test results, medications, the name of the treatment facility, and the name of healthcare providers.
#3 INTEGRIS Health — 2.4M patients affected
In December 2023, INTEGRIS Health confirmed that it had been the victim of a cyberattack after patients received extortion emails stating that their data had been stolen from the healthcare network and would be sold to other threat actors if they did not pay. The investigation revealed that unauthorized individuals may have accessed certain files as early as November.
In January 2024, INTEGRIS Health notified the U.S. Department of Health and Human Services that 2.4 million patients had been affected.
#4 Medical Management Resource Group, L.L.C. — 2.35M patients affected
The Medical Management Resource Group, which operates under the name American Vision Partners and provides administrative support for ophthalmology practices, announced in early February that it had identified unauthorized access to its network on November 14, 2023.
An investigation by the company revealed that hackers had obtained personal information belonging to patients of American Vision Partners' clients. This information included names, contact details, dates of birth, medical records, and, in some cases, Social Security numbers and insurance details.
The breach impacted approximately 2.35 million individuals.
#5 Eastern Radiologists, Inc. — 886.7k patients affected
In January 2024, Eastern Radiologists, Inc., a provider of radiologic services in North Carolina, completed an investigation that revealed unauthorized access to its network between November 20 and 24, 2023. During this breach, some documents were accessed and/or copied from its system.
The compromised files contained various patient data, potentially including names, contact information, Social Security numbers, insurance information, exam and/or procedure details, referring physicians, diagnoses, and/or imaging results. As a result, data from over 886.7 thousand patients was affected.
9 resources
- U.S. Department of Health and Human Services Office for Civil Rights. Cases currently under investigation.
- U.S. Department of Health and Human Services Office for Civil Rights. Archive.
- Ehealthinsurance.com. Kaiser Foundation Health Plan of Washington in Washington.
- TechCrunch. Health insurance giant Kaiser will notify millions of a data breach after sharing patients’ data with advertisers.
- The HIPAA Journal. Concentra confirms almost 4 million patients affected by PJ&A data breach.
- Pjats.com. Cyber incident notice.
- Bleepingcomputers.com. Integris Health says data breach impacts 2.4 million patients.
- Securityweek.com. Eye care services firm faces lawsuit over data breach impacting 2.3 million.
- Easternrad.com. Notice of security incident.