Key Takeaways
- In 2023, the healthcare sector experienced 540 data breaches reported to HHS OCR involving over 500 individuals each
- From 2018 to 2023, healthcare breaches increased by 62%, totaling over 2,500 incidents
- In Q1 2024, 102 healthcare breaches were reported, a 25% rise from Q1 2023
- Change Healthcare breach in Feb 2024 affected 1/3 of Americans indirectly
- Anthem breach 2015 exposed 78.8 million individuals' PHI
- 2023 total: 113,628,580 healthcare records breached
- Average healthcare data breach cost $10.93 million in 2023, up 53% from 2020
- Total cost of 2023 healthcare breaches estimated at $6.5 billion industry-wide
- IBM 2023: Lost business costs averaged $3.32M per healthcare breach
- Hacking accounted for 83% of healthcare breaches in 2023 per HHS
- Ransomware attacks caused 67% of healthcare breach notifications in 2023
- Phishing was the initial vector in 16% of healthcare breaches per Verizon DBIR 2024
- OCR 2023: $6.85M in fines from 13 HIPAA settlements
- Anthem 2018: $16M OCR penalty plus $115M class action
- Premera Blue Cross 2021: OCR $6.85M settlement
Healthcare data breaches are surging alarmingly, exposing millions of patient records every year.
Affected Individuals
- Change Healthcare breach in Feb 2024 affected 1/3 of Americans indirectly
- Anthem breach 2015 exposed 78.8 million individuals' PHI
- 2023 total: 113,628,580 healthcare records breached
- Ascension breach Oct 2023 impacted 5.6 million patients
- UnitedHealth/Change Healthcare Feb-Mar 2024: potentially 100 million+ affected
- 2022: 51,077,886 records exposed in healthcare
- Q4 2023: 32 million records breached in healthcare
- Premera Blue Cross 2015: 11 million individuals
- Q1 2024: 10+ million records from 102 breaches
- 2021: 45,429,054 records exposed
- Community Health Systems 2014: 4.5 million SSNs and records
- Q2 2024: 12 million records from 86 breaches
- Medical Informatics Engineering 2023: 3.18 million records
- 2020: 29.8 million records breached
- UM Health-Sparrow 2023: 1 million+ patients
- Oregon HHS 2023: 650,000 individuals
- 2019: 41.2 million records
- Prisma Health 2023: 1.075 million
- Q3 2023: 38 million records exposed
- Scripps Health 2021: 147,267 individuals
- 2018: 13 million records
- Perry Johnson & Associates 2023: 9 million records
- Walgreens 2023: 14,000 customers
- 2023 average breach size: 133,000 records
- Mass General Brigham 2023: 196,000 patients
- Florida HHS 2023: 1.5 million
- 2024 Change HC: 94 million claims data potentially exposed
Breach Methods
- Hacking accounted for 83% of healthcare breaches in 2023 per HHS
- Ransomware attacks caused 67% of healthcare breach notifications in 2023
- Phishing was the initial vector in 16% of healthcare breaches per Verizon DBIR 2024
- 2023: 249 hacking incidents out of 540 total healthcare breaches
- Unauthorized access: 12% of 2023 healthcare breaches
- Email/phishing breaches: 20% rise in healthcare 2022-2023
- Improper disposal caused 2% but 5 breaches in Q4 2023
- Ransomware via Ryuk/Conti hit 25+ hospitals 2020-2023
- 45% of healthcare breaches from third-party vendors 2023
- Network server hacks: 40% of large breaches 2023 HHS data
- Email incidents: 154 in 2023 healthcare breaches
- Lost/stolen devices: 8% of breaches Q1 2024
- Change HC: BlackCat ransomware via compromised credentials
- Insider threats: 19% of healthcare incidents per Verizon 2024
- Portal/website hacks: 25 breaches in 2023
- 2023: 67 ransomware notifications to HHS healthcare
- Physical security breaches: 1% but notable in small clinics
- Supply chain attacks like Change HC: 15% rise 2023
- EHR system vulnerabilities exploited in 30% hacking cases
- Privilege misuse: 10% of Verizon-tracked healthcare breaches
- Q2 2024: 72 hacking/IT incidents out of 86
Breach Volume Trends
- In 2023, the healthcare sector experienced 540 data breaches reported to HHS OCR involving over 500 individuals each
- From 2018 to 2023, healthcare breaches increased by 62%, totaling over 2,500 incidents
- In Q1 2024, 102 healthcare breaches were reported, a 25% rise from Q1 2023
- 2023 saw 113 million healthcare records exposed, the highest annual total on record
- Hacking/IT incidents accounted for 83% of large healthcare breaches in 2023
- Between Jan 2022 and Dec 2023, 196 healthcare organizations reported breaches to HHS
- In 2022, healthcare had 706 breaches affecting 51.5 million people
- Q4 2023 recorded 152 healthcare breaches, up 43% from Q4 2022
- Over 5 years to 2023, healthcare breaches grew 300% in volume
- 2021 had 714 healthcare breaches reported to HHS
- In 2024 YTD (as of Oct), 379 healthcare breaches reported
- 2020 saw 590 breaches in healthcare, down from 2019's 654
- From 2009-2023, total healthcare breaches exceed 40,000 affecting billions cumulatively
- Q2 2024 had 86 healthcare breaches
- 2019 recorded 654 healthcare data breaches
- Healthcare breaches doubled from 2019 to 2023
- In 2023, 1 in 3 healthcare orgs faced a breach
- 2022 Q3 saw 136 breaches, highest quarterly in healthcare history then
- Cumulative breaches since 2009: 35,000+
- 2023 breaches cost healthcare $10.93M average per incident
- Q1-Q3 2024: 253 breaches reported
- 2018 had 353 breaches
- Breaches rose 20% YoY in healthcare 2022-2023
- 2021 Q4: 110 breaches
- Healthcare phishing-related breaches up 50% in 2023
- 2017: 234 breaches reported
- 2024 projected 600+ breaches based on trends
- Mid-2023 spike: 300 breaches H1
- 2016: 380 breaches
- Ransomware breaches in healthcare tripled 2020-2023
Financial Costs
- Average healthcare data breach cost $10.93 million in 2023, up 53% from 2020
- Total cost of 2023 healthcare breaches estimated at $6.5 billion industry-wide
- IBM 2023: Lost business costs averaged $3.32M per healthcare breach
- Notification costs per record: $7.59 in healthcare 2023
- Change Healthcare breach disruption cost UnitedHealth $872M in Q1 2024
- Average detection/investigation cost $1.52M per healthcare breach 2023
- Ransomware breach costs in healthcare: $4.44M avg above normal 2023
- Ponemon 2023: Healthcare post-breach turnover costs $1.8M avg
- Anthem settlement 2018: $115M for 78.8M breach victims
- Equifax-like healthcare fines total $100M+ since 2017
- IBM: Customer churn post-breach costs healthcare $1.9M avg 2023
- Premera settlement 2021: $74M for 11M breach
- 2023 healthcare breach fines: $6.85M total OCR penalties
- Average lost revenue per healthcare breach: $1.94M in 2023
- Community Health Systems 2018: $2.2M OCR fine post-breach
- Ponemon: Incident response costs $1.6M avg for healthcare 2023
- Scripps Health ransomware 2021 cost $112M estimated
- 2022 total healthcare breach costs: $5.9B projected
- OCR 2023 settlements: $6.85M from 13 cases
- Average fines per violation: $50,000-$1.5M in healthcare cases
- Universal Health Services ransomware 2020: $67M costs
- 2021 healthcare avg cost $9.23M per breach
- Change HC projected annual cost: $2.3B+ to UnitedHealth
Regulatory Actions
- OCR 2023: $6.85M in fines from 13 HIPAA settlements
- Anthem 2018: $16M OCR penalty plus $115M class action
- Premera Blue Cross 2021: OCR $6.85M settlement
- Community Health Systems 2018: $2.175M OCR fine
- 2023 OCR healthcare fines: Avow Hospice $2.5M for PHI disclosure
- Scripps Health 2023: Corrective action post-ransomware no fine yet
- UM Health-Sparrow 2024: OCR investigation ongoing
- 2022 OCR resolutions: 12 healthcare entities $4.3M total
- Florida HHS 2023: No fine yet, notification to 1.5M
- Ascension 2024: HHS OCR breach portal listing 5.6M
- Mass General Brigham 2023: OCR review initiated
- Perry Johnson 2023: 9M records, OCR reported
- 2021: OCR $4.2M from 10 healthcare cases
- Change Healthcare: HHS audit and potential fines pending 2024
- Walgreens 2023: OCR notification for 14K, no penalty
- Oregon HHS 2023: 650K notified per HHS rules
- Prisma Health 2023: HHS listed, corrective measures
- 2020 OCR healthcare fines: $6.2M total
- Medical Informatics Eng 2023: OCR portal entry 3.18M
- Average OCR fine per healthcare settlement 2023: $527K
Sources & References
- Reference 1: hipaajournal.com
- Reference 2: hhs.gov
- Reference 3: phivacy.com
- Reference 4: ibm.com
- Reference 5: ocrportal.hhs.gov
- Reference 6: verizon.com
- Reference 7: ponemon.org
- Reference 8: krebsonsecurity.com
- Reference 9: reuters.com
- Reference 10: justice.gov
- Reference 11: beckershospitalreview.com
- Reference 12: cnbc.com






