Every country in the world has a healthcare system.

Granted, some are significantly better than others, but every country has a system.

Of course, there are many ways to judge which healthcare system is best.

According to the World Population Review, the best is South Korea, followed by Taiwan and then Denmark.

The UK comes in tenth place and the US is below this.

That said, some of the best surgeons in the world are in the US and, despite healthcare being costly, it is at the cutting edge of new techniques.

One thing all healthcare systems have in common is that they contain a huge amount of personal data.

For every person that uses the system, there will be a name, address, contact details, social security number, payment details, medical history, age, and an array of other information.

In short, there’s enough information for a criminal to use in a variety of ways, such as stealing your identity.

Considering how much data is held by healthcare systems, it’s not surprising that they are regularly attacked.

A breach can cause serious consequences financially and emotionally for many people.

As the following healthcare data breach statistics show, attacks happen all the time and breaches do occur. You need to know what to do if your data is stolen.

Let’s take a closer look at the statistics.

Post Contents

1 Key Statistics
2 Top Healthcare Data Breach Statistics in 2024
3 What To Do If You’re The Victim Of A Healthcare Data Breach
4 Summing Up
- 4.1 Sources

Key Statistics

In 2022 there were over 700 US healthcare data breaches involving more than 500 records each
95% of all identity thefts are a result of healthcare data breaches
Most data breaches are a result of hacking or it incidents
45% of all healthcare data breaches are via phishing
There are an average of 1,463 healthcare cyber attacks per week
Third-party vendors are the biggest vulnerability for healthcare providers
There have been 22 major data breaches since 2022
Every healthcare breach is fineable
The US government spends 15% of it’s budget on cybersecurity
42 million records have been exposed between march 2021 and February 2022
67% of healthcare providers have experienced an attack from lookalikes
24% of doctors don’t recognize the signs of malware

Top Healthcare Data Breach Statistics in 2024

1. In 2022 There Were Over 700 US Healthcare Data Breaches Involving More Than 500 Records Each

The number of healthcare data breaches has grown rapidly in recent years.

While this type of data has always been a target, the consolidation of big data has made it possible to keep vast amounts of data in one place.

Unfortunately, that makes the data more appealing to cybercriminals and explains the increased number of attacks.

As with most things in life, if you try enough times you’ll get it right.

That’s why the number of healthcare data breaches is growing.

According to the latest Statista records, there were 707 data breaches in 2022 that involved the loss of more than 500 records.

This was on a par with 2021 which had 715 breaches.

The pandemic could be said to have triggered the latest increases.

In 2020, the year of lockdowns, 663 cases of data breaches involving over 500 records were reported.

That’s significantly more than in 2019 with 512 cases.

However, to highlight how big this problem is becoming, consider 2009, when there were just 18 breaches.

(Statista)

2. 95% Of All Identity Thefts Are A Result Of Healthcare Data Breaches

As mentioned, the healthcare industry is an obvious target for cybercriminals.

It houses millions of people’s personal information.

There’s a lot people can do with this kind of information.

It’s not just identity theft, a complete personnel file can be sold on the dark web and facilitate people with various schemes, including tax fraud.

Of course, this doesn’t always end well for the victim who has to prove they weren’t involved in an illegal activity.

The quality of this information and the possibilities with such information make it worth 50 times more than credit card details.

The depth of the information makes identity theft significantly easier, which is why, in 95% of identity thefts, the data has been stolen from healthcare records.

(Globe Newswire)

3. Most Data Breaches Are A Result Of Hacking Or IT Incidents

Every healthcare provider, no matter how big or small, needs to report specific security incidents.

In particular, it must be disclosed if a breach is detected and over 500 records have been compromised in any way.

The OCT can compile a list of breaches, allowing healthcare providers to see where the biggest risks lie.

According to their records and breaches reported to them, hacking and IT incidents are the biggest concern.

There were 555 reportable cases of this type of breach in 2022.

In contrast, there were just 113 reports of unauthorized access breaches and 35 incidents when data was physically stolen.

However, perhaps the most concerning breaches were the 4 reported incidents of records being improperly disposed of.

While hacks are a serious risk, there is no excuse for simply giving data away by failing to dispose of it properly.

The OCR collects details regarding each incident.

It’s interesting to note that many of the hacking and IT issues were related to network attacks, generally via malware.

Impressively, this type of assault happened in 56% of all data breaches.

(OCR)

4. 45% Of All Healthcare Data Breaches Are Via Phishing

Phishing is when someone is sent an email with a link.

The link looks plausible, encouraging the receiver to click on it and deal with the urgent request.

Unfortunately, the link isn’t genuine.

It can either have malware attached to it, which downloads into your computer, or it can link you to a website which will ask for your login details.

Malware can penetrate all parts of your computer, generally recording your actions and often your keystrokes.

This allows the hackers to access your login details and get onto the system whenever they want.

However, in many cases, the phishing attack tells you of an urgent issue that needs to be resolved.

You then click on a link to log in and resolve the issue.

Unfortunately, the link in the email takes you to a dummy site.

You’ll enter your login details and the hackers will instantly know what they are.

The hackers can then log in to the system, appear as legitimate users, and take any files they want.

Phishing attacks were successful in at least 165 incidents when over 500 records were lost.

That’s approximately 45% of all reportable healthcare data breaches.

(OCR)

5. There Are An Average Of 1,463 Healthcare Cyber Attacks Per Week

Healthcare attacks are popular.

According to the latest information from Insider Intelligence, an average of 1,463 attacks happened every week in 2022.

This figure represents an impressive 74% increase in the number of attacks in 2021.

The study doesn’t illustrate what is driving the phenomenal increase in attacks.

The good news is that not all are successful, but some are and it only takes one breach for a sizable amount of data to be lost.

The US manages slightly less than the average number of attacks.

According to statistics, the average for the US is 1,410 a week.

However, this represents an 86% increase compared to 2021.

That means there are likely to be even more cyber attacks throughout 2023.

Despite the slightly below-average attack level, the attacks against US healthcare providers are often more sustained.

This resulted in 344 breaches in 2022, giving the US the dubious title of most breaches for the third year running.

(Insider Intelligence)

6. Third-Party Vendors Are The Biggest Vulnerability For Healthcare Providers

Healthcare providers have three main vulnerabilities and third-party vendors are arguably the biggest issue.

A cybercriminal will generally find it easier to hack a third-party’s system.

In general, they have less security than the healthcare organization.

Getting into the healthcare data is much easier when the hackers already have access to a third-party vendor.

They simply connect through the third-party system.

It’s also difficult for healthcare providers to protect against.

Cloud breaches are also a serious risk for healthcare providers.

An estimated 73% of providers store data on the cloud.

Unfortunately, 61% of respondents in a recent survey stated their cloud storage had been attacked.

In most cases, the attack was via phishing, ransomware, or some other form of malware.

The good news is the majority of attacks were spotted in minutes or hours, keeping data loss levels low.

Cybercriminals can also hack in via connected devices.

The Internet of Things, as it’s known, is a great way to control features when you’re not physically present.

However, because they are connected to the healthcare systems they are a security risk.

The IV pumps account for 38% of a hospital’s IoT footprint.

It only takes one to have a poor/weak password and a hacker can get in.

(Insider Intelligence)

7. There Have Been 22 Major Data Breaches Since 2022

Despite the number of attacks, successful data breaches are comparatively rare and, in most cases, they release less data than hackers get from other industries.

However, sometimes the hackers get it right.

According to official records, there were 21 data breaches since January 2022 involving over one million records.

A further 22 cases involved 500,000 records being stolen.

However, these are nothing compared to the largest healthcare data breaches known about.

The biggest was the Anthem breach where 78 million records were stolen.

Another 11.5 million were taken from Optum360, and Premera Blue Cross lost 11 million records.

Laboratory Corporation of American Holdings lost 10.2 million and the Excellus Health Plan lost 9.3 million.

In every case, millions of people needed to be notified, so that they could cancel bank cards and protect themselves from identity theft.

(IT Governance)

8. Every Healthcare Breach Is Fineable

Data breaches cannot always be foreseen.

However, every organization should be doing everything in their power to protect against data breaches.

To help ensure this happens the HIPAA requires all breaches to be reported to them.

They can then assess the issue and decide on what compliance failures have occurred and how they should be penalized.

It’s important to note that data breaches are classified per violation.

That means there can be several violations and associated costs for one data breach.

There are four tiers of fines, every healthcare organization should be aware of them.

The first tier refers to breaches that the organization could not have foreseen or protected against.

The fine at this level is between $100 and $50,000.

Tier two covers things the organization should have been aware of but wasn’t.

The fine at this level is $1,000 to $50,000.

Tiers three and four are more serious.

These are when breaches have happened that the organization should have been aware of and protected against.

Tier three has a fine level of between $10,000 and $50,000, but tier 4, saved for the worst breaches which an organization should have been able to prevent, has a fine of at least $50,000 with no upper limit.

It’s worth noting that the OCR has received over $65 million in fine payments connected to HIPAA fines within the last 5 years.

(HIPAA)

9. The US Government Spends 15% Of It’s Budget On Cybersecurity

The average healthcare organization spends 9.9% of their annual budget on cybersecurity, effectively protecting the data they have.

That’s billions of dollars a year.

However, this pales in comparison to the US government which spends 15% of its annual b budget on cybersecurity.

What’s interesting is, that despite the high percentage of budgets, the overall amount being spent on cybersecurity is decreasing.

Once you realize that organizations are busy cutting costs it becomes more obvious why many still use Legacy operating systems, such as Windows 7.

They simply don’t have the funds to upgrade.

Of course, using such systems means that they are more vulnerable to cyber attacks, legacy systems are no longer updated, making a cyber attack more likely to be successful.

This could be the reason why so many successful cyberattacks and subsequent data breaches in healthcare organizations are a result of hacking and IT infrastructure issues.

(HIMSS Healthcare Cybersecurity Survey)

10. 42 Million Records Have Been Exposed Between March 2021 And February 2022

The number of breaches affecting over 500 records seems fairly low, 22 major breaches since 2022 doesn’t seem so bad.

However, the truth is, that in just one year, from March 2021 to February 2022, 42 million records were obtained by cybercriminals.

That’s a lot of people whose lives have been affected.

This statistic illustrates that the size of the breach isn’t always important, every breach needs to be taken seriously as it affects real people.

In addition, a small breach is often the test run for a cybercriminal.

Once they’ve found a way into the system they can take a lot more data.

It’s worth noting that One Touch Point estimates there is a 70% chance of a breach occurring in 2023 which will affect over 5 million records.

The threats aren’t going away.

Over 2100 healthcare data breaches have been known since 2009, and the figure, and quantity of records taken, increases every year.

(Get Astra)

11. 67% Of Healthcare Providers Have Experienced An Attack From Lookalikes

Cybercriminals know which scams work the best and they often don’t need to spend hours hacking through the system security.

One of the simplest, and most effective ways to get data is by using a legitimate login.

All they have to do is convince someone to share it.

They can do this by hacking third-party vendors, or by phishing for the data.

Lookalikes can be classified as a type of phishing.

It’s when the criminals create a site that looks genuine, convincing someone to log into their account.

Because it’s a lookalike, the login simply provides the scammers with legitimate login details.

They can then log in and start stealing files without suspicion.

(HIPAA)

12. 24% Of Doctors Don’t Recognize The Signs Of Malware

Doctors may be very good at reading people and their symptoms.

However, nearly a quarter of all doctors don’t know what a malware attack looks like.

That means they won’t report slow performance, freezing or crashing of apps, or even annoying pop-ups and error messages.

They also won’t recognize when storage space is suddenly lost or browser settings change by themselves.

This is a serious concern as doctors have access to all the healthcare information.

If they can’t recognize the signs of a malware attack they are likely to facilitate the attack.

In short, doctors, and potentially other medical staff, need better training to help them prevent data breaches.

(Get Astra)

What To Do If You’re The Victim Of A Healthcare Data Breach

Data breaches have become a fact of life and there is little you can do to stop your healthcare provider being breached.

They have your personal details and they control their security measures.

However, you do need to know if your records have been breached as you’ll have to take steps to minimize any damage caused.

You should first hear of the data breach directly from your healthcare provider.

However, big breaches quickly make the news, meaning you may hear it there first.

In both cases, you’ll want to confirm that your records have been breached.

To do this type the healthcare provider’s website into your browser and go straight there.

You should see information about the breach on their site.

If not, you can email them or even call them to check what happened and whether your record is affected.

Never reply or click on a link in an email that tells you about a breach, it could simply be cybercriminals trying to get your information.

You’ll also want to verify what data was stolen.

Of course, if it’s your entire healthcare record then the criminals have everything.

Be aware that your email address and password are enough for a hacker to try accessing other accounts.

Your name, phone, number, and address all provide them with the opportunity for identity theft.

They can also take your phone number themselves and abuse it while undertaking change-of-address scams.

Your social number is perhaps the most dangerous, this makes identity theft easy, along with a host of other scams.

After you’ve found out what’s been taken you’ll want to change your logins on any affected, or related accounts.

Remember, it’s best to use a unique password for every account.

Using a password generator is generally a good idea.

You should also place a freeze on your credit with Experian, Equifax, and TransUnion.

This stops anyone from accessing your credit records and effectively makes it impossible for anyone to take out a loan in your name.

Of course, you’ll also need to contact your bank and any other financial institutions.

If contact details are affected consider changing your phone number, moving isn’t a practical option for most people.

It’s also a good idea to file a report with the Federal Trade Commission (FRC).

It will help when proving that you didn’t make certain transactions.

Healthcare data breaches mean additional information can be stolen and used against you.

It’s advisable to contact your doctor and health insurance provider and get copies of your recent medical records and benefits.

This will show you if anyone is claiming benefits under your policy.

You’ll also have to be extra vigilant regarding any medical bills you receive, make sure they are genuine.

If any support is offered by the healthcare provider or a local company, take it.

You’ll find it easier to sort any issues with help.

Summing Up

The above healthcare data breach statistics paint a clear picture.

In short, data breaches are happening all the time and a breach can have a serious impact on your financial and mental well-being.

Changing passwords regularly, keeping them unique, and being vigilant regarding your personal details will help you stay safe even if your healthcare data is breached.

However, you can’t prevent a breach from happening.

Instead, be vigilant and know what to do if your data is exposed.