As many as 172 million individuals — more than half the population of the United States — may have been impacted by large health data breaches reported to the Department of Health and Human Services in 2024, according to a STAT analysis of records from HHS’ Office for Civil Rights. It’s a new record for the scale of large health care breaches, breaking one set just last year.
The vast majority of those health data breaches — 532 of the 656 reported as of December 4 — have resulted from hacks and ransomware attacks, continuing a years-long trend. Since 2018, HHS has reported, it has seen a 264% increase in large ransomware breaches, and seven health systems have been fined up to $950,000 for failing to protect patients’ protected health information from ransomware attacks.
But existing enforcement hasn’t been enough to stem the tide. “We’re going to see these numbers continue to go up as we have more and more health I.T. vendors, more and more startups in the space that have access to data,” said Andrew Mahler, vice president of privacy and compliance at health care risk auditor Clearwater and former OCR investigator. HHS’ Office of Inspector General recently issued a report finding that OCR hasn’t conducted audits of compliance with the HIPAA security rule since 2017.