Top 3 Healthcare Data Breaches in 2024

In 2024, OCR received 13 data breach reports that each affected more than 1 million healthcare records. The biggest healthcare data breach affected approximately 100 million people. The total number of records of U.S. residents exposed or compromised in those 13 data breaches is 146,463,977, which is about 42% of the U.S. population.

Change Healthcare Data Breach

The biggest healthcare data breach of 2024 happened at Change Healthcare. A ransomware affiliate gained access to the Change Healthcare network on February 12, 2024, and encrypted files using ransomware on February 21, 2024. Before encryption, the affiliate exfiltrated the protected health information (PHI) of approximately 100 million people, which accounts for 54% of the records breached in 2024. The BlackCat/ALPHV ransomware group was responsible for the attack. Change Healthcare paid a $22 million ransom, but the ransomware group pulled an exit scam. The affiliate claimed not to have received payment and consequently sold the stolen information to the RansomHub group. RansomHub tried to extort Change Healthcare again but did not succeed.

This healthcare data breach also disrupted many healthcare providers that depended on Change Healthcare’s products, and the resulting outage was prolonged. The cyberattack kept patients from getting prescription drugs unless they could pay for them out of their own pocket. The outage severely disrupted healthcare companies’ revenue cycles, causing some small practices to close down.

According to the investigation of the cyberattack, the ransomware affiliate exploited a Citrix portal that did not have multifactor authentication enabled. Because of the massive disruption, Congress reviewed the effect of consolidation in medical care. The attack clearly showed that consolidation can create a single point of failure, which contributed to the paralysis of the U.S. healthcare system. Legislators asked why a company as large as Change Healthcare had failed to set up multifactor authentication, a fundamental cybersecurity protection, and why there were no standard procedures for quickly restoring systems after a ransomware attack.

Kaiser Foundation Health Plan Data Breach

The second biggest healthcare data breach of 2024 was reported in April and affected the PHI of around 13,400,000 people. The scale of the breach makes it one of the biggest healthcare data breaches ever; however, the negative effects of the breach were nominal.

Kaiser Foundation Health Plan used tracking technologies such as pixels on its websites and applications, which captured user activity and shared that data with third parties including Google, Meta, Microsoft, and X. The data transmitted depended on user interactions and could have included an identifier such as an IP address, the pages visited, and search terms that disclosed conditions, medications, injuries, and exercise routines. The tracking code was discovered during an internal investigation.

In December 2022, OCR published guidance for HIPAA-covered entities on HIPAA and tracking technologies, which stated that these technologies are generally not HIPAA compliant. The American Hospital Association challenged the guidance, and OCR updated it in 2024. A judge ruled that the guidance was unlawful and vacated part of it. As a result, tracking technologies are permitted on healthcare websites, but only on unauthenticated web pages. Authenticated web pages such as patient portals should not have tracking tools.

Ascension Health Data Breach

The third biggest healthcare data breach of 2024 involved a ransomware attack on Ascension Health in May. The Black Basta ransomware attack disrupted healthcare operations across the Catholic health system’s 142 hospitals. The attack was discovered on May 8, 2024. The electronic health record system was inaccessible for about 4 weeks. Based on the investigation, the ransomware group gained initial access to an employee’s device through a malicious file the employee downloaded. The attacker then moved laterally to access 7 of Ascension’s 25,000 servers.

The breach report submitted to OCR used a placeholder figure of 500 affected persons. In December 2024, Ascension Health updated the total to 5,599,699 affected patients. As of January 2025, 8 months after their data was stolen, some patients had yet to receive their notification letters.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]