Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Healthcare data breaches exposed 170 million records in 2024

Written by Farah Amod | July 21, 2025

New research reveals a rise in health data breaches, with non-ransomware attacks now the dominant threat.

 

What happened

A new study published in JAMA Network Open shows that healthcare data breaches in the U.S. have more than doubled over the past decade, jumping from 216 incidents in 2010 to 566 in 2024. The number of affected patient records grew even more dramatically, from 6 million in 2010 to 170 million in 2024.

The study reviewed breaches reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) involving at least 500 patient records. Researchers categorized the breaches by type, including ransomware and non-ransomware attacks, unauthorized access, theft, loss, and others.

 

Going deeper

While theft was the leading cause of breaches in 2010, the threat has changed. By 2024, non-ransomware hacking and IT incidents made up 81% of breaches, and ransomware attacks accounted for another 11%. Over the entire study period, the most affected category was non-ransomware hacking, which accounted for 643 million of the 732 million compromised records.

Researchers noted that healthcare organizations often lack the cybersecurity resources to withstand these attacks, and the urgency of patient care makes hospitals especially vulnerable to ransomware disruption. They called for improvements in OCR reporting and stronger tracking of cryptocurrency payments tied to ransom demands.

 

What was said

The researchers stated that hacking incidents, particularly ransomware, were the main drivers of the surge in breaches. They recommended adding mandatory ransomware fields in federal reporting systems to improve clarity and surveillance. They also proposed revising breach severity rankings to reflect how outages affect care delivery and suggested monitoring cryptocurrency flows to deter future ransom payments.

 

The big picture

Patient data remains a frequent target for cyberattacks, given its sensitivity and the impact that service disruptions can have on care delivery. Recent incidents reflect a move away from physical theft toward digital intrusions that affect entire systems. In response, both federal agencies and healthcare organizations may need to strengthen coordination around threat detection, breach reporting, and long-term resilience planning.

 

FAQs

Why are non-ransomware hacking incidents now more common than ransomware in healthcare breaches?

Non-ransomware incidents often involve credential theft, phishing, or silent data exfiltration. These may be harder to detect and can occur without obvious disruption, making them attractive to attackers seeking long-term access or resale opportunities.

 

How is breach severity currently measured by the OCR?

The OCR primarily assesses breach severity based on the number of individuals affected. Researchers argue this method overlooks operational impacts, like delayed care, which may be more harmful in practice.

 

What challenges make healthcare providers especially vulnerable to cyberattacks?

Healthcare entities often operate with outdated systems, limited cybersecurity staff, and urgent care delivery needs that leave little time for incident response planning or infrastructure upgrades.

 

Why is monitoring cryptocurrency relevant to healthcare breach prevention?

Ransom payments are typically demanded in cryptocurrency. Tracking these transactions could help disrupt payment flows, reduce attackers’ incentives, and identify recurring threat actors.

 

What regulatory improvements are being proposed?

Researchers recommend requiring more detailed breach categorization in OCR reports, especially around ransomware, and adjusting federal frameworks to reflect how cyberattacks impact patient safety and system functionality.