
HIPAA breaches in 2024: What the numbers say about small providers


This analysis presents a data-driven examination of HIPAA breach reports filed with the OCR, covering both resolved and unresolved cases from 2024. Specifically, it looks at how the breaches affected small healthcare providers (fewer than 100 employees).

 

Utilizing data directly from the OCR, this analysis dissects the reported breaches, focusing on patterns across various dimensions such as breach type, location of breached information, and the presence of business associates.

The raw data can be found here and here.

 

Overall stats

  • 608 total breaches were reported in 2024.
  • 346 cases are still under review, 262 cases have been resolved.
  • The largest single breach affected 5,466,931 individuals.
  • Healthcare providers accounted for 87.8% of the breaches reported in 2024.
  • Business associates accounted for 5.6% of the breaches reported in 2024.
  • Healthcare plans accounted for 6.2% of the breaches reported in 2024.
  • Healthcare clearinghouses experienced only 0.3% of breaches in 2024.
  • Hacking/IT incidents account for the majority of breaches (81.4%), with a significant number attributed to ransomware attacks.
  • A number of incidents involved unauthorized access to patient information through compromised credentials or insider threats.
  • "Email" was a common keyword, appearing in 71 resolved cases (27%), suggesting email-related vulnerabilities play a substantial role in these breaches.
  • The keyword "ransomware" was prevalent in the resolved HIPAA breach descriptions, mentioned in 76 cases (29%), indicating a significant impact of ransomware attacks.
  • "Phishing" was notably mentioned in 50 resolved cases (19%), highlighting its prominence as an email-based security threat.
  • 129 breaches (21%) involved a business associate, highlighting the amplified risk they bring.

 

Smaller healthcare providers accounted for 41% of breaches

Smaller healthcare providers were not immune to HIPAA breaches in 2024. The following insights were gathered looking at the incidents that involved healthcare organizations with fewer than 100 employees.

  • 41.4% of the breaches reported were from small organizations.
  • 139 cases are still under review, 113 cases have been resolved.
  • In total, 10,657,904 individuals were affected by these breaches.
  • The largest single breach affected 2,264,157 individuals.
  • Hacking/IT incidents account for the majority of breaches (82.1%).
  • Email was noted as the location of the breached information for 23.4% of the reported breaches.
  • Ransomware is most frequently mentioned in the breach description of resolved cases, appearing in 35.3% of cases.
  • Email is mentioned in 25.6% of resolved cases.

 

The bottom line

Small healthcare providers may not have the resources of larger institutions, but they’re facing the same cybersecurity threats. If you're a solo practitioner or run a small group practice, now is the time to assess your email security.

 
