When Change Healthcare first announced it suffered a cybersecurity breach in February 2024, it wasn’t known it would be the largest healthcare data breach reported to federal regulators.
But it wasn’t the only large-scale breach in the industry that year. Today, patients are tasked with keeping their personal, private information safe from cybercriminals, but they also rely on the security measures imposed by their service providers.
When interacting with medical institutions, patients often share highly sensitive information and trust it will be protected, whether the data includes Social Security numbers, bank account details or medical records. Since these organizations hold the sensitive data of all their patients, they become attractive targets for cybercrime. With one attack, the criminal can access millions of people’s information. The intimate nature of the healthcare sector means this data is particularly sensitive, and therefore, the ramifications of a breach can be far more dangerous.
2024 was a particularly eventful year for healthcare’s cybersecurity teams. HHS’ Office for Civil Rights currently counts 869 healthcare data breaches under its investigation that have been reported in the last 24 months. While some of these have affected only a few hundred people, the worst breaches have targeted millions of patients.
The full extent of the breaches’ damage might not fully be known for years, but it is possible to review the key components of these cybersecurity failings. From there, healthcare organizations can draw a few key takeaways on how to better protect patient data going forward.
Top healthcare cyberattacks of 2024
Although several large-scale breaches were reported in 2024, many of these actually occurred in 2023 and were only brought to public attention the following year. Of the breaches that happened in 2024, there were five that affected 2.5 million patients or more.
Change Healthcare
Type of breach: Ransomware.
Number of individuals affected: 190 million.
Length of breach: 25 days for medical claims, nine months for full clearinghouse services.
The most high-profile health data breach of 2024 was at Change Healthcare, a subsidiary of UnitedHealth Group. The cyberattack first occurred on Feb. 11 but was not detected for nine days, at which point the breach was severe enough to require Change Healthcare to disconnect more than 100 services and go offline.
It was quickly determined to be a ransomware attack, for which BlackCat/ALPHV claimed responsibility. While it is still unconfirmed whether the organization paid the ransom to the hackers — or how much the sum was — Change Healthcare has since reported a full restoration of its services. Security researchers identified a payment to the ransomware attackers on March 1 in the amount of 350 bitcoins — approximately $22 million — which could have been a payment from Change Healthcare.
Since the scale of the data breach is so large, it has taken almost a full year for Change Healthcare to review all the affected data. The organization has sent letters in batches to affected patients as they were identified. Reviews of the cyberattack suggest compromised information included both personal and protected health information (PHI), but there has been no evidence of this information being misused.
Since the incident occurred, Nebraska Attorney General Mike Hilgers has filed a lawsuit against Change Healthcare for its role in the breach, claiming they implemented insufficient security measures and exacerbated the attack with their policies. It is estimated that of the 100 million affected individuals, at least 575,000 are Nebraskans.
Kaiser Foundation Health Plan
Type of breach: Accidental data sharing.
Number of individuals affected: 13.4 million.
Length of breach: Unknown.
The cybersecurity breach at Kaiser Foundation Health Plan was slightly different from others on the list. It involved the accidental sharing of certain data with third-party vendors as opposed to a criminal attack. It is thought that a misunderstanding over configurations led to the unintended sharing of data. The problem has since been fixed, but it is unclear how long they had been sharing this data.
Rather than highly sensitive patient information, such as bank account numbers and Social Security numbers, the shared data included members’ names, IP addresses and browsing activity on Kaiser sites. However, this data could still be used to inform targeted advertising or other marketing efforts. Some of the vendors that might have received this information include Microsoft, Google and X (formerly Twitter).
Kaiser reported the breach to the HHS on April 12 and began notifying affected patients at the end of that month. No misuse of the data has been detected as yet.
Later in the year, Kaiser reported a secondary breach in Southern California that occurred in September 2024. It is estimated to have affected 44,600 people, according to HHS’ Office for Civil Rights.
Ascension Health
Type of breach: Accidental download of corrupted file.
Number of individuals affected: 5.6 million.
Length of breach: Six weeks.
On May 8, 2024, Ascension Health detected unusual activity on its network and discovered there had been a cybersecurity breach. The attack compromised several company systems, hindering access to electronic health records, MyChart, some phone systems, and systems used for ordering tests and medications.
It took the healthcare provider six weeks to fully restore access to all systems. Through third-party investigations, it was ultimately uncovered that the breach occurred when an individual employee accidentally downloaded a corrupted file.
Ascension has not been able to confirm exactly what data was accessed, but they have confirmed the types of information accessed include “medical information, payment information, insurance information, government identification and other personal information.”
HealthEquity
Type of breach: Unauthorized access.
Number of individuals affected: 4.3 million.
Length of breach: Unknown/no disruption to activity.
The HealthEquity breach occurred on March 9 when a partner’s user account was accessed by an unauthorized party that then transferred personal information off their systems. HealthEquity identified this breach through routine monitoring on March 25, but there was no formal disruption to their services. After a review, HealthEquity confirmed no malware was found within their systems.
The unauthorized party accessed protected medical information, some of which might be unrecoverable. This breach affected nearly 4.3 million HealthEquity members.
It took several months to conclude a full internal investigation of the data breach, which ended in late June. In the breach notice, the organization reported exposed information might include names, contact information, employer information, Social Security numbers, health plan details, diagnoses, prescription information and details about HealthEquity benefits and accounts.
Since the incident, HealthEquity announced it has taken steps to strengthen its cybersecurity policies.
Acadian Ambulance Service
Type of breach: Ransomware.
Number of individuals affected: 2.9 million.
Length of breach: Unknown/no disruption to services.
In June 2024, Acadian Ambulance Service (AAS) experienced a cyberattack. Daixin Team claimed responsibility for the breach and originally reported it had obtained 10 million unique data records, but the formal report to the HHS’ Office for Civil Rights showed the number to be substantially lower. The attack occurred sometime between June 19 and June 21, when an unauthorized party accessed AAS’ systems. Daixin Team claims to have demanded a ransom of $7 million. There is no confirmation of payment being made by AAS, though they did originally offer a payment of $173,000.
Information shared in the breach could have included names in combination with dates of birth, Social Security numbers, addresses and medical information collected during the intake process.
As with many of the other breaches on this list, Acadian Ambulance Service has not yet found any data misuse cases. All patients affected by the breach have been contacted, and AAS has offered complimentary identity theft protection services and credit monitoring.
The importance of cybersecurity in healthcare
Protected information is used to access many services, including medical care and credit lending. In healthcare systems, the information shared between patient and provider extends to more than just the usual personal data and includes PHI, such as diagnoses, prescriptions and health insurance information. This information could be used nefariously if it lands in the wrong hands. This is why healthcare organizations need to maintain high cybersecurity and data security standards — to protect the information that patients have entrusted them with.
To formalize this system and give healthcare providers clear metrics on their obligations to protect PHI, the federal government enacted the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA explained
Under HIPAA, covered entities — such as health plans, healthcare clearinghouses and healthcare providers that use electronic transactions — must maintain a specific standard to look after and secure the protected health information of their patients.
The act’s Privacy Rule lets patients look at and hold copies of their own medical records, request corrections and limit their health plan’s exposure to medical treatments paid for in cash. It applies to specific PHI, such as common identifiers, the patient’s medical condition over time, received care and payment statuses for healthcare services. Meanwhile, the Security Rule requires covered entities to meet specific standards to secure patients’ electronic PHI, such as developing appropriate and reasonable security policies.
Another component is the HIPAA Breach Notification Rule, which states that covered entities must notify patients, HHS, and, in certain cases, the media in the event of a PHI breach. Notifications must be made to HHS within 60 days of identifying the breach — or annually in the event of breaches that affect fewer than 500 people. This rule also applies to business associates, whether they have been impacted by or enacted a security breach. HHS’ Office for Civil Rights enforces HIPAA and its various rules.
Takeaways from the healthcare cyberattacks of 2024
Cybersecurity capabilities improve year over year, but the scale of the top healthcare cyberattacks of 2024 showed that there are still serious security vulnerabilities within the sector. Just as new technology can provide better safeguards, bad actors can use it to break into protected systems. By looking at the source of these data breaches, their nature, and their ultimate resolution, healthcare organizations can glean a few important takeaways on how to better avoid such attacks in the future.
Looking at the breaches of 2024, important takeaways include the following:
Consistent, thorough system reviews are critical to catching breaches early
As seen with the Ascension Health breach, not every cyberattacker will ring the alarm on their way out. Some attacks are about maintaining long-term access to data without the organization noticing, so there is a larger window to copy, move and potentially misuse information.
If the attackers don’t announce their work and demand a ransom, it falls on the institution to spot the incident and take action. By practicing regular, comprehensive security reviews, organizations can increase their chances of catching an attack in its early stages, mitigating the scale and scope of the attack.
Breaches don’t need to be malicious or intentional to cause harm
While many data breaches result from active cyberattacks, the Kaiser Foundation breach was an example of how data can be leaked accidentally and without ill intent — and still negatively affect millions of patients. In that instance, a misconfiguration of settings led to the sharing of protected information, rather than a nefarious criminal attack.
Nevertheless, patient data was compromised and could still be misused as a result. This shows how important it is for organizations to take extra care when setting up their networks and sharing any data with third parties, to meet HIPAA standards and keep their customers’ data secure.
A single breach could compromise services for months, so prevention is paramount
The Change Healthcare security breach affected not only 190 million people, but also caused issues with service delivery for months after the breach was detected. The organization took meaningful action to resolve the issue, but it still required substantial time to restore service to its original levels due to the severity of the attack.
This is a clear example of how organizations are limited in their ability to respond to cyberattacks. Therefore, prevention is the most helpful tool. By investing in security measures and reducing vulnerabilities, institutions will see greater results than solely investing in their response.
Madeleine Streets is a senior content manager for WhatIs. She has also been published in ‘TIME,’ ‘WWD,’ ‘Self’ and ‘Observer.’