Cyber Security  

A Comprehensive Analysis of Healthcare Cyber Attacks: Key Trends and Strategic Recommendations for 2024-2025

I. Executive Summary: The Crisis of 2024 and the Persistent Threat of 2025

The years 2024 and 2025 represent a pivotal period in the cybersecurity landscape of the healthcare industry, marked by a dramatic escalation in the scale and sophistication of cyberattacks. The crisis of 2024 was defined not by the sheer number of incidents, which saw a modest increase, but by an unprecedented, record-breaking total of individuals whose protected health information (PHI) was compromised. A single event, the Change Healthcare attack, stands as a bellwether for the systemic vulnerabilities present in the U.S. healthcare ecosystem, demonstrating how a single point of failure can disrupt care and compromise the data of a significant portion of the nation's population. In 2024 alone, the number of breached healthcare records surged by 64.1% over the prior year's record, reaching a staggering 276,775,457 compromised records, equivalent to over 81% of the U.S. population in that year.  

Entering 2025, the threat has continued unabated, albeit with a statistical shift that could be misinterpreted as a decline. While the total number of affected individuals decreased in the first half of the year compared to the outlier numbers of 2024, the frequency and complexity of attacks have not diminished. The focus of malicious actors has shifted to exploiting vulnerabilities in the supply chain and targeting the human element through advanced social engineering tactics. This period has also highlighted the significant threat posed by internal errors and misconfigurations, proving that not all data exposure originates from external hacking.

The core findings of this analysis are multi-faceted: the immense and permanent value of PHI on the dark web makes the healthcare sector an irresistible target; a critical over-reliance on third-party vendors has created a vast and exploitable attack surface; foundational security controls like multi-factor authentication (MFA) are still not universally implemented; and, most critically, cyber incidents are no longer mere financial or IT problems but have evolved into a public health and safety crisis, directly contributing to delays in patient care and an increase in patient mortality. This report will detail these events and underlying causes, concluding with strategic recommendations to fortify the sector's defenses against a future of persistent and escalating threats.

II. The Unprecedented Scale of 2024: A Year of Systemic Failure

Statistical Breakdown: The Year That Broke Records

The year 2024 was characterized by a massive volume of data compromises, establishing new, sobering benchmarks for the healthcare industry. The FBI's 2024 Internet Crime Report identified healthcare as the critical infrastructure industry with the highest number of reported cyberthreats, totaling 444 incidents, which included 238 ransomware threats and 206 data breaches. A closer examination of the data reveals that while other sectors like critical manufacturing experienced more ransomware incidents (258), healthcare was disproportionately affected by data theft, suffering a higher combined total of ransomware and data theft attacks.  

The sheer scale of the breaches was staggering. In 2024, there were 14 data breaches that each affected more than 1 million individuals. Across these 14 incidents alone, the records of nearly 238 million U.S. residents were compromised, accounting for approximately 70% of the nation's population at the time. All but two of these major breaches were hacking incidents, and eight involved business associates, underscoring the profound risk posed by third-party vendors.  

The following table provides a breakdown of the most significant data breaches of 2024, illustrating the unprecedented scale of the crisis.

Table 1: Top Healthcare Data Breaches by Individuals Affected, 2024

| Rank | Regulated Entity | Individuals Affected | Cause/Type of Incident | Entity Type |
|------|------------------|----------------------|------------------------|-------------|
| 1 | Change Healthcare, Inc. | 190,000,000 | Ransomware/Hacking | Business Associate |
| 2 | Kaiser Foundation Health Plan, Inc. | 13,400,000 | Unauthorized Disclosure (Tracking Pixels) | Health Plan |
| 3 | Ascension Health | 5,599,699 | Ransomware/Hacking | Healthcare Provider |
| 4 | HealthEquity, Inc. | 4,300,000 | Hacking (Third-Party Vendor) | Business Associate |
| 5 | Concentra Health Services | 3,998,163 | Hacking (Third-Party Vendor) | Business Associate |
| 6 | Centers for Medicare & Medicaid Services | 3,112,815 | Hacking | Health Plan |
| 7 | A&A Services d/b/a Sav-Rx | 2,812,336 | Hacking | Business Associate |
| 8 | Acadian Ambulance Service | 2,896,985 | Ransomware/Hacking | Healthcare Provider |


Source: Consolidated from various reports and regulatory filings  

The Defining Event: The Change Healthcare Attack

The Change Healthcare cyberattack was the single most impactful event in the history of healthcare cybersecurity. The incident began on February 12, 2024, when a ransomware affiliate accessed the Change Healthcare network, culminating in the encryption of files on February 21, 2024. Prior to the encryption, the attackers exfiltrated the protected health information of an estimated 190 million individuals, which constituted 69% of all breached records for the year. The attack was orchestrated by the BlackCat/ALPHV ransomware group, who received a $22 million ransom payment.  

This event's significance goes far beyond the astronomical number of records exposed. The attack demonstrated a profound systemic vulnerability within the U.S. healthcare infrastructure. Change Healthcare, a subsidiary of UnitedHealth Group, functions as a critical financial clearinghouse, handling claims, billing, and prescription services for a vast number of providers. The prolonged outage that resulted from the attack paralyzed these operations, disrupting provider revenue cycles and making it difficult for patients to fill prescriptions unless they paid out-of-pocket. The total losses from the incident were projected to exceed $1.5 billion. This incident was a clear-cut case of a critical infrastructure failure, revealing the fragility created by industry consolidation and over-reliance on a single vendor. The fact that the initial access was gained through a Citrix portal that lacked a foundational security control—multi-factor authentication (MFA)—points not just to a technical failing but to a catastrophic failure of governance and risk management within a critical sector.  

Other Major Incidents of 2024

While the Change Healthcare breach dominated the headlines, other significant incidents further painted a picture of widespread vulnerability. In May 2024, Ascension Health, a major Catholic health system, fell victim to a Black Basta ransomware attack that affected nearly 5.6 million patients. This attack severely disrupted clinical operations across the health system's 142 hospitals, leading to postponed surgeries, delayed appointments, and the temporary diversion of ambulances to other facilities. The incident highlights the immediate and tangible impact of cyberattacks on patient care and safety. It was determined that the breach was triggered when an employee inadvertently downloaded a malicious file, underscoring the persistent threat of the human element in cybersecurity.  

Another major incident, affecting 13.4 million individuals at Kaiser Foundation Health Plan, was not a traditional hacking incident. The breach was the result of the health plan using third-party tracking technologies, such as pixels, on its websites and applications that transmitted sensitive user data to companies like Meta and Google, in a manner that was not compliant with Office for Civil Rights (OCR) guidance. This event demonstrates that significant data exposure can result from internal misconfigurations and flawed technology implementations, not solely from malicious external actors. The prevalence of third-party compromises was a consistent theme throughout 2024. For example, the HealthEquity breach affected 4.3 million individuals after a threat actor compromised a vendor's device. Similarly, a breach at A&A Services d/b/a Sav-Rx, a pharmacy benefits management company, exposed the data of over 2.8 million individuals. This confirms a critical shift in adversary strategy, where attackers are increasingly targeting the weaker security postures of interconnected vendors to gain access to the same valuable data.  

III. The Evolving Threat Landscape of 2025: Shifting Targets and New Tactics

Statistical Overview: A Deceptive Dip

The threat landscape in the first half of 2025 presented a complex picture, marked by a statistical "dip" that masks an ongoing, high-level crisis. In the first five months of 2025, 311 data breaches affecting 500 or more individuals were reported to the HHS' Office for Civil Rights (OCR), a 13.1% decrease from the same period in 2024. More strikingly, the number of individuals affected fell by 52.4%, from 48.5 million in early 2024 to 23.1 million in early 2025. However, this apparent reduction is a statistical anomaly, not a true decline in the threat. The 2024 numbers were heavily inflated by the Change Healthcare breach, which affected 190 million individuals and skewed all metrics for the year. Without such a singular, massive event, the number of large-scale incidents remains significant, proving the threat is not abating.  

The Supply Chain Crisis in Focus: A Ripple Effect

The first half of 2025 continued to highlight the immense and persistent threat of supply chain vulnerabilities. A major incident at the healthcare services firm Episource, a business associate that services providers and health plans like Optum and UnitedHealth Group, exposed the data of over 5.4 million individuals in a ransomware-driven intrusion between late January and early February 2025. This event is a clear example of the "ripple effect," where a single breach at a third-party vendor compromises data across multiple client organizations, forcing many, such as Sharp Healthcare, to issue their own breach notifications.  

A separate but illustrative case study occurred in June 2025, when a phishing incident at the business associate Integrated Oncology Network led to data breaches at over 25 radiology and oncology practices across 12 U.S. states. The attack, which affected nearly 123,000 individuals, involved unauthorized access to email accounts and SharePoint. This incident demonstrates that even seemingly small, targeted attacks on a single vendor can have a widespread, multi-state impact, underscoring the critical importance of supply chain risk management.  

Table 2: Top Healthcare Data Breaches by Individuals Affected, 2025 (First Half)

| Rank | Regulated Entity | Individuals Affected | Cause/Type of Incident | Entity Type |
|------|------------------|----------------------|------------------------|-------------|
| 1 | Yale New Haven Health | 5,500,000 | Hacking/IT Incident | Healthcare Provider |
| 2 | Episource | 5,418,866 | Ransomware/Hacking | Business Associate |
| 3 | Blue Shield of California | 4,700,000 | Misconfiguration/Unauthorized Disclosure | Health Plan |
| 4 | Lockton | 1,100,000 | Hacking | Business Associate |
| 5 | Community Health Center, Inc. | 1,000,000+ | Hacking/IT Incident | Healthcare Provider |
| 6 | Frederick Health | 934,000+ | Ransomware | Healthcare Provider |


Source: Consolidated from various reports and regulatory filings  

Other Major Incidents of 2025

Beyond the supply chain, other major incidents underscored the persistent threat from various attack vectors. In March 2025, Yale New Haven Health, one of Connecticut's largest healthcare systems, discovered unusual activity on its IT network that affected over 5.5 million people. The compromised information was extensive, including demographic data, Social Security numbers, and medical record identifiers.  

The breach at Blue Shield of California, which affected 4.7 million members, illustrates a different but equally dangerous threat. This data exposure was not the result of a hacking incident but an "incorrect data merge" where some members could view another member's data on the member portal. This incident, along with the Kaiser Foundation breach in 2024, emphasizes that not all data exposure is caused by malicious external actors. The scope of risk management must be expanded to include internal system misconfigurations and flaws in third-party-supplied technology. This shift in the nature of data compromises demonstrates that as organizations harden their perimeters, the threat surface is moving inward, to the people and processes within the organization.  

IV. Analysis of Key Attack Vectors and Actors

Ransomware: A Dominant and Evolving Weapon

Ransomware remains the single most dominant threat to the healthcare sector. In 2024, 67% of healthcare organizations experienced a ransomware attack, a significant increase from 60% in 2023. The financial burden of these attacks is substantial, with the average cost to recover from a ransomware incident rising to $2.57 million in 2024, up from $2.2 million in 2023. In some instances, the average breach recovery cost was reported to be even higher, at $9.77 million per incident in 2024.  

A major development in 2025 has been the shift in ransomware tactics. The data shows a trend of escalating coercive measures, where ransomware groups are no longer just encrypting data and waiting for payment. They are now contacting company employees via phone, email, and text, and even directly reaching out to individuals whose personal data has been stolen. This is a move toward a more aggressive, high-pressure extortion model, reflecting the immense value placed on the stolen data. The proliferation of ransomware-as-a-service (RaaS) has also lowered the barrier to entry for cybercriminals. The number of active ransomware groups rose from 41 in Q2 of 2024 to 71 in Q2 of 2025, according to one report. This rapid growth, even with the dissolution of major groups like BlackCat/ALPHV and RansomHub, is a testament to the RaaS model, which allows less-skilled actors to purchase "ready-to-go" ransomware packages, ensuring the threat volume remains consistently high.  

Phishing and Social Engineering: The Human Vector

While ransomware is the end result, phishing and social engineering are the primary initial access vectors. A report reveals a stunning 442% surge in phishing attacks from the first to the second half of 2024. This trend is not an accident; it represents a strategic shift by attackers. The June 2025 data breach report is particularly telling, noting that for the first time, email accounts were the most common location of breached data, surpassing network servers. This causal relationship indicates that as organizations fortify their network perimeters, adversaries are systematically targeting the human element, which is often the weakest link. The Change Healthcare attack, while a technical failure due to the lack of MFA, was ultimately an attack that leveraged stolen credentials. The Integrated Oncology Network incident in June 2025 is a textbook example of how a single phishing campaign can trigger a widespread supply chain breach.  

Dominant Threat Groups and Nation-State Actors

An analysis of the threat actors reveals a concentrated effort from specific groups and a broader, more strategic interest from nation-states. In 2024, the FBI identified Akira, LockBit, and RansomHub as the ransomware groups with the most complaints against them. By the second quarter of 2025, new groups had risen to prominence, with IncRansom, Qilin, and Everest being the most active in targeting healthcare.  

Beyond financial gain, there is a clear strategic interest from nation-states in compromising healthcare data. Countries like Russia, China, North Korea, and Iran provide safe harbor for hackers and are known to be interested in the intelligence value of health records. The PHI of Americans, including their personally identifiable information, occupations, and medical conditions, can be leveraged for intelligence collection and potential exploitation, particularly for individuals who may gain prominent positions or security clearances in the future.  

V. The Foundational Vulnerabilities of the Healthcare Sector

The healthcare industry's persistent vulnerability is rooted in a unique combination of high-value data, systemic technological limitations, and human factors. This confluence of weaknesses creates a "perfect storm" for cybercriminals.

The High Value of Protected Health Information (PHI)

Protected health information is the "goldmine" for hackers. The value of a single medical record on the dark web can range from $250 to $1,000, a value that significantly surpasses that of a stolen credit card, which rarely sells for more than $5. The immense value of PHI stems from its permanence and its multiple uses. Unlike a credit card that can be canceled or a bank account that can be frozen, PHI is permanent and can be used for long-term fraud. Attackers use stolen PHI to commit identity theft, file fraudulent medical claims, or obtain prescriptions. The urgency of healthcare operations, where a single minute of system downtime can have life-threatening consequences, creates a powerful incentive for organizations to pay ransoms to regain access to critical systems. This economic model is the core driver of the continuous escalation of attacks.  

Systemic Roadblocks: Technology, Budget, and People

The healthcare sector struggles with foundational challenges that create a fertile ground for cyberattacks. Many organizations continue to use outdated legacy systems, which create "technology roadblocks" and are difficult to secure. Furthermore, cybersecurity budgets are often underfunded. A study revealed that while healthcare is good at identifying serious vulnerabilities, it is exceptionally poor at fixing them in a timely manner. The median time to resolve (MTTR) a serious vulnerability in healthcare is 58 days, and the "half-life" score—the time taken to resolve 50% of identified vulnerabilities—is a staggering 244 days, making it the third-worst industry for this metric. This analysis demonstrates a critical disconnect: while risk analyses may be performed, organizations are unable or unwilling to allocate the resources needed for timely remediation, turning a known vulnerability into a persistent and exploitable weakness.  
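The two remediation metrics cited above, median time to resolve and the "half-life" (the time by which 50% of identified vulnerabilities are closed), are easy to misreport if open findings are dropped from the calculation. The following is an added example, not code from the report or from any of its sources, showing how a vulnerability management team can compute both metrics from its own findings register. The dataset and the 30-day SLA are constructed for illustration; the point of the half-life function is that still-open findings stay in the denominator, so a backlog of unresolved serious issues keeps the half-life undefined rather than making it look good.

```python
"""Vulnerability remediation metrics (MTTR and half-life) over a findings register.
Added illustration; the sample findings and SLA below are constructed, not real data."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass
class Finding:
    finding_id: str
    severity: str
    discovered: date
    resolved: Optional[date]  # None means the finding is still open

    def age_days(self, as_of: date) -> int:
        """Days from discovery to resolution, or to the reporting date if still open."""
        end = self.resolved or as_of
        return (end - self.discovered).days


def mttr_days(findings: List[Finding], severity: str, as_of: date) -> Optional[float]:
    """Median days from discovery to resolution, over resolved findings only.
    This is the usual MTTR figure and says nothing about the open backlog."""
    closed = [f.age_days(as_of) for f in findings
              if f.severity == severity and f.resolved is not None]
    return median(closed) if closed else None


def half_life_days(findings: List[Finding], severity: str, as_of: date) -> Optional[int]:
    """Smallest number of days t such that at least half of ALL identified findings of
    this severity were resolved within t days of discovery. Open findings count in the
    denominator; if fewer than half are resolved at all, the half-life is undefined (None)."""
    cohort = [f for f in findings if f.severity == severity]
    if not cohort:
        return None
    closed_ages = sorted(f.age_days(as_of) for f in cohort if f.resolved is not None)
    needed = -(-len(cohort) // 2)  # ceil(n / 2): how many must be closed to reach 50%
    if len(closed_ages) < needed:
        return None
    return closed_ages[needed - 1]


def sla_breaches(findings: List[Finding], severity: str, sla_days: int, as_of: date) -> List[str]:
    """IDs of findings (open or closed) whose age exceeds the remediation SLA."""
    return [f.finding_id for f in findings
            if f.severity == severity and f.age_days(as_of) > sla_days]


# Constructed sample register; dates and IDs are illustrative only.
AS_OF = date(2025, 6, 30)
SAMPLE = [
    Finding("V-1", "serious", date(2025, 1, 10), date(2025, 1, 25)),
    Finding("V-2", "serious", date(2025, 1, 15), date(2025, 4, 5)),
    Finding("V-3", "serious", date(2025, 2, 1), date(2025, 3, 28)),
    Finding("V-4", "serious", date(2025, 2, 20), None),   # still open
    Finding("V-5", "serious", date(2025, 3, 5), date(2025, 3, 12)),
    Finding("V-6", "serious", date(2025, 3, 15), None),   # still open
    Finding("V-7", "low", date(2025, 1, 5), date(2025, 1, 6)),
]

if __name__ == "__main__":
    print("serious MTTR (days):", mttr_days(SAMPLE, "serious", AS_OF))
    print("serious half-life (days):", half_life_days(SAMPLE, "serious", AS_OF))
    print("serious findings past 30-day SLA:", sla_breaches(SAMPLE, "serious", 30, AS_OF))
```

Run as a script it reports the metrics for the constructed register; in practice the register would be loaded from the scanner or ticketing export. Note that MTTR alone (35 days here) looks healthier than the half-life (55 days) precisely because two serious findings are still open, which is the disconnect between identification and remediation the report describes.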

The human factor also remains a significant vulnerability. Employee negligence has been identified as a primary cause of data loss and exfiltration, and a large percentage of organizations express concern over the risk posed by employee errors. Healthcare staff are often preoccupied with demanding clinical duties and may lack the expertise to recognize and mitigate online threats. The urgent nature of medical care means that security measures that disrupt workflow, even minimally, are often resisted, making the adoption of new security technology difficult.  

VI. Consequences: Financial, Operational, and Patient-Level Impacts

The consequences of cyberattacks in the healthcare industry extend far beyond a financial or reputational hit; they have become a matter of public health and safety.

Financial Fallout

The financial repercussions of healthcare cyberattacks are substantial. The average cost of a healthcare data breach was $4.74 million in 2024, a slight decrease from the previous year. However, a separate report found that the average breach recovery cost in 2024 was much higher at $9.77 million per incident. The Change Healthcare incident, in particular, demonstrated the potential for astronomical losses, with total costs projected to top $1.5 billion. In addition to direct recovery costs, organizations face potential HIPAA violation fines, which can reach up to $1.5 million per year per violation category, as well as significant reputational damage and patient churn.  

Impact on Patient Care

The most profound finding from the 2024 data is the direct and measurable impact of cyberattacks on patient safety. A survey of healthcare organizations revealed that cyberattacks in 2024 led to widespread disruption of patient care. The data indicates that:  

  • 69% of organizations reported that cyberattacks disrupted patient care.  

  • 56% observed delays in medical procedures or tests.  

  • 53% saw an increase in medical complications.  

  • A staggering 28% noted an increase in patient mortality, a 21% rise from the previous year.  

This is the most critical and alarming consequence of the past two years. These statistics shatter the notion that cyber threats are purely an IT problem. The direct causal link between cyber incidents and increases in patient mortality and medical complications elevates cybersecurity from a technical or compliance concern to a life-or-death patient safety imperative.

VII. Strategic Recommendations for a Resilient Future

The events of 2024 and 2025 have provided a clear, albeit painful, blueprint for the strategic and operational changes required to build a more resilient healthcare sector. The following recommendations are derived from an analysis of the key vulnerabilities and trends.

  1. Strengthening Foundational Defenses: The Change Healthcare incident, triggered by the absence of multi-factor authentication (MFA), must serve as a non-negotiable lesson for the entire industry. All organizations must mandate MFA for all network access points, especially those that are externally facing. Furthermore, organizations must prioritize timely patching and vulnerability management to address the abysmal remediation rates identified in 2025. Adopting a programmatic approach to offensive security and regularly conducting red-team exercises can help organizations proactively identify and address weaknesses before they are exploited by adversaries.  

  2. Managing Third-Party and Supply Chain Risk: The overwhelming number of breaches originating from business associates in both 2024 and 2025 necessitates a fundamental re-evaluation of vendor risk management. Healthcare organizations must establish robust, continuous third-party risk management programs that include thorough due diligence, regular security audits, and contractual mandates for cybersecurity standards.  

  3. Investing in People and Processes: The surge in phishing attacks and the documented role of employee negligence in major breaches demands a greater focus on the human element. Organizations must implement continuous cybersecurity awareness training programs and regular phishing simulations to equip staff with the knowledge to recognize and report threats. To address the friction that new security tools can create, organizations should adopt frictionless solutions like Single Sign-On (SSO) and Risk-Based Authentication (RBA), which enhance security without disrupting critical, time-sensitive healthcare workflows.  

  4. Leveraging Advanced Technology and AI: The battle against cyber threats cannot be won without leveraging advanced technology. Strategic use of AI and automation tools can significantly shorten the time required for organizations to detect and contain incidents, with some reports indicating a reduction of 98 days in detection and containment time, leading to substantial cost savings.  

  5. Recommendations for Policy and Governance: A comprehensive solution requires a top-down approach from policymakers. It is critical to support the Department of Health and Human Services' (HHS) proposed updates to the HIPAA Security Rule and new cybersecurity requirements for hospitals. Policymakers should also advocate for increased civil monetary penalties for violations and for greater resources for HHS to enforce compliance, conduct proactive audits, and provide technical assistance to smaller, less-resourced organizations.  

In conclusion, the healthcare industry stands at a critical juncture. The events of the last two years have demonstrated that the traditional approach to cybersecurity is no longer sufficient. The threat is not abstract; it is a clear and present danger to operational viability and, most importantly, to patient lives. A path forward demands a multi-pronged, systemic strategy that integrates robust technical controls, proactive third-party management, continuous human education, and a firm commitment from policymakers to hold the industry accountable for the security of its most valuable asset: patient trust.

Sources used in the report

Here are the URLs of the sources used to create the report:

  • https://socradar.io/biggest-healthcare-cyber-attacks-in-2025/

  • https://swivelsecure.com/solutions/healthcare/healthcare-is-the-biggest-target-for-cyberattacks/

  • https://www.chiefhealthcareexecutive.com/view/these-are-the-biggest-health-data-breaches-in-the-first-half-of-2025

  • https://www.hipaajournal.com/june-2025-healthcare-data-breach-report/

  • https://www.hipaajournal.com/ransomware-attacks-fall-q2-2025/

  • https://www.aha.org/news/headline/2025-05-12-report-health-care-had-most-reported-cyberthreats-2024

  • https://www.aha.org/news/aha-cyber-intel/2025-04-03-3-must-know-cyber-and-risk-realities-whats-ahead-health-care-2025

  • https://www.ibm.com/think/insights/healthcare-industry-attack-trends-2024

  • https://www.hipaajournal.com/biggest-healthcare-data-breaches-2024/

  • https://www.chiefhealthcareexecutive.com/view/unitedhealth-cyberattack-and-more-the-10-biggest-health-data-breaches-of-2024

  • https://www.ifaxapp.com/hipaa/phi-hackers-risks-implications/

  • https://www.crowdstrike.com/en-us/resources/white-papers/healthcare-cybersecurity-2025-staying-ahead-of-emerging-threats/

  • https://www.invensis.net/blog/cyber-threats-to-healthcare-data

  • https://www.hipaavault.com/resources/dark-web-healthcare-phi/

  • https://www.hipaajournal.com/may-2025-healthcare-data-breach-report/

  • https://www.hipaajournal.com/healthcare-industry-vulnerability-remediation-2025/

  • https://aspr.hhs.gov/cyber/Documents/Health-Care-Sector-Cybersecurity-Dec2023-508.pdf

  • https://www.ispartnersllc.com/blog/healthcare-cybersecurity-statistics/