off label.

Consent & data

Is the surge driven by more breaches or by bigger breaches, and where should prevention leverage go?

Reported health-data breaches exposed the records of nearly 290 million people in 2024, the worst year on record. Almost all of the exposure comes from hacking and IT incidents rather than lost laptops, and healthcare providers report the most breaches while business associates are widely under-counted.

Question

The problem

Health data privacy is now a core trust and operations risk for hospitals, payers, vendors, and patients. The national landscape depends on interconnected data flows, but breach exposure can be driven by a small number of very large incidents, weak vendor oversight, or preventable security failures outside the patient relationship.

The recommendation

Treat health data security as patient protection and enterprise risk management. The recommended approach is to reduce mega-breach exposure, strengthen vendor and business-associate controls, segment incident frequency from incident size, and require faster accountability when sensitive records are exposed.

The exposure

The scale, trajectory, and drivers of health-data breaches, and what causes them.

289M
individuals had health data exposed in 2024, the worst year on record
289,162,330 people across 741 large breaches of 500 or more records.
741
large health-data breaches reported to HHS OCR in 2024
Breaches of 500 or more records. Nearly flat since 2021, when there were 715.
5.2×
rise in the average records exposed per breach, 2021 to 2024
From about 75,650 to 390,233 records per breach. The crisis is bigger breaches, not more of them.
94%
of 2024 exposed records came from hacking and IT incidents
259.0M of the 275.1M individuals whose breach cause is published. Severity concentrates even harder than frequency.

Reading the numbers

Who is accountable, who is under-counted, and why recent-year totals keep rising.

+125%
rise in the 2025 exposure total between the February and June 2026 snapshots
From 61.56M provisional to 138.5M, largely from one 62.2M-record breach added later. Recent-year totals are undercounts in progress.
118
breaches attributed to business associates in 2024, an undercount
Covered entities may report on a business associate's behalf, so breaches originating at clearinghouses and aggregators are understated.

Why this matters

Breach notification law requires disclosure after exposure, not prevention before it, and hacking and IT incidents, 94 percent of 2024's exposed records, scale to tens of millions of records per event, so a small number of large intrusions now drive most of the harm. The reporting system adds its own lag: the 2025 total already rose 125 percent between two 2026 snapshots after one breach was added late, meaning any recent-year total is a floor, not a final count, and business-associate attribution undercounts where breaches actually originate.

Recommended actions

  • Direct security investment, not just notification compliance, at large-scale hacking and IT-incident prevention, since that cause accounts for 94 percent of exposed records.
  • Require breach reporting to name the originating entity, not just the reporting entity, to correct the business-associate undercount.
  • Treat any breach total for the current or immediately prior year as provisional and flag the reporting lag explicitly wherever the figure is cited.
  • Prioritize regulatory attention on breach severity and scale, not breach count, since the count has stayed nearly flat for five years.
  • Monitor entity-type trends (provider vs. business associate vs. health plan) across multiple years rather than a single snapshot, since they move independently.

The recommendation

Therefore, treat health data security as patient protection and enterprise risk management. The recommended approach is to reduce mega-breach exposure, strengthen vendor and business-associate controls, segment incident frequency from incident size, and require faster accountability when sensitive records are exposed.

Demographic slice none. HHS OCR breach portal records entity/cause, not patient demographics.

Sources