Consent & data
Is the surge driven by more breaches or by bigger breaches, and where should prevention leverage go?
Reported health-data breaches exposed the records of nearly 290 million people in 2024, the worst year on record. Almost all of the exposure comes from hacking and IT incidents rather than lost laptops, and healthcare providers report the most breaches while business associates are widely under-counted.
The problem
Health data privacy is now a core trust and operations risk for hospitals, payers, vendors, and patients. The national landscape depends on interconnected data flows, but breach exposure can be driven by a small number of very large incidents, weak vendor oversight, or preventable security failures outside the patient relationship.
The recommendation
Treat health data security as patient protection and enterprise risk management. The recommended approach is to reduce mega-breach exposure, strengthen vendor and business-associate controls, segment incident frequency from incident size, and require faster accountability when sensitive records are exposed.
The exposure
The scale, trajectory, and drivers of health-data breaches, and what causes them.
Individuals affected by reported health-data breaches, 2021 to 2025
People whose protected health information was exposed in breaches of 500 or more records reported to HHS OCR. Large breaches reported are shown in the table.
Read it this way Individuals affected jumped from 54.09 million in 2021 to a peak of 289.16 million in 2024, then appear to fall to 138.5 million in 2025. That apparent drop is not necessarily real: the caveat notes the 2025 figure already roughly doubled between two 2026 snapshots as late reports were added, so read the last point as a floor, not a final number. Use this chart to distinguish breach frequency, breach size, cause, or entity type, and why the recommendation targets mega-breach containment and vendor oversight.
Caveat OCR portal totals for a given year keep rising as late reports are added. The 2025 total roughly doubled between February and June 2026 after a single 62.2 million-record breach was added. Figures reflect the June to July 2026 capture.
⊞ data table⬇ CSV
| Year | Individuals affected (millions) | Large breaches reported |
|---|---|---|
| 2021 | 54.09 | 715 |
| 2022 | 51.9 | 719 |
| 2023 | 168 | 746 |
| 2024 | 289.16 | 741 |
| 2025 | 138.5 | 772 |
The HIPAA Journal, Healthcare Data Breach Statistics · 2021-2025 · source
Number of large breaches reported per year, 2021 to 2025
Large breaches of 500 or more records reported to HHS OCR. The count is almost flat even as the number of people exposed quintupled, so the surge is not driven by more incidents.
Read it this way The count moves in a narrow band, from 715 in 2021 to a high of 772 in 2025, a change of well under 10 percent, while the individuals-affected chart over the same years shows more than a five-fold rise. That gap is what licenses the conclusion that a few very large incidents, not a wave of new incidents, are driving the exposure crisis. Use this chart to distinguish breach frequency, breach size, cause, or entity type, and why the recommendation targets mega-breach containment and vendor oversight.
Caveat OCR portal counts for recent years keep rising as late reports are added, so 2025 is still provisional.
⊞ data table⬇ CSV
| Year | Large breaches reported | Individuals affected (millions) |
|---|---|---|
| 2021 | 715 | 54.09 |
| 2022 | 719 | 51.9 |
| 2023 | 746 | 168 |
| 2024 | 741 | 289.16 |
| 2025 | 772 | 138.5 |
The HIPAA Journal, Healthcare Data Breach Statistics · 2021-2025 · source
Average records exposed per breach, 2021 to 2025
Individuals affected divided by the number of large breaches each year. Average incident size rose about five-fold from 2021 to 2024, pointing prevention at mega-breaches rather than incident volume.
Read it this way Average breach size roughly tripled between 2022 and 2023 alone, from 72,184 to 225,201 records, then nearly doubled again to 390,233 by 2024, before the 2025 figure fell back to 179,404, a number this chart's own caveat flags as still provisional. These swings move independently of the flat breach-count chart, confirming that incident severity, not incident frequency, is the more volatile variable to track. Use this chart to distinguish breach frequency, breach size, cause, or entity type, and why the recommendation targets mega-breach containment and vendor oversight.
Caveat Derived by dividing each year's individuals-affected total by its breach count. The 2025 figure is provisional and will rise as late reports are added.
⊞ data table⬇ CSV
| Year | Average records per breach | Individuals affected (millions) | Large breaches |
|---|---|---|---|
| 2021 | 75650 | 54.09 | 715 |
| 2022 | 72184 | 51.9 | 719 |
| 2023 | 225201 | 168 | 746 |
| 2024 | 390233 | 289.16 | 741 |
| 2025 | 179404 | 138.5 | 772 |
The HIPAA Journal, Healthcare Data Breach Statistics · 2021-2025 · source
Reported health-data breaches by cause, 2024
Number of large breaches reported to HHS OCR in 2024 by cause category.
Read it this way Hacking and IT incidents account for 589 of the 725 breaches with a stated cause, more than five times the next largest category, unauthorized access or disclosure, at 114. Loss and theft (18) and improper disposal (4) are far rarer, and loss/theft has no published individuals-affected total, so this chart speaks to how often each cause occurs, not to how many people it exposed. Use this chart to distinguish breach frequency, breach size, cause, or entity type, and why the recommendation targets mega-breach containment and vendor oversight.
Caveat Loss and theft are reported as one combined category. OCR does not publish an aggregate individuals-affected total for it, so only its breach count is shown here.
⊞ data table⬇ CSV
| Cause | Breaches | Individuals affected |
|---|---|---|
| Hacking / IT incident | 589 | 259037984 |
| Unauthorized access / disclosure | 114 | 16099437 |
| Loss / theft | 18 | not published |
| Improper disposal | 4 | 10309 |
The HIPAA Journal, 2024 Healthcare Data Breach Report · 2024 · source
Reading the numbers
Who is accountable, who is under-counted, and why recent-year totals keep rising.
Reported breaches by entity type, 2021 to 2025
Which regulated entity reported each breach. Provider reporting dominates and is steady, business-associate reporting swings, and health-plan reporting falls.
Read it this way Healthcare-provider reporting stayed the largest and steadiest line, from 516 in 2021 to 575 in 2025, while business-associate reports swung between 93 and 172 and health-plan reports declined from 104 to 59. Because covered entities may report on a business associate's behalf, the business-associate line likely undercounts where breaches actually originate. Use this chart to distinguish breach frequency, breach size, cause, or entity type, and why the recommendation targets mega-breach containment and vendor oversight.
Caveat These are reporting-entity counts, not root-location-of-breach counts. Business-associate breaches are under-represented because covered entities may report on their behalf.
⊞ data table⬇ CSV
| Year | Healthcare provider | Business associate | Health plan |
|---|---|---|---|
| 2021 | 516 | 93 | 104 |
| 2022 | 504 | 129 | 86 |
| 2023 | 469 | 172 | 103 |
| 2024 | 543 | 118 | 77 |
| 2025 | 575 | 136 | 59 |
The HIPAA Journal, Healthcare Data Breach Statistics · 2021-2025 · source
Reported health-data breaches by entity type, 2024
Breaches are attributed to whichever regulated entity reported them.
Read it this way Healthcare providers reported nearly five times as many breaches, 543, as business associates, 118, in 2024, but the caveat here matters: that gap is partly an artifact of who is allowed to file the report, since a covered entity can report on a business associate's behalf. Read this chart as who filed the report, not as a map of where breaches actually start. Use this chart to distinguish breach frequency, breach size, cause, or entity type, and why the recommendation targets mega-breach containment and vendor oversight.
Caveat Business-associate breaches are under-represented, because covered entities are permitted to report on a business associate's behalf. These are reporting-entity counts, not root-location-of-breach counts.
⊞ data table⬇ CSV
| Entity type | Breaches reported (2024) |
|---|---|
| Healthcare provider | 543 |
| Business associate | 118 |
| Health plan | 77 |
The HIPAA Journal, Healthcare Data Breach Statistics · 2024 · source
How the 2025 exposure total more than doubled in four months
The 2025 individuals-affected total as it was revised upward between reporting snapshots. Values are in millions of individuals.
Read it this way A single breach, the Conduent Business Services incident, added 62.2 million people to the 2025 total on its own, more than doubling the February 2026 provisional figure of 61.56 million, with other late reports adding a further 14.74 million to reach 138.5 million. This licenses the conclusion that recent-year totals are still climbing as reports trickle in, so any 2025-or-later figure quoted elsewhere should be treated as a floor, not a final count. Use this chart to distinguish breach frequency, breach size, cause, or entity type, and why the recommendation targets mega-breach containment and vendor oversight.
Caveat The 61.56 million February 2026 provisional figure and the 62.2 million Conduent Business Services breach are stated in the source's notes, not as separate structured fields. The other late reports are the remaining rise needed to reach the current 138.5 million total.
⊞ data table⬇ CSV
| Stage | Individuals affected (millions) |
|---|---|
| February 2026 provisional | 61.56 |
| Conduent Business Services breach added | 62.2 |
| Other late reports | 14.74 |
| June 2026 current total | 138.5 |
The HIPAA Journal, Healthcare Data Breach Statistics · 2026 · source
Why this matters
Breach notification law requires disclosure after exposure, not prevention before it, and hacking and IT incidents, 94 percent of 2024's exposed records, scale to tens of millions of records per event, so a small number of large intrusions now drive most of the harm. The reporting system adds its own lag: the 2025 total already rose 125 percent between two 2026 snapshots after one breach was added late, meaning any recent-year total is a floor, not a final count, and business-associate attribution undercounts where breaches actually originate.
Recommended actions
- Direct security investment, not just notification compliance, at large-scale hacking and IT-incident prevention, since that cause accounts for 94 percent of exposed records.
- Require breach reporting to name the originating entity, not just the reporting entity, to correct the business-associate undercount.
- Treat any breach total for the current or immediately prior year as provisional and flag the reporting lag explicitly wherever the figure is cited.
- Prioritize regulatory attention on breach severity and scale, not breach count, since the count has stayed nearly flat for five years.
- Monitor entity-type trends (provider vs. business associate vs. health plan) across multiple years rather than a single snapshot, since they move independently.
The recommendation
Therefore, treat health data security as patient protection and enterprise risk management. The recommended approach is to reduce mega-breach exposure, strengthen vendor and business-associate controls, segment incident frequency from incident size, and require faster accountability when sensitive records are exposed.
Demographic slice none. HHS OCR breach portal records entity/cause, not patient demographics.
Sources
- Breaches Affecting 500 or More Individuals (HHS OCR Breach Portal) · 2026
- Healthcare Data Breach Statistics, Updated for 2026 (The HIPAA Journal) · 2026
- 2025 Healthcare Data Breach Report (The HIPAA Journal) · 2026
- 2024 Healthcare Data Breach Report (The HIPAA Journal) · 2025
- 2022 Healthcare Data Breach Report (The HIPAA Journal) · 2023