Trends in Healthcare Data Breach Statistics
Our analysis of healthcare data breach statistics reveals a consistent upward trend over the past 14 years. Notably, 2021 recorded the highest number of reported breaches since the Office for Civil Rights (OCR) began publishing such data.
The trend continued in 2022, with 720 breaches involving 500 or more records reported to the OCR. The situation worsened in 2023, which set two new records: the highest number of reported breaches and the largest number of affected records in a single year. That year, 725 data breaches were reported, resulting in the exposure or unauthorized disclosure of over 133 million patient records.
The healthcare data breach statistics presented below include only incidents involving 500 or more records, as reported to the Office for Civil Rights (OCR). Although HIPAA mandates the reporting of all data breaches regardless of size, OCR does not publicly disclose details of smaller breaches. The data reflected in the following statistics and graphs encompasses both closed cases and ongoing investigations into potential HIPAA violations.
Between October 21, 2009—when the Office for Civil Rights (OCR) began publishing summaries of healthcare data breaches on its “Wall of Shame”—and December 31, 2023, a total of 5,887 large-scale breaches (involving 500 or more records) were reported. As of January 22, 2023, 857 of these breaches remained under investigation. For comparison, one year earlier, that number stood at 882, indicating minimal progress in reducing the investigative backlog—an issue largely attributed to OCR’s persistent underfunding.
Over the years, the primary causes of data breaches have shifted significantly. From 2009 to 2015, most incidents stemmed from the loss or theft of physical healthcare records and electronic protected health information (ePHI). However, the transition to digital recordkeeping, improved device tracking, and wider adoption of encryption technologies have helped reduce such cases. Similarly, incidents involving improper disposal and unauthorized access or disclosure have shown a downward trend.
Despite these improvements, data breaches have continued to rise due to a sharp increase in hacking and ransomware attacks. According to OCR, between January 1, 2018, and September 30, 2023, hacking-related breaches surged by 239%, and ransomware incidents rose by 278%. In 2019, hacking accounted for 49% of all reported breaches; by 2023, that figure had climbed to 79.7%.
Not only are breaches becoming more frequent—they’re also growing in severity. In 2021, 45.9 million healthcare records were compromised. That number rose to 51.9 million in 2022. But 2023 shattered all previous records, with a staggering 168 million records exposed, stolen, or improperly disclosed. This total included 26 breaches involving over 1 million records and four breaches exceeding 8 million records each. The largest single breach affected 11.27 million individuals, making it the second-largest healthcare breach ever recorded.
Preliminary data suggests a slight decrease in the number of breaches in 2024, though it is too early to draw definitive conclusions, as OCR has yet to finalize all breach reports for the year. While the number of incidents may have declined, the number of compromised records has surged once again—reaching over 276 million. This includes the largest healthcare data breach to date: the ransomware attack on Change Healthcare, which impacted an estimated 190 million individuals.
OCR updates its breach data at least once a month, typically adding the previous month’s figures around the 21st. Be sure to check regularly for the latest trends and updates for the current year.
Healthcare Data Breaches by Year
From 2009 through 2024, a total of 6,759 healthcare data breaches involving 500 or more records were reported to the Office for Civil Rights (OCR). These incidents have resulted in the exposure or unauthorized disclosure of protected health information (PHI) affecting 846,962,011 individuals—more than 2.6 times the population of the United States.
In 2018, healthcare data breaches of this scale were reported at an average rate of about one per day. By 2023, that rate had more than doubled, with an average of 1.99 breaches reported daily. Each day, an average of 364,571 healthcare records were compromised.
While the number of breaches reported in 2024 remained relatively consistent with the previous year, the impact grew significantly. In 2024 alone, the PHI of 276,775,457 individuals was exposed or stolen—averaging an astonishing 758,288 compromised records per day.
