
Study: Most healthcare data breaches caused by hacking

Healthcare data breaches have surged over the past 14 years, with hacking or IT incidents increasing from 4% of all breaches in 2010 to 81% in 2024, researchers observed.

Hacking and IT incidents, including ransomware, made up the majority of large healthcare data breaches reported to the HHS Office for Civil Rights in 2024, consistent with recent years. However, hacking has not always dominated healthcare data breach figures, researchers noted in a letter published in JAMA Network Open that analyzed breaches reported to OCR between 2010 and 2024.

Researchers affiliated with Michigan State University, Yale University and Johns Hopkins studied publicly available OCR data, which tracks healthcare data breaches impacting 500 or more individuals. In 2010, theft was the leading cause of healthcare data breaches, followed by unauthorized access, the researchers observed.

It wasn’t until 2017 that hacking became the primary breach cause, reflecting a significant shift in the cyberthreat landscape. As hacking incidents multiplied, healthcare began experiencing higher breach volumes.

For example, the number of protected health information (PHI) data breaches more than doubled over the past 14 years, increasing from 216 in 2010 to 566 in 2024. Hacking and IT incidents increased from 4% to 81% of all breaches in the same period.

"Although hacking or information technology incidents became the leading cause of health care data breaches in 2017, the proportion involving ransomware remains unclear," the research letter noted.

OCR groups healthcare data breaches on its portal into several categories, including hacking or IT incident, theft, improper disposal, unauthorized access and loss, as well as unidentified or unknown causes. Ransomware falls under the hacking or IT incident category, but OCR does not specify on its portal whether an incident involved ransomware.

The researchers paired OCR's data with their own analysis of breaches and labeled each hacking or IT incident as a ransomware hacking or IT incident or a non-ransomware hacking or IT incident. This decision was based on the researchers' analysis of OCR's fully investigated cases, event descriptions, specific indicators of ransom demands and known ransomware groups.

The results showed that ransomware hacking or IT incidents increased from zero reported cases in 2010 to 31% of all healthcare data breach cases in 2021. By 2024, that figure dipped to 11%, with ransomware accounting for 61 of the 566 cases from 2024 analyzed in this study.

Still, hacking remains a top breach cause, and cyberthreat actors are increasingly impacting a larger number of patient records with fewer individual hacks. For example, cyberthreat actors targeted Change Healthcare with a single ransomware attack that rippled throughout the entire U.S. healthcare system.

The number of records impacted by PHI breaches exemplifies this trend. From 2010 to 2024, 732 million records were impacted by healthcare data breaches, and hacking or IT incidents accounted for 88% (643 million) of those.

The researchers noted that their results were limited because these metrics do not show the operational disruptions that can result from a ransomware attack. Additionally, underreporting likely means that the true extent of ransomware's damage to healthcare is uncertain.

"Hospitals, clinics, health plans, and other HIPAA-covered entities are particularly vulnerable to ransomware attacks due to limited cybersecurity resources and the urgency of system recovery for patient care," the research letter stated.

"Mitigation strategies should include mandatory ransomware fields in OCR reporting to improve surveillance clarity, revising severity classifications to account for operational impact, and monitoring cryptocurrency to disrupt ransom payments."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
