The Change Healthcare data breach is now the largest healthcare breach on record, with 190 million patient records exposed. Initial estimates were around 100 million, but as more details have surfaced, the true scale has become clear.
However, this was just one of many major cyberattacks in 2024. At least 13 other breaches affected over a million patients each, a stark reminder of how vulnerable healthcare organizations remain. Many were the result of hacking, with ransomware attacks causing the most damage.
In February 2024, Change Healthcare, one of the biggest healthcare technology companies in the U.S., suffered a major ransomware attack that sent shockwaves through the industry. The attack, carried out by the BlackCat/ALPHV ransomware group, led to the theft and encryption of sensitive patient data, disrupting healthcare operations nationwide.
The attackers reportedly gained access to Change Healthcare’s network through stolen credentials, taking advantage of a Citrix remote access system that didn’t have multi-factor authentication (MFA) enabled. Once inside, they moved through the network, stealing massive amounts of data before launching ransomware that crippled critical systems.
BlackCat/ALPHV initially demanded a $22 million ransom, which Change Healthcare refused to pay. Instead, the company took affected systems offline and worked with cybersecurity firms to contain the damage. However, things got even more complicated when another group, RansomHub, got hold of the stolen data and also attempted to extort payment. When neither group received a payout, the stolen patient data was left exposed, increasing the risk of identity theft and fraud for millions of people.
Change Healthcare processes about 40% of U.S. medical claims, which means the attack had a widespread impact. Pharmacies, hospitals, and clinics that rely on the company for billing and payment processing faced major disruptions.
Pharmacies across the country struggled to fill prescriptions, and some patients had to pay out of pocket for medications while systems were down. Physicians' offices also faced delays in processing claims, leading to financial strain for smaller healthcare providers. At one point, Change Healthcare’s outage affected over 90% of U.S. pharmacies, forcing many to use workarounds to keep serving patients.
UnitedHealth Group (UHG), Change Healthcare’s parent company, stepped in with billions of dollars in advance payments and interest-free loans to healthcare providers who were unable to process claims. Even so, the total cost of the attack is expected to surpass $2.3 billion.
The breach didn’t just disrupt healthcare operations; it also raised serious concerns about cybersecurity practices in the industry. The Department of Health and Human Services (HHS) launched an investigation into Change Healthcare’s security failures, particularly its lack of MFA on critical systems. At the same time, lawsuits started piling up. One of the biggest came from the Nebraska Attorney General, who accused the company of failing to take basic security precautions that could have prevented the attack.
As of March 2025, Change Healthcare has restored most of its systems and taken steps to improve security. The company has implemented stricter authentication measures and is offering credit monitoring services to affected individuals. But the damage is already done. Millions of patients now have their sensitive health and financial data in the hands of cybercriminals, and the long-term consequences, including identity theft and insurance fraud, are still unfolding.
The Change Healthcare attack is a wake-up call for the healthcare industry. Cyberattacks on medical systems don’t just affect businesses; they disrupt patient care, jeopardize personal data, and shake public trust. With ransomware threats continuing to grow, healthcare organizations must take cybersecurity more seriously or risk becoming the next big target.
Read more: Going deeper: The Change Healthcare attack
A breach at Kaiser Foundation Health exposed the data of 13.4 million patients due to the use of online tracking technologies. These tools, embedded in their websites and apps, may have transmitted patient data to third-party vendors such as Google and Meta. The Office for Civil Rights (OCR) later clarified that using such tracking technologies in ways that disclose protected health information (PHI) violates HIPAA.
In May 2024, Ascension Health fell victim to a Black Basta ransomware attack, disrupting 142 hospitals. The breach originated when an employee unknowingly downloaded a malicious file, which gave hackers access to internal systems. The attack affected nearly 13.4 million patients, and some individuals were not notified until eight months later, leading to criticism over Ascension’s breach response.
HealthEquity experienced a security breach when a hacker gained access to patient files through a third-party vendor, compromising 4.3 million patient records. The attack was carried out via a SharePoint vulnerability, underscoring the risks that external partners pose to healthcare data security.
A cyberattack targeting Perry Johnson & Associates, a medical transcription service, indirectly exposed nearly 4 million patient records linked to Concentra Health. Although the breach initially occurred in mid-2023, Concentra did not confirm its involvement until early 2024, demonstrating how third-party breaches can go unnoticed for months.
A zero-day vulnerability exploited by the Clop ransomware group in May 2023 affected 2,500 organizations, including CMS. However, it was not until May 2024 that CMS confirmed that 3.1 million Medicare patients were affected, indicating the long lag times in breach discovery and reporting.
The Daixin ransomware group targeted Acadian Ambulance Service between June 19 and June 24, 2024, stealing PHI from 2.8 million patients. When Acadian refused to pay the $7 million ransom, the attackers published the stolen data online.
A cyberattack on Sav-RX, a pharmacy benefit management company, occurred in October 2023 but was not disclosed until April 2024. More than 2.8 million patient records were compromised. While details are limited, it is suspected to have been a ransomware attack, and some reports suggest that Sav-RX may have paid a ransom to recover data.
Hackers breached WebTPA Employer Services in April 2023, but the intrusion was only discovered in December 2023. Clients were notified in March 2024, and the breach, impacting 2.7 million patients, was formally reported to OCR in May 2024. The delay in notifying affected individuals led to multiple lawsuits.
Hackers gained access to 2.3 million patient records at Integris Health in November 2023. The cybercriminal group Hunters International later contacted affected patients directly, demanding individual ransom payments of $50 in exchange for deleting their stolen data. This marked a shift in ransomware tactics, as hackers began targeting patients rather than just the breached organization.
A security breach at Medical Management Resource Group (MMRG), which provides administrative support to multiple ophthalmology practices, exposed the records of 2.3 million patients. A hacker infiltrated shared IT infrastructure, allowing access to data across 12 affiliated practices.
In October 2024, the Medusa ransomware group successfully targeted Summit Pathology by tricking an employee into opening a phishing email. The attack impacted 1.8 million patients. Since the stolen data was never leaked, it is believed that Summit Pathology may have paid the ransom.
Unlike the other breaches, Geisinger’s incident did not involve hacking. Instead, an employee of an IT service provider improperly accessed patient files two days after being fired. The lack of adequate offboarding security controls allowed the former employee to access 1.2 million records.
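Two of the control failures described above, the Citrix remote-access portal without MFA and the former contractor whose access survived their termination, are both visible in ordinary authentication logs if someone looks. The following is an added example, not code from Change Healthcare, Geisinger, or any vendor named here: a small Python audit that reads a constructed JSON-lines authentication log, flags successful remote-access logins that completed without MFA, and correlates successful logins against a constructed HR termination feed to surface accounts used after their revocation date. The log format, field names (`ts`, `user`, `src_ip`, `result`, `mfa`, `service`), the sample records, and the termination list are all assumptions made for illustration.

```python
"""Audit remote-access authentication events for two control failures:
successful logins without MFA, and logins by accounts past their
termination date. Added example; field names and records are constructed."""
import json
from datetime import datetime, timezone

# Constructed sample log: one JSON object per line, as a remote-access
# gateway (VPN or Citrix-style portal) might emit. Assumed field names.
SAMPLE_AUTH_LOG = """\
{"ts": "2024-06-01T08:02:11Z", "user": "jsmith", "src_ip": "203.0.113.7", "result": "success", "mfa": true, "service": "remote-access"}
{"ts": "2024-06-01T08:05:40Z", "user": "contractor01", "src_ip": "198.51.100.23", "result": "success", "mfa": false, "service": "remote-access"}
{"ts": "2024-06-01T09:15:02Z", "user": "contractor01", "src_ip": "198.51.100.23", "result": "failure", "mfa": false, "service": "remote-access"}
{"ts": "2024-06-02T10:00:00Z", "user": "jsmith", "src_ip": "10.0.0.5", "result": "success", "mfa": false, "service": "internal-portal"}
{"ts": "2024-06-03T22:41:19Z", "user": "it_vendor_dlee", "src_ip": "192.0.2.55", "result": "success", "mfa": true, "service": "remote-access"}
"""

# Constructed HR feed: account -> moment its access should have been revoked.
# it_vendor_dlee mirrors the pattern above: a login two days after separation.
TERMINATIONS = {
    "it_vendor_dlee": "2024-06-01T17:00:00Z",
}


def parse_ts(value):
    """Parse the assumed ISO-8601 UTC timestamp format used in the sample log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_auth_log(text):
    """Turn JSON-lines text into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    return events


def successful_logins_without_mfa(events, service="remote-access"):
    """Successful logins to the remote-access service that did not complete MFA.
    Failed attempts are ignored; internal services are out of scope here."""
    return [
        e for e in events
        if e["service"] == service and e["result"] == "success" and not e["mfa"]
    ]


def logins_after_termination(events, terminations):
    """Successful logins by any account at or after its HR revocation time."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        cutoff = terminations.get(e["user"])
        if cutoff is not None and e["ts"] >= parse_ts(cutoff):
            findings.append(e)
    return findings


def audit(text, terminations):
    """Run both checks and return a compact summary for reporting."""
    events = parse_auth_log(text)
    return {
        "no_mfa": [e["user"] for e in successful_logins_without_mfa(events)],
        "post_termination": [
            (e["user"], e["ts"].isoformat())
            for e in logins_after_termination(events, terminations)
        ],
    }


if __name__ == "__main__":
    for category, hits in audit(SAMPLE_AUTH_LOG, TERMINATIONS).items():
        print(category, hits)
```

In practice the termination feed would come from the identity provider or HR system rather than a literal dict, and the "no MFA" check is a stop-gap: the durable fix the page points to is enforcing MFA at the gateway so that a success-without-MFA event cannot occur at all. Note that the internal-portal login by jsmith is deliberately not flagged, because the check is scoped to the remote-access service the passage is about.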
Given the frequency and severity of these breaches, OCR has advised healthcare organizations to strengthen their security measures. Entities that cannot demonstrate safeguards may face HIPAA enforcement actions. To reduce cybersecurity risks, OCR recommends that healthcare providers and their business associates:
A ransomware attack often begins with phishing emails, compromised credentials, or software vulnerabilities. Once inside a system, hackers encrypt data and demand payment for decryption. If the victim refuses to pay, the stolen data may be leaked or sold.
Many breaches go undetected for months due to the complexity of healthcare IT systems and reliance on third-party vendors. Delayed reporting is often caused by forensic investigations, regulatory requirements, and attempts to mitigate damage before disclosure.
Hackers sell stolen medical records on the dark web, use them for identity theft, commit insurance fraud, or extort individuals by threatening to release sensitive health information.
Third-party vendors, such as IT service providers and medical transcription companies, often have access to patient data but may lack the same security measures as healthcare organizations. Cybercriminals target these vendors as weak entry points into larger networks.
Patients should monitor their medical records for fraudulent activity, place fraud alerts on their credit reports, change passwords for healthcare portals, and be cautious of phishing attempts that exploit stolen data.