Key Findings
- This report analyzes 734 data breaches, each affecting 5000+ individuals, in 2024, an average of over two per day.
- Ransomware was the leading cause of breaches, followed by third-party system compromise, e-mail compromise, and phishing.
- More than 90% of breaches affected the US, followed by Australia and the UK.
- The average HIPAA enforcement penalty in 2024 was over $554,000.
- There were 32 mega-breaches affecting more than 10 million people, and 57 large-scale breaches affecting between 1 and 10 million.
- 342 breaches affected between 10,000 and 100,000 people.
- Through April 30, 2025, there have been 238 official Healthcare data breaches affecting more than 20 million individuals.
- A majority (56%) of Healthcare data breaches in 2025 compromised data on network servers.
Recommended Mitigations
- Encrypt all sensitive data in transit and at rest, especially personally identifiable information (PII), protected health information (PHI) and financial data.
- Continuously identify and assess the risk and exposure of all network-connected assets that store or process sensitive data.
- Harden these assets by applying patches, replacing weak credentials and disabling unnecessary services.
- Identify and restrict network connectivity to assets storing or processing sensitive data by implementing network segmentation and network access control.
- Monitor traffic to and from assets with sensitive data to detect and respond to potential breaches in real time.
Data breaches now impact organizations across all sizes and sectors, often exposing the personal and sensitive information of millions. These incidents are typically the result of ransomware attacks, hacktivist campaigns or other cybercriminal activity.
Ransomware actors have largely moved away from traditional encryption-based extortion tactics to more aggressive “double extortion” models where data is first exfiltrated then encrypted. Some groups are even abandoning encryption completely in favor of pure data theft. For example, Hunters International has a new rebrand dubbed ‘World Leaks’ focusing solely on data exfiltration. This trend is driven by increased law enforcement scrutiny of gangs that encrypt data, a decline in ransom payments throughout 2024, and the continued growth of underground markets for trading stolen data.
Healthcare Delivery Organizations (HDOs) remain among the most targeted sectors due to the high value of the data they store, and the challenges inherent in securing their complex networks.
To better understand the scale and nature of current data breaches, we analyzed a dataset of over 700 breaches that either occurred in 2024 or were disclosed to victims during that year. Our analysis highlights key statistics, including the number of individuals affected, breach causes, and broader industry impact. In addition, we extend our analysis into 2025 to identify early trends and explore preventative strategies.
The dataset includes only breaches affecting 5,000 or more individuals, and only where the number of affected individuals was publicly confirmed. As a result, the report excludes breaches affecting fewer than 5,000 individuals, as well as those lacking verified impact data. This limitation may exclude certain incidents, particularly those in smaller organizations or jurisdictions with less stringent reporting requirements. Undisclosed breaches or those that did not report the number of affected individuals are also outside the scope of this analysis.
A Review of Data Breaches In 2024: Healthcare and Financial Services at the Top
By consolidating breach reports from news articles, public records from multiple US states, and the U.S. Department of Health and Human Services (HHS) breach portal, we compiled a dataset of 734 data breaches reported in 2024. Where available, we enriched the dataset with metadata, such as date of breach, impacted industry, affected country, and types of data compromised.
These breaches impacted 717 unique organizations. Notably, nine organizations experienced two breaches in the same year, and three organizations were breached three times. Of the 12 organizations with multiple breaches, five operate in the Healthcare sector.
The dataset reveals an average of over 60 breaches per month, roughly two per day. Over 90% of these incidents affected entities in the US. This is partly due to the US-centric nature of our data sources, but also reflects a persistent trend: the US continues to be the most targeted country by ransomware operators and other threat actors. Australia and the UK were the second and third most affected countries respectively.
Collectively, these breaches affected a total of 2,447,878,758 identities – almost two and a half billion, averaging over three million individuals per incident. While these numbers are staggering, two caveats are important:
- Many individuals are likely affected by more than one breach, and thus counted multiple times. Without access to the underlying breached assets, deduplication is not possible. However, several incidents affected hundreds of millions of unique identities globally, so estimating over a billion unique identities impacted is not unreasonable.
- The average is skewed by a small number of massive breaches, such as the Ticketmaster breach in May which affected 560 million people worldwide – more than 1.6 times the US population. A more representative picture emerges in the distribution:
- 47% of breaches affected between 10,000 and 100,000 people.
- 57 large breaches affected 1 to 10 million individuals.
- 32 data breaches exceeded 10 million individuals.
The figure below displays the number of individuals affected by data breaches across various industries. While Media & Entertainment appears as the most impacted sector, this is primarily due to the Ticketmaster breach. When this outlier is excluded, the entertainment industry drops to seventh place. The top three most affected sectors then become Healthcare, Financial Services and Services (including legal and professional).
When ranking industries by number of breaches, rather than by number of affected individuals, the order shifts slightly. Healthcare and Financial Services remain the most frequently breached sectors, followed by Retail.
This ranking aligns with findings from national reports in other countries. The Office of the Australian Information Commissioner publishes twice-yearly reports on data breaches affecting Australian organizations, in which Healthcare has often been the most impacted sector, with Financial Services and Retail also frequently appearing in the top 5. Similarly, the UK Home Office releases an annual “Cyber security breaches survey”, whose most recent edition lists both “Finance and Insurance” and “Health or Social Care” among the most affected sectors.
While the cause of breach could not be determined in all cases, cause data was available for more than 300 incidents. Among these, ransomware was by far the most common cause, followed by third-party system compromises. Additional causes, not reflected in the chart, include credential stuffing, SIM swapping and accidental disclosure via APIs, misdirected e-mails or public repositories.
In total, 47 distinct ransomware groups were linked to the breaches in our dataset, with the most active groups highlighted in the figure below.
Similarly, while detailed information on exposed data was not available for every incident, we analyzed a subset of 429 breaches where such information was disclosed. From this subset, we identified the most commonly compromised data types.
The Impact of Data Breaches: Attacker Profit and Victim Loss
Stolen data is frequently traded on underground markets, where prices remain alarmingly low, making sensitive information easily accessible to cybercriminals. Based on research from criminal marketplaces:
- Basic personal details (e.g. names and addresses) typically sell for $5 to $15.
- Full identity profiles (“Fullz”), which often include Social Security numbers and birth dates, are priced between $20 and $100.
- Scanned passports and U.S. driver’s licenses fetch $100 and $150, respectively.
- Credit card data ranges from $15 to $120, depending on the account balance.
- Cloned credit cards with PINs are available for $20 to $25.
- Hacked online banking logins sell for $35 to $65, while compromised PayPal accounts go for just $3 to $10.
- Even hacked social media accounts, such as Facebook, are listed for between $6 and $45.
These accounts are often bundled and sold in bulk, typically after an initial exploit attempt by the seller. Buyers understand that many of the accounts will already be shut down or otherwise unusable.
In some cases, attackers seek additional revenue streams through more targeted extortion. For example, in the Integris Health ransomware breach, attackers not only sold stolen data on the dark web, but also contacted the victims directly. Victims were offered the chance to pay $50 to remove their details, or just $3 to view information belonging to any other impacted individual.
Beyond the harm to individuals, organizations bear significant cost from data breaches. These include operational downtime, incident response expenses, reputational damage, ransom demands, and, often, regulatory penalties. In the US Healthcare sector, such penalties are governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Other jurisdictions and industries impose their own regulatory frameworks, creating an increasingly complex compliance landscape.
According to data from the HIPAA Journal, there were 15 settlements and six civil monetary penalties issued for HIPAA violations in 2024. The penalties ranged from $10,000 to $4.75 million, with an average of just over $554,000. This represents a 61% increase in total enforcement actions compared to the 13 reported in 2023, and a 73% increase in the average penalty amount.
Beyond financial penalties, academic research suggests that breach remediation efforts, many of which are mandated by the HHS, are correlated with a “deterioration in timeliness of care and patient outcomes” in HDOs.
In severe cases, a data breach can result in a company’s complete shutdown. One notable example is National Public Data, a data broker that aggregated information from public sources. The company suffered a major breach in August, filed for bankruptcy in October following multiple lawsuits and mounting liabilities related to credit monitoring for hundreds of millions of affected individuals, and ceased operations entirely in December. The stolen data, originally advertised by a threat actor known as “USDoD” for $3.5 million, was ultimately leaked for free.
In the next section, we examine a similarly high-impact case from the Healthcare sector in Australia.
Concrete Examples: The MediSecure and Ansgar Cases
MediSecure, an Australian e-prescription provider, suffered a significant ransomware attack on April 13, 2024, resulting in a large-scale data breach. According to the Australian Department of Home Affairs, approximately 12.9 million individuals were affected. In a public statement issued on June 3, MediSecure disclosed that the financial impact of the breach forced the company into administration, following a denied bailout request to the Australian federal government.
Subsequently, on June 22, a threat actor operating under the alias “ansgar” posted an advertisement on a prominent underground forum, offering access to the stolen database. The actor claimed the dataset “includes information on citizens, insurance numbers, phone numbers, addresses, full names, supplier information, contractor information, email, user+passwords for MediSecure website, prescription information, […]”.
Initially priced at $50,000, the database was later reduced to $25,000. The seller alleged that the dataset had already been sold once, and was intended to be sold one more time.
The threat actor demonstrated continued interest in Healthcare-related data. On the same day as the MediSecure advertisement, and on the same underground forum, “ansgar” offered access to the CRM systems of two US hospitals, one in Tennessee and one in New Hampshire, for $2,500.
The following month, the actor listed an additional 9GB database allegedly obtained from the U.S. Health Department containing “mlns [sic] of personal info” including “personal info of US citizens, NPI, zip, addreses [sic], full name and etc.” for a price of $35,000.
It remains unclear whether any of the transactions, including the MediSecure dataset, were successfully completed, as the forum activity does not provide confirmation of sales.
According to ransomware aggregator feeds, the attack on MediSecure has been attributed to the RansomHub group. At the time of writing, the original post by RansomHub is no longer accessible. This may be due to the group migrating its infrastructure to the DragonForce Ransomware-as-a-Service (RaaS) affiliate program. As a result, we cannot confirm whether “ansgar” is directly affiliated with RansomHub or acting as a reseller of stolen data.
Healthcare Data Breaches in 2025: in Focus
As demonstrated in the preceding sections, Healthcare organizations are the most frequently breached, most likely to experience multiple breaches, and second only to one other sector in terms of individuals affected. The consequences are severe, both for patient safety and organizational viability. For these reasons, we conducted a deeper analysis of Healthcare breaches to date in 2025.
As of April 30, 2025, a total of 238 data breaches had been reported on the HHS breach portal, which lists any incident affecting 500 or more individuals. Of these, nine breach investigations had been concluded, while 229 remained ongoing.
These breaches impacted a combined 20,627,232 individuals, an average of 86,669 per breach. Four incidents each affected over one million people. By type of reporting entity:
- 74% of breaches occurred at Healthcare providers
- 17% at business associates
- 9% at health plans
The figures below show a breakdown of the 2025 Healthcare breaches by type and location of compromised information. Notably, 77% of these breaches were attributed to “Hacking/IT incidents”, a figure consistent with the trend we reported last year, which highlighted the dramatic rise in such incidents from 0% in 2009 to nearly 80% by 2024.
The most significant finding from the 2025 data is that 56% of all Healthcare breaches affected data stored on network servers. This underscores the importance of treating servers as critical assets within Healthcare environments, and prioritizing their protection to prevent future breaches.
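The 2025 breakdown above (share of breaches by entity type, by breach type, and by location of the compromised information) and the 2024 distribution caveat earlier in the report (a mean dragged up by a handful of huge breaches, so size bands and the median are the more representative figures) can both be reproduced from the HHS breach portal's CSV export. The Python below is an added example written for this page, not Forescout's or Vedere Labs' analysis code. It assumes the portal's export column names (an assumption about the current export format) and runs on a small constructed set of fictional rows embedded inline. One detail worth handling explicitly: the "Location of Breached Information" column is multi-valued, so a breach listed as "Network Server, Email" has to be counted once under each location when computing a "share of breaches affecting network servers" figure, and those shares can then sum to more than 100%.

```python
"""Breach-portal style breakdowns on a constructed sample.

Added example for this page, not the report's own analysis code. The column
names below are an assumption about the HHS breach portal CSV export; the rows
are fictional and only illustrate the computation.
"""
import csv
import io
import statistics
from collections import Counter

# Constructed sample in the layout of the HHS breach portal CSV export
# (column names assumed; every row is fictional). All rows are >= 500
# individuals, matching the portal's reporting threshold.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,TX,Healthcare Provider,12000,01/15/2025,Hacking/IT Incident,Network Server,No
Example Clinic B,OH,Healthcare Provider,3500,01/20/2025,Unauthorized Access/Disclosure,Email,No
Example Billing Co,CA,Business Associate,1500000,02/02/2025,Hacking/IT Incident,"Network Server, Email",Yes
Example Health Plan,NY,Health Plan,60000,02/10/2025,Hacking/IT Incident,Network Server,No
Example Clinic C,FL,Healthcare Provider,800,02/11/2025,Theft,Laptop,No
Example Clinic D,WA,Healthcare Provider,2500000,03/01/2025,Hacking/IT Incident,Other,Yes
Example Clinic E,IL,Healthcare Provider,25000,03/05/2025,Improper Disposal,Paper/Films,No
Example Clinic F,GA,Healthcare Provider,9000,03/09/2025,Hacking/IT Incident,"Network Server, Electronic Medical Record",No
"""

# Size bands used in the report (10k-100k, 1M-10M, >10M) with the gaps filled in.
SIZE_BUCKETS = [
    ("<10k", 0, 10_000),
    ("10k-100k", 10_000, 100_000),
    ("100k-1M", 100_000, 1_000_000),
    ("1M-10M", 1_000_000, 10_000_000),
    (">10M", 10_000_000, float("inf")),
]


def load_breaches(csv_text):
    """Parse portal-style CSV rows: normalise the count to an int and split the
    multi-valued location field into a list."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Individuals Affected"] = int(row["Individuals Affected"].replace(",", ""))
        row["Locations"] = [
            loc.strip() for loc in row["Location of Breached Information"].split(",") if loc.strip()
        ]
        rows.append(row)
    return rows


def share_by(rows, column):
    """Percentage of breaches per value of a single-valued column (one decimal)."""
    counts = Counter(r[column] for r in rows)
    return {value: round(100.0 * n / len(rows), 1) for value, n in counts.items()}


def share_touching_location(rows, location):
    """Percentage of breaches whose location list includes `location`.

    A breach listed as "Network Server, Email" counts towards both locations,
    so these percentages can sum to more than 100."""
    hits = sum(1 for r in rows if location in r["Locations"])
    return round(100.0 * hits / len(rows), 1)


def size_buckets(rows):
    """Number of breaches per size band (lower bound inclusive, upper exclusive)."""
    sizes = [r["Individuals Affected"] for r in rows]
    return {name: sum(1 for s in sizes if lo <= s < hi) for name, lo, hi in SIZE_BUCKETS}


def impact_summary(rows):
    """Total, mean and median individuals affected.

    People hit by several breaches are counted once per breach; the portal
    data does not allow deduplication. The median is the better "typical
    breach" figure because a few huge incidents drag the mean up."""
    sizes = [r["Individuals Affected"] for r in rows]
    return {
        "breaches": len(sizes),
        "individuals": sum(sizes),
        "mean": statistics.fmean(sizes),
        "median": statistics.median(sizes),
    }


if __name__ == "__main__":
    breaches = load_breaches(SAMPLE_CSV)
    print("by entity type:", share_by(breaches, "Covered Entity Type"))
    print("by breach type:", share_by(breaches, "Type of Breach"))
    print("touching network servers:", share_touching_location(breaches, "Network Server"), "%")
    print("size buckets:", size_buckets(breaches))
    print("impact:", impact_summary(breaches))
```

On the constructed rows the mean is roughly 514,000 individuals while the median is 18,500, which is the same mean-versus-median gap the report describes for 2024; swapping `SAMPLE_CSV` for the portal's real export (same column names, read from a file) reproduces the entity-type, breach-type and location shares for any date range.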
How to Prevent Data Breaches
Several government and regulatory bodies provide actionable guidance on preventing and responding to data breaches. Key resources include CISA’s guidelines for ransomware-caused breaches, the FTC’s data breach response guide for businesses, and advice from the Australian Cyber Security Centre.
Drawing from these sources and our research findings, Forescout recommends the following actions to help Healthcare and other organizations prevent data breaches:
- Encrypt all sensitive data in transit and at rest, especially personally identifiable information (PII), protected health information (PHI) and financial data.
- Identify and assess the risk and exposure of network-connected assets that store or process sensitive data, including servers, IT endpoints, network equipment, operational technology, Internet of Things and medical devices.
- Vedere Labs has published a recent list of riskiest connected devices in 2025.
- We also published additional specific guidance for medical devices.
- Harden all network-connected assets by patching known vulnerabilities, changing weak credentials and disabling unused services. Focus on those critical assets that store or process sensitive data and those assets that give access to the critical assets, such as network equipment and domain controllers.
- Implement multi-factor authentication (MFA) where possible to limit the effectiveness of credential-based attacks leveraging compromised data.
- Avoid exposing management interfaces of network infrastructure devices, such as routers, firewalls and VPN appliances, to the internet, as these are frequent ransomware targets, especially via recent and 0-day vulnerabilities.
- Use network segmentation and network access control to limit internal and external connectivity to systems storing or processing sensitive data.
- Continuously monitor traffic to and from critical assets to detect and respond to data breaches. Exploitation attempts targeting known vulnerabilities, as well as anomalous behavior or unusual access patterns, should be investigated immediately.
- We have published a specific guide to detect the most common ransomware TTPs to prevent attacks.
While this guide is primarily aimed at organizations, individuals affected by data breaches can also reduce their exposure by following guidance from the NCSC-UK and the Office of the Australian Information Commissioner (OAIC).