Health systems continue to experience breaches that are costly and hamper patient care.
Hospitals and healthcare organizations have faced the constant threat of cyberattacks in recent years, but 2024 illustrated just how disruptive breaches can be.
So it may not be surprising that our stories of cybersecurity have gained a wide audience. In fact, all five of the most well-read healthcare technology stories over the past year involved cybersecurity and cyberattacks.
Ransomware groups are employing more sophisticated attacks and hospitals are struggling to keep pace, even as more organizations are devoting more resources to cybersecurity, said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association. Riggi and other experts participated in a cybersecurity panel held by Chief Healthcare Executive®.
“Cyberattacks against hospitals and health systems continue to increase at a very alarming rate,” Riggi said.
Here’s a look at costly and damaging breaches. It’s a safe bet that cybersecurity is going to remain a top concern of healthcare leaders in 2025.
1. Kaiser Permanente breach may affect 13 million people: Questions & answers
The California-based health system suffered a breach that affected over 13 million Americans, and it says something that it’s not even the biggest data breach in the healthcare industry over the past year.
Still, a breach of Kaiser Permanente is notable given its wide reach. Kaiser Permanente operates 40 hospitals in several states and its health plan has about 12.5 million members.
Health systems must notify the U.S. Department of Health & Human Services of any breach affecting more than 500 people. Kaiser Permanente told the department 13.4 million were affected, according to the department’s database.
Kaiser Permanente said there was no exposure of Social Security numbers, financial account information or credit card numbers.
Kaiser Permanente says online technologies may have sent personal information to other parties, including Google, Microsoft Bing, and X, the social media platform formerly known as Twitter.
2. Hospitals affected by cyberattack of UnitedHealth subsidiary
The cyberattack of Change Healthcare, a subsidiary of UnitedHealth Group, has been the most damaging attack ever in the healthcare industry, officials have said.
In February, it became clear that the attack on Change Healthcare was affecting hospitals and other health providers. It would soon become clear that the breach disrupted providers across America, because Change Healthcare provides services to so many providers across the industry, including billing and prescription services.
Nearly all of the nation’s hospitals suffered a financial impact from the breach with payments being delayed, according to a survey from the American Hospital Association.
UnitedHealth said the breach affected 100 million people, or roughly one in three Americans. In 2023, all of the health data breaches reported that year affected 130 million Americans, according to the health department. The Change Healthcare attack approached that figure.
The attack also received heavy mainstream media coverage, shedding more light on the growing problem of cyberattacks in healthcare.
3. Change Healthcare cyberattack: VA notifies 15 million veterans of breach
The Change Healthcare attack also affected the nation’s veterans.
The Department of Veterans Affairs sent notices to 15 million veterans about the breach. Change Healthcare provides a variety of services for the VA, including filling prescriptions.
Lawmakers have criticized UnitedHealth Group for failing to employ sufficient security measures in light of the breach, and have also called on the government to exercise more oversight to ensure there is better cybersecurity in the healthcare sector.
U.S. Sen. Ron Wyden, D-Oregon, is calling on the health department to require healthcare organizations to meet some basic cybersecurity standards.
“It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers,” Wyden said in a letter to the department.
4. Michigan hospital system suffers cyberattack, again
The McLaren Health Care system confirmed this summer that it had experienced a cyberattack, and unfortunately, it wasn’t the first breach the Michigan system has suffered.
In the fall of 2023, McLaren experienced a cyberattack, so the system suffered two breaches within the space of a year.
Citing limited access to key systems, McLaren said some non-emergency appointments, treatments and tests were postponed and had to be rescheduled. Ambulances were temporarily diverted from McLaren Port Huron Hospital, the Detroit Free Press reported.
McLaren operates 13 hospitals in Michigan, along with a host of ambulatory surgery centers and clinics. McLaren also operates health plans covering more than 700,000 people in Michigan and Indiana.
5. The 10 largest data breaches of the first half of 2024
Chief Healthcare Executive® reviewed the 10 largest health data breaches of 2024, and even at the midyear mark, it was clear that the industry was seeing some damaging attacks.
Those 10 breaches alone affected more than 31 million Americans, and it’s worth noting that didn’t include the Change Healthcare breach. While the Change Healthcare ransomware attack had already happened, it wasn’t clear at that point how many people were affected. Given the scope of the Change Healthcare attack, it’s likely that the number of Americans impacted by cyberattacks in 2024 will be substantially higher than a year ago.
In the first six months of 2024, there were 341 breaches of health data reported to the U.S. Health Department.