Three of four Americans affected by health data breaches | ViVE 2025

Nashville - Over the previous three years, the number of cyberattacks in health care hasn’t grown too dramatically.

John Riggi, national cybersecurity advisor for the American Hospital Association, talks about ransomware attacks at the ViVE conference in Nashville.

But the number of people affected by breaches of health data has soared, said John Riggi, national advisor for cybersecurity and risk with the American Hospital Association.

Riggi outlined the growing disruption of healthcare cyberattacks at the ViVE digital health conference Tuesday. In 2022, there were 556 healthcare breaches affecting 44 million people. A year later, federal officials reported 551 healthcare hacks, but the number who were impacted quadrupled to 136 million.

In 2024, there were 592 cyberattacks involving breaches of health data, and a staggering 259 million Americans were affected, he said. Put another way, three out of four Americans were affected by a breach of private health information.

Most of those were affected by the Change Healthcare cyberattack, the most disruptive cyberattack in the health industry in U.S. history. UnitedHealth Group, the parent company of Change Healthcare, reported that about 190 million Americans were affected by the breach that took place last February.

But several other healthcare organizations suffered breaches affecting millions of individuals. Even if the Change Healthcare breach is set aside, nearly 70 million Americans were affected by data breaches last year.

“We have tremendous dependency on the availability of technology to deliver care,” Riggi said. “That dependency creates risk.”

Attacking third parties

Even with all of those records being exposed, the theft of most private health information typically isn’t coming from electronic health records, Riggi said.

“We have healthcare records everywhere outside the electronic medical records,” Riggi said. “Shared databases, medical devices, they're on email or on laptops. … Our electronic medical records appear fairly secure. So the bad guys have figured out, identified where those records are and are attacking where they are, readily available, unsecured.”

• Read more: How a hospital system recovered from a cyberattack

Most of the attacks don’t involve hospitals directly, Riggi said. While hospitals are being affected by cyberattacks, hackers are typically not penetrating hospital computer networks, he said. Rather, they are finding ways to get into the systems of companies working with hospitals.

“The majority of these breaches are due to insecure third-party technology, insecure third parties, and non-hospital health providers, like clinics, like health plans, radiology, dental offices,” Riggi said.

“So we need to think about our relationships and business associations, and think about the third party risk … when we allow access outside access to our healthcare records,” he added. “Because the bad guys have figured out often our third parties and business associates are less secure than we are.”

Hospitals and health systems can pay a price with these breaches, even if they occur due to a vulnerability of a partner. Healthcare data breaches are far more expensive than those in any other industry, according to IBM.

But Riggi points to how attacks from ransomware groups threaten patient safety.

“The most significant type of cyberattack that we are concerned with are ransomware attacks, high impact ransomware attacks which disrupt and delay healthcare delivery, posing a very significant risk to patient safety and community safety, especially in cases of heart attack, stroke and trauma, when we have hospitals, communities, depending on the availability of those services,” Riggi said.

Threats beyond our borders

Many of those who have suffered cyberattacks took the threats of ransomware groups seriously, Riggi said.

“No organization, not even the federal government, can 100% eliminate cyber risk. Therefore, we must also be more resilient for when these attacks do, in fact, occur,” he said.

Riggi challenged health insurance companies to do a better job of guarding against insurance fraud, which he said would make private health data less valuable and less enticing to ransomware groups.

Hospitals and health systems need to do all that is possible to improve their security posture, and they need robust response plans to weather the disruptions of attacks. But he also said the federal government needs to offer more assistance.

“Yes, we must do more on defense as a healthcare sector, doing what we can, knowing our limitations on funding, especially. But again, we are not cybersecurity companies. Job one for health care is to deliver care and save lives,” he said.

Most cyberattacks launched against hospitals and health organizations are launched by groups outside the United States. “We need the federal government again working with us in the community to degrade the capabilities of the bad guys attacking us,” he said.

Many of the threats come from “non-cooperative foreign jurisdictions,” Riggi noted.

“That's a euphemism, folks, for Russia, China, North Korea and Iran,” he explained, noting that those countries provide safe harbor for ransomware groups.

“Russia, China, North Korea and Iran are making agreements with each other to exchange capabilities that are within their interests and potentially against our interests,” Riggi said. “So again, we need to band together as a community, as a healthcare community, to face this common threat.”