Analysts said the Change Healthcare breach is the worst cyberattack the industry has ever seen, but other attacks affected millions of Americans.
The Change Healthcare cyberattack caused unprecedented disruptions for hospitals and providers, experts say.
Analysts call it the worst cyberattack ever seen in the healthcare industry. UnitedHealth Group, the parent company of Change Healthcare, gained national attention and scrutiny from lawmakers and industry leaders.
Still, other cyberattacks and data breaches affected tens of millions of Americans over the past year.
Organizations suffering breaches of private health information that affect more than 500 people are required to report those incidents to the federal government. The U.S. Department of Health & Human Services database includes 576 data breaches affecting at least 500 individuals.
Here’s a roundup of the 10 largest health data breaches of 2024. The 10 largest breaches affected more than 141 million individuals, or more than 1 in 3 Americans, according to the health department. Millions more were affected by the hundreds of other breaches reported over the past 12 months.
During a recent cybersecurity panel held by Chief Healthcare Executive®, Adam Zoller, the global chief information security officer for the Providence health system, said 2024 was “a pretty wild year for healthcare.”
“Providence has been targeted by thousands of attacks, as we are every year,” he said. “We've thwarted these attacks. We've been able to, knock on wood, stay ahead of these attacks, but the attacks are growing in sophistication. They’re growing in volume.”
1. Change Healthcare cyberattack
The ransomware attack on Change Healthcare obviously surpassed all other health data breaches in 2024, or any other year. UnitedHealth Group said 100 million Americans were affected by the attack.
Nearly all hospitals and health systems suffered financial impacts from the attack, because Change Healthcare handles so many functions for providers, including claims, billing and prescription services. Providers were hampered because payment of claims was delayed.
UnitedHealth paid billions of dollars in loans and advance payments to providers who were affected by the attack. UnitedHealth Group CEO Andrew Witty told lawmakers in May that the company also paid $22 million to the ransomware group behind the attack.
Lawmakers criticized UnitedHealth for failing to employ more robust defenses, and they also called on the government to take more substantial steps to ensure health organizations are focusing on cybersecurity.
2. Kaiser Permanente
In most other years, the Kaiser Permanente breach would have emerged as the biggest of the year.
The California-based health system suffered a breach that affected over 13.4 million Americans. But this breach didn’t come from a cyberattack. Kaiser Permanente says online technologies used by social media platforms may have sent personal information to other parties.
Kaiser Permanente said the data exposed included names and addresses, but there was apparently no disclosure of Social Security numbers or credit card numbers.
3. Ascension Health
The health system suffered a cyberattack that affected nearly 5.6 million individuals, and the disruptions illustrated how breaches and attacks can affect patient care.
Ascension discovered the breach in May and the system postponed surgeries and appointments at some of its hospitals. Some hospitals had to divert ambulances to other facilities temporarily. Some Ascension facilities were without access to their electronic health records for weeks, and patients faced longer waits at clinics.
In a message on its website, Ascension said the data exposed varies but could include medical information, credit card numbers, Social Security numbers, and insurance information.
Ascension said in June that it appears the breach occurred when an employee inadvertently downloaded a malicious file.
4. HealthEquity, Inc.
The Utah-based organization experienced a breach affecting 4.3 million individuals, according to the health department database.
HealthEquity, which administers benefits including Health Savings Accounts, said in a notice filed with the Maine attorney general’s office that the breach occurred in March and was confirmed in June.
The company said the exposed data primarily included sign-up information for accounts and benefits. Some of the data included names, phone numbers, Social Security numbers, and payment card information. Some individuals had different types of data that were affected, and some data categories weren’t exposed for some people, the company said.
5. Concentra Health Services, Inc.
A division of Select Medical, Concentra Health Services Inc. was impacted by a breach that affected nearly 4 million individuals, according to the health department database.
Concentra offers occupational medicine, urgent care, physical therapy and other services at nearly 550 medical centers. The company also serves employers and operates more than 150 onsite medical facilities.
Concentra said the breach occurred due to a third party, Perry Johnson & Associates, Inc.
“This event occurred solely at PJ&A and was not the result of any activities or inactions on Concentra’s part,” Concentra said in a statement in February.
PJ&A provides medical transcription services to healthcare organizations. The company said it has added security measures to prevent future attacks.
6. Centers for Medicare & Medicaid Services
The CMS suffered a data breach that affected more than 3.1 million individuals, illustrating that government agencies are vulnerable to breaches.
The breach stems from a 2023 cybersecurity incident involving MOVEit software, a third-party application used to transfer files, the CMS said in September. The Wisconsin Physicians Service Insurance Corporation, a CMS contractor, discovered in May 2024 that an unauthorized party had copied some files. A previous review didn’t discover any suspicious activity.
The CMS notified affected individuals that some of the data exposed could have included names and addresses, Social Security numbers, hospital account numbers and Medicare beneficiary identifiers.
The agency said it wasn’t aware of any incidents of fraud or the improper use of private health data.
7. Acadian Ambulance Service, Inc.
The Louisiana-based organization suffered a breach affecting nearly 2.9 million individuals, according to the health department.
Acadian Ambulance Service said it detected suspicious activity and confirmed that someone gained access to the company’s network between June 19 and June 21.
The company sent notices to those affected in August. Acadian said it found no evidence that any private health information was used for identity theft or fraud.
But the exposure included information such as Social Security numbers, birth dates and medical information.
The company provides ambulance services in Louisiana, Mississippi, Tennessee, and Texas.
8. Sav-Rx
A&A Services, doing business as Sav-Rx, experienced a cyberattack that affected 2.8 million individuals, according to the health department.
Sav-Rx manages pharmacy benefits for health plans.
In a message to customers on its website, Sav-Rx said, “an unauthorized third party was able to access certain non-clinical systems and obtain certain files that contained personal information. However, in conjunction with third-party experts, we have confirmed that any data acquired from our IT system was destroyed and not further disseminated.”
Sav-Rx said it conducted an investigation and isn’t aware of third parties using the data, and the company said pharmacy systems were not affected. The company has offered free credit monitoring and identity theft protection to customers for two years.
Sav-Rx also said it has taken steps to bolster its cybersecurity.
9. WebTPA
WebTPA Employer Services, LLC experienced a data breach affecting more than 2.5 million people, according to the health department.
The company handles administrative services for benefits plans and insurance companies.
WebTPA said in a statement that it detected suspicious activity on its network in late December and launched an investigation, which found that an unauthorized party may have obtained personal information. WebTPA said the investigation into the extent of the breach was completed in March 2024.
The Texas-based company said it’s providing two years of identity monitoring services to customers. The information accessed included names, Social Security numbers, and insurance information, among others, the company said.
In notices to those affected, WebTPA said the company isn’t aware of any misuse of information. The company said it also consulted cybersecurity experts to improve its defenses.
10. INTEGRIS Health
The Oklahoma health system suffered a cyberattack affecting nearly 2.4 million people, according to the health department.
INTEGRIS said in a message to patients and community members that intruders accessed private health information, including Social Security numbers, contact information, and birth dates. However, the system said no financial information or payment information was accessed.
The health system also said some individuals have been contacted by a group claiming responsibility for the breach, but INTEGRIS urged individuals not to respond or engage with the group.