The Change Healthcare saga continues. When first reported, the infamous Change Healthcare data breach was thought to affect a record-breaking 100,000,000 patients. However, new reports now put that number at a whopping 190,000,000 – the largest data breach ever reported.
The most shocking part is that the Change Healthcare breach wasn’t the only massive breach in 2024. Last year was truly one for the books, with 13 breaches affecting more than one million patients.
Not so shocking? All but two of these breaches were hacking incidents. With 2024 behind us, it’s time to take a look at the year’s most significant breaches.
1. Change Healthcare
Ransomware is the name of the game. Change Healthcare was the victim of a ransomware attack in February 2024 in which the BlackCat/ALPHV ransomware group exfiltrated 190 million patient records. They then encrypted the files to prevent Change from being able to access them and force their hand into paying for their return.
Reports note that Change did not pay the $22 million ransom demand, so the group gave the stolen records to another group, RansomHub. RansomHub was also unsuccessful in its ransom attempts.
2. Kaiser Foundation Health Plan
13.4 million patients were exposed when Kaiser Foundation Health used technologies within its websites and applications that might have transmitted data to third-party vendors like Meta, Google, Microsoft, and X.
Online tracking technology (cookies) has been a sore spot for large healthcare organizations that often use the data for marketing purposes. The Office for Civil Rights (OCR) states, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
The rules on tracking technology are tricky. On June 20, 2024, OCR updated its guidance after courts found a portion of its previous guidance unlawful.
3. Ascension Health
In another large-scale ransomware attack, Ascension Health was targeted by a Black Basta attack. The incident led to the disruption of 142 hospitals, with outages lasting almost four weeks. The attack started when an employee downloaded a malicious file, allowing threat actors to access the health system’s servers. As a result, 5,599,699 patients were affected. In a possible breach notification blunder, some patients weren’t notified that their protected health information (PHI) was compromised until 8 months after the attack.
4. HealthEquity
The data of 4.3 million patients was exposed when a hacker reached HealthEquity’s patient files through one of its vendors. The malicious actor infiltrated the business partner’s device using SharePoint and copied the sensitive data. Failing to vet your vendors can lead to HIPAA violations (although it’s not clear if this was the case with HealthEquity).
5. Concentra Health Services
In another vendor-related breach, Concentra Health Services was part of the cyberattack targeting Perry Johnson & Associates (PJ&A), a medical transcription company. Although the incident occurred in July 2023, Concentra could not confirm it was affected until January 2024. The damage? 3,998,163 patients’ PHI exposed.
6. Centers for Medicare & Medicaid Services
In May 2023, the Clop group exploited a zero-day vulnerability to gain unauthorized access to the networks of 2,500 companies. This widespread attack also impacted the Centers for Medicare and Medicaid Services (CMS) through a third-party contractor responsible for handling Medicare Part A/B claims. Shockingly, it took until May 2024 to confirm that 3,112,815 CMS patients were affected by this breach.
7. Acadian Ambulance Service
Another ransomware group, Daixin Team, claimed responsibility for the Acadian Ambulance Service breach. Between June 19 and June 24, 2024, the PHI of 2,896,985 patients was stolen. After Acadian failed to meet the $7 million ransom demand, Daixin released the stolen data.
8. A&A Services d/b/a Sav-Rx
Sav-Rx is a pharmacy benefit management company based in Texas. In October 2023, hackers accessed Sav-Rx’s systems, although Sav-Rx didn’t inform its health plan customers until April 2024. The 2,812,336 patients affected by the incident weren’t informed until May 2024. Although not confirmed, it’s thought to have been a ransomware attack, and Sav-Rx likely paid the ransom for the return of the stolen files.
9. WebTPA Employer Services
WebTPA Employer Services provides administrative services to health insurance and benefits plans. Between April 18 and April 23, 2023, hackers accessed WebTPA Employer Services’ network, but the incident wasn’t discovered until December 2023. Affected clients were informed of the incident in March 2024, but it wasn’t reported to OCR until May 2024. Due to the delay in breach notification, several lawsuits have been filed against WebTPA.
10. Integris Health
In November 2023, hackers accessed Integris Health’s network, exfiltrating the records of 2,385,646 patients. The Hunters International hacking group claimed responsibility for the attack and directly contacted patients for ransom after Integris refused to pay it. The group demanded $50 from each patient, promising to delete their stolen data. They threatened to sell the data if the ransom was not paid.
11. Medical Management Resource Group
Medical Management Resource Group, LLC (MMRG) provides administrative services to ophthalmology practices across several states. As such, they share an IT infrastructure with 12 practices. When a hacker gained access to MMRG’s network, they were able to access the patient files of all 12 practices. 2,350,236 patients had their data compromised in the attack.
12. Summit Pathology and Summit Pathology Laboratories, Inc.
Summit Pathology and Summit Pathology Laboratories reported a hacking incident in October 2024, and the Medusa ransomware group claimed responsibility. After tricking an employee into opening a malicious file in a phishing email, the ransomware group was able to access their network. 1,813,538 patients were affected by the attack, but since the data wasn’t leaked, it’s fair to assume that Summit paid the ransom.
13. Geisinger
The Geisinger data breach was a different story. This incident was one of the massive 2024 breaches not caused by hacking. A third-party IT service provider contracted by Geisinger failed to protect patient files after firing an employee. The employee in question accessed 1,276,026 patient files two days after being fired. It’s clear the service provider failed to have adequate termination procedures, leading to the unauthorized access of patient data.
OCR Recommendation on Hacking Prevention
Several, if not all, of these organizations will likely be subject to investigations into how they were breached. If they cannot prove they took necessary steps to prevent such incidents, i.e., a comprehensive compliance program, they will likely be party to the OCR Ransomware Enforcement Action and/or OCR Risk Analysis Initiative.
OCR recommends that healthcare providers, health plans, healthcare clearinghouses, and business associates take the following steps to mitigate or prevent cyberattacks:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations
- Integrate risk analysis and risk management into business processes regularly
- Ensure audit controls are in place to record and examine information system activity
- Implement regular review of information system activity
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI
- Encrypt ePHI to guard against unauthorized access to ePHI
- Incorporate lessons learned from incidents into the overall security management process
- Provide training specific to the organization and job responsibilities on a regular basis; reinforce workforce members’ critical role in protecting privacy and security
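The Geisinger incident above (a terminated employee reading patient files two days after being fired) and the audit-control and activity-review items in this list come together in one routine check: correlating the HR offboarding list with information-system access logs. The script below is an added illustration, not code from the article or from any of the organizations named; the log format, the user names and the termination dates are constructed for the example.

```python
from datetime import datetime

# Constructed HR offboarding records (hypothetical): account -> termination date.
TERMINATIONS = {
    "jdoe": datetime(2024, 5, 1),
}

# Constructed access-log lines (hypothetical format): timestamp user action record.
ACCESS_LOG = """\
2024-04-30T15:12:03 jdoe VIEW patient-1001
2024-05-03T09:41:55 jdoe VIEW patient-2002
2024-05-03T09:42:10 jdoe EXPORT patient-2003
2024-05-03T09:42:30 jdoe EXPORT patient-2003
2024-05-03T10:05:00 asmith VIEW patient-3003
"""


def parse_line(line):
    """Split one log line into (timestamp, user, action, record)."""
    ts, user, action, record = line.split()
    return datetime.fromisoformat(ts), user, action, record


def post_termination_access(log_text, terminations):
    """Return every access event performed by an account on or after its termination date.

    Each finding records how many days after termination the access happened, which is
    the number a breach notification (and an investigator) will ask for.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = parse_line(line)
        term = terminations.get(user)
        if term is not None and ts >= term:
            findings.append({"user": user, "when": ts, "action": action,
                             "record": record, "days_after": (ts - term).days})
    return findings


def affected_records(findings):
    """Count distinct patient records touched per offboarded account (the 'patients affected' figure)."""
    per_user = {}
    for f in findings:
        per_user.setdefault(f["user"], set()).add(f["record"])
    return {user: len(records) for user, records in per_user.items()}


if __name__ == "__main__":
    hits = post_termination_access(ACCESS_LOG, TERMINATIONS)
    for h in hits:
        print(f"{h['user']} {h['action']} {h['record']} {h['days_after']} day(s) after termination")
    print(affected_records(hits))
```

Running this on a real log export would turn "review of information system activity" into a concrete daily job: any non-empty result is an account that should already have been disabled.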
“One of the first steps in implementing effective cybersecurity in health care is assessing the potential risks and vulnerabilities to electronic protected health information,” said OCR Director Melanie Fontes Rainer. “A failure to conduct a HIPAA risk analysis will leave a health care entity vulnerable to cyberattacks, such as hacking and ransomware—which is bad for our health care system and bad for patients. We can and must do better.”