Health care companies are increasingly falling victim to sophisticated hacking efforts—including ransomware attacks—insider threats, and basic security flaws despite the highly confidential nature of patient data.
According to new research by Atlas VPN, a virtual private network provider, 87 million patients in the United States had their personal information improperly exposed so far in 2023. That is more than twice as much as last year when 37 million people had their data breached, making data privacy a top concern among health care compliance officers.
In 2022, over 37 million patients in the U.S. had their personal information exposed by healthcare organizations. However, breaches have skyrocketed this year. Just in the first half of 2023, hackers stole the data of over 41 million people. The third quarter marked an even greater cause for alarm, with 45 million more patients impacted.
Overall, there have already been 480 reported patient data breaches across the healthcare sector in the first three quarters of 2023 alone. This compares to only 373 total breaches during the entirety of 2022, highlighting the alarming acceleration in attacks.
The largest patient data incident so far was the HCA Healthcare breach, which impacted 11 million people. The second most significant breach happened at Managed Care of North America. The company found that an unauthorized third party accessed certain systems and stole the data of 8.9 million individuals.
This exponential growth highlights the ease with which hackers can access sensitive data. Medical records contain many personal details, making them a prime target. Yet healthcare organizations have not prioritized modern cybersecurity defenses to match the sophistication of criminal efforts.
“The sensitive nature of medical records makes them highly desirable targets for criminals, thus demanding the strongest security standards,” says Vilius Kardelis, a Cybersecurity writer at Atlas VPN. “Patients deserve to know their most personal information is safe, and providers must ensure that confidence. Healthcare has to view data protection as being just as critical as patient care.”
Most Vulnerable States
While healthcare data breaches impact patients nationwide, analysis shows certain states have been affected more than others.
California tops the list with 43 healthcare organizations afflicted by patient data breaches so far this year. The state’s massive population and concentration of healthcare providers likely make California a prime target.
New York comes in second, with 42 healthcare data breaches reported. Texas is third, with 38 healthcare entities experiencing breaches. Other states near the top include Massachusetts and Pennsylvania, with 31 and 30 breaches, respectively.
Vermont remains the only state with no reported healthcare breaches in 2023. Vermont’s small population and lack of major cities may allow it to fly under the radar of sophisticated hackers looking for maximum reward.
The data is based on the U.S. Department of Health and Human Services Office for Civil Rights database. Health organizations must report any health data breaches that impact 500 or more people to the secretary, which makes them public. 
Joseph McCafferty is editor & publisher of Compliance Chief 360°