HHS’s breach report to Congress: bigger breaches, lagging defenses

The latest data breach numbers show a change in the character of cyberattacks, but not in the industry’s defenses against them.
By admin
Jun 4, 2026, 1:17 PM

Healthcare data breaches are bigger and badder than ever – and they’re getting increasingly difficult for healthcare organizations to defend against, especially as more and more breaches are now originating with third-party business associates (BAs).  

HHS’s latest breach report to Congress shows that breaches are starting to shift away from traditional in-house targets and towards the broader ecosystem, with successful intrusions affecting larger groups of patients than ever before.  

And yet, healthcare organizations and their partners are not evolving their cybersecurity practices quickly enough to defend against these new tactics, HHS points out, leaving critical infrastructure open to the latest generation of attacks.  

With the breach landscape changing, and bad actors now equipping themselves with advanced AI tools to extend their capabilities, healthcare organizations need to keep pace with proactive, comprehensive vigilance both within their own systems and across their BA networks. 

Key takeaways from HHS’s latest breach report to Congress

The HHS Office for Civil Rights (OCR) submits a breach report to Congress every year, highlighting trends in breach reporting and cybersecurity over the prior twelve months. The latest report, covering calendar year 2024, reveals some interesting trends for the industry.

Large-scale breaches were fewer in number, but bigger in scope. In 2024, OCR received 663 reports of large breaches affecting 500 or more individuals, a 9% decrease from the 730 breaches that occurred in 2023. However, despite the reduction in reported incidence, the total number of affected individuals reached approximately 243 million, driven by a handful of extraordinarily large cyberattacks.  

The numbers suggest that harm to individuals is becoming more concentrated, creating new challenges in containing the scale of a breach rather than just reducing the frequency. Just trying to secure the perimeter is no longer sufficient if bad actors have unrestricted access to anything they like once they manage to get inside.  

Business associates have become a disproportionate source of exposure. BAs accounted for only 16% of the large breaches reported in 2024 (106 out of 663), but those incidents affected approximately 207 million individuals, or 85% of all the people impacted by large breaches throughout the year.  The average BA breach affected nearly 2 million individuals. 

In comparison, direct breaches of healthcare providers accounted for 506 large breaches (76%) but only about 34.8 million affected individuals (14%). 

The disparity illustrates how third-party access is transforming the industry’s risk profile, and reinforces the need for healthcare organizations to have transparent and collaborative cybersecurity relationships with their partners.  

Hacking drives the large breaches, but paper records are still a threat. Large breaches make headlines, but small breaches still cause headaches for healthcare organizations. The number of breaches affecting fewer than 500 individuals rose by 9% in 2024, totaling more than 74,000 incidents. Unlike large breaches, which were mostly tied to hacking or IT incidents, these smaller events were often attributed to unauthorized access to or disclosure of information. And that information was frequently stored on paper.

Paper records were implicated in 39% of small breaches, or roughly 29,000 incidents in 2024. These events may only affect a handful of individuals at a time, but they show that in many cases, not much has actually changed in the way organizations secure (or fail to secure) physical assets in the decades since HIPAA first came into force.  

New threats, same cybersecurity deficiencies 

The continued prevalence of breaches tied to paper records is an example of a persistent problem: healthcare organizations still aren’t deploying their defenses quickly enough or comprehensively enough to counter evolving security threats. 

But it’s not just about buying the latest and greatest in AI threat detection. In the report, OCR points out that many organizations are simply not well-versed enough in several areas of foundational governance and cybersecurity hygiene, which raises their risks of exposure significantly. 

For example, officials repeatedly found that covered entities and BAs failed to conduct accurate and thorough assessments of the potential risks to their electronic protected health information (ePHI), leaving them unable to protect what they have never identified.

And even when organizations do get a handle on their risks, they don't always follow through on implementing adequate safeguards. This includes reviewing their logs, audit trails, access reports, and other system activity records closely enough to head off an incident, or to catch an intruder rooting around their systems, which attackers can sometimes do for months before discovery.

Lastly, OCR cautioned that organizations are not doing enough to implement strong identity and access controls, leaving themselves open to attacks that use compromised credentials.

Overall, the report shows a threat landscape in rapid transition – and a defense system that is still plagued by familiar weaknesses.  

As the industry increasingly relies on vendors and partners for essential business services, the interdependent nature of the modern digital environment means that a single, small vulnerability can have repercussions that echo across the entire ecosystem, potentially exposing the data of millions of individuals.  

The growing mismatch between the scale of these breaches and the lack of maturity in the controls designed to stop them should give cybersecurity leaders an even stronger incentive, if one was required, to establish full visibility into their networks, reassess their basic defenses, and work more closely than ever with BAs and other partners to create stronger shared defenses. 


Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at [email protected].