American Hospital Association (AHA) Cyber & Risk Intel Blog
As of Oct. 3, 2025, 364 hacking incidents had been reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), affecting over 33 million Americans. To be clear, when a hacking incident is reported to OCR, it means that the health care records of every individual counted as affected have been stolen, in whole or in part, by criminals, most often foreign criminal hackers.
As appalling as that number may seem, we have become somewhat desensitized to these large numbers and to the true impact of these crimes. The irony is that some may even feel relieved that “only” 33 million Americans have had their health care records stolen so far this year. Folks, we can assure you that that number is still far too high and should not be tolerated as the norm.
Those who are relieved by this year’s numbers really can’t be blamed, given what has transpired in the past couple of years. By the end of 2024, 259 million Americans’ protected health information (PHI) had been reported as hacked, a new record. That figure included the 192.7 million Americans whose health care records were stolen during the UnitedHealth Group/Change Healthcare ransomware attack, perpetrated by the notorious Russian ransomware group known as BlackCat/ALPHV. It is also worth noting that Change revised the number of individuals impacted upward over several months, from 100 million to 190 million and finally to 192.7 million.
In 2023, 138 million Americans had their PHI hacked in hundreds of breaches, an astounding number at the time. The largest of those breaches resulted from attacks by the Russian ransomware group known as Clop that compromised a widely used third-party secure file transfer product, MOVEit Transfer.
These shifting counts reveal some underlying major issues about cybersecurity in the health care field. Let’s take a look at what we’ve learned from the Change Healthcare attack and other breaches.
Lessons Learned
We’ve observed that the Change Healthcare breach and other reported cyberattacks contain patterns that hold true for breaches reported to HHS-OCR over the last several years, including 2025.
- Over 80% of the stolen protected health information records were not stolen from hospitals — they were stolen from third-party vendors, software services, business associates, and nonhospital providers and health plans like the Centers for Medicare & Medicaid Services.
- Over 90% of hacked health records were stolen outside of the electronic health record system.
- 100% of the hacked data was effectively unencrypted at the point of theft: either stolen credentials granted access that decrypted it, or it was stored in unencrypted form outside the EHR. Encryption at rest does not protect data from an attacker holding valid credentials.
- A significant number of the reported hacks in 2024 and 2025 were ransomware attacks accompanied by data theft, a tactic known as double extortion: the attackers encrypt systems and also threaten to publish the stolen data unless they are paid.
Furthermore, as demonstrated by the inconsistent tallies of those affected by the Change Healthcare attack, health care organizations, especially third-party providers, need to improve their data mapping and data security practices. With so much PHI being exchanged among care providers, third parties, service lines and organizations, hospitals may have only a murky understanding of where their data is, which third parties have access to it, and how much of it those parties hold. That’s one reason why it’s critical to understand your internal and external cyber risk exposure and to have a strategic third-party risk management program.
The First Step to Preventing and Mitigating a Cyberattack: Understand Your Risk Environment
Before you can protect against data theft, you need to figure out exactly what you need to protect. How are you managing your data, and how secure is it? Answering that requires a dynamic process to continuously map your data, network, network traffic, applications and devices and to maintain an accurate, up-to-date asset inventory, including your inventory of network-connected medical devices. Then ask: How much of your data do your third-party service providers hold? Is your data encrypted? How’s your email security? How’s your patch management? Weak identity and access management is another major attack vector.
Understanding your cyber risk exposure should also extend to understanding third-party software cyber risk exposure. Whether in medical devices or revenue cycle applications, a software bill of materials (SBOM) may be helpful in identifying software-related vulnerabilities.
It’s important to ensure your technology vendors supply an SBOM, which the Cybersecurity and Infrastructure Security Agency defines as “a formal record containing the details and supply chain relationships of various components used in building software.” SBOMs are critical to understanding all the components of the software you are using. Nearly every piece of software you purchase contains subcomponents that are sourced from other authors. If a vulnerability is discovered in one of those subcomponents, the entire tool can be at risk. Knowing what those subcomponents are will help you better defend your environment. Make no mistake, SBOM monitoring is a complicated process, but there are services available to help you with this crucial task.
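To make concrete what SBOM monitoring actually involves, here is an added example (written for this post; it is not a tool from the AHA, CISA or any vendor). It reads a small SBOM in the CycloneDX JSON layout, then checks each listed component against a list of advisories that give an affected version range. The SBOM contents, component names and advisory IDs are all constructed for illustration and are not real products or CVEs; in practice the SBOM comes from your vendor and the advisories from a vulnerability feed.

```python
"""Match components in a CycloneDX-style SBOM against known-vulnerable
version ranges.  All data below is constructed for illustration; the
advisory entries are hypothetical, not real CVEs."""
import json
import re

# Constructed SBOM fragment in CycloneDX 1.5 JSON layout.  Component names,
# versions and purls are made up for this example.  The last component has
# no version, which is a common defect in vendor-supplied SBOMs.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "claims-portal", "version": "4.2.0"}},
    "components": [
        {"type": "library", "name": "example-xml-parser", "version": "2.13.4",
         "purl": "pkg:maven/org.example/example-xml-parser@2.13.4"},
        {"type": "library", "name": "example-file-transfer", "version": "15.0.1",
         "purl": "pkg:maven/org.example/example-file-transfer@15.0.1"},
        {"type": "library", "name": "example-crypto", "version": "3.1.0",
         "purl": "pkg:pypi/example-crypto@3.1.0"},
        {"type": "library", "name": "example-logging"},
    ],
})

# Hypothetical advisories: (advisory id, component name, affected range).
# Ranges use the "op version[,op version]" grammar handled by version_matches().
ADVISORIES = [
    ("EXAMPLE-ADV-0001", "example-xml-parser", ">=2.0.0,<2.14.1"),
    ("EXAMPLE-ADV-0002", "example-file-transfer", "<14.1.7"),
    ("EXAMPLE-ADV-0003", "example-crypto", "<3.0.0"),
]

_CLAUSE_RE = re.compile(r"^(<=|>=|<|>|==)\s*([0-9][0-9.]*)$")

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """Split a dotted numeric version into an int tuple so that 2.9 sorts
    below 2.14; naive string comparison gets this wrong."""
    return tuple(int(part) for part in text.split("."))


def version_matches(version, spec):
    """True if `version` satisfies every comma-separated clause in `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def find_vulnerable_components(sbom_json, advisories):
    """Return a list of (advisory_id, name, version, purl) for every SBOM
    component whose version falls inside an advisory's affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            continue  # cannot be matched; see unmatchable_components()
        for adv_id, adv_name, spec in advisories:
            if adv_name == name and version_matches(version, spec):
                hits.append((adv_id, name, version, comp.get("purl", "")))
    return hits


def unmatchable_components(sbom_json):
    """Names of components the SBOM lists without a version.  These are a
    coverage gap to raise with the vendor, not a clean result."""
    sbom = json.loads(sbom_json)
    return [c.get("name", "<unnamed>") for c in sbom.get("components", [])
            if not c.get("version")]


if __name__ == "__main__":
    for adv_id, name, version, purl in find_vulnerable_components(SAMPLE_SBOM, ADVISORIES):
        print(f"{adv_id}: {name} {version} ({purl})")
    for name in unmatchable_components(SAMPLE_SBOM):
        print(f"WARNING: {name} has no version in the SBOM and could not be checked")
```

Two details are worth keeping in mind when adopting something like this. Versions are compared as integer tuples because comparing them as strings silently puts 2.9 after 2.14, which would hide exactly the outdated component you are looking for. And a component with no version is reported as a gap rather than passed over in silence, since an SBOM that omits versions tells you a component exists but not whether it is exposed; that is a question to put back to the vendor.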