A new analysis has highlighted the growing impact of healthcare data breaches in the U.S., with Texas and California leading in both the number of incidents and individuals affected. The findings, compiled by application security firm Indusface, reflect ongoing challenges in data protection across the healthcare sector.
According to Indusface, the average cost of a healthcare data breach in the U.S. stands at approximately $9.77 million. These costs are largely driven by business disruption, legal claims and customer turnover.
Since 2023, Texas has recorded 66 healthcare data breaches, the highest of any state, impacting more than 14.3 million individuals. California, with 45 breaches, reported over 9.2 million people affected. New York followed with 61 breaches and 8.6 million individuals impacted.
California also experienced the largest single incident included in the analysis. From April 2021 to January 2024, member data from Blue Shield of California was shared with Google for advertising purposes, affecting an estimated 4.7 million individuals. While the company stated that no malicious actors were involved, the data shared included information such as plan type, location, gender, and family size.
Indusface also identified 46 large-scale healthcare data breaches, each impacting more than 500,000 individuals, over the past 24 months. One of the most significant involved Concentra Health Services in Texas, where nearly 4 million individuals were affected.
In New York, a breach at Enzo Clinical Labs in 2023 exposed the data of 2.47 million individuals and was attributed to inadequate data security measures.
In Florida, 36 breaches impacted 6.6 million individuals. The largest, at Florida Health Sciences Center, affected more than 2.4 million people, with reports indicating that attackers had access to patient data for nearly three weeks before detection. Tennessee reported 28 breaches and 4.9 million individuals affected, including an incident at United Seating and Mobility that compromised the data of more than 600,000 people.
While Utah reported only four breaches, the state saw over 4.3 million individuals affected, pointing to the scale of individual incidents rather than frequency.
Venky Sundar, founder and president of Indusface, said healthcare organizations face increased risk due to the volume of sensitive data and outdated technology infrastructure.
“The healthcare sector is vulnerable to these breaches due to both the vast amount of sensitive patient data, which is often sold to third parties for a high price, and weak/outdated software and systems,” Sundar said.
He referenced the latest Verizon Data Breach Investigations Report, which found that vulnerability exploits have overtaken phishing as the leading cause of data breaches. According to Sundar, resolving an average vulnerability can take more than 200 days.
“To minimize the chances of patient data being exposed, consider utilizing tools like web application scanners and cloud-based Web Application Firewalls (WAFs) to detect and mitigate vulnerabilities in real-time,” he said. “As the digital space continually evolves, staying on top of any network threats that might arise is essential. Implementing rigid security systems, careful monitoring, and proper protection can help keep sensitive data safe.”