What role does technology play in healthcare data breaches?
It can be said that healthcare data breaches are a symptom of a greater problem: an extremely predatory environment in which hackers and other ill-intentioned parties raid supposedly secure data sources like pirates of the high seas, taking information and exploiting it for their own use or selling it on to other parties.
With healthcare records commanding high value on criminal markets, attackers target health IT systems, business associates, and third-party vendors as a matter of routine.
With healthcare data commanding a premium on the black market, where buyers pay anywhere from $10 to $1,000 per record (more 'valuable' than even stolen credit card information), the last few years have witnessed several high-profile healthcare data breaches affecting millions of patients.
In more recent years, the scale and frequency of those incidents have grown: hundreds of breaches affecting 500 or more individuals are reported to OCR each year, and hundreds of millions of patient records have been exposed across 2023–2024. However, these high-profile cases belie the fact that healthcare data breaches occur more frequently on a smaller scale.
The figures
The Office for Civil Rights (OCR) tracks healthcare data breaches greater than or equal to 500 patient records. OCR’s breach portal remains the primary public source for reported incidents of 500+ records; recent compilations show hundreds of reported breaches and totals in the hundreds of millions of exposed records in recent years.
Note: According to OCR, 253 healthcare breaches affected 500 individuals or more with a combined loss of over 112 million records. (This older figure reflected the situation at the time of our original article; reporting since then shows materially larger totals and more frequent hacking incidents.)
Hacking and other IT incidents now account for the majority of large breaches; recent analyses put hacking/ransomware-related incidents as the leading cause of records exposed.
The bulk of the breaches (38%) were reported as “Unauthorized Access/Disclosure,” while 90% of the top ten breaches were reported as a “Hacking/IT Incident”, representing 21% of all breaches. The other top category was “Theft” at 29% of all breaches.
The economic burden
The overall cost of healthcare data breaches is staggering and has continued to rise in recent years. In 2025, DeepStrike reports that the economic burden of healthcare data breaches averages about $7.42 million per incident.
This figure does not include indirect costs such as reputational damage and lost productivity.
Regulatory penalties and remediation costs can be large. Fines for HIPAA violations, state attorney-general actions, contractual penalties, and class-action litigation add to direct remediation and notification expenses.
Further, an organization may be subject to regulatory fines that can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal penalties.
The healthcare technology
The flow of data between organizations and EHR systems will only increase in the future, and with it the risk of healthcare data breaches. The modern health IT ecosystem (cloud services, connected medical devices, third-party software, telehealth platforms, and extensive data sharing with business associates) expands the attack surface.
Of course, the legal standards contained in HIPAA and HITECH set the minimum threshold for how an organization should handle and secure its healthcare data. Given the security threats facing practices and their EHR systems, and the growing ability of attackers to breach even organizations that follow the law, extra security measures have become a necessity.
Among all security measures to prevent a breach of healthcare data from an EHR, encryption technology is perhaps the most vital to limiting risk.
Encryption is not mandated by HIPAA or HITECH, but neither law exempts the loss of encrypted data from being treated as a reportable breach if the encryption used was not appropriate.
As a risk mitigation and data protection measure, encryption is the most obvious strategy. Combined with staff training and clear data security protocols, it provides a strong foundation for data protection.
In effect, clear data privacy protocols and thorough training in data handling and collection can foster an organizational culture that treats data security as a value just as vital as service delivery. From a data risk standpoint, ground-up measures such as these further bolster technology-based security.
Key takeaways
Compromising patient data leads to immediate and long-term harm:
- For patients:
  - Identity theft
  - Medical fraud
  - Incorrect medical records
  - Personal and financial harm from the sale of medical and PII on criminal markets
  - Potential patient safety risks if clinical systems or devices are affected
- For healthcare providers/organizations:
  - Reputational damage
  - Regulatory fines
  - Loss of patient trust
  - Costly remediation
  - Legal exposure
  - Operational disruption if care systems or billing functions are affected
- When medical devices are hacked:
  - Affected clinical availability
  - Compromised device functionality
  - Direct patient safety risks
How to prevent healthcare data breaches
- Assume breaches will happen; invest in detection and containment first.
- Protect PHI with encryption, access controls, and careful vendor management.
- Reduce exposure from paper-based PII through digitization and strict handling rules.
- Treat medical device security as a clinical safety issue and require lifecycle support from vendors.
- Test incident response and involve external partners early (law enforcement, forensics, regulators).