Skip to Main Content

Odds are, you’ve gotten at least one of the unnerving letters in your mailbox this year: “We’re writing to inform you of a cybersecurity incident,” it might start. It’s the standard notice many health care organizations are required to provide when your protected health information gets exposed — and in 2023, data leaks, hacks, and mishandling led more of them to be delivered than ever before.

As many as 116 million individuals have been impacted by large health data breaches reported to the Department of Health and Human Services this year, according to records from its Office for Civil Rights as of December 21. That number has more than doubled over recent counts, driven primarily by a surge in hacking and ransomware attacks on health care organizations regulated by the privacy rule HIPAA.

advertisement

Since 2009, OCR has issued reports on large data breaches — those that impact 500 or more patients — which appear on its public “wall of shame.” The last record for individual impact was set in 2015, when three data breaches at health plans Anthem, Premera Blue Cross, and Excellus impacted tens of millions of patients each. It was a massive outlier, driving the total individuals impacted by large health breaches over 112 million.

Get unlimited access to award-winning journalism and exclusive events.

Subscribe

STAT encourages you to share your voice. We welcome your commentary, criticism, and expertise on our subscriber-only platform, STAT+ Connect

To submit a correction request, please visit our Contact Us page.