Adobe Stock image

The number of health care data breaches in the U.S. surged last year, up nearly 200%, compromising over 328 million individual records — an amount that nearly equals the entire population of the country.

California ranked second in data breaches, with 22.6 million having their data exposed.

According to a study by KnownHost, a web hosting company founded in 2006 specializing in fully-managed hosting services, breaches rose from 149 incidents in 2023 to 444 in 2024 — a 198% increase.

The report, which analyzed data from the U.S. Department of Health and Human Services Office for Civil Rights, included incidents from February 2023 to April 2025.

“This study highlights a rise in attacks in an industry that affects nearly every American,” KnownHost CEO Daniel Pearson said. “While health care is a human business, it’s increasingly dependent on digital systems. Health care organizations need to adopt modern, proactive security measures like HIPAA-compliant hosting, end-to-end encryption and mandatory staff security training to reduce their risks.”

Minnesota led the nation in breaches, with more than 191 million records exposed in only 21 breaches, averaging over nine million per incident. One of those breaches, a February 2024 breach, affected over half a million patients.

California’s 22.6 million record exposures ranked second nationwide. In of the 46 breaches, one incident saw a health system inadvertently share patient data with outside platforms including Google, Bing and X, potentially affecting 13.4 million people.

Other states with a high number of breaches included Texas (67), New York (60) and Illinois (55). Vermont and Wyoming reported no incidents while Nevada and the District of Columbia reported just one and two, respectively.

Of the 807 breaches reported nationwide, 675 were linked to hacking and IT-related incidents, with unauthorized access and disclosure blamed for another 110, underscoring the importance of attention to both external attacks and internal security breaches.

In 2024 alone, breaches were reported on 201 separate days.