Healthcare cybersecurity so far in 2025: 5 notes


While the total of breached patient records so far in 2025 pales in comparison to the previous two years, the “number is still far too high and should not be tolerated as the norm,” American Hospital Association leaders wrote.

Here are five healthcare cybersecurity-related figures from the Oct. 7 article by John Riggi, national advisor for cybersecurity and risk, and Scott Gee, deputy national advisor for cybersecurity and risk:

1. As of Oct. 3, 364 hacking incidents involving upward of 33 million individuals have been reported to HHS’ Office of Civil Rights, compared to 259 million in all of 2024 — including 192.7 million from the Change Healthcare cyberattack — and 138 million in the whole of 2023.

2. Over 80% of health records were stolen from third-party vendors, software services, business associates, nonhospital providers and health plans like CMS.

3. More than 90% of records were taken from outside the EHR.

4. All of the hacked data was unencrypted, with stolen credentials giving access to encrypted data or unencrypted records pilfered after being stored separately from the EHR.

5. Many of the reported hacks in 2024 and 2025 were ransomware attacks coupled with data theft, aka double-layered extortion.
