Data security breaches in healthcare now cost more than breaches in any other industry: $10.93 million on average. For fourteen years, healthcare data breaches have consistently topped the cost table.
And here’s the part that should make every healthcare security team uncomfortable.
The breaches that defined 2023-2025 were not brilliant.
A Citrix portal without MFA. PHI sitting where it should not be. A file-transfer CVE. A marketing pixel nobody reviewed closely enough. A ransomware chain that turned from “security event” into clinical disruption fast.
The controls existed somewhere. Just not on the path that mattered.
This article breaks down
- Five real healthcare breaches,
- What happened inside each one,
- And the one control that would have changed the outcome before the breach report wrote the story for everyone.
Key Insights
- Healthcare is still the costliest breach category. IBM’s 2026 Cost of a Data Breach Report puts the average healthcare breach at $10.93 million, keeping the industry at the top for the 14th year running.
- Data security breaches in healthcare are not rare edge cases anymore. Change Healthcare alone affected roughly 190 million people. Add HCA, MOVEit-related healthcare victims, Kaiser, and Ascension, and the scale stops looking like “incident response.” It looks like infrastructure risk.
- The breach paths were painfully ordinary. Missing MFA. Shadow PHI. A known MOVEit CVE. Marketing pixels on authenticated pages. A malicious download that spread into clinical systems. None of those require attacker genius.
- Cloud-side failure showed up in four of the five cases. Remote access, cloud storage, SaaS file transfer, marketing technology, federated identity, business associate workflows. Healthcare security teams can’t treat the cloud as a side environment anymore.
- The highest cost was not always the record count. Ascension disclosed nearly 5.6 million affected people, but the real damage showed up in downtime: manual workflows, delayed clinical access, scheduling pressure, and revenue-cycle drag.
- Healthcare data security breaches keep exposing the same weakness: visibility. The signals usually existed somewhere. IAM knew one thing. The scanner knew another one. Procurement had the vendor record. Compliance had the BAA. Nobody had the full breach path in one view.
- The control that changes outcomes is asset-context-aware monitoring. Start with the CI, then connect identity, PHI scope, exposure, owner, vendor, policy status, ticket, exception, and evidence before a missed control becomes a breach notice.
Why healthcare data breaches cost more (and hurt longer) than any other industry
Data security breaches in healthcare cost more because the exposed data keeps working for attackers after the incident is contained. IBM’s 2025 Cost of a Data Breach research puts healthcare at $7.42 million per breach, the highest of any industry for the 14th consecutive year. Healthcare also had the longest breach lifecycle: 279 days to identify and contain, more than five weeks above the global average.
Three things make the math worse:
- PHI has a longer fraud shelf life. A card number gets cancelled. PHI does not. Names, dates of birth, diagnoses, insurance IDs, Social Security numbers, prescriptions, and billing records can support identity theft, insurance fraud, targeted phishing, and patient impersonation for years. That is why data security breaches in healthcare create risk long after legal notification is complete.
- HIPAA turns response into a regulated workflow. Once unsecured PHI is involved, security teams are no longer just containing access. They are preserving evidence, validating scope, supporting HIPAA and HITECH notification duties, preparing OCR reporting, briefing counsel, and documenting corrective actions. For breaches affecting 500 or more people, the clock can move fast: HHS notification is due without unreasonable delay and no later than 60 days.
- Downtime hits clinical operations. If an EHR, pharmacy system, imaging workflow, or claims platform goes down, care delivery changes immediately. Surgeries can be delayed. Ambulances may be diverted. Nurses move to paper. Discharge slows. Revenue cycle stalls. The breach becomes an operational disruption with clinical impact, not just a security event.
The five cases below all happened in the past 26 months. Each one shows a different failure pattern: exposed PHI, regulatory pressure, or care disruption. More importantly, each case shows what would have changed the trajectory before the breach became a board-level problem.
Examples of data security breaches in healthcare: 5 recent cases
These are real examples of data security breaches in healthcare, pulled from public breach updates, congressional testimony, regulator records, and company disclosures. No invented “what-if” scenarios. No cyber-thriller plot. Just the dull control gaps that grew into problems for the whole country.
Change Healthcare, February 2024
Change Healthcare was not breached through a never-before-seen exploit. ALPHV, also known as BlackCat, got in with compromised credentials on a Citrix remote access portal. The portal did not have MFA.
That is the part that matters.
Once inside, the attackers moved laterally, exfiltrated data, and deployed ransomware nine days later. HHS later listed about 192.7 million impacted individuals, putting this case in “largest healthcare data breach in US history” territory.
The blast radius was not limited to stolen PHI. Change Healthcare sits inside the payments and claims layer, so the ransomware impact hit the revenue cycle almost immediately:
- Claims stalled
- Pharmacy transactions broke
- Providers waited on payments
- Manual workarounds replaced normal workflows
- Cash-flow pressure moved from IT into finance and operations
One missing MFA control turned into weeks of billing disruption across US healthcare.
Lesson: MFA on every remote access pathway is non-negotiable. The audit may say MFA exists. The breach report will show which path was missed.
HCA Healthcare, July 2023: PHI-adjacent data leaked from an email workflow
HCA Healthcare did not lose clinical records in this breach. That is what makes this case so useful.
The attacker accessed an external storage location used to automate email formatting and stole patient data tied to communication workflows. HCA later said the incident affected about 11 million patients across 20 states.
2025 settlement reporting put the OCR figure at 11.27 million patients and referenced a stolen database with 27.7 million records.
The exposed fields were not “deep clinical data.” They were the kind of fields healthcare teams often underestimate:

HCA said the stolen data did not include clinical information, diagnosis, treatment details, payment data, passwords, driver’s license numbers, or Social Security numbers.

Still, this belongs in any serious review of data security breaches in healthcare because healthcare privacy does not begin and end with the EHR.
A patient name plus service location plus appointment date can say plenty. Oncology. Fertility. Behavioral health. Cardiology. A field does not need to be labeled “diagnosis” to create patient privacy risk.
The breach pattern is simple: Patient communication data moved into external storage. Security visibility did not match the sensitivity of the data sitting there.
The risk sits in the gap between what policy says and what storage actually contains.
A healthcare organization may rule that appointment reminder workflows should not store regulated data. Fine. The control only becomes real when security can inspect the storage path and prove what is inside it.
That means finding:
- Buckets, blobs, file shares, and temporary export paths tied to patient communications
- Files containing names, DOBs, appointment dates, service codes, MRNs, insurance IDs, or contact data
- Storage locations connected to vendors without clear BAA-covered storage
- Broad internal access, stale service accounts, external sharing, or cross-account permissions
- Old exports that should have expired after the workflow completed
That is where shadow PHI usually shows up: not in the system everyone audits, but in the helper workflow nobody checks until it appears in a breach notice.
The report healthcare teams should run
For a case like HCA, teams can build a PHI storage exposure report using Cloudaware inventory, compliance, and asset metadata.

That view changes the work from “check cloud storage” to a fix list:
- Remove public or external access from storage containing PHI fields
- Kill stale service accounts tied to old email workflows
- Move PHI-bearing files into approved storage
- Confirm BAA coverage for vendors touching patient communication data
- Add alerts for bulk reads, permission changes, and new external sharing
- Delete expired exports instead of letting them become breach material
This is data discovery with teeth. It tells security what patient data exists, where it sits, who can reach it, and which workflow created the risk.
Lesson from HCA
HCA shows why cloud storage exposure is not a side issue for healthcare security. The breach did not need diagnosis fields or treatment notes to affect well over 11 million people.
The operational lesson is blunt:
You cannot protect the PHI you do not know you have. Continuous discovery of what actually sits in cloud storage matters more than the policy that says it should not be there.
MOVEit Transfer supply-chain breach, May-July 2023
MOVEit was not a hospital breach in the classic sense. No nurse clicked the wrong link. No EHR admin opened a malicious attachment.
A trusted file-transfer layer failed.
Progress Software’s MOVEit Transfer had a SQL injection vulnerability, CVE-2023-34362, rated CVSS 9.8 critical. The flaw let unauthenticated attackers access the MOVEit database over HTTP or HTTPS.
Cl0p exploited it before many teams had patched, isolated, or even confirmed where MOVEit existed in their environment. CISA later added the CVE to its Known Exploited Vulnerabilities catalog.

Healthcare got pulled in through the normal plumbing: file exchange, claims data, benefits administration, vendor workflows, and business associate connections.
Welltok reported 8.5M+ affected individuals. Maximus disclosed roughly 11 million. Johns Hopkins, Massachusetts General Brigham, and other healthcare entities also appeared in MOVEit-related breach disclosures. Source: ocrportal.hhs.gov
The root cause was not simply “a vendor had a CVE.” That is too thin for a post-mortem.
The real failure pattern was asset-to-data visibility. Security teams needed quick answers to four questions:
- Where do we run MOVEit?
- Who owns it? Is it internet-exposed?
- What PHI passes through it?
- And which BAA-covered workflows depend on it?
Here is the report healthcare teams use in Cloudaware to answer them:

SBOMs help, but only when they connect to live assets, vendor risk management, data classification, and BAA-covered workflows. Otherwise, an SBOM becomes another artifact nobody can query during the patch window.
Lesson: vulnerability management must cover vendor-managed components in your environment and in business associate workflows. The MOVEit CVE was visible. The blind spot was who ran it, what it touched, and whether PHI moved through it.
Kaiser Permanente tracking-pixel disclosure, April 2024
Kaiser did not get hit by ransomware. That is what makes this case useful. In April 2024, Kaiser Foundation Health Plan notified about 13.4 million current and former members and patients after tracking technologies on its websites and mobile apps may have shared user activity with outside vendors.
The named tools were the usual marketing stack suspects:
- Meta Pixel
- Google-related analytics and ad tools
- Microsoft/Bing advertising tools
- Other third-party scripts
Nothing about that sounds dramatic. That is the problem.
These scripts were running on healthcare web properties where logged-in members could search, click, view account details, book care, check pharmacy information, or move through billing and appointment workflows. HHS OCR warns that tracking technologies on authenticated healthcare pages can touch PHI, including IP addresses, appointment details, medical record numbers, prescriptions, billing data, email addresses, and portal activity.
A pixel on a public campaign page is analytics.
A pixel on an authenticated member portal can become PHI disclosure.
The root cause was not “bad marketing.”
It was missing security review on regulated-data-adjacent pages. Marketing technology entered production as approved business tooling. Security needed to know which pages loaded third-party scripts, what those scripts collected, where the data went, and whether each vendor relationship belonged anywhere near HIPAA-covered workflows.
Cloudaware clients usually make this kind of review operational using reports like:

The script finding is tied to the affected CI, which is tied to an app owner, the policy result is routed for review, and the change evidence stays attached to the asset record. No Slack archaeology. No privacy spreadsheet that goes stale two weeks after the audit.
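An added example (not Kaiser's or Cloudaware's code) of the page-level inventory that review needs: it parses constructed portal HTML for third-party script, image and iframe loads and for inline pixel initialisers, then grades each load by whether the page is authenticated and whether the vendor has BAA evidence. The first-party hosts, the vendor registry and its BAA flags are assumptions a security team would maintain, not statements about any vendor.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed first-party hosts and vendor registry. Vendor hostnames are the
# real script origins; the BAA/approval status is an assumption for this example.
FIRST_PARTY = {"www.example-health.org", "members.example-health.org"}
VENDOR_REGISTRY = {
    "connect.facebook.net": {"vendor": "Meta Pixel", "baa": False},
    "www.googletagmanager.com": {"vendor": "Google tag (gtag.js)", "baa": False},
    "bat.bing.com": {"vendor": "Microsoft Advertising UET", "baa": False},
}
# Inline initialisers that fire a pixel without a visible src attribute.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google tag (gtag.js)",
                  "uetq": "Microsoft Advertising UET"}

# Constructed pages: one public campaign page, one authenticated member page.
PAGES = [
    {"url": "https://www.example-health.org/flu-shot-campaign", "authenticated": False,
     "html": '<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=TAG-PLACEHOLDER"></script>'
             '<script>window.dataLayer=[];function gtag(){dataLayer.push(arguments);}gtag("js",new Date());</script>'
             '</head><body><img src="/img/banner.png"></body></html>'},
    {"url": "https://members.example-health.org/appointments", "authenticated": True,
     "html": '<html><head><script src="/static/portal.js"></script>'
             '<script src="//connect.facebook.net/en_US/fbevents.js"></script>'
             '<script>fbq("init","PIXEL-PLACEHOLDER");fbq("track","PageView");</script>'
             '<img src="https://bat.bing.com/action/0?ti=UET-PLACEHOLDER" height="0" width="0">'
             '<script src="https://cdn.unknown-analytics.example/collect.js"></script>'
             '</head><body>Upcoming appointments</body></html>'},
]


class ThirdPartyLoads(HTMLParser):
    """Collect external resource hosts and inline tracking initialisers from one page."""

    def __init__(self):
        super().__init__()
        self.hosts: set[str] = set()
        self.inline: set[str] = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname  # None for relative, first-party paths
            if host and host not in FIRST_PARTY:
                self.hosts.add(host)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.update(v for marker, v in INLINE_MARKERS.items() if marker in data)


def review_page(page: dict) -> dict:
    """Map every third-party load on a page to vendor status and a review severity."""
    parser = ThirdPartyLoads()
    parser.feed(page["html"])
    findings = [{"host": h, **VENDOR_REGISTRY.get(h, {"vendor": "unknown", "baa": False})}
                for h in sorted(parser.hosts)]
    for vendor in sorted(parser.inline):           # inline-only pixels with no src
        if not any(f["vendor"] == vendor for f in findings):
            findings.append({"host": "(inline)", "vendor": vendor, "baa": False})
    for f in findings:
        if page["authenticated"]:
            # Logged-in pages can expose MRNs, appointment details and portal activity.
            f["severity"] = "medium" if f["baa"] else "high"
        else:
            f["severity"] = "info"                 # public campaign page: analytics
    return {"url": page["url"], "authenticated": page["authenticated"], "findings": findings}


def needs_review(pages: list[dict]) -> list[dict]:
    """Flatten to the findings that should block a release: loads on authenticated pages."""
    return [{"url": r["url"], **f} for r in map(review_page, pages)
            for f in r["findings"] if f["severity"] in ("high", "medium")]


if __name__ == "__main__":
    for f in needs_review(PAGES):
        print(f"[{f['severity']}] {f['url']} loads {f['host']} ({f['vendor']}, BAA={f['baa']})")
```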
The litigation kept moving after the breach notice. In 2026, Kaiser agreed to a proposed $46 million settlement while denying wrongdoing.
Lesson: one of the easiest healthcare data exposure paths to miss is the marketing pixel nobody mapped to PHI. Third-party scripts on authenticated healthcare pages need security review, vendor validation, and policy evidence before they ship.
Ascension Health, May 2024: when ransomware turned into a clinical operations crisis
A breach notice makes Ascension look like a data-loss story.
Nearly 5.6 million people affected. Medical records, lab details, insurance information, payment data, and personal identifiers exposed after a ransomware attack hit the health system in May 2024. Source: reuters.com
That number belongs in any serious list of data security breaches in healthcare. But it does not tell the whole story.
Inside the hospitals, the breach looked like blocked EHR access, paper charting, delayed tests, pharmacy disruption, ambulance diversion, postponed appointments, and clinicians trying to work safely without the systems they use every hour. Ascension operates about 140 hospitals across 19 states and Washington, D.C., so the operational blast radius was not theoretical.

The breach in plain terms
| What happened | Why it matters for security teams |
|---|---|
| An employee downloaded a malicious file that looked legitimate. | Treat phishing as the first step, not the full explanation. |
| Attackers gained access to Ascension’s environment. | Initial access became an internal visibility problem. |
| Reporting linked the incident to Black Basta ransomware. | Black Basta-style operations rely on speed, credentials, and lateral movement. |
| EHR and clinical systems were disrupted. | Ransomware hit care delivery, not only data confidentiality. |
| Ambulances were diverted at some facilities. | Downtime became a patient-flow and emergency-care problem. |
| Nearly 5.6 million people were later tied to the breach filing. | The data impact arrived after the operational damage had already played out. |
Source: cybersecuritydive.com and healthcaredive.com
A practitioner should read Ascension as a chain:
malicious file → foothold → credential risk → lateral movement → ransomware → EHR disruption → clinical impact → breach filing
That chain matters because most teams over-index on the first and last links. They train employees not to click. They prepare notification letters after data is stolen.
The dangerous part sits in the middle.
Where the incident became hard to stop
Once an attacker has a foothold, the clock changes.
Security needs to know which identity was touched, what that identity can reach, which servers sit behind the same trust path, whether any EHR-adjacent systems are exposed, and which clinical service breaks if a subnet or host gets isolated.
That is not a philosophical ransomware lesson. It is the incident commander’s screen at 2:00 a.m.
A 2025 JAMA Network Open study on the Ascension outage found measurable disruption in emergency department operations, including changes in patient volume and emergency department stroke alert volumes during the ransomware period.
So, yes, the breach involved data.
The sharper lesson is this: in healthcare, ransomware does not wait for the privacy investigation to finish before it starts affecting care.
What the team needs to see before the ransom note
For an Ascension-type incident, “all alerts from the last 24 hours” is almost useless.
Too many signals. Not enough meaning.
The better view is an Identity-to-Clinical-Service Risk Board. It starts with the suspicious identity activity, then follows the path: account, endpoint, permissions, related assets, clinical dependency, assigned owner, and alert destination.

That is the view incident response needs while ransomware is still moving.
Because the raw signals usually arrive in pieces.
- A SIEM event shows a suspicious login
- An endpoint tool shows the affected device
- IAM data shows the role or service account
- The CMDB shows the asset, owner, environment, and related systems
- Compliance findings show whether the server was already drifting from required controls
Cloudaware’s role in that workflow is context. It connects discovered assets, CMDB relationships, tags, ownership, IAM posture, vulnerabilities, compliance findings, and SIEM-enriched events so the alert does not sit alone.
A suspicious service-account login is one thing.
A suspicious service-account login tied to an Epic support workflow, owned by EHR Infrastructure, with broad file-share access and a critical alert already routed to the right queue is a very different thing.
That changes the response from investigation sprawl to a focused handoff:
- Which account triggered the alert?
- Which asset is involved?
- Which clinical service may be affected?
- Who owns it?
- What security findings raise the priority?
- And where has the alert been sent?
Separate screens slow the room down.
Connected context gives the team a cleaner read before one endpoint issue turns into EHR downtime.
The controls Ascension pushes up the priority list
Do not turn this case into another “train users better” paragraph. Training helps. Email security helps. Endpoint control helps.
Ascension shows what has to exist after a malicious file gets through:
- Identity blast-radius mapping: Know what each user, service account, and privileged group can reach.
- Clinical dependency mapping: Tie servers, databases, cloud assets, and network segments to Epic, pharmacy, imaging, lab, scheduling, and portal workflows.
- Lateral movement detection: Watch for new admin use, unusual remote execution, suspicious service creation, abnormal file-share access, and privilege changes.
- Owner-based IR routing: Send containment tasks to the clinical app owner or infrastructure owner, not a generic queue.
- Restore tiers based on care impact: Bring back systems in the order patients and clinicians need them, not only by infrastructure labels.
- Downtime rehearsal: Test paper workflows, medication ordering, lab routing, ambulance diversion logic, and data reconciliation before an outage forces the drill.
That last one gets ignored until it hurts.
Healthcare downtime is not a normal IT outage. When Epic access disappears, nurses lose medication checks, physicians lose history, pharmacy workflows slow down, labs become harder to track, and every manual note creates reconciliation work later.
Lesson from Ascension Health
Ascension belongs in this article because it shows how modern ransomware moves from phishing to lateral movement to EHR disruption to measurable clinical impact.
The regulatory filing captured the data breach. The hospitals lived the downtime.
The data breach was the headline. The operational disruption was the actual cost. Healthcare incident response must assume that credential compromise will occur and be architected for what comes next.
What these healthcare data security breaches tell us about cloud security in 2026
Healthcare data security breaches are no longer contained inside hospital IT.
That is the pattern across these five cases.
Change Healthcare started with remote access and a missing MFA control. HCA exposed patient data from an external storage location. MOVEit turned one file-transfer CVE into a supply-chain problem for hospitals, health plans, vendors, and business associates. Kaiser’s tracking-pixel disclosure came from approved marketing technology running too close to member data. Ascension began with a malicious download, then pushed clinical operations into downtime.
Different breach types. Same operating reality.
Healthcare now runs through identity providers, SaaS tools, cloud storage, analytics scripts, EHR integrations, claims platforms, vendor file exchange, and BAA-covered workflows.
A threat model built around the data center alone is already out of date.
The breach path now runs through the asset graph: identity, workload, data, vendor, owner, policy, exception, ticket.
That sounds abstract until you look at the controls that failed.
- Missing MFA was not a rare engineering problem
- Shadow PHI was not a zero-day
- A known vendor CVE was not invisible
- A marketing pixel on an authenticated portal was not advanced malware
These data security breaches in healthcare were ordinary gaps with an enterprise blast radius.
The control existed somewhere. MFA existed, just not on the path that mattered. Vulnerability scanning existed, just not connected tightly enough to vendor exposure and PHI scope. Privacy review existed, but not for areas where scripts touched logged-in member activity. PHI discovery existed as a goal, but not always as a live view of where regulated data actually sat.

That is why the record count is only half the story.
Ascension disclosed nearly 5.6 million affected people after its May 2024 ransomware attack. The heavier operational lesson was the disruption across care delivery: systems offline, manual workflows, delayed access to clinical data, scheduling pressure, and revenue-cycle drag.
In healthcare, downtime leaves the security console fast. It lands on nurses, pharmacists, billing teams, ambulance routing, and patients. Source: www.reuters.com
The practical control is not “more alerts.”
It is a view that shows the breach precondition while there is still time to fix it.
Start with the asset record. Then pull the surrounding context into one place: identity path, PHI scope, owner, exposure, vendor, policy status, exception, ticket, and evidence.
That is how these breach patterns become visible before they turn into breach reports.

In Cloudaware, this is the operating model: security teams investigate from the CI outward instead of stitching context from IAM, scanner, procurement, compliance, CMDB, and ticketing exports after the damage is done.
- A Citrix access path is not just a remote login. It is an identity chain, an MFA status, an owner, an exception, and a downstream service.
- A MOVEit finding is not just a critical CVE. It is a vulnerable file-transfer asset, a patch state, an exposure path, a vendor workflow, and a PHI question.
- A tracking pixel is not just a marketing tag. It is a third-party script on a regulated web asset, with a vendor status, BAA evidence, policy result, and change record attached.
That is the real common thread: visibility did not fail because healthcare teams had no tools. It failed because the tools were not looking at the same operating picture.
IAM knew one thing. The scanner knew another one. Procurement had the vendor status. Compliance had the BAA. The CMDB had the owner. The ticketing system had a remediation history.
Attackers do not care where the context lives.
They only need one path nobody sees end-to-end.
The lesson is brutally practical: healthcare cloud security has to connect the asset, data, identity, vendor, policy status, and remediation path before the breach report connects them for you.
What would have caught each breach (or limited the blast radius)
The ugly pattern across these healthcare data security breaches is not that teams had zero tools. They had tools. What they often lacked was one shared view of the asset, owner, identity path, PHI scope, exposure, and care impact.
That is where a unified cloud security stack earns its place. Not by “solving” the breach. By catching the precondition earlier or shrinking how far the attacker can move.
| Breach | What made the breach possible | Control that should catch it or limit the blast radius |
|---|---|---|
| Change Healthcare, Feb 2024 | Attackers used compromised credentials to access a Citrix remote-access portal without MFA, according to Congressional testimony and reporting. | Continuous IAM exposure review. Production systems tagged as PHI or PCI in-scope should raise priority when login events come from a new IP, unfamiliar geography, unmanaged device, unusual role path, or federated access pattern. |
| HCA Healthcare, Jul 2023 | Patient-identifiable data sat in an external storage location used for email-related operations. HCA said clinical records were not involved, but names, contact details, DOBs, service dates, and appointment data were. | PHI/PII content inspection plus CMDB-led storage inventory. Every bucket, blob, file share, backup path, and export location needs an owner, app relationship, environment, and compliance scope. |
| MOVEit, mid-2023 | A critical third-party file-transfer vulnerability hit healthcare through covered entities and business associates. One 2024 analysis counted 42 healthcare MOVEit breaches and more than 41M PHI records exposed. | Vulnerability scanning tied to exposure context. A scanner result alone says “MOVEit CVE.” The operational query should say: “internet-exposed MOVEit workload, production, PHI-related workflow, assigned owner, active CVE.” A 15-minute vulnerability scan cadence matters most when the finding lands on the asset graph. |
| Kaiser Permanente, Apr 2024 | Tracking technologies on websites and apps transmitted personal data to third parties including Google, Microsoft Bing, and X. HIPAA Journal reported 13.4M affected people. | CSPM policy checks for regulated web properties. Healthcare-tagged apps and domains need configuration-as-code policies for marketing-tech changes, third-party scripts, outbound flows, and approval status. PHI inspection adds what data actually leaves, not just which script loaded. |
| Ascension Health, May 2024 | A malicious file opened the door. The harder problem came next: credential risk, lateral movement, ransomware, EHR disruption, and clinical impact. Reuters later reported nearly 5.6M affected people. | SIEM identity anomaly detection enriched with CMDB context. Impossible travel, brand-new role assumption, MFA fatigue patterns, suspicious service-account behavior, and remote execution need asset metadata at ingestion. |
Here is the part practitioners already know, but leadership often misses: the breach starts with one weak point. The blast radius comes from everything that weak point can reach.
None of these controls is exotic.
CSPM exists. SIEM exists. Vulnerability scanning exists. File integrity monitoring exists. Ticket routing exists. The failure starts when each tool describes a different version of the same environment.
- A CVE record points to one host
- An IAM anomaly points to a user
- A PHI match points to a storage location
- A compliance violation points to a failed control
- A ticket points to an owner
If those signals do not resolve to the same asset graph, the security team does the correlation manually. During a healthcare incident, that is expensive time.
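As an added example (not Cloudaware's code or the page's own report) serving both the four MOVEit questions earlier and the signal list just above: constructed findings from a scanner, SIEM, DLP, CSPM and ticketing tool each name the asset by a different key; resolving them through a CMDB index lands them on one CI, and the CI's exposure, PHI scope and clinical dependencies set the priority and the owner queue. The CMDB schema, the signal shape and the scoring weights are assumptions.

```python
from collections import defaultdict

# Constructed CMDB extract. Each CI carries the keys other tools use to name the
# same thing (hostnames, identities, storage paths) plus the context that decides
# priority. Field names are assumptions for this example.
CMDB = {
    "CI-1001": {"name": "MOVEit Transfer node", "owner": "Integration Platform",
                "environment": "prod", "internet_exposed": True, "phi_scope": True,
                "clinical_services": ["claims", "pharmacy-benefits"],
                "hostnames": ["mft-prod-01"], "identities": ["svc-mft-transfer"],
                "storage": ["s3://claims-exchange"], "queue": "SEC-INTEGRATION"},
    "CI-2002": {"name": "Marketing web edge", "owner": "Digital",
                "environment": "prod", "internet_exposed": True, "phi_scope": False,
                "clinical_services": [], "hostnames": ["www-edge-03"],
                "identities": [], "storage": [], "queue": "SEC-WEB"},
}

# Constructed signals as each tool emits them: a host, a user, a bucket, a control.
SIGNALS = [
    {"source": "scanner", "key_type": "hostname", "key": "mft-prod-01",
     "detail": "CVE-2023-34362 unpatched"},
    {"source": "siem", "key_type": "identity", "key": "svc-mft-transfer",
     "detail": "login from new geography"},
    {"source": "dlp", "key_type": "storage", "key": "s3://claims-exchange",
     "detail": "PHI match: MRN, insurance ID"},
    {"source": "cspm", "key_type": "hostname", "key": "mft-prod-01",
     "detail": "patch SLA control failed"},
    {"source": "ticketing", "key_type": "hostname", "key": "mft-prod-01",
     "detail": "TICKET-PLACEHOLDER: patch deferred, exception open"},
    {"source": "cspm", "key_type": "hostname", "key": "www-edge-03",
     "detail": "TLS policy drift"},
    {"source": "scanner", "key_type": "hostname", "key": "lab-test-07",
     "detail": "CVE-PLACEHOLDER"},   # host nobody registered: cannot be resolved
]

KEY_FIELDS = {"hostname": "hostnames", "identity": "identities", "storage": "storage"}


def build_index(cmdb: dict) -> dict:
    """Map every (key_type, key) a tool might emit to the CI that owns it."""
    index = {}
    for ci_id, ci in cmdb.items():
        for key_type, field in KEY_FIELDS.items():
            for key in ci[field]:
                index[(key_type, key)] = ci_id
    return index


def priority(ci: dict, signals: list[dict]) -> str:
    """Score one CI from its context and the mix of signals landing on it."""
    score = len(signals)
    score += 3 if ci["internet_exposed"] else 0
    score += 3 if ci["phi_scope"] else 0
    score += min(len(ci["clinical_services"]), 3)
    if {"scanner", "siem"} <= {s["source"] for s in signals}:
        score += 3   # exploitable flaw plus identity anomaly on one asset: foothold risk
    return "critical" if score >= 10 else "high" if score >= 6 else "medium"


def correlate(signals: list[dict], cmdb: dict) -> tuple[dict, list[dict]]:
    """Resolve signals onto the asset graph; return (per-CI records, unresolved signals)."""
    index = build_index(cmdb)
    grouped, unresolved = defaultdict(list), []
    for s in signals:
        ci_id = index.get((s["key_type"], s["key"]))
        (grouped[ci_id] if ci_id else unresolved).append(s)
    records = {}
    for ci_id, sigs in grouped.items():
        ci = cmdb[ci_id]
        records[ci_id] = {
            "asset": ci["name"], "owner": ci["owner"], "environment": ci["environment"],
            "clinical_services": ci["clinical_services"], "route_to": ci["queue"],
            "signals": [f"{s['source']}: {s['detail']}" for s in sigs],
            "priority": priority(ci, sigs),
        }
    return records, unresolved


if __name__ == "__main__":
    records, unresolved = correlate(SIGNALS, CMDB)
    for ci_id, rec in records.items():
        print(f"{ci_id} {rec['asset']} [{rec['priority']}] -> {rec['route_to']} ({rec['owner']})")
        for line in rec["signals"]:
            print("   ", line)
    print("unresolved (manual correlation needed):", [s["key"] for s in unresolved])
```

The unresolved list is the page's failure mode made visible: a signal whose key no CI claims is exactly the one the team ends up correlating by hand.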
In Cloudaware, the operational version is tighter: discovered multi-cloud assets sit in the CMDB with owners, tags, environment, compliance scope, vulnerabilities, IAM context, CSPM findings, SIEM-enriched logs, host-based intrusion signals, and Jira or ServiceNow routing.

A storage bucket, Citrix-facing server, MOVEit workload, web property, or EHR-adjacent host can be treated as one record with many risk signals attached.
That changes the work. The team stops asking, “What is this asset?” They start asking, “Does this touch PHI, claims, Epic, pharmacy, patient portal, or clinical uptime?”
That is the operational delta these examples of data security breaches in healthcare all point to. The control category matters. The shared asset graph decides whether the control becomes action.