Originally published by our sister publication Specialty Pharmacy Continuum

By Gina Shaw

Over 300 million patient records were breached in 2024, a 26% increase from 2023, according to the 2025 “Breach Barometer” report, released in late February by Bluesight, DataBreaches.net and Clearwater. Notifications of breaches averaged 205 days after the incident, up from 177 days in 2023, leaving affected individuals unaware of their data exposure for longer than in past years.

The largest of these incidents, of course, was the Change Healthcare breach, a ransomware attack involving some 190 million patient records, which caused significant delays in patient care due to disrupted operations, including delays in prescription filling. The other most significant breaches included:

  • a pixel tracking error-related breach at the health plan Kaiser Foundation Health, involving 13.4 million records;
  • a ransomware attack on the multi-state Catholic health system Ascension Health, involving nearly 5.6 million records;
  • a credential compromise at HSA administrator Health Equity Inc., involving 4.3 million records; and
  • hacked medical transcription at New Jersey-based provider Concentra Health Services, involving nearly 4 million records.

Hacking and ransomware accounted for 82% of breaches reported in 2024, and business associates represented 66% of all breached records, a clear indication of the significant risks posed by third-party entities. “These findings serve as a critical reminder for healthcare entities to strengthen risk management and oversight when engaging with business associates to mitigate potential vulnerabilities,” the report noted.

Andrea Belmore, Bluesight’s director of professional services, added that “insider threats also continue to be a growing trend.” In 2024, insider errors, such as email mistakes or misconfigured cloud storage, resulted in nearly 16 million breached records—almost quadruple the previous year’s number of breached records for insider-error incidents. Although less common, insider wrongdoing caused substantial damage, with more than 1.3 million records compromised in 2024 due to malicious actions such as terminated employees exploiting access for financial gain.

Such wrongdoing is a particular issue for hospital pharmacies, Ms. Belmore noted. “The privacy and security of patient records is incredibly important, of course. Additionally, if you have nefarious actors snooping around in patient records, it is possible that they are engaging in other problematic behavior within the pharmacy space as well,” she said.

“We have often seen in Bluesight investigations that privacy matters can turn into pharmacy matters—if a person is snooping in patient records, that can correlate with drug diversion. That person may be looking at the records of ED [emergency department] patients to see if they’ve been prescribed narcotics, for example.”

The widening gap between discovery of a breach and notification of those affected not only puts individuals at greater risk for harm, but also reflects poorly on organizational readiness to detect and respond to breaches, according to the report. “Breaches undermined confidence in healthcare providers, particularly when insider threats, such as data snooping or improper sharing, were involved,” it said. “Restoring trust after such events proves challenging and often requires significant reputational recovery efforts.”

These delays can also lead to regulatory penalties and legal consequences, because timely breach reporting is often a requirement under data protection laws, the report pointed out. “Addressing these gaps must become a priority for organizations to protect both their stakeholders and their compliance standing.”


A $9.77 Million Mistake 

Beyond operational and trust-related challenges, the report found, breaches also led to significant financial consequences for institutions involved. The cost of a single healthcare data breach in 2024 averaged $9.77 million, with rising impact from ransomware, legal actions and regulatory fines.

Hospital pharmacies should work with their IT teams, and potentially with external auditors as well, on annual security and privacy risk assessments, Ms. Belmore said. “They should go through your IT setup and network security, to ensure that it is configured … to minimize risk from outside actors. You should also [conduct] proactive, preparatory exercises focused on how you would respond to any breaches in a rapid and responsible fashion.”

Ms. Belmore reported no relevant financial disclosures.