301M Records Exposed: The HIPAA Breach Epidemic

Original link: https://ciphercue.com/blog/hipaa-breach-epidemic-301-million-records

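## Healthcare data breaches reach crisis levels

According to data from the US Department of Health and Human Services (HHS), more than 301 million patient records were exposed in 2024 through 735 reported HIPAA breaches, and the number is still rising. The Change Healthcare breach alone exposed nearly 193 million records, the health data of more than half the US population. Even excluding that incident, the remaining breaches still affected more than 109 million records.

Hacking/IT incidents are the leading cause (84%), but unauthorised access/disclosure, which often stems from *insider* threats, accounts for 15% of breaches. California, Texas and Florida lead in total number of incidents.

These breaches create immediate, high-intent sales opportunities for cybersecurity vendors. Affected organisations face regulatory scrutiny and public pressure, which drives urgent investment in security solutions. Real-time monitoring of HHS breach filings, such as that offered by CipherCue, lets sales teams act within this critical window of demand.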

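## The HIPAA breach crisis: a systemic failure

A recent report describes a large-scale wave of HIPAA data breaches, with the records of more than 301 million people exposed. This is not an isolated event but a systemic crisis, with one in seven breaches stemming from abuse of insider access.

Discussion on Hacker News centred on the lack of accountability and on the normalisation of these breaches as a "cost of doing business". Commenters raised concerns about insufficient government oversight, especially in the United States, and about breached data possibly ending up in AI training sets. Many consider current penalties inadequate and argue for criminal liability for negligence and for heavy financial compensation from companies.

Some commenters pointed to failures beyond technical security, including social engineering attacks (as in the Change Healthcare breach) and the sheer volume of data held by healthcare entities. There was widespread pessimism about meaningful change, with some arguing that lobbying and political priorities obstruct effective data protection. Ultimately, the discussion underlined the need for a fundamental rethink of data storage practices and for stronger enforcement of data security standards.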

Original text

301,768,951 Patient records exposed in reported HIPAA breaches

That number isn't a projection. It isn't an estimate. It's the sum total of confirmed individuals affected across 735 breach reports filed with the HHS Office for Civil Rights - and it's growing every week.

The Change Healthcare catastrophe dwarfs everything

One breach dominates the landscape: Change Healthcare, with 192.7 million records exposed in a single incident. To put that in perspective, that's more than half of the entire US population's health records compromised in one attack.

But even without Change Healthcare, the remaining 734 breaches still account for over 109 million exposed records. This isn't a single point of failure - it's a systemic crisis.

The top 10 breaches account for 82% of all exposed records

| Organisation | Records Exposed |
|---|---|
| Change Healthcare, Inc. | 192,700,000 |
| Aflac Incorporated | 13,924,906 |
| Kaiser Foundation Health Plan | 13,400,000 |
| Episource, LLC | 6,725,572 |
| Ascension Health | 5,466,931 |
| Blue Shield of California | 4,700,000 |
| HealthEquity, Inc. | 4,300,000 |
| TriZetto Provider Solutions | 3,433,965 |
| Acadian Ambulance Service | 2,896,985 |
| Sav-Rx | 2,812,336 |

Hacking dominates, but insider threats are surging

Of the 735 reported breaches:

  • 616 (84%) were caused by Hacking/IT Incidents
  • 111 (15%) involved Unauthorised Access or Disclosure - often insider threats
  • The remaining involved theft, loss, or improper disposal

The insider threat number is significant. One in seven breaches isn't a sophisticated external attack - it's someone inside the organisation accessing data they shouldn't.

California, Texas, and Florida lead the breach count

The geographic distribution follows population centres, but the per-capita rates tell a different story:

  • California: 70 breaches
  • Texas: 59 breaches
  • Florida: 57 breaches
  • New York: 42 breaches
  • Illinois: 35 breaches

What this means for cybersecurity sales teams

Every one of these 735 breached organisations is now a prospect with an urgent, board-level mandate to invest in cybersecurity. They've been publicly named, they're facing regulatory scrutiny, and their patients are asking questions.

The window after a public breach filing is the highest-intent moment in the buyer's journey. These organisations aren't browsing - they're buying.

CipherCue monitors HHS OCR filings in real time and alerts your team within hours of a new breach report. Request a demo to see it in action.