This figure is the sum of the individuals_affected field across 735 HIPAA breach filings from the HHS Office for Civil Rights in our current dataset snapshot.
What this number is, and what it is not
- It is an aggregate exposure count across filings.
- It is not a unique-person count because the same person can appear in multiple incidents.
- It is filing-based, so totals can change when reports are amended.
That distinction matters. The number is still severe, but precision about methodology is essential when discussing public-health-scale breaches.
Change Healthcare dominates the totals
The single largest filing is Change Healthcare at 192.7 million affected individuals. Even after excluding that incident, the remainder still represents more than 109 million affected individuals across hundreds of separate filings.
This is not one isolated failure mode. It is repeated, cross-organisation exposure at national scale.
The top 10 breaches account for 82% of all exposed records
| Organisation | Records Exposed |
|---|---|
| Change Healthcare, Inc. | 192,700,000 |
| Aflac Incorporated | 13,924,906 |
| Kaiser Foundation Health Plan | 13,400,000 |
| Episource, LLC | 6,725,572 |
| Ascension Health | 5,466,931 |
| Blue Shield of California | 4,700,000 |
| HealthEquity, Inc. | 4,300,000 |
| TriZetto Provider Solutions | 3,433,965 |
| Acadian Ambulance Service | 2,896,985 |
| Sav-Rx | 2,812,336 |
Hacking is the dominant cause, but insider access remains material
Of the 735 reported breaches:
- 616 (84%) were caused by Hacking/IT Incidents
- 111 (15%) involved Unauthorised Access or Disclosure
- The remaining involved theft, loss, or improper disposal
Roughly one in seven incidents involved unauthorised access or disclosure rather than an external intrusion, which is significant for organisations that focus only on perimeter defence.
California, Texas, and Florida lead breach volume
The geographic distribution follows population centres, though per-capita rates would tell a different story; the raw filing counts are:
- California: 70 breaches
- Texas: 59 breaches
- Florida: 57 breaches
- New York: 42 breaches
- Illinois: 35 breaches
What this means beyond sales narratives
Several themes from public discussion are worth taking seriously:
- Patient impact: Health data exposure carries long-lived privacy and fraud risk.
- Cost-of-business dynamics: Many organisations still treat breaches as recoverable operating cost.
- Accountability gap: Penalties and litigation often arrive too slowly to change immediate behaviour.
Practical actions for healthcare organisations in the next 90 days
- Prioritise identity and helpdesk hardening for high-privilege workflows.
- Enforce vendor access segmentation and faster third-party credential rotation.
- Apply data minimisation to retention-heavy systems where legal requirements allow.
- Run scenario exercises for high-impact disclosure events and regulatory response.
Method note
Data source: HHS OCR breach portal filings included in CipherCue ingestion for records affecting 500 or more individuals. Totals shown here are filing totals and should be interpreted as reported exposure, not deduplicated persons.
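The method note above, and the distinction between an aggregate exposure count and a unique-person count, can be made concrete in code. The following is an added example, not part of the original analysis or CipherCue's own ingestion code; the Filing structure, the field names, the organisation names and every number in SAMPLE are constructed for illustration. It shows the three steps the methodology implies: keep only the latest version of an amended filing, drop filings below the 500-person reporting threshold, and then compute filing-based totals, the share held by the largest filings, and the breakdown by breach type.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Filing:
    filing_id: str            # identifier of the OCR filing (constructed values below)
    version: int              # amendment number; a later version supersedes an earlier one
    organisation: str
    individuals_affected: int
    breach_type: str          # e.g. "Hacking/IT Incident", "Unauthorized Access/Disclosure"


# Constructed sample, not real OCR data. Filing F-002 was amended once (version 2
# raises its count), and F-004 falls below the 500-person reporting threshold.
SAMPLE = [
    Filing("F-001", 1, "Clinic A", 120_000, "Hacking/IT Incident"),
    Filing("F-002", 1, "Plan B", 30_000, "Hacking/IT Incident"),
    Filing("F-002", 2, "Plan B", 45_000, "Hacking/IT Incident"),
    Filing("F-003", 1, "Vendor C", 9_000, "Unauthorized Access/Disclosure"),
    Filing("F-004", 1, "Practice D", 300, "Theft"),
    Filing("F-005", 1, "Hospital E", 6_000, "Unauthorized Access/Disclosure"),
]


def latest_filings(records, threshold=500):
    """Keep the highest version of each filing id, then drop filings under the threshold.

    Because totals are filing-based, an amendment replaces the earlier count
    instead of being added to it; this is why aggregates move when reports change.
    """
    latest = {}
    for f in records:
        current = latest.get(f.filing_id)
        if current is None or f.version > current.version:
            latest[f.filing_id] = f
    return [f for f in latest.values() if f.individuals_affected >= threshold]


def total_exposure(filings):
    """Filing-based aggregate: a person present in two incidents is counted twice."""
    return sum(f.individuals_affected for f in filings)


def top_n_share(filings, n):
    """Fraction of all exposed records held by the n largest filings."""
    ranked = sorted(filings, key=lambda f: f.individuals_affected, reverse=True)
    total = total_exposure(filings)
    return sum(f.individuals_affected for f in ranked[:n]) / total if total else 0.0


def cause_breakdown(filings):
    """Count and share of filings per breach type."""
    counts = Counter(f.breach_type for f in filings)
    n = len(filings)
    return {kind: (count, count / n) for kind, count in counts.items()}


def report(records=SAMPLE):
    """Run the full pipeline over a record stream and return the headline figures."""
    filings = latest_filings(records)
    return {
        "filings": len(filings),
        "total_exposure": total_exposure(filings),
        "top2_share": round(top_n_share(filings, 2), 3),
        "causes": cause_breakdown(filings),
    }


if __name__ == "__main__":
    print(report())
```

On the constructed sample the pipeline keeps four filings: the amended F-002 contributes 45,000 rather than 30,000 or 75,000, F-004 is excluded, and the two largest filings hold about 92% of the 180,000 reported exposures. Swapping SAMPLE for a real export would give the same kind of figures the page reports, still as reported exposure rather than deduplicated persons.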
We built this analysis to improve incident visibility and response timing. If your team wants the underlying filing stream in real time, request a demo.