US Healthcare Data Breach Crisis Impacts Millions
New research indicates over 2,200 medical centers nationwide have faced cyberattacks since 2023 as states tighten regulations.
- By Jesse Jacobs
- Apr 28, 2026
More than 2,200 healthcare centers across the United States have reported data breaches since 2023, exposing the systemic vulnerabilities of patient record systems. New research from Bridewell reveals that while the total number of individuals impacted by these breaches declined in 2025, the volume of attacks against medical facilities remains high.
California leads the nation in breach volume, recording 231 incidents that affected more than 52 million people. In response to the crisis, the state implemented Senate Bill 446. The law requires organizations to notify residents of a breach within 30 days using plain language to describe the exposed data and remediation steps.
Texas and New York follow as the second and third most impacted states. Texas recorded 172 incidents, while New York saw 159 breaches. A February intrusion at the New York City Health and Hospitals Corporation resulted in the theft of Social Security numbers, medical records and biometric data after an unauthorized actor remained undetected on the network for two months.
"Threat actors are targeting healthcare at an unprecedented scale," said Kelechi Onyedebelu, director of security solutions presales at Bridewell. "While the industry is getting better at limiting the damage, it is not yet getting better at preventing intrusions in the first place."
The analysis of U.S. Department of Health and Human Services data shows that 2024 was a peak year for exposure, with roughly 289 million people affected. That number dropped to 63 million in 2025. Experts attribute this decline to faster detection and updated HIPAA rules regarding network segmentation, which prevents attackers from accessing an entire system through a single entry point.
Despite these improvements, 26% of healthcare organizations still report low cybersecurity maturity. Major incidents continue to occur, such as a 2025 ransomware attack that disrupted 14 medical centers under the Kettering Health umbrella, affecting phone lines and electronic health records.
Other states facing significant per-breach impacts include Minnesota and Georgia. Minnesota averaged 4.1 million affected individuals per breach across 48 reported incidents since 2023.