Data Breach Report for 2024 by the Identity Theft Resource Center

According to the 2024 Annual Data Breach Report from the Identity Theft Resource Center (ITRC), data compromises decreased by 1% in 2024, which is 44 fewer than 2023’s record-breaking total. Victims of data compromises increased by 312%, from 419 million (2023) to 1,728,519,397 (2024). 80% of data compromises in 2024 were due to cyberattacks. Cyberattacks accounted for 93% of breach notifications. The rest of the breach notifications were due to system and human error, physical attacks, and supply chain attacks.

The huge rise in victim notifications was mostly because of several mega data breaches. 2024 had 6 data breach reports involving over 100 million records. Although the Change Healthcare data breach was the biggest healthcare data breach ever, affecting 190 million healthcare records, it placed only third in 2024 because of two larger data breaches. The Advance Auto Parts Inc. breach was the second biggest, affecting 380 million consumers, and the Ticketmaster Entertainment data breach was the biggest, affecting 560 million individuals. The other three 100 million+ data breaches were the DemandScience by Pure Incubation data breach affecting 121.8 million, the AT&T data breach affecting 110 million, and the MC2 Data data breach affecting 100 million. These six breaches affected roughly 85% of all breach victims in 2024.

2024 was a notably bad year in terms of the number of breached U.S. healthcare records, though the number of healthcare data breach reports dropped by 3.5%. Presently, the OCR breach portal lists 721 data breaches for 2024, and 747 data breaches for 2023. The number of breached records increased because of the Change Healthcare data breach. There were 168 million breached records in 2023 and 247 million breached records in 2024.

ITRC’s statistics for healthcare do not include many of the data breaches that occur at business associates of healthcare providers, which were placed under other categories. The ITRC information indicates a drop in healthcare data breaches. In 2023, there were 811 compromises with 60 million victims, while in 2024, there were 536 compromises with 47 million victims. In 2023, the healthcare sector had the most compromises, but it became number two in 2024, behind financial services. Healthcare was number 10 in terms of the number of breached records. Across all industries, ITRC tracked 3,158 compromises in 2024, which include 288 unknown compromises, 2 data leaks, 18 data exposures, and 2,850 data breaches.

Many data breaches could have been avoided by adhering to cybersecurity guidelines, as the following 2024 data breaches show. In the data breaches at Advance Auto Parts, Ticketmaster, AT&T, and Change Healthcare, hackers used compromised credentials to gain access to systems that were not protected by multifactor authentication. Those 4 data breaches resulted in over 1.24 billion preventable record exposures because multifactor authentication was lacking. ITRC additionally identified 29 cyberattacks in 2024 that were the consequence of credential stuffing, which were also preventable with multifactor authentication. If approved, the proposed update to the HIPAA Security Rule will require multifactor authentication in healthcare to secure protected health information.

The trend among breached organizations is to omit important details from their data breach notifications. Breach victims are usually provided minimal details concerning the nature of the breach. The ITRC report states that the issue is not limited to healthcare. In 2023, 45% of breach notices lacked actionable details regarding the main reason for the data breach. In 2024, 65% of breach notices were missing actionable details concerning the main cause of the data breach. Without enough information, breach victims cannot precisely determine their level of risk.

The United States has not yet enacted federal data privacy legislation, even though there is bipartisan support for this type of legislation. Comprehensive federal data privacy legislation was proposed, yet it was not approved in 2024. Therefore, individual states need to enforce rules to secure the privacy of state residents and make sure breach notifications are sent after an incident.

It is good that more states are implementing privacy laws. 40% of states currently have detailed data privacy regulations. The following states all have detailed privacy regulations by 2025: Delaware, Iowa, Minnesota, Maryland, Nebraska, New Jersey, New Hampshire, and Tennessee. The following states will likely pass privacy regulations in 2025: Michigan, Ohio, Oklahoma, and Pennsylvania.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.