A staggering 276 million patient records were compromised in 2024, experts have revealed.

It suggests eight in 10 Americans had some form of medical data stolen last year. 

The biggest hack in 2024 was also one the largest healthcare data breaches in US history, impacting 190 million patients linked to Change Healthcare.

Now, researchers at the cyber watchdog Check Point are warning of a newly uncovered healthcare cyberattack that could expose even more sensitive information than the previous year.

According to the team, cybercriminals are impersonating practicing doctors to trick patients into revealing Social Security numbers, medical histories, insurance details, and other personal data.

The phishing campaign has been active since March 20, and researchers estimate that 95 percent of its targets are in the US.

'In some versions of these phishing emails, cybercriminals deploy images of real, practicing doctors but pair them with fake names,' the Check Point team reported.

The emails instruct recipients to contact a listed healthcare provider using a specific phone number—part of the scam.

Researchers noted that Zocdoc has become a key tool in the attackers' arsenal, as it allows them to use images of real doctors while disguising their identities with fake credentials.

The Check Point team noted that the data compromised in 2024 amounted to roughly 758,000 records every single day.

'Victims of medical identity theft will spend an average of 210 hours and $2,500 out-of-pocket to reclaim their identities and resolve the fallout,' the researchers said.

In one case, cybercriminals created a fake profile on Zocdoc using a real doctor's image but a fake name and sent a fake pre-appointment message, booking confirmation, and additional instructions.

To safeguard patients' private information and finances, healthcare organizations are urged to install advanced phishing filters, conduct regular employee cybersecurity training and mock drills, and ensure their IT teams are equipped to respond to threats quickly.

In March 2025, Yale New Haven Health experienced a data breach affecting approximately 5.5 million individuals. 

Hackers copied the data on the day it was discovered, indicating a likely ransomware attack and exposing the fragility of the U.S. healthcare system.

These breaches highlight systemic failures in the cybersecurity infrastructure of the healthcare sector. Many organizations still rely on outdated systems that lack modern security protocols, making them easy targets for cybercriminals.

A recent study revealed that some medical devices—unlike smartphones or laptops—lack basic security safeguards, making them a significant entry point for hackers.

By compromising devices like MRI machines, cybercriminals can gain access to entire networks and connected systems, creating widespread vulnerabilities.

The financial repercussions of these breaches are staggering. UnitedHealth Group estimated the cost of the Change Healthcare breach at approximately $2.5 billion, covering response efforts, system rebuilds, and support for affected providers.

'The company has restored most of the affected Change Healthcare services while continuing to provide financial assistance to remaining healthcare providers in need,' UnitedHealth Group stated.

Beyond financial damage, the cyberattack also caused severe operational disruption. 

For instance, delays in processing insurance claims forced some patients to pay out of pocket for medications and services. Smaller healthcare providers faced devastating revenue losses, threatening their survival.

In response to the rising threat, a new set of Health Insurance Portability and Accountability Act (HIPAA) regulations was proposed in January 2025. 

The goal is to enhance the protection of medical records through stronger data encryption and stricter compliance checks.

The proposed rule is expected to cost $9 billion in the first year and $6 billion annually over the next four years.

Patients affected by data breaches are urged to monitor their financial accounts, request credit reports, and consider placing fraud alerts. 

'Patients are encouraged to review statements from their healthcare providers and report any inaccuracies immediately,' said Yale New Haven Health.

The exposure of 276 million patient records underscores the urgent need to reinforce cybersecurity in healthcare. 

As threats continue to evolve, it's critical for healthcare organizations to implement modern safeguards and conduct regular audits to stay ahead of attackers and protect sensitive patient data.