301,768,951 Patient records exposed in reported HIPAA breaches
That number isn't a projection. It isn't an estimate. It's the sum total of confirmed individuals affected across 735 breach reports filed with the HHS Office for Civil Rights - and it's growing every week.
One breach dominates the landscape: Change Healthcare, with 192.7 million records exposed in a single incident. To put that in perspective, that's more than half of the entire US population's health records compromised in one attack.
But even without Change Healthcare, the remaining 734 breaches still account for over 109 million exposed records. This isn't a single point of failure - it's a systemic crisis.
| Organisation | Records Exposed |
|---|---|
| Change Healthcare, Inc. | 192,700,000 |
| Aflac Incorporated | 13,924,906 |
| Kaiser Foundation Health Plan | 13,400,000 |
| Episource, LLC | 6,725,572 |
| Ascension Health | 5,466,931 |
| Blue Shield of California | 4,700,000 |
| HealthEquity, Inc. | 4,300,000 |
| TriZetto Provider Solutions | 3,433,965 |
| Acadian Ambulance Service | 2,896,985 |
| Sav-Rx | 2,812,336 |
Of the 735 reported breaches:
The insider threat number is significant. One in seven breaches isn't a sophisticated external attack - it's someone inside the organisation accessing data they shouldn't.
The geographic distribution follows population centres, but the per-capita rates tell a different story:
Every one of these 735 breached organisations is now a prospect with an urgent, board-level mandate to invest in cybersecurity. They've been publicly named, they're facing regulatory scrutiny, and their patients are asking questions.
The window after a public breach filing is the highest-intent moment in the buyer's journey. These organisations aren't browsing - they're buying.
CipherCue monitors HHS OCR filings in real time and alerts your team within hours of a new breach report. Request a demo to see it in action.