Strictly Confidential — Material Disclosure Under Executed Mutual NDA Only
SECTOR / 06 · HOSPITALS & HEALTH SYSTEMS

Hospitals. The only sector where a successful adversary affects mortality statistics.

276 million healthcare records were breached in 2024 — 81% of the US population, in a single year. The Change Healthcare attack alone affected 192 million individuals. Healthcare carries the highest single-incident breach cost of any industry, for the 14th year running. PULSE engineers infrastructure in which protected health information cannot be exfiltrated by an adversary that has already breached the perimeter.

Hospitals & Health Systems — 2024 Threat Profile

2024 was the worst year on record for breached healthcare records — by a margin of 64% over the previous record.

276M
Healthcare records breached, exposed, or impermissibly disclosed in 2024 — 81% of the population of the United States. A 64% increase over 2023's previous record-breaking total.
HIPAA Journal 2024 Healthcare Data Breach Report
USD 9.77M
Average breach cost in healthcare in 2024 — the highest of any industry sector, for the 14th consecutive year. Despite a 10.6% year-on-year reduction, healthcare retains the highest absolute cost.
IBM Cost of a Data Breach 2024
192M
Individuals affected by the Change Healthcare ransomware attack (February 2024) — the largest single healthcare data breach in history, affecting an estimated one in three Americans.
HHS OCR breach portal
14 mega
Healthcare data breaches affecting more than 1 million records each, in 2024 alone — collectively exposing the records of 237.9 million US residents (69.97% of the US population).
HIPAA Journal 2024 report

Threat Landscape

Healthcare carries the highest single-incident breach cost of any industry. And the consequences are not measurable in dollars alone.

The 2024 healthcare cybersecurity year is defined by a single event: the February 2024 ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary that processes approximately one in three US healthcare claims. The attackers — affiliated with the BlackCat / ALPHV ransomware-as-a-service operation — gained access on February 12, encrypted files on February 21, and exfiltrated the protected health information of an estimated 192.7 million individuals. The breach took out the country's largest healthcare claims-processing platform for over a month, disrupting prescription processing, insurance verification, and provider payment across the entire US healthcare system. [01]

The Change Healthcare incident accounted for 69% of the year's total breached records. Even excluding that single incident, 2024 saw approximately 85 million healthcare records breached — itself a record-equivalent year. The 14 mega-breaches affecting more than 1 million records each collectively exposed 237.9 million records, equivalent to 69.97% of the US population. [02]

In 2024, healthcare breaches affected an average of 792,226 individuals every day. In 2024, healthcare cybersecurity spend rose. The two facts coexist.

The Verizon 2024 DBIR identified errors as responsible for 45% of healthcare-industry breaches, with personal health information commonly exposed. Misuse of privilege was also significant. Hacking and other IT incidents dominated, accounting for 81.2% of large 2024 breaches and at least 259 million breached records. The average size of a hacking incident in 2024 was 439,796 records.

The threat-actor profile in healthcare differs from finance. Where financial-sector adversaries are dominantly financially motivated criminal groups, healthcare attracts a wider mix: financially motivated ransomware operators (who pay attention to the sector's reduced ability to refuse payment given patient-safety implications), nation-state actors (who target pharmaceutical R&D and clinical-trial data), and insiders.

Common Attack Vectors

Healthcare attacks concentrate in vectors amplified by sector-specific operational realities.

The combination of life-critical operational continuity, regulatory complexity, and structural underinvestment in cybersecurity (relative to financial services) produces a target profile uniquely advantageous to attackers.

VECTOR / 01

Ransomware Targeting Operational Systems

Healthcare ransomware operators specifically target electronic medical record (EMR) systems, prescription processing, and laboratory ordering — knowing that hospitals cannot operate without them and patient-safety considerations increase pressure to pay. The 2024 Ascension Health attack took its EMR offline for over a month.

278% increase in healthcare ransomware attacks (2018–2023) — HHS OCR

VECTOR / 02

Business Associate Compromise

HIPAA "business associates" — third-party service providers handling PHI — are responsible for an outsized share of breach impact. The Change Healthcare incident affected 192M individuals via a single business associate. The Eye Care Leaders ransomware attack (2022) affected 39+ HIPAA-covered entities through a single EMR vendor.

56% of breached records came via business associates in 2024 — HIPAA Journal

VECTOR / 03

Phishing as Initial Access

In a recent ransomware report cited by HHS, phishing was the most common initial access vector for ransomware attacks (45% of respondents identified phishing as the entry point in at least one of their attacks). Healthcare workforce training and email security have not reduced the success rate sufficiently to materially lower breach incidence.

45% of ransomware attacks initiated via phishing — sector survey

VECTOR / 04

MOVEit / Cl0p Mass Exploitation

The 2023 Cl0p mass-exploitation campaign of MOVEit Transfer affected the healthcare sector heavily — 20.1% of MOVEit-affected organisations were in health, second only to education at 39.1%. The campaign demonstrated that supply-chain compromise of file-transfer infrastructure could affect hundreds of healthcare organisations simultaneously.

20.1% of MOVEit-affected organisations in health — Emsisoft

Operational and Patient-Safety Impact

In healthcare, the breach extends to patient outcomes.

The IBM 2024 study found 70% of breached organisations reported significant or moderate operational disruption. In healthcare, the operational disruption translates to deferred surgeries, ambulance diversion, and extended emergency-department wait times. A 2023 study published in JAMA Network Open found statistically significant increases in 30-day mortality at hospitals affected by ransomware, although the precise causal mechanism remains debated.

The regulatory framework is dense. In the United States, HIPAA imposes a 60-day breach notification requirement for breaches involving 500+ individuals (with HHS OCR notification, individual notification, and media notification all required). State-level breach notification laws apply in parallel. The 2024 proposed update to the HIPAA Security Rule would mandate multi-factor authentication, encryption at rest and in transit, network segmentation, and other measures — bringing HIPAA Security closer to the controls expected in financial services.

In the European Union, GDPR Article 33 imposes a 72-hour breach notification window. The EU's Network and Information Systems Directive (NIS2), effective October 2024, designates healthcare as an "essential entity" sector with specific cybersecurity-governance and incident-reporting obligations. The 2024 European Health Data Space (EHDS) regulation creates a new harmonised framework for health-data exchange across EU member states.

In Australia, the Privacy Act 1988 imposes notification obligations through the Notifiable Data Breaches scheme, with maximum penalties of AUD 50 million for serious or repeated interference with privacy following the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. The Australian Cyber Security Centre's Annual Cyber Threat Report consistently ranks healthcare among the most-targeted sectors.

Reframing

Hospital cybersecurity is the only domain in which a successful adversary directly affects mortality statistics. The architectural answer should match the stake.

The PULSE Position

In a PULSE-substrate hospital environment, protected health information cannot be exfiltrated by an adversary that has already breached the perimeter.

The principal target of healthcare-sector attack is the protected health information of the institution's patients. PHI is functionally non-replaceable: a leaked record of a cancer diagnosis, a substance-use treatment, a reproductive-health procedure, or a mental-health admission cannot be unleaked. The harm to the affected individual extends across the rest of their life. The harm to the institution's relationship with that individual is similarly permanent.

HIPAA Security Rule §164.312(a)(2)(iv) requires covered entities to implement encryption of electronic PHI as an addressable safeguard. The implicit assumption is that "encrypted PHI" is a recoverable state — the data exists, in protected form, on the institution's infrastructure. The Change Healthcare breach, the Ascension breach, the Anthem breach, and every major healthcare breach of the past decade have all involved environments in which the data the adversary sought existed in some recoverable form.

PULSE proposes a different architectural commitment. In a PULSE-substrate hospital environment, the protected health information of any specific patient at any specific moment exists only in the form, location, and access scope necessary for the specific clinical operation in question. An adversary infiltrating the EMR, the claims-processing platform, the imaging archive, or the business-associate chain does not encounter encrypted PHI they cannot read. They encounter the absence of recoverable PHI entirely.

The means is the trade secret. We disclose it under executed NDA only.

Strategic Briefing — Available Under NDA

Hospital and health-system PULSE deployment, HIPAA / NIS2 / EHDS alignment, and quantified breach-residual model.

Architectural-fit assessment for academic medical centres, integrated delivery networks, multi-hospital systems, and specialty providers. Quantified residual-PHI-disclosure model under PULSE substrate. Cross-jurisdictional regulatory alignment matrix (HIPAA Security Rule / EU NIS2 / EU EHDS / Australia Privacy Act / Singapore PHMC). Reference architecture for EMR substrate, claims-processing infrastructure, and clinical-trial data exchange.

Sources

All statistics on this page are drawn from publicly available reports issued by recognised industry bodies, regulators, and security research organisations. References are listed below for verification.

  [01] HIPAA Journal 2024 Healthcare Data Breach Report (analysis of US Department of Health and Human Services Office for Civil Rights breach portal data, January 2025).
  [02] UnitedHealth Group 8-K SEC filing on Change Healthcare ransomware incident (February 2024) and subsequent OCR breach portal disclosure of 192.7 million affected individuals.
  [03] IBM Cost of a Data Breach Report 2024 (Ponemon Institute, sponsored by IBM, July 2024) — covering 604 organisations across 16 countries and 17 industries between March 2023 and February 2024.
  [04] Verizon 2024 Data Breach Investigations Report — analysis of 30,458 security incidents and 10,626 confirmed breaches across 94 countries.
  [05] Verizon 2024 DBIR — Healthcare Industry Snapshot.
  [06] Emsisoft analysis of the Cl0p / MOVEit Transfer mass-exploitation campaign (CVE-2023-34362) — affected sectors and victim count breakdown.
  [07] US Department of Health and Human Services Office for Civil Rights — HIPAA Security Rule, 45 CFR §§ 164.302–164.318.
  [08] US Department of Health and Human Services — Proposed update to HIPAA Security Rule (December 2024).
  [09] European Union — Network and Information Systems Directive 2 (NIS2), Directive (EU) 2022/2555, applicable from October 2024.
  [10] European Health Data Space Regulation (EHDS), Regulation (EU) 2025/327.

PULSE Digital Security cites these sources for context only. Citation does not imply endorsement of, or affiliation with, any cited organisation. All trademarks remain the property of their respective owners.