Data Privacy Breach HHS OCR Third-party vendor risk Regulatory Enforcement

Five Years of US Privacy Breach Data Tell a Story Security Leaders Cannot Ignore

Jacob Krell May 19, 2026 15 min read

    In April 2026 alone, the ShinyHunters extortion group breached ADT (5.5 million customers), Amtrak (2.1 million confirmed records), and McGraw-Hill (13.5 million student and educator accounts). All three attacks followed the same pattern. An employee credential was compromised through social engineering or infostealer malware, which gave the attackers access to the organization's Salesforce environment, from which they exfiltrated millions of records without triggering a single network based detection. No vulnerability was exploited. No malware was deployed on a server. Three household name organizations lost tens of millions of records in a single month through identity based access to cloud platforms.

    These are not anomalies. They are the latest data points in a five year acceleration that the numbers now make impossible to dismiss. In 2025, the Identity Theft Resource Center tracked 3,322 data compromises across the United States, a new all time record and a 79 percent increase over 2021. Three consecutive years have now exceeded 3,000 annual compromises. The era of occasional, isolated data breaches is over. What organizations face today is a sustained, structural acceleration in privacy risk that shows no sign of reversing.

    The Volume Is Not Going Down

    All US Industries (ITRC Annual Data Breach Reports)

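    | Year | Total Compromises | Year Over Year Change |
    |------|-------------------|-----------------------|
    | 2021 | 1,859 | Baseline |
    | 2022 | 1,798 | -3% |
    | 2023 | 3,202 | +78% |
    | 2024 | 3,152 | -2% |
    | 2025 | 3,322 | +5% (New Record) |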

     


    The jump between 2022 and 2023 is worth pausing on. In a single year, the number of US data compromises increased by 78 percent. That was not a temporary spike. The figure has held above 3,000 for three consecutive years and set a new record in 2025. Over the full five year window, volume increased 79 percent.

    Healthcare Only (HHS OCR Breach Portal)

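    | Year | Large Breaches (500+ Individuals) | Year Over Year Change |
    |------|-----------------------------------|-----------------------|
    | 2021 | 715 | Baseline |
    | 2022 | 719 | +1% |
    | 2023 | 746 | +4% |
    | 2024 | 742 | -1% |
    | 2025 | 710 | -4% |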

     

    Healthcare breaches have plateaued in the 700 to 750 range since 2021. That plateau should not be confused with stability. It represents two large healthcare breaches every single day, a rate that doubled from one per day in 2018. The sector has simply reached a sustained high and stayed there.

    The Scale of Each Breach Is Exploding

    Volume alone does not capture the full picture. The number of individuals affected per breach is where the acceleration becomes most dramatic.

    Healthcare Records Exposed (HHS OCR)

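    | Year | Individuals Affected | Average Breach Size |
    |------|----------------------|---------------------|
    | 2021 | ~45.9 Million | ~64,000 |
    | 2022 | ~51.9 Million | ~72,000 |
    | 2023 | ~133 Million | ~183,500 |
    | 2024 | ~289 Million | ~389,000 |
    | 2025 | ~61.6 Million | ~86,700 |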

     


    Between 2021 and 2024, the number of individuals affected by healthcare breaches alone increased more than sixfold. In 2024, 289 million individuals had their protected health information exposed or impermissibly disclosed. That is roughly 85 percent of the entire US population in a single year, from a single industry.

    The 2025 figure appears to represent a return to 2021 levels, but this requires important context. The 2024 total was dominated by the Change Healthcare ransomware attack, which alone affected 192.7 million individuals, the largest healthcare breach in history. When the BlackCat/ALPHV ransomware group hit Change Healthcare on February 21, 2024, the downstream disruption was immediate and nationwide. Pharmacies could not process prescriptions electronically. Hospitals could not verify insurance eligibility. Providers went weeks without reimbursement. UnitedHealth Group, Change Healthcare's parent company, reported over $3.09 billion in direct response costs through Q3 2024.

    Remove that single event and 2024 still exceeded 96 million individuals. The underlying trend has not reversed. 2024 was an outlier of catastrophic scale, and 2025 returned to a baseline that would itself have been considered extreme just four years earlier.

    All US Industries (ITRC Victim Notices)

    | Year | Victim Notices Issued |
    |------|-----------------------|
    | 2021 | 351.8 Million |
    | 2022 | 425.2 Million |
    | 2023 | 420.4 Million |
    | 2024 | 1.37 Billion |
    | 2025 | 278.8 Million |

     

    The cross industry picture mirrors healthcare. In 2024, 83 percent of all 1.37 billion victim notices came from just five mega breaches, each affecting over 100 million individuals. The concentration of harm into fewer, larger incidents is itself a structural shift.

    Physical Theft Is Dead. Hacking Owns the Curve.

    The nature of breaches has changed as dramatically as their volume. A decade ago, physical loss and theft of devices containing unencrypted data was a leading cause of healthcare breaches. That era is over.

    According to HHS OCR data, the shift has been rapid and decisive.

    - In 2019, hacking and IT incidents accounted for 49 percent of all large healthcare breaches.

    - By 2023, that figure reached 79.7 percent.

    - In 2025, hacking and IT incidents exceeded 80 percent of all reported breaches.


    OCR has documented a 239 percent increase in hacking related breaches between January 2018 and September 2023, and a 278 percent increase in ransomware attacks over the same period. Loss and theft incidents, once the dominant breach category, now occur at a rate of less than one per month and typically involve paper records rather than electronic devices.

    Within the hacking category, the tactics are also evolving. According to the ITRC, phishing, smishing, and business email compromise remained the number one root cause of data breaches in 2025, increasing slightly to 466 incidents from 458 in 2024. Ransomware, by contrast, declined for a second consecutive year, falling from 194 incidents in 2024 to 143 in 2025. Attackers are increasingly choosing to steal data and threaten to release it rather than encrypting it.

    The economics have shifted. Encryption triggers immediate detection, incident response, and often law enforcement involvement. Quiet exfiltration can go undetected for months. The Cl0p ransomware group demonstrated this model at scale in 2023 when it exploited a vulnerability in MOVEit Transfer file sharing software, exfiltrating data from over 2,600 organizations without encrypting a single file. Many victims did not learn they were compromised until Cl0p posted their names on a leak site weeks later.

    The ITRC also identified an emerging threat it calls "Previously Compromised Data" or PCD. Attackers are using AI to repackage records stolen in older breaches to launch new attacks, including account takeover and fraudulent account creation. Data stolen years ago is not inert. It continues to have value and continues to produce harm indefinitely.

    This shift matters for how organizations think about privacy protection. The controls that mattered ten years ago, encrypting laptops, tracking portable media, securing filing cabinets, are no longer where the risk lives. The risk lives in network infrastructure, cloud environments, identity systems, and the third party vendors who manage them.

    Third Party Breaches Are Growing Faster Than Direct Ones

    Perhaps the most consequential trend in the data is the rise of breaches that originate not within an organization, but within its vendor ecosystem.

    The ITRC's 2025 report found that supply chain attacks doubled between 2021 and 2025. Approximately 30 percent of all breaches now involve at least one third party. The number of entities affected by supply chain attacks nearly doubled in a single year, from 660 in 2024 to 1,251 in 2025, despite the number of initial attacks remaining flat.


    In healthcare specifically, HHS OCR data shows that 35.8 percent of all 2025 breaches occurred at business associates rather than covered entities. Business associate breaches consistently expose more records per incident because a single vendor often processes data for dozens or hundreds of healthcare organizations simultaneously. In 2023, business associates accounted for 23 percent of breach reports but 58 percent of all exposed records (77.3 million out of 133 million total).

    The underlying mechanism is vendor consolidation, and it functions like a structural load bearing wall in a building. As industries migrate to shared platforms, clearinghouses, and cloud infrastructure, the number of organizations that depend on any single vendor grows while the number of independent security boundaries shrinks. Remove that one wall and the entire floor collapses.

    Change Healthcare operated as a clearinghouse processing 15 billion healthcare transactions annually. When it was breached, the downstream impact affected nearly every healthcare organization in the country. A single point of compromise produced 192.7 million victim records. The same dynamic plays out at smaller scales constantly. A billing vendor breach exposes records from hundreds of practices. An EHR platform compromise affects every provider using that system. The blast radius of a vendor breach is a function of how many organizations that vendor serves, and industry consolidation is pushing that number higher every year.

    Professional services firms, the lawyers, accountants, and consultants that serve as trusted intermediaries for multiple organizations, saw the most aggressive growth in attacks over the five year period. The ITRC documented a 162 percent increase in compromises targeting professional services, from 182 in 2021 to 478 in 2025. These firms are increasingly used as stepping stones to compromise their multiple clients.

    The Transparency Crisis Compounds the Problem

    At this point one is likely wondering whether there is at least a silver lining in collective learning, whether organizations are sharing enough about what went wrong to help others defend. The opposite is happening. Organizations are disclosing less about breaches, not more.

    According to the ITRC, the decline is steep.

    - In 2020, nearly 100 percent of breached organizations disclosed how the breach occurred.

    - By 2024, only 35 percent did.

    - In 2025, that figure collapsed to 30 percent.

    Seven out of ten breach notifications in 2025 contained no information about the attack vector. The individuals who received those notices, and the other organizations trying to learn from those incidents, were given no actionable information about what went wrong or how to prevent it.

    This is a collective intelligence failure. When organizations withhold root cause information to mitigate legal or reputational exposure, they prevent the broader ecosystem from learning. Every organization that reads a breach notice and finds no attack vector information is an organization that cannot assess whether it faces the same risk. The ITRC has called repeatedly for a federal breach notification standard that would mandate disclosure of attack vector, root cause, and remediation steps. No such federal standard exists. State notification laws vary widely in what they require, and most do not mandate root cause disclosure. The privacy landscape is getting worse in part because the feedback loop that should be making it better has broken down.

    The Regulatory Surface Area Has Exploded

    Breaches are accelerating. At the same time, the number of regulatory frameworks organizations must comply with has multiplied at an extraordinary pace.

    | Period | States With Comprehensive Privacy Laws In Effect |
    |--------|--------------------------------------------------|
    | 2020 | 1 (California CCPA) |
    | End of 2023 | 5 (added Virginia, Colorado, Connecticut, Utah) |
    | End of 2024 | 8 (added Texas, Oregon, Montana) |
    | April 2026 | 20 (added Iowa, Delaware, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, Vermont) |

     


    In 2020, one state had a comprehensive consumer privacy law in effect. By April 2026, twenty do. Twelve new laws took effect between January 2025 and mid 2026 alone. Alabama has passed both chambers and awaits a governor's signature. Pennsylvania, Louisiana, and Massachusetts have bills in active sessions. Each law has its own applicability thresholds, consumer rights, breach notification requirements, and enforcement mechanisms. There is no federal privacy law to preempt this patchwork.

    This regulatory acceleration is happening alongside the breach acceleration documented above. More breaches trigger more notifications, which trigger more investigations, which trigger more enforcement actions, which produce more regulation. The cycle is self reinforcing. The organization that suffers a breach in 2026 does not answer to one regulator. It may answer to five or ten at once.

    A US Breach Now Costs $10.22 Million and the Number Is Still Climbing

    IBM's 2025 Cost of a Data Breach Report quantifies what this environment costs organizations.

    The US average cost of a data breach reached $10.22 million in 2025, a 9.2 percent increase over 2024 and a new all time record for any region. Globally, breach costs fell for the first time in five years to $4.44 million, driven by faster detection through AI powered defenses. The US moved in the opposite direction, with higher regulatory fines and escalation costs driving the increase. The gap between US breach costs and the global average has never been wider.

    Healthcare remains the most expensive industry for breaches for the 14th consecutive year, at $7.42 million per incident. Healthcare breaches also took the longest to identify and contain, at an average of 279 days, more than five weeks longer than the global average of 241 days. Every additional day an attacker dwells in a healthcare environment is another day of data exfiltration, another set of records exposed, another expansion of the eventual notification scope.

    The consumer economic impact is equally concrete. According to the ITRC's 2025 survey, 80 percent of consumers received at least one breach notice in the past 12 months. Of those affected, 36 percent lost more than $10,000 to cybercriminals and over 20 percent of those who contacted the ITRC directly lost more than $100,000. These are people who had credentials stolen in one breach, repackaged by attackers using AI, and used to drain bank accounts months or years later. The ITRC also found that 81 percent of small businesses reported a cyberattack in the past year, and nearly 40 percent raised prices to cover remediation costs. The ITRC calls this the "cyber tax." Consumers pay for institutional security failures through higher prices whether they were personally affected or not.

    Five Years of Compounding Risk Leave Security Leaders With Shrinking Margin

    These trends are not independent. They compound. More breaches trigger more notifications, which trigger more enforcement under more state laws, which increases the financial and operational consequences of each incident. The organization that suffers a breach in 2026 faces a fundamentally different regulatory, legal, and economic environment than one that suffered the same breach in 2021.

    It is important to consider that breach exposure is not a matter of if but simply a matter of when. The math makes this clear. With 3,322 compromises across approximately 6.5 million US employer firms (per Census Bureau data), roughly one in every 1,960 organizations appeared in a public breach report in 2025. That is the base rate before accounting for unreported incidents, third party exposure, and the fact that supply chain breaches now cascade across hundreds of downstream entities per event. Factor in that 30 percent of all breaches involve a third party, and the probability of an organization being affected, directly or through a vendor, rises substantially. Over a five year window at current rates, the cumulative exposure is closer to one in 400.

    For security leaders, this data has practical implications. The complexity of the privacy landscape has grown faster than most organizations' capacity to manage it, and the window for proactive investment is closing. We advise organizations to act on four priorities immediately.

    Map your third party data exposure. Thirty percent of breaches now originate at vendors, and supply chain breach cascades doubled in a single year. We recommend that every critical vendor relationship have contractual breach notification timelines and evidence of current security assessments.

    Audit identity and SaaS access controls. The ShinyHunters campaign that opened this analysis exploited employee credentials to access cloud platforms without triggering network detections. Conditional access policies, phishing resistant MFA, and SaaS session monitoring are now baseline requirements.

    Staff a dedicated privacy function. Twenty state privacy laws, each with different breach notification timelines and consumer rights requirements, cannot be managed with part time attention from a CISO or general counsel. We see consistently that the organizations weathering this environment have someone whose job is to know where personal data resides and what obligations attach to it.

    Treat breach response as a when, not an if. At one in 400 cumulative five year exposure, the question is readiness. Tabletop exercises, pre negotiated incident response retainers, and documented notification workflows should be in place before the incident arrives. The cost of building that capability after a breach has been publicly reported is measured in both dollars and trust.
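One way to express the SaaS session monitoring called for in the second priority, shown as an added example that is not from the original article: it scores each session's record-export volume and access context against the user's own history, which is the signal that remains when a valid credential is used and no network detection fires. The event schema, thresholds and sample events are constructed assumptions and do not represent any vendor's audit log format.

```python
from collections import defaultdict
from statistics import median

# Assumptions for this example (tune against real data before use).
PHISHING_RESISTANT = {"webauthn", "passkey"}  # MFA methods treated as phishing resistant
VOLUME_MULTIPLIER = 10   # alert at 10x the user's median session export volume
VOLUME_FLOOR = 5_000     # never alert on volume below this many records


def ev(user, session, asn, mfa, records):
    """Build one audit event in a hypothetical, vendor-neutral schema."""
    return {"user": user, "session": session, "asn": asn, "mfa": mfa, "records": records}


# Constructed sample data: prior sessions used to build each user's baseline.
HISTORY = [
    ev("alice", "s1", "AS64500", "webauthn", 120),
    ev("alice", "s2", "AS64500", "webauthn", 80),
    ev("alice", "s3", "AS64500", "webauthn", 200),
    ev("bob", "s4", "AS64501", "sms", 40),
    ev("bob", "s5", "AS64501", "sms", 60),
    ev("bob", "s6", "AS64501", "sms", 30),
]

# Constructed sample data: the window being evaluated. Session s8 pages
# through 40 export requests of 50,000 records each from an unseen network.
TODAY = [
    ev("alice", "s7", "AS64500", "webauthn", 180),
    *[ev("bob", "s8", "AS64511", "sms", 50_000) for _ in range(40)],
    ev("bob", "s9", "AS64501", "sms", 55),
]


def session_totals(events):
    """Collapse per-request events into one row per (user, session)."""
    totals = {}
    for e in events:
        row = totals.setdefault(
            (e["user"], e["session"]), {"records": 0, "asns": set(), "mfa": set()}
        )
        row["records"] += e["records"]
        row["asns"].add(e["asn"])
        row["mfa"].add(e["mfa"])
    return totals


def build_baseline(history):
    """Per user: median records exported per session and networks seen before."""
    per_user = defaultdict(lambda: {"volumes": [], "asns": set()})
    for (user, _session), row in session_totals(history).items():
        per_user[user]["volumes"].append(row["records"])
        per_user[user]["asns"] |= row["asns"]
    return {
        user: {"median": median(b["volumes"]), "asns": b["asns"]}
        for user, b in per_user.items()
    }


def detect(events, baseline):
    """Return sessions with anomalous export volume, keyed by session id.

    Volume is the trigger; a new network or weak MFA raises the severity,
    because a bulk export under a changed access context matches the
    stolen-credential pattern rather than a legitimate reporting job.
    """
    findings = {}
    for (user, session), row in session_totals(events).items():
        # Users with no history fall back to the floor and have no known networks.
        base = baseline.get(user, {"median": 0, "asns": set()})
        threshold = max(VOLUME_FLOOR, VOLUME_MULTIPLIER * base["median"])
        if row["records"] <= threshold:
            continue
        reasons = ["bulk_export"]
        if row["asns"] - base["asns"]:
            reasons.append("new_network")
        if not row["mfa"] <= PHISHING_RESISTANT:
            reasons.append("weak_mfa")
        findings[session] = {
            "user": user,
            "records": row["records"],
            "threshold": threshold,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for session, finding in detect(TODAY, build_baseline(HISTORY)).items():
        print(session, finding)
```
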

    Sources:

    - Identity Theft Resource Center, "2025 Annual Data Breach Report," January 2026

    - Identity Theft Resource Center, "2024 Annual Data Breach Report," January 2025

    - U.S. Department of Health and Human Services, Office for Civil Rights, Breach Portal (data through February 2026)

    - HIPAA Journal, "Healthcare Data Breach Statistics," updated February 27, 2026

    - HIPAA Journal, "2025 Healthcare Data Breach Report," January 2026

    - IBM, "2025 Cost of a Data Breach Report"

    - HIPAA Journal, "Average Cost of a Healthcare Data Breach Falls to $7.42 Million," August 2025

    - BlueRadius Cyber, "HIPAA Breach Report 2026: OCR Data, Ransomware Trends," April 2026

    - MultiState, "20 State Privacy Laws in Effect in 2026," February 2026

    - DapriPro, "State Privacy Law Tracker: New Regulations Taking Effect in 2026"

    - IAPP, "US State Privacy Legislation Tracker 2026"

    - Federal Trade Commission, Privacy and Security Enforcement Actions

    - PrivacyLawMap, "Privacy Enforcement Actions and Penalties Tracker," April 2026

     

    Jacob Krell

    Jacob Krell builds systems that are hard to break and breaks systems that appear resilient. He is an offensive security leader specializing in advanced penetration testing and red teaming across cloud, web, mobile, Active Directory, and AI-enabled environments, helping organizations expose real-world risk and validate their defenses against modern adversaries. In parallel, he is a full-stack software engineer who develops custom cybersecurity tooling, intelligent automation platforms, and production-grade applications that embed security directly into the technology lifecycle. Ranked 25th globally on Hack The Box with more than 1,000 flags captured and holding many elite certifications, including OSCE3, CISSP, OSCP, CCNP Security, and CSIE, Jacob combines hands-on technical depth with the ability to translate complex cyber risk into clear business strategy.


    Recently Crimson Collective claimed they breached Brightspeed and grabbed 1 million+ customer records. The list of data ...

    Read More: Brightspeed Breach: Crimson Collective and the Infostealer Problem
    When Grid Data Goes Dark Web
    Power Grid
    Jan 19, 2026 Mike Bell

    When Grid Data Goes Dark Web

    Inside a threat actor's critical infrastructure targeting In January 2026, 139 gigabytes of engineering data from a ...

    Read More: When Grid Data Goes Dark Web
    The $150,000 Password
    Critical Infrastructure
    Jan 19, 2026 Mike Bell

    The $150,000 Password

    How one threat actor turned stolen credentials into a global breach portfolio Between December 2025 and January 2026, a ...

    Read More: The $150,000 Password
    Seeing Everything, Understanding Nothing
    Briefing Room
    Jan 16, 2026 Dahvid Schloss

    Seeing Everything, Understanding Nothing

    To help you get a head start on making your environment safer and in keeping with the theme of January’s “New Year, New ...

    Read More: Seeing Everything, Understanding Nothing
    New Year, New Priorities - So, what to fix first?
    Briefing Room
    Jan 08, 2026 Dahvid Schloss

    New Year, New Priorities - So, what to fix first?

    The most common phrase we hear from our prospects is, “We are overwhelmed, and we aren’t sure what to tackle first.” ...

    Read More: New Year, New Priorities - So, what to fix first?
    UnderByte — A Ransomware experiment using Alternate Data Streams (ADS)
    Briefing Room
    Nov 21, 2025 Dahvid Schloss

    UnderByte — A Ransomware experiment using Alternate Data Streams (ADS)

    Repository purpose: this research was to evaluate the feasiabilty of using Alternate Data Stream (ADS) in staging and ...

    Read More: UnderByte — A Ransomware experiment using Alternate Data Streams (ADS)