Medical Centers Most Under Threat from Cyberattackers

Medical organizations have an important role to play in safeguarding personal medical data. Falling short of this role can be costly and have legal implications.

Over 26% of healthcare organizations have low cybersecurity maturity, lacking all recommended threat and detection capabilities.

Medical organizations must comply with regulations and do everything possible to minimize the risk of unauthorized access to sensitive medical information.

But which states are considered ‘at risk’ from cyberattacks, and how susceptible are individuals to having their medical data breached?

States with the Most Medical Centers Impacted

With this looming threat of cyberattacks on medical centers in the United States, it’s important to know whether your state is at risk. In total, the number of medical centers affected across the US since 2023 has been 2,282.

This is proven by the unsettling recent incident in June of 2025. A ransomware attack disrupted internal systems, phone lines, and EHRs across 14 medical centers owned by Kettering Health.

Below is a breakdown of the five states considered most 'at risk’ from cyberattacks against medical centers.

1. California (CA): Since 2024, 15 medical centers continue to be under investigation for cyber-attacks, which then grew in 2025 by 52 medical centers and in 2026 by three centers to a total of 70 centers still under investigation. When adding the resolved cases, that jumps to a total of 231 medical centers since 2023. California has moved to tighten the regulatory environment. Senate Bill 446, signed into law in late 2025, introduced stricter breach notification requirements, mandating that organizations notify affected California residents within 30 days and provide detailed, plain-language descriptions of what data was exposed and what steps are being taken to address the breach. 

    

2. Texas (TX): The state continues to investigate 64 medical centers, with 22 continuing since 2024, 37 continuing since 2025 and 5 in 2026. Overall, the total number of affected medical centers is as many as 172, with 108 centers now resolved.

    

3. New York (NY): Since 2023, 1 medical center continues to be under investigation, growing in 2024 by an additional 8 centers, in 2025 by 31 centers and in 2026 by 1, for a total of 41 centers continuing to be examined. In total, 159 centers have been reported to have had a data breach since 2023, with 118 now concluded.

    

4. Florida (FL): Since 2024, 11 medical centers have been under investigation for data breaches. In 2025, this continued to build by 44, and since the start of 2026, Florida has had two centers with data breaches under investigation, for a total of 57 medical centers still under inquiry. But the total number of affected medical centers between 2023 and 2026 has been 123, with 66 now resolved.

    

5. Illinois (IL): Finishing off the top 5 states with the most medical centers impacted is Illinois. Since 2024, 15 medical centers have been under investigation for cyberattacks. In 2025, this rose to 18, and since the start of 2026, Illinois has had three centers with attacks under investigation. This has resulted in 36 medical centers with ongoing inquiries. But the total number of affected medical centers per year between 2023 and 2026 has been 110, with 74 medical center breaches determined.

 States with the Most Individuals Affected by Breaches

Medical centers themselves aren’t the only entities under threat from data breaches. Individuals are also at risk of having their private medical information exposed in cyberattacks. Within this data, it should also be noted that individuals may have been affected multiple times, depending on where records are held and that reports themselves may have been submitted within particular states, but may have affected individuals beyond state lines.

Below we’ve listed the states with individuals most ‘at risk’ from cyberattacks:

1. Minnesota (MN): Between 2023 and 2026, 48 medical centers were impacted by data breaches, with over 197 million individuals affected.
2. California (CA): California saw a total of 231 medical centers breached, which equated to a total of over 52 million individuals affected.
3. Georgia (GA): 64 medical data breaches were reported in Georgia since 2023, with an estimated 30 million people affected. On average, around 471,000 people have had their data compromised per breach.
4. Colorado (CO): In Colorado, 32 medical centers have reported data breaches between 2023 and 2026, which have impacted nearly 25 million people. On average, over 775,000 people have had their data compromised per breach.
5. Texas (TX): A total of 172 centers experienced a cyberattack, which impacted just over 20 million individuals in Texas.

It’s clear that since 2024, the number of individuals affected has decreased dramatically, which may be due to competent personal cybersecurity practices.

California has been leading in this regard, with comprehensive data privacy laws like the California Consumer Privacy Act (CCPA) and the Consumer Privacy Rights Act (CPRA), while also requiring the Office of Emergency Services to maintain a state-wide cyber response plan.

This shows how essential a good cybersecurity framework is in the long-term safeguarding of key medical data.

Methodology

For this study, the U.S. Department of Health and Human Services’ Breach Portal was exported, including both the ‘Under Investigation’ breaches as well as all archived data. Data beyond 2023 was excluded, and the number of data breaches and the number of individuals affected for the past 4 years per state were compared. The portal was accessed on the 6th of March 2026.