HomeKnowledge base › Data breaches by sector: healthcare has led for years
Data breach

Data breaches by sector: healthcare has led for years

Data breaches by sector in the Netherlands, with healthcare in the lead

Not every industry leaks equally. The Autoriteit Persoonsgegevens tracks which sectors the data breach reports come from, and that picture is strikingly stable. Year after year the same sector sits at the top. Healthcare. In 2024 there were 6,873 data breach reports from the health and welfare sector, more than from any other industry. In an earlier analysis we showed that paper is the biggest cause of data breaches. This article looks at the other side of the figures. Which sectors leak the most, why, and what you can do in your own industry.

The 2024 ranking

Across all of 2024 the Autoriteit Persoonsgegevens received 37,839 data breach reports. If we look at the sectors that filed the most reports, a clear top group emerges. Healthcare sits in first place by a wide margin. It is followed by public administration and financial services. Three sectors with one thing in common. They all process large volumes of sensitive personal data, on paper and digitally.

Leading sectors by number of data breach reports (AP, 2024)
Health and welfare 6,873
Public administration 4,874
Financial services 1,985

Source: Autoriteit Persoonsgegevens, data breach report 2024. These are the sectors with the most reports. The total of 37,839 reports also includes many bulk reports and reports from other sectors.

Why healthcare has been at the top for years

It is tempting to conclude that healthcare handles data the worst. That would not be fair. Two things are at play, and both belong to the story.

The first is that healthcare simply processes a great deal of sensitive data. Medical records, citizen service numbers, financial details. Exactly the kind of information that is valuable to criminals and where a breach has major consequences. Where a lot of sensitive data changes hands, the chance of an incident is naturally higher.

The second is less well known, but at least as important. Healthcare also reports small incidents more often than other sectors, partly because of the strict rules that care institutions are bound by. A high number of reports therefore partly says something good. Namely that there is a serious reporting culture. Healthcare's top position does not automatically mean security is worst there. It does mean that a great deal of paper and data that must stay confidential passes through healthcare, from the medication files at the pharmacy to the client records in mental health care.

Government is rising, financial services follow

Behind healthcare comes public administration. With 4,874 reports in 2024 that is a solid second place, and the number of data breaches in government has been rising in recent years. Municipalities process the data of all their residents, from certified extracts to benefit files. One misdirected letter there immediately affects a citizen. How a municipality tidies up that paper properly is covered in destroying citizen data at municipalities.

In third place is financial services with 1,985 reports. Banks, insurers, accountants and advisers work with bank details, policies and complete client files. Here too, a large part of the risk sits in old paper that keeps lying around. For accountancy firms we worked this out in destroying client files for accountants.

What the cause is, and why paper keeps coming back

The ranking says something about who reports. The cause says something about what goes wrong. And there the same picture returns as in our previous analysis. The biggest cause of data breaches is not the hacker, but human action with documents. A letter to the wrong recipient, an email with the wrong attachment, a file that goes missing. Paper and post are the largest category. If you want those figures in detail, read paper is the biggest cause of data breaches.

Cybercrime is growing, though. The number of reports after a cyberattack rose in 2024 to around 1,430, and such attacks often affect far more people per incident. One attack on an IT supplier in healthcare hit hundreds of thousands of patients in one go. Yet the sober truth remains that most incidents arise from everyday mistakes with data, not from spectacular hacks.

The good news: most of it is preventable

There is a figure in the AP report that gets too little attention, but that is hopeful for every sector. In most data breaches the cause was not bad luck, but policy. In about 40 percent of cases policy did exist, but was not followed. In about 33 percent suitable policy was missing entirely. Only a small share, about 15 percent, involved incidents that were genuinely unavoidable.

Put differently. The vast majority of data breaches could have been prevented with clear agreements that are actually observed. That is not a matter of expensive technology, but of order. Knowing what paper you have, knowing when it may go and then actually having it destroyed. For your own archive, 6 signs your archive is a GDPR risk helps to find the weak spots.

What you can do in your sector

The figures differ per industry, but the approach is the same everywhere. Run through these points.

  • Map your data flow. Know which sensitive documents you keep where, on paper and digitally.
  • Check the retention periods. Anything past its period is unnecessary risk.
  • Set policy down and stick to it. Policy that is on paper but not followed does not count.
  • Have what may go destroyed confidentially. Not with the recycling, but at the right DIN level with a certificate.
  • Know what to do in a breach. Make sure you can file a report within 72 hours.

For sectors with specific rules there are separate step-by-step plans. In education, fixed periods apply to student files. In the legal profession it comes down to the file after the case has ended. And if things do go wrong, the step-by-step plan to report a data breach within 72 hours helps.

What it costs to clear out your paper

Having paper destroyed confidentially is not a big investment. You pay a fixed price per box or roll container, from about 30 euro for the first box, with the certificate included. Within 20 km of Amsterdam we charge no call-out fee. Through pooled routes a fixed price is possible nationwide too. A one-off clear-out of years of accumulated paper can thus be handled in one go. Set against the consequences of a data breach, that is a small price.

A real-world example

A care institution clears out its archive after a merger. It turns out there are boxes of old client files whose retention period has long passed. In the bustle of the move, those boxes stood open in a corridor, accessible to anyone who walked past. Exactly the situation the AP figures are about. The institution has the files collected sealed and destroyed at the right level, and records the certificates in the record of processing. The vulnerable pile is gone, the proof is there, and at the next audit it takes a few minutes to show that the paper was demonstrably cleared out. More on that burden of proof is in demonstrable destruction for the GDPR.

Remove the sensitive paper from your sector?

Tell us how many boxes or binders are past their retention period and you get a fixed price. We collect it sealed, destroy it to the right DIN level and you receive a certificate of destruction as proof for your GDPR file. No call-out fee within 20 km of Amsterdam.

Request a quote

Frequently asked questions

Which sector has the most data breaches in the Netherlands?

The health and welfare sector. In 2024 it accounted for 6,873 data breach reports, more than any other sector. Healthcare has been the leader in the Autoriteit Persoonsgegevens figures for years.

Does this mean healthcare is the worst secured?

Not necessarily. Healthcare processes a great deal of very sensitive data, and it also reports small incidents more often than other sectors because of the strict rules. A high number of reports therefore partly reflects a strong reporting culture, not just the level of security.

Which sectors follow healthcare?

In 2024 public administration came second with 4,874 reports, followed by financial services with 1,985 reports. The numbers in government have been rising in recent years.

What is the main cause of data breaches?

Human action. A letter or email to the wrong recipient, a document that goes missing. Paper and post are the largest category, well above cyberattacks. Cybercrime is growing and often affects far more people per incident.

What can my sector do about it?

Have clear policy and stick to it. The figures show that a large share of data breaches arise because policy is missing or not followed. Map your paper flow, check retention periods and have what may go demonstrably destroyed.

Conclusion

The figures per sector tell a consistent story. Healthcare has been at the top for years, followed by public administration and financial services. That is partly because these sectors process a lot of sensitive data and partly because they report incidents faithfully. The cause is comparable in every sector. Not the hacker, but human action with documents. The good news is that most of it is preventable with clear policy that is also followed. Know what paper you have, check the periods and have what may go demonstrably destroyed. That way you remove the risk that takes the same shape in almost every industry. A pile of sensitive paper that keeps lying around too long.

See also: start with the cause in paper is the biggest cause of data breaches. Then go deeper with 6 signs your archive is a GDPR risk and the step-by-step plan to report a data breach within 72 hours.


Remove the risk from your industry? Request a quote via desnipperaar.nl or first read how demonstrable destruction for the GDPR forms your proof. We collect the sensitive paper sealed.