Information Breach Notification
,
Information Safety
,
HIPAA/HITECH
345 Main HIPAA Breaches Reported to Feds So Far This Yr, Affecting 29.9 Million
Halfway by means of 2025, the federal web site itemizing main well being knowledge breaches within the U.S. reveals a well-known scene: Many hacking incidents together with ransomware, dozens of third-party vendor incidents, and thousands and thousands of people affected by compromised private knowledge.
See Additionally: On Demand | Ransomware in 2025: Evolving Threats, Exploited Vulnerabilities, and a Unified Protection Technique
As of Monday, a snapshot of the U.S. Division of Well being and Human Providers’ HIPAA Breach Reporting Instrument web site reveals 345 well being knowledge breaches reported up to now in 2025 affecting 500 or extra people. These 345 breaches affected almost 29.9 million folks. That is fewer than the 408 breaches reported by June 30, 2024, and at the moment, these breaches affected almost 52.7 million folks – almost twice as many for a similar interval in 2025.
Hacking/IT incidents prepared the ground by far as probably the most generally reported sort of well being knowledge breach halfway in 2025. The HHS OCR web site present 258 such hacks, compromising the info of 28.8 million folks, or almost 97% of the folks affected up to now in 2025. In actual fact, 9 out of the ten largest well being knowledge breaches posted to the HHS OCR web site up to now this yr concerned a hacking incident.
The biggest of the breaches up to now posted to the HHS Workplace for Civil Rights’ web site up to now this yr was reported in April by Connecticut-based Yale New Haven Well being System as a hacking incident affecting 5.5 million sufferers (see: Yale New Haven Well being Notifying 5.5 Million of March Hack).
Breaches reported as “unauthorized entry/disclosures” incidents have been the second mostly reported breach, with 74 such incidents affecting greater than 950,000 folks.
By far, the most important of these unauthorized entry/disclosure incidents was reported by Serviceaid – a breach affecting 483,000 folks. The seller of agentic synthetic intelligence-based IT administration and workflow software program, reported in Might to HHS OCR that an inadvertent publicity of information on the internet has led to the incident affecting sufferers of its consumer Catholic Well being, a community of six hospitals and dozens of different amenities in western New York (see: Agentic AI Tech Agency Says Well being Information Leak Impacts 483,000).
10 Largest Well being Information Breaches, Mid-Yr 2025
| Breached Entity | People Affected |
|---|---|
| Yale New Haven Well being System | 5.55 Million |
| Episource | 5.4 Million |
| Blue Protect of California | 4.7 Million |
| Southeast Collection of Lockton Cos. | 1.1 Million |
| Group Well being Middle | 1 Million |
| Frederick Well being | 934,300 |
| Medusind | 701,500 |
| Kelly & Associates | 553,300 |
| United Seating and Mobility (Numotion) | 494,300 |
| Serviceaide | 483,100 |
Of the 345 breaches reported to HHS OCR in 2025 up to now, 127 incidents affecting greater than 15.8 million people have been reported as involving third-party enterprise associates.
That signifies that whereas enterprise associates have been reported on the middle of 37% of main well being knowledge breaches up to now in 2025, these incidents have been answerable for greater than half of the folks affected.
Episource, a vendor of medical coding and threat adjustment companies, final month reported the most important of these incidents – a ransomware hack affecting 5.4 million folks.
A number of of Episource’s healthcare sector shoppers that have been affected by the hack have additionally issued their very own breach notices concerning the incident, together with healthcare supply system Sharp HealthCare in California and well being insurer Horizon Blue Cross Blue Protect of New Jersey.
“Lined entities needs to be holding their enterprise associates to the identical necessities as their very own organizations, and their controls needs to be reviewed yearly,” stated Mike Hamilton, area CISO of safety agency Lumifi Cyber. “This needs to be embodied in contract language with clear ramifications for the failure to implement controls, and to restrict legal responsibility for the lined entity,” he stated.
Extra to Come
It is also price noting that as of Monday, healthcare organizations reported not less than 34 of the most important 2025 well being knowledge breaches as affecting solely 500 or 501 folks. These figures are normally used as a placeholder quantity whereas the reporting entity completes its full evaluation of its incident and the scope of protected well being data compromised.
As soon as these breach studies get up to date with extra correct numbers, the full of affected people will even doubtlessly rise considerably.
In lots of circumstances, a report of 500 and 501 folks affected by a HIPAA breach finally ends up being changed later with a completely eye-popping determine.
That was definitely the case when Change Healthcare first reported its large ransomware incident to HHS OCR in July 2024 as a breach affecting 500 people.
That quantity grew to a record-breaking 190 million victims by the point the UnitedHealth Group’ IT companies unit up to date its breach report back to HHS OCR a number of months later (see: Change Healthcare Now Counts 190 Million Information Breach Victims).
Because the HHS OCR web site started in September 2009, healthcare organizations reported 6,982 main well being knowledge breaches, affecting almost 884.6 million folks, as of Monday.
