
345 Major HIPAA Breaches Reported to Feds So Far This Year, Affecting 29.9 Million

Halfway through 2025, the federal website listing major health data breaches in the U.S. shows a familiar scene: many hacking incidents including ransomware, dozens of third-party vendor incidents, and millions of individuals affected by compromised personal data.
As of Monday, a snapshot of the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website shows 345 health data breaches reported so far in 2025 affecting 500 or more individuals. Those 345 breaches affected nearly 29.9 million people. That is fewer than the 408 breaches reported by June 30, 2024, and at that time, those breaches affected nearly 52.7 million people, nearly twice as many as for the same period in 2025.
Hacking/IT incidents led the way by far as the most commonly reported type of health data breach midway through 2025. The HHS OCR website shows 258 such hacks, compromising the data of 28.8 million people, or nearly 97% of the people affected so far in 2025. In fact, 9 out of the 10 largest health data breaches posted to the HHS OCR website so far this year involved a hacking incident.
The largest of the breaches posted to the HHS Office for Civil Rights’ website so far this year was reported in April by Connecticut-based Yale New Haven Health System as a hacking incident affecting 5.5 million patients (see: Yale New Haven Health Notifying 5.5 Million of March Hack).
Breaches reported as “unauthorized access/disclosure” incidents were the second most commonly reported type of breach, with 74 such incidents affecting more than 950,000 people.
By far, the largest of those unauthorized access/disclosure incidents was reported by Serviceaide, a breach affecting 483,000 people. The vendor of agentic artificial intelligence-based IT management and workflow software reported in May to HHS OCR that an inadvertent exposure of data on the web led to the incident affecting patients of its client Catholic Health, a network of six hospitals and dozens of other facilities in western New York (see: Agentic AI Tech Firm Says Health Data Leak Affects 483,000).
10 Largest Health Data Breaches, Mid-Year 2025
Breached Entity | Individuals Affected |
---|---|
Yale New Haven Health System | 5.55 Million |
Episource | 5.4 Million |
Blue Shield of California | 4.7 Million |
Southeast Series of Lockton Cos. | 1.1 Million |
Community Health Center | 1 Million |
Frederick Well being | 934,300 |
Medusind | 701,500 |
Kelly & Associates | 553,300 |
United Seating and Mobility (Numotion) | 494,300 |
Serviceaide | 483,100 |
Of the 345 breaches reported to HHS OCR in 2025 so far, 127 incidents affecting more than 15.8 million individuals were reported as involving third-party business associates.
That means that while business associates were reported at the center of 37% of major health data breaches so far in 2025, those incidents were responsible for more than half of the people affected.
Episource, a vendor of medical coding and risk adjustment services, last month reported the largest of those incidents, a ransomware hack affecting 5.4 million people.
Several of Episource’s healthcare sector clients that were affected by the hack have also issued their own breach notices about the incident, including healthcare delivery system Sharp HealthCare in California and health insurer Horizon Blue Cross Blue Shield of New Jersey.
“Covered entities must be holding their business associates to the same requirements as their own organizations, and their controls must be reviewed yearly,” said Mike Hamilton, field CISO of security firm Lumifi Cyber. “This must be embodied in contract language with clear ramifications for the failure to implement controls, and to limit liability for the covered entity,” he said.
More to Come
It's also worth noting that as of Monday, healthcare organizations reported at least 34 of the major 2025 health data breaches as affecting only 500 or 501 people. Those figures are often used as a placeholder number while the reporting entity completes its full assessment of its incident and the scope of protected health information compromised.
Once those breach reports get updated with more accurate numbers, the total of affected individuals may also potentially rise significantly.
In many cases, a report of 500 or 501 people affected by a HIPAA breach ends up being replaced later with an absolutely eye-popping figure.
That was certainly the case when Change Healthcare first reported its massive ransomware incident to HHS OCR in July 2024 as a breach affecting 500 individuals.
That number grew to a record-breaking 190 million victims by the time the UnitedHealth Group’s IT services unit updated its breach report to HHS OCR several months later (see: Change Healthcare Now Counts 190 Million Data Breach Victims).
Since the HHS OCR website began in September 2009, healthcare organizations have reported 6,982 major health data breaches, affecting nearly 884.6 million people, as of Monday.