The Growing Concern of Healthcare Data Breaches in 2025
Healthcare data breaches continue to be a pressing concern for healthcare organizations and their business associates. In the first six months of 2025, nearly 30 million records have been implicated in large data breaches, according to the HHS Office for Civil Rights (OCR). The OCR breach portal currently lists over 500 individuals affected by healthcare data breaches.
Four of the 10 largest healthcare data breaches reported to OCR in 2025 involved provider organizations, while six impacted business associates. Notably, nine of the 10 breaches were caused by hacking or IT incidents, with only one resulting from an unauthorized disclosure.
The shift towards hacking as a primary cause of healthcare data breaches is striking. In 2017, researchers observed that hacking surpassed theft and unauthorized access as the leading cause of healthcare data breaches. This reflects a significant change in the cyber threat landscape.
Biggest Healthcare Data Breaches in 2025
Yale New Haven Health System: 5,556,702 individuals affected
In April 2025, Yale New Haven Health System reported a multimillion-record healthcare data breach. The breach occurred after an unauthorized third party gained access to the health system's network and obtained copies of sensitive data.
Yale New Haven Health System stated that it had discovered unusual activity within its IT systems on March 8, 2025, prompting an investigation. The system determined that the breach did not involve electronic medical records and did not impact its ability to provide care.
"We consider the health, safety, and privacy of patients our top priority," a notice on the health system's website stated. "We are continuously updating and enhancing our systems to protect the data we maintain and help prevent events like this from occurring in the future."
Episource: 1,124,727 individuals affected
In February 2025, IT vendor Episource reported a ransomware attack that resulted in a data breach. The company discovered unusual activity within its computer systems on Feb. 6, 2025, and determined that an unauthorized party had accessed Episource systems between Jan. 27, 2025, and Feb. 6, 2025.
The breached data included names, addresses, phone numbers, email addresses, health insurance data, medical record numbers, treatment information, and Social Security numbers.
Other Significant Breaches
Blue Shield of California: 4,700,000 individuals affected
In February 2025, Blue Shield of California notified 4.7 million individuals of a breach caused by a configuration of Google Analytics that allowed it to share member data with Google Ads.
Blue Shield stated that the configuration could have allowed Google Ads to deliver ad campaigns back to impacted members, which would constitute a data breach.
Lockton Companies: 553,332 individuals affected
In February 2025, Kansas City-based Lockton Companies reported a large data breach after an unauthorized party accessed certain files containing sensitive information, such as names and Social Security numbers.
The firm offered identity theft protection to affected individuals and took steps to strengthen its security in the wake of the incident.
Community Health Center: 1,060,936 individuals affected
In January 2025, Community Health Center reported a data breach caused by a "skilled criminal hacker" who entered the organization's systems and copied some data.
The breached information included names, addresses, phone numbers, emails, diagnoses, test results, Social Security numbers, and health insurance information.
Frederick Health: 1,124,727 individuals affected
In January 2025, Maryland-based Frederick Health suffered a ransomware attack that disrupted its IT systems and resulted in an uptick in patient volume at a neighboring hospital.
The breach impacted documents containing patient names, addresses, Social Security numbers, driver's license numbers, medical record numbers, dates of birth, health insurance information, and clinical information.
Medusind: 553,332 individuals affected
In January 2025, revenue cycle management vendor Medusind reported a hack that resulted in the unauthorized access of certain files containing sensitive information, such as health insurance and billing data.
The company notified patients on behalf of its healthcare organization clients and offered complimentary identity monitoring to affected individuals.
Kelly & Associates Insurance Group: 553,332 individuals affected
In December 2024, Maryland-based Kelly & Associates Insurance Group suffered unauthorized access to its systems, resulting in a data breach that impacted more than 553,000 individuals across dozens of its client organizations.
The breached data included names, Social Security numbers, dates of birth, tax ID numbers, medical information, health insurance information, and financial account information.
United Seating and Mobility: 480,000 individuals affected
In November 2024, United Seating and Mobility reported a March 2024 data breach caused by an unauthorized party accessing certain employee email accounts.
The breached data included financial account information, health insurance information, names, dates of birth, product information, medical information, and Social Security numbers.
Serviceaide: 480,000 individuals affected
In November 2024, Serviceaide reported a data breach stemming from the vendor's AI-powered enterprise service solution being inadvertently made publicly available.
A review determined that the publicly available information included names, Social Security numbers, medical record numbers, patient account numbers, health insurance information, clinical information, and usernames and passwords.