**Entities Report Several Large Healthcare Data Breaches to OCR**
In recent weeks, several large data breaches have been reported to the HHS Office for Civil Rights (OCR), collectively affecting millions of individuals across the United States. As of our publication date, more than 30 million individuals had been impacted by the hundreds of healthcare data breaches reported to OCR so far in 2025.
A recent series of breaches highlights the significant impact that a single hack can have on a healthcare provider and its patients. For instance, a standalone breach at a widely used vendor has spread to numerous entities, as seen in the Integrated Oncology Network (ION) breach.
**Dermatology Practice Suffers Data Breach Impacting Nearly 2 Million People**
Anne Arundel Dermatology, which operates over 30 locations across Maryland, Virginia, Florida, Georgia, North Carolina, Pennsylvania, and Tennessee, disclosed a 1.9-million-record data breach to OCR in July. According to the practice's breach notice, an unauthorized party accessed certain files containing health information between February 14, 2025, and May 13, 2025. The breach involved names, health insurance information, birth dates, and addresses.
This incident is now the fourth-largest breach reported to OCR in 2025, underscoring the growing threat of cyberattacks on healthcare providers. It is essential for healthcare organizations to prioritize data security measures to protect patient information from unauthorized access.
**Radiology Practice Reports 1.4M Individuals Affected by Data Breach**
Virginia-based Radiology Associates of Richmond (RAR) reported a 2024 data breach to OCR on July 1, 2025, impacting 1.4 million individuals. RAR conducted an investigation and determined that an unauthorized party accessed its network between April 2, 2024, and April 6, 2024.
The breach included personal information as well as protected health information. RAR effectively contained the breach and began notifying individuals whose information may have been included in the files accessed by the unauthorized party.
In a statement, RAR emphasized its commitment to maintaining the privacy of personal information in its possession and took measures to safeguard it. The company's breach notice highlighted the importance of evaluating and modifying practices to enhance security and privacy measures.
**Integrated Oncology Network Breach Impacts More Than 20 Providers**
ION, a Cardinal Health-owned network of oncology practices, suffered an email phishing incident that impacted at least 23 other cancer care providers across multiple states. Each provider filed separate breach reports with OCR on June 27.
Collectively, nearly 123,000 individuals were impacted. ION stated that an unauthorized party accessed a "small number" of email and SharePoint accounts between December 13, 2024, and December 16, 2024.
The emails, attachments, and SharePoint files involved in the breach contained names, addresses, financial account information, diagnoses, lab results, medication and treatment information, health insurance and claims information, and provider names. Some Social Security numbers were also involved.
**Cyberthreat Actors Continue to Target Healthcare Sector**
These recent data breaches demonstrate that cyber threats are continuing to make their mark on the healthcare sector. As a result, it is crucial for healthcare organizations to prioritize data security measures, implement robust protocols to prevent unauthorized access, and maintain open communication channels with patients and stakeholders.
The impact of these breaches highlights the need for continued vigilance and cooperation between healthcare providers, regulatory agencies, and industry experts to mitigate the risks associated with cyber threats.