**10 Largest Healthcare Data Breaches Reported to OCR in 2025**

The year 2025 has seen a significant number of large-scale healthcare data breaches, which together impacted over 35 million individuals. According to the Office for Civil Rights (OCR) public data breach portal, upward of 20 million of those affected were part of the 10 largest breaches reported in 2025.

The total number of individuals impacted is likely much higher, as the OCR only publishes data on its portal regarding breaches that affected 500 people or more. Furthermore, the actual figure may be higher still due to the 43-day government shutdown that began in October 2025, which stalled the posting of 2025 breach reports.

Compared to 2024, when a record 168 million individuals were impacted by data breaches, the 2025 figure is significantly lower. However, the number is still massive and reflects the ongoing threat to patient privacy posed by cyberattacks and IT incidents in the healthcare sector.

**1. Yale New Haven Health System - 5,556,702 Individuals Affected**

Yale New Haven Health System (YNHHS) reported a multimillion-record data breach in April 2025, with an unauthorized third party gaining access to its network and obtaining copies of sensitive data, including names, birthdates, phone numbers, addresses, email addresses, patient type, medical record numbers, and Social Security numbers.

Following the breach, YNHHS emphasized that it had taken steps to update and enhance its systems to protect patient data and prevent similar incidents in the future. The health system's electronic medical records (EMRs) were not involved in the breach, and operations continued uninterrupted.

**2. Episource - 4,500,000 Individuals Affected**

IT vendor Episource suffered a ransomware attack in February 2025, resulting in a data breach that affected over 4.5 million individuals. The company discovered unusual activity in its computer systems on Feb. 6, 2025, and launched an investigation to determine the extent of the breach.

The data involved in the breach included combinations of name, address, phone number, email, health insurance data, medical record numbers, treatment information, and Social Security numbers. Episource stated that it had taken steps to mitigate the incident and prevent similar events from occurring in the future.

**3. Blue Shield of California - 4,700,000 Individuals Affected**

Blue Shield of California notified over 4.7 million individuals of a breach stemming from a configuration error in Google Analytics that allowed it to share member data with Google Ads. The health insurance company stated that the incident did not involve any bad actors and emphasized that no protected information was used for advertising purposes.

**4. DaVita - 2,700,000 Individuals Affected**

Kidney care company DaVita suffered a ransomware attack in April 2025, with Interlock ransomware actors claiming responsibility for the incident. The breach resulted in the encryption of certain elements of DaVita's network and involved sensitive data from its dialysis labs database.

The affected patient information included names, addresses, Social Security numbers, health insurance information, dates of birth, health conditions, and certain dialysis lab test results. DaVita emphasized that it had taken steps to enhance education for its workforce and strengthen data security protocols in response to the incident.

**5. Anne Arundel Dermatology - 1,905,000 Individuals Affected**

Anne Arundel Dermatology disclosed a 1.9-million-record data breach to OCR in July 2025. The dermatology practice operates over 30 locations across several states and reported that an unauthorized party accessed certain files containing health information between Feb. 14, 2025, and May 13, 2025.

**6. Radiology Associates of Richmond - 1,419,091 Individuals Affected**

Virginia-based Radiology Associates of Richmond (RAR) suffered a data breach in 2024, which it reported to OCR on July 1, 2025. The incident impacted over 1.4 million individuals and occurred when an unauthorized party accessed RAR's network between April 2, 2024, and April 6, 2024.

**7. Southeast Series of Lockton Companies - 1,124,727 Individuals Affected**

Kansas City, Missouri-based Southeast Series of Lockton Companies reported a large data breach to OCR in February 2025. The company discovered suspicious activity on a single computer in November 2024 and immediately engaged law enforcement and third-party cybersecurity experts to investigate.

**8. Community Health Center - 1,060,936 Individuals Affected**

Community Health Center, a Middletown, Connecticut-based organization that provides primary care services, reported a data breach that occurred in January 2025. The company stated that an unauthorized party accessed certain files containing health information between Feb. 14, 2025, and May 13, 2025.

**9. Frederick Health - 943,000 Individuals Affected**

Maryland-based Frederick Health suffered a ransomware attack on Jan. 27, 2025, that disrupted its IT systems and resulted in an uptick in patient volume at a neighboring hospital. The healthcare organization reported that an unauthorized party gained access to the network and copied certain files from a file share server.

**10. McLaren Health Care - 743,131 Individuals Affected**

Michigan-based healthcare system McLaren Health Care suffered a criminal cyberattack in August 2024 that resulted in disruptions to its information technology and phone systems. The health system reported that the unauthorized network access occurred between July 17, 2024, and Aug. 3, 2024.