10.2 Million Individuals Affected by Two Healthcare Data Breaches

Two massive healthcare data breaches have recently been reported by HIPAA-regulated entities which combined have affected more than 10.2 million individuals. Reported to OCR in quick succession this April, they are the two largest data breaches of 2025 so far and rank as two of the largest healthcare data breaches of all time.

The largest of the two breaches was reported to OCR on April 11, 2025, by Yale New Haven Health System, a nonprofit health system serving patients in Connecticut, New York, and Rhode Island. Hackers gained access to the electronic protected health information (ePHI) of 5,556,702 individuals, and data was exfiltrated from its network.

Yale New Haven Health System, the largest healthcare network in Connecticut, announced the breach 3 days after the security incident was detected. Unauthorized activity was identified within its network, and the cybersecurity firm Mandiant was engaged to assist with the investigation. Yale New Haven Health System said the rapid response to the security incident helped to contain it and prevent any disruption to patient care. The electronic medical record system was unaffected, although there was some disruption to its phone system and internet connection.

OCR was notified about the data breach a month after the initial announcement, and notification letters started to be sent to the affected individuals on April 14, 2025. The compromised data includes full names, dates of birth, addresses, telephone numbers, email addresses, race/ethnicity, Social Security numbers, patient type, and medical record numbers. Yale New Haven Health System confirmed that financial information, medical records, and treatment information were not compromised. It is unclear which group was behind the attack or if a ransom was paid.

The second breach was reported to OCR on April 9, 2025, by the health plan Blue Shield of California and potentially involved the impermissible disclosure of the ePHI of 4,700,000 individuals. While the number of affected individuals is considerable, the breach is far less serious than the incident at Yale New Haven Health System.

Blue Shield of California explained in its April 9, 2025, breach notification letters that plan member data had been impermissibly disclosed to Google and had been used to serve personalized ads to plan members. The impermissible disclosure was identified on February 11, 2025, and the forensic investigation confirmed that plan member data was disclosed between April 2021 and January 2024.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

Like many health plans, Blue Shield of California had added Google Analytics code to its websites; however, the code was configured in a way that allowed member data to be shared with Google’s advertising platform, Google Ads, and that information may have included members’ protected health information. Blue Shield of California said the connection to the Google Ads platform was severed in January 2024.

The investigation confirmed that the following types of information may have been disclosed: insurance plan name, type, and group number; city; zip code; gender; family size; Blue Shield assigned identifiers for members’ online accounts; medical claim service date and service provider, patient name, and patient financial responsibility; and “Find a Doctor” search criteria and results (location, plan name. and type, provider name and type). There has been no detected misuse of the data; however, individuals may have been served personalized ads based on the disclosed information, which could have been related to specific medical issues.

Data breaches of this magnitude are certain to result in class action data breach lawsuits. Several law firms have already opened investigations into the data breaches, and the first lawsuits can be expected to be filed soon if they have not been already.

Largest Ever Healthcare Data Breaches

Year Reported HIPAA-Regulated Entity State Entity Type Records Breached Cause of Breach
2024 Change Healthcare, Inc. MN Business Associate 190,000,000 Hacking/IT Incident
2015 Anthem Inc. IN Health Plan 78,800,000 Hacking/IT Incident
2023 Welltok, Inc. CO Business Associate 14,762,475 Hacking/IT Incident
2024 Kaiser Foundation Health Plan, Inc. CA Health Plan 13,400,000 Unauthorized Access/Disclosure
2019 Optum360, LLC MN Business Associate 11,500,000 Hacking/IT Incident
2023 HCA Healthcare TN Business Associate 11,270,000 Hacking/IT Incident
2015 Premera Blue Cross WA Health Plan 11,000,000 Hacking/IT Incident
2019 Laboratory Corporation of America Holdings dba LabCorp NC Healthcare Provider 10,251,784 Hacking/IT Incident
2015 Excellus Health Plan, Inc. NY Health Plan 9,358,891 Hacking/IT Incident
2023 Perry Johnson & Associates, Inc. dba PJ&A NV Business Associate 9,302,588 Hacking/IT Incident
2023 Maximus, Inc. VA Business Associate 9,179,226 Hacking/IT Incident
2023 Managed Care of North America GA Business Associate 8,627,242 Hacking/IT Incident
2014 Community Health Systems Professional Services Corporation TN Healthcare Provider 6,121,158 Hacking/IT Incident
2023 PharMerica Corporation KY Healthcare Provider 5,815,591 Hacking/IT Incident
2025 Yale New Haven Health System CT Healthcare Provider 5,556,702 Hacking/IT Incident
2011 Science Applications International Corporation (SA VA Business Associate 4,900,000 Loss
2025 Blue Shield of California CA Health Plan 4,700,000 Unauthorized Access/Disclosure
2023 HealthEC LLC NJ Business Associate 4,656,293 Hacking/IT Incident
2015 University of California, Los Angeles Health CA Healthcare Provider 4,500,000 Hacking/IT Incident
2014 Community Health Systems Professional Services Corporation TN Business Associate 4,500,000 Theft

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/