10.2 Million Individuals Affected by Two Healthcare Data Breaches
Two massive healthcare data breaches have recently been reported by HIPAA-regulated entities which combined have affected more than 10.2 million individuals. Reported to OCR in quick succession this April, they are the two largest data breaches of 2025 so far and rank as two of the largest healthcare data breaches of all time.
The largest of the two breaches was reported to OCR on April 11, 2025, by Yale New Haven Health System, a nonprofit health system serving patients in Connecticut, New York, and Rhode Island. Hackers gained access to the electronic protected health information (ePHI) of 5,556,702 individuals, and data was exfiltrated from its network.
Yale New Haven Health System, the largest healthcare network in Connecticut, announced the breach 3 days after the security incident was detected. Unauthorized activity was identified within its network, and the cybersecurity firm Mandiant was engaged to assist with the investigation. Yale New Haven Health System said the rapid response to the security incident helped to contain it and prevent any disruption to patient care. The electronic medical record system was unaffected, although there was some disruption to its phone system and internet connection.
OCR was notified about the data breach a month after the initial announcement, and notification letters started to be sent to the affected individuals on April 14, 2025. The compromised data includes full names, dates of birth, addresses, telephone numbers, email addresses, race/ethnicity, Social Security numbers, patient type, and medical record numbers. Yale New Haven Health System confirmed that financial information, medical records, and treatment information were not compromised. It is unclear which group was behind the attack or if a ransom was paid.
The second breach was reported to OCR on April 9, 2025, by the health plan Blue Shield of California and potentially involved the impermissible disclosure of the ePHI of 4,700,000 individuals. While the number of affected individuals is considerable, the breach is far less serious than the incident at Yale New Haven Health System.
Blue Shield of California explained in its April 9, 2025, breach notification letters that plan member data had been impermissibly disclosed to Google and had been used to serve personalized ads to plan members. The impermissible disclosure was identified on February 11, 2025, and the forensic investigation confirmed that plan member data was disclosed between April 2021 and January 2024.
Like many health plans, Blue Shield of California had added Google Analytics code to its websites; however, the code was configured in a way that allowed member data to be shared with Google’s advertising platform, Google Ads, and that information may have included members’ protected health information. Blue Shield of California said the connection to the Google Ads platform was severed in January 2024.
The investigation confirmed that the following types of information may have been disclosed: insurance plan name, type, and group number; city; zip code; gender; family size; Blue Shield assigned identifiers for members’ online accounts; medical claim service date and service provider, patient name, and patient financial responsibility; and “Find a Doctor” search criteria and results (location, plan name. and type, provider name and type). There has been no detected misuse of the data; however, individuals may have been served personalized ads based on the disclosed information, which could have been related to specific medical issues.
Data breaches of this magnitude are certain to result in class action data breach lawsuits. Several law firms have already opened investigations into the data breaches, and the first lawsuits can be expected to be filed soon if they have not been already.
Largest Ever Healthcare Data Breaches
| Year Reported | HIPAA-Regulated Entity | State | Entity Type | Records Breached | Cause of Breach |
| 2024 | Change Healthcare, Inc. | MN | Business Associate | 190,000,000 | Hacking/IT Incident |
| 2015 | Anthem Inc. | IN | Health Plan | 78,800,000 | Hacking/IT Incident |
| 2023 | Welltok, Inc. | CO | Business Associate | 14,762,475 | Hacking/IT Incident |
| 2024 | Kaiser Foundation Health Plan, Inc. | CA | Health Plan | 13,400,000 | Unauthorized Access/Disclosure |
| 2019 | Optum360, LLC | MN | Business Associate | 11,500,000 | Hacking/IT Incident |
| 2023 | HCA Healthcare | TN | Business Associate | 11,270,000 | Hacking/IT Incident |
| 2015 | Premera Blue Cross | WA | Health Plan | 11,000,000 | Hacking/IT Incident |
| 2019 | Laboratory Corporation of America Holdings dba LabCorp | NC | Healthcare Provider | 10,251,784 | Hacking/IT Incident |
| 2015 | Excellus Health Plan, Inc. | NY | Health Plan | 9,358,891 | Hacking/IT Incident |
| 2023 | Perry Johnson & Associates, Inc. dba PJ&A | NV | Business Associate | 9,302,588 | Hacking/IT Incident |
| 2023 | Maximus, Inc. | VA | Business Associate | 9,179,226 | Hacking/IT Incident |
| 2023 | Managed Care of North America | GA | Business Associate | 8,627,242 | Hacking/IT Incident |
| 2014 | Community Health Systems Professional Services Corporation | TN | Healthcare Provider | 6,121,158 | Hacking/IT Incident |
| 2023 | PharMerica Corporation | KY | Healthcare Provider | 5,815,591 | Hacking/IT Incident |
| 2025 | Yale New Haven Health System | CT | Healthcare Provider | 5,556,702 | Hacking/IT Incident |
| 2011 | Science Applications International Corporation (SA | VA | Business Associate | 4,900,000 | Loss |
| 2025 | Blue Shield of California | CA | Health Plan | 4,700,000 | Unauthorized Access/Disclosure |
| 2023 | HealthEC LLC | NJ | Business Associate | 4,656,293 | Hacking/IT Incident |
| 2015 | University of California, Los Angeles Health | CA | Healthcare Provider | 4,500,000 | Hacking/IT Incident |
| 2014 | Community Health Systems Professional Services Corporation | TN | Business Associate | 4,500,000 | Theft |
