Biggest Healthcare Data Breaches in H1 2025
There has been a slight year-over-year decrease in healthcare data breaches and breached healthcare records. According to the latest data from the HHS’ Office for Civil Rights (OCR), there were 408 large healthcare data breaches in H1 2024, which affected 53,198,595 individuals. Large data breaches are those that affect 500 or more individuals, which, per HIPAA, must be made public by OCR via its data breach portal. While there may be some adjustments to the H1 2025 data as lengthy breach investigations conclude and estimates are adjusted, this year’s figures currently show a fall in the number of breaches and breached healthcare records.
In H1 2025, 379 large healthcare data breaches were reported to OCR, and 31,052,837 individuals had their protected health information exposed or impermissibly disclosed. That’s a 7.1% year-over-year fall in data breaches and a 41.6% fall in the number of affected individuals. It should be noted that in July 2024, the OCR breach portal indicated a 9.5% fall in the number of affected individuals compared to the same period the previous year; however, 2024 ended with record numbers of individuals affected by healthcare data breaches. Currently, the total for 2024 stands at 281,634,341 affected individuals due to the massive data breach at Change Healthcare, which affected 190 million individuals.
In H1 2025, hacking and other IT incidents accounted for 77.6% of all large data breaches (294 incidents) and 96.8% of breached records (30,059,709 affected individuals). Unauthorized access/disclosure incidents accounted for 20.1% of data breaches (76 incidents) and 3.1% of breached records (951,892 affected individuals). There were 8 theft incidents affecting 40,735 individuals, and 1 improper disposal incident affecting a yet-to-be-confirmed number of individuals.
The Biggest Healthcare Data Breaches in 2025
All but one of the top 10 breaches in H1 2025 were hacking incidents, which have been the leading cause of healthcare data breaches since 2017. Half of the top 5 data breaches were reported by healthcare providers and half by business associates.
Yale New Haven Health System: 5,556,702 Affected Individuals
The biggest healthcare data breach so far this year was reported by Yale New Haven Health System, the largest health system in the state of Connecticut. Hackers breached its network and stole files containing patient names, birth dates, email addresses, medical record numbers, Social Security numbers, and other sensitive data. The intrusion was detected on March 8, 2025, the same day that hackers breached its network, although not in time to prevent the exfiltration of patient data.
Episource, LLC: 5,418,866 Affected Individuals
Not far behind was the hacking incident at Episource, a provider of risk adjustment and medical coding services to healthcare providers and health plans. The intrusion was detected on February 6, 2025, when files were encrypted by ransomware. The ransomware group first gained access to its network on January 27, 2025, and exfiltrated data before encrypting files. The stolen data included names, contact information, health insurance information, medical record numbers, treatment information, Social Security numbers, and other sensitive data.
Blue Shield of California: 4,700,000 Affected Individuals
The data breach at Blue Shield of California was the only breach in the top 10 that was not a hacking incident. The health insurer had added Google Analytics code to its website to collect visitor data to improve its web services; however, the code was misconfigured, which resulted in member data being shared with the Google Ads platform. The affected members may have been served with targeted ads based on their interactions on the Blue Shield of California website. Notification letters were sent to 4.7 million members as a precaution, as any member who visited the website between 2021 and 2024 may have been affected.
Southeast Series of Lockton Companies, LLC: 1,124,727 Affected Individuals
Southeast Series of Lockton Companies, a Kansas City, Missouri-based insurance brokerage firm that provides employee benefit services, experienced a hacking incident involving a single individual account and computer. The hacker only had access for a few hours on November 20, 2024, but that was enough time to exfiltrate patient data. The exposed files contained the protected health information of 1,124,727 individuals, including names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and financial information.
Community Health Center, Inc.: 1,060,936 Affected Individuals
Community Health Center, a primary care provider in Middletown, Connecticut, had its systems breached by a hacker. Community Health Center detected the intrusion on January 2, 2025; however, systems were first breached on October 14, 2024. Data was exfiltrated from its network, but there was no file encryption. The protected health information of 1,060,936 individuals was compromised in the incident, including names, addresses, phone numbers, email addresses, dates of birth, diagnoses, test results, treatment information, health insurance information, and Social Security numbers.
Frederick Health Medical Group: 934,326 Affected Individuals
Frederick Health Medical Group, a network of specialty healthcare providers in Maryland, suffered a ransomware attack on or around January 27, 2025, that resulted in file encryption on a single file share server. The investigation confirmed that the ransomware group exfiltrated files containing patient information before encrypting files. The compromised data included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, health insurance information, and/or clinical information. The file review confirmed that 934,326 individuals were affected.
McLaren Health Care: 743,131 Affected Individuals
McLaren Health Care, a Michigan healthcare provider, experienced a ransomware attack on August 5, 2024, that affected McLaren Health Care and its Karmanos Cancer Centers. The Inc Ransom group claimed responsibility for the attack and first breached its network on July 17, 2024. It took until May 5, 2025, to review the affected files and confirm that the protected health information of 743,131 individuals was potentially stolen, including names, Social Security numbers, driver’s license numbers, medical information, and health insurance information.
Medusind Inc.: 701,475 Affected Individuals
Medusind, a Florida-based medical and dental billing and revenue cycle management company, had its systems hacked on December 29, 2023. The intrusion was detected and blocked the same day; however, it took until January 2025 to announce the data breach. The hackers obtained names, contact information, Social Security numbers, medical histories, health insurance and billing information, financial information, and other sensitive data. The file review confirmed that 701,475 individuals were affected.
Kelly & Associates Insurance Group, Inc.: 553,332 Affected Individuals
Kelly & Associates Insurance Group, which does business as Kelly Benefits, a Maryland-based employee benefits administrator, discovered a computer intrusion on December 17, 2024. The investigation confirmed that its network was first breached on December 12, 2024, and files were copied from the network. The data breach was initially reported as affecting 32,234 individuals; however, as the investigation progressed, it was discovered that 553,332 individuals had their data stolen in the attack. More than 40 of its clients were affected. The stolen data included names, dates of birth, Social Security numbers, health insurance information, financial account information, and medical information.
United Seating and Mobility, LLC d/b/a Numotion: 494,326 Affected Individuals
United Seating and Mobility, which does business as Numotion and provides mobility aids such as wheelchairs, rounds out the top ten with a hacking incident that affected 494,326 individuals. Hackers had access to its network between September 2, 2024, and November 18, 2024, and exfiltrated files containing names, dates of birth, medical information, product information, and Social Security numbers. In contrast to the other hacking incidents in the top ten, this was an email account breach rather than a network server hacking incident.
