January 2025 Healthcare Data Breach Report
December was a relatively quiet month for healthcare data breaches, but data breaches were reported at a higher-than-average level in January, with 66 large healthcare data breaches reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). OCR requires all data breaches at HIPAA-regulated entities to be reported, although it only publishes breach report data for breaches that affect 500 or more individuals, which are hereafter referred to as large healthcare data breaches.

Over the past 12 months, an average of 61 healthcare data breaches have been reported each month, with January 8.2% up on that average, making it one of the worst months for data breaches in the past 12 months. It should be noted that a single incident at a business associate – HCF Management – was reported individually by each of the 24 affected entities. Had that incident been reported as a single breach, January’s figures would look substantially better.

While there was a 32% month-over-month increase in data breaches, there was a 34% fall in the number of individuals affected by data breaches, from 4.14 million individuals in December to 2,729,560 individuals in January. On average, over the past 12 months, 14,896,672 records have been exposed each month, although that figure is heavily skewed by the 190 million-record data breach at Change Healthcare. January’s total is well below the median monthly number of 5,381,188 affected individuals.


Based on current figures, which are still likely to change due to ongoing investigations of data breaches from last year, there were 729 data breaches affecting 185,798,538 individuals in 2024 – a record number of affected individuals, but a slight year-over-year fall in data breaches from the 747 breaches reported in 2023.
The Biggest Healthcare Data Breaches in January 2025
In January there were 12 data breaches affecting 10,000 or more individuals, well down on the 19 such breaches reported in December. One of the standout data breaches was the hacking incident at Community Health Center in Connecticut. A hacker breached the network and stole data, but did not encrypt files. A ransom demand was issued, payment of which was required to prevent the publication of the stolen data and ‘ensure’ its deletion. The lack of encryption meant there was no impact on operations or delays to services.
This type of extortion-only attack is becoming more common, with hacking groups concentrating on the extortion element of the attack. The threat of publication of stolen data is often the main factor influencing the decision to pay the ransom. There is increasing reluctance to pay ransom demands – according to a recent Chainalysis report, ransom payments are down 35% YOY – and, as a result, there has been an increase in attacks as hackers try to make up for the shortfall in earnings.
Four of the 12 breaches were reported by business associates, plus a further two occurred at business associates but were reported by the affected providers. These attacks often involve records from multiple providers and can result in widespread disruption, as the February 2024 ransomware attack on Change Healthcare clearly demonstrated. All but one of the 12 largest data breaches of the month were hacking/IT incidents.
The unauthorized access incident stands out as it involved multiple employees. Snooping on healthcare records is a relatively common occurrence, occasionally involving multiple employees, especially when a high-profile individual is admitted to a hospital. The unauthorized access at the Texas Health Services Commission was atypical as it appears to have involved multiple individuals accessing healthcare records for personal gain. Nine members of staff were terminated over the violations, with 3 of those individuals referred to law enforcement. Two of the employees involved are alleged to have changed personal information numbers on Lone Star food stamp cards and made illegal purchases. These privacy violations continued for three and a half years before the unauthorized access was detected, which raises serious questions about the monitoring of employee access to records.
Two of the biggest healthcare data breaches of the month involved unauthorized access to email accounts, one of which was a confirmed phishing incident. Both incidents involved unauthorized access to single email accounts, yet those accounts contained large amounts of patient data. Multifactor authentication can help to secure email accounts, but given the high risk of email account breaches and the prevalence of phishing kits that defeat multifactor authentication, regulated entities should limit the amount of data stored in email accounts.
| Name of Regulated Entity | State | Regulated Entity Type | Individuals Affected | Cause of Breach |
| --- | --- | --- | --- | --- |
| Community Health Center, Inc. | CT | Healthcare Provider | 1,060,936 | Hacking incident – Data theft confirmed |
| Medusind Inc. | FL | Business Associate | 694,054 | Hacking incident – Data theft confirmed |
| Allegheny Health Network Home Medical Equipment LLC and Allegheny Health Network Home Infusion LLC | PA | Healthcare Provider | 292,773 | Cyberattack on a business associate (IntraSystems) |
| Asheville Eye Associates, PLLC | NC | Healthcare Provider | 193,306 | Ransomware attack with data theft (Dragonforce) |
| University Diagnostic Medical Imaging, PC | NY | Healthcare Provider | 138,080 | Hacking incident |
| Buffalo Surgery Center | NY | Healthcare Provider | 64,000 | Hacking incident that also affected Excelsior Orthopaedics and Northtowns Orthopedics |
| Texas Health and Human Services Commission | TX | Health Plan | 61,104 | Unauthorized Access of records by employees – potential criminal charges for employees |
| Pediatric Home Respiratory Services, LLC d/b/a Pediatric Home Service | MN | Healthcare Provider | 41,792 | Hacking incident |
| Lucent Health Solutions, LLC | TN | Business Associate | 37,000 | Email account breach – phishing |
| Bankers Cooperative Group, Inc. | NJ | Business Associate | 14,403 | Email account breach |
| Heritage Health Care | OH | Healthcare Provider | 12,162 | Hacking incident at business associate (HCF Management) – data theft confirmed |
| McNall & Associates, P.C. | AK | Business Associate | 10,175 | Hacking incident |
The reporting deadline under the HIPAA Breach Notification Rule is 60 days from the date of discovery of a data breach. In order to meet that reporting deadline, HIPAA-regulated entities often provide OCR with an estimate of the number of affected individuals, and then update the total when the investigation concludes. It is common for a placeholder figure of 500 or 501 individuals to be used. In January, 5 data breaches were reported as affecting 500 or 501 individuals. Some or all of those incidents may turn out to affect considerably more individuals.
| Name of Regulated Entity | State | Regulated Entity Type | Individuals Affected | Type of Breach |
| --- | --- | --- | --- | --- |
| North Los Angeles County Regional Center | CA | Business Associate | 500 | Hacking/IT Incident |
| OrthoMinds, LLC | GA | Business Associate | 501 | Hacking/IT Incident |
| Benefits Management Group, Inc. | IL | Business Associate | 501 | Hacking/IT Incident |
| Behavioral Health Resources | WA | Healthcare Provider | 501 | Hacking/IT Incident |
| Newport Harbor Pathology Medical Group, Inc. | CA | Healthcare Provider | 501 | Hacking/IT Incident |
Main Causes of January 2025 Healthcare Data Breaches
As has been the case for many months, the majority of the month’s data breaches were due to hacking and other IT incidents, with hacking incidents making up the bulk of the month’s data breaches. There has been a growing trend of withholding details from breach notices, and not just in healthcare. The lack of information makes it hard for victims to gauge the level of risk they face. For instance, breach victims may be informed that personal data “may have been viewed or copied” when the stolen data has been uploaded to a ransomware group’s data leak site for weeks prior to the notification letters being mailed.
The lack of information makes it hard to track the causes of these breaches accurately; however, many are due to ransomware and extortion-related incidents. Cybersecurity companies that track ransomware attacks have reported an increase in attacks in 2024. GuidePoint Security’s research indicates a 13% increase in healthcare victims in 2024, and Black Kite reports more concerning figures: a 32.16% increase in healthcare ransomware attacks in 2024, including a significant jump in Q4, 2024 to 121 attacks, when 8.22% were on healthcare organizations. Since there is often a considerable delay in reporting due to the length of time taken to investigate the attacks and determine if patient data was compromised, this rise in attacks may not be apparent in breach report data for several months.
There are some indications that Russia may be prepared to take action against the ransomware groups that operate freely in the country. Russia has long harbored cybercriminal and ransomware groups that appear to be allowed to operate unrestricted, provided they do not conduct attacks at home or in the Commonwealth of Independent States. Potentially, as a prelude to a peace deal with Ukraine and stronger ties with the United States under the Trump administration, action may start to be taken against these groups. Surprisingly, the prolific and vocal Russian hacker Mikhail Pavlovich Matveev, aka Wazawaka, who claimed to have conducted many ransomware attacks, was arrested in Russia in November. Matveev was one of many individuals arrested in Russia on cybercrime charges in Q4, 2024. A pledge to combat ransomware attacks could well be a part of the new “friendly” relationship with the United States under the Trump Administration.
In the meantime, a relatively new ransomware group has been rapidly increasing its attacks after an aggressive campaign to recruit initial access brokers and affiliates. ReliaQuest has tracked a 1,425% increase in posts to the BlackLock (El Dorado) ransomware group’s data leak site and warns that the group may become the most dominant ransomware group in 2025, filling the void left by ALPHV/BlackCat.

Hacking and other IT incidents tend to involve large numbers of healthcare records, more so than other types of data breaches. In January, across the 51 hacking/IT incidents, the records of at least 2,649,026 individuals were exposed, viewed, or stolen, with an average breach size of 51,942 affected individuals and a median breach size of 2,709 affected individuals. There were 13 unauthorized access/disclosure incidents affecting a total of 77,983 individuals, with an average breach size of 5,999 individuals and a median breach size of 1,000 individuals. There were two theft incidents affecting a total of 2,551 individuals with no loss or improper disposal incidents reported. The most common location of breached protected health information was network servers, with almost a dozen email-related breaches and half a dozen incidents involving paper records.

Where did the Data Breaches Occur?
The entity reporting a data breach may not be the entity that experienced the breach. When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure the data breach is reported to OCR, the affected individuals, and the media. Depending on the nature of the business associate agreement and other factors, the business associate may issue notifications or the affected covered entities may report the breach. In some cases, that responsibility is split with some affected entities reporting the breach while the business associate reports the breach on behalf of other affected entities.
The raw data on the OCR breach portal shows 50 breaches reported by healthcare providers (1,895,607 affected individuals), 12 breaches reported by business associates (770,306 affected individuals), and 4 breach reports by health plans (63,647 affected individuals). The charts below show adjusted figures based on where the breach occurred rather than the entity that reported the breach, to ensure that data breaches at business associates are accurately reflected.


Geographical Distribution of Healthcare Data Breaches
The data breaches in January were widely dispersed, with HIPAA-regulated entities in 30 states and the District of Columbia reporting data breaches. Ohio was the worst affected state with 18 breaches, but 17 of those breach reports relate to the same incident at HCF Management. 8 covered entities in Pennsylvania reported breaches, with 7 of those breach reports also due to the HCF Management breach.
| State | Breaches |
| --- | --- |
| Ohio | 18 |
| Pennsylvania | 8 |
| Texas | 4 |
| California & New York | 3 |
| Georgia, Michigan, New Jersey & Wisconsin | 2 |
| Alabama, Alaska, Connecticut, Delaware, Florida, Idaho, Illinois, Indiana, Kansas, Kentucky, Massachusetts, Minnesota, Missouri, Montana, Nebraska, New Mexico, North Carolina, Oklahoma, Oregon, Tennessee, Washington & the District of Columbia | 1 |
HIPAA Enforcement Activity in January 2025
OCR finished 2024 with resolutions to several HIPAA compliance investigations – 9 in total – some of which were announced in early January even though the investigations were resolved in December. Those enforcement actions were included in our December 2024 healthcare data breach report to reflect the administration that closed the investigations.
The administration change, which includes changes to the leadership at the HHS and OCR, may affect HIPAA enforcement activities, but it is too early to tell what direction OCR will take regarding HIPAA enforcement. It remains to be seen whether the current drives targeting noncompliance with the HIPAA Privacy Rule’s right of access and the HIPAA Security Rule risk analysis requirements will continue in 2025, or whether the Trump administration will target other areas of noncompliance.


