May 2025 Healthcare Data Breach Report
In May, 60 data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR), slightly below the 12-month average of 57 data breaches a month, and 11.8% fewer data breaches than April 2025.

Data breaches were reported in similar numbers to May 2024, and well below the number of data breaches in the same period between 2021 and 2023. So far in 2025, 311 data breaches affecting 500 or more individuals have been reported to OCR – a 13.1% decrease from the 358 data breaches reported in the first five months of 2024.

May had one of the lowest numbers of breached healthcare records in recent years, with 1,889,653 individuals affected by healthcare data breaches in May, well below the 12-month average of 21,269,259 affected individuals a month (median 4,171,894 individuals) and the lowest May total since 2020.

In the first 5 months of 2025, 23,106,676 individuals were affected by healthcare data breaches – a 52.4% decrease from the 48,502,775 affected individuals in the first 5 months of 2024.

Biggest Healthcare Data Breaches in May 2025
There were 24 data breaches affecting 10,000 or more individuals in May, and only 4 data breaches affecting more than 100,000 individuals. The largest data breach of the month occurred at the business associate Serviceaide, a provider of agentic AI agents for IT and workflow management. A database containing the protected health information of 483,126 patients of Catholic Health in Buffalo could be accessed online without a password.
The second-largest data breach also occurred at a business associate. Ocuco, an Irish provider of optical software solutions for eyecare businesses, experienced a hacking incident. At the time of writing, no announcement had been made about the data breach; however, the Killsec ransomware group claimed responsibility for the incident.
The SafePay ransomware group claimed responsibility for an attack on Marlboro-Chesterfield Pathology and gained access to the protected health information of 235,911 individuals. Harbin Clinic was the worst-affected client of the debt collection firm Nationwide Recovery Service, with hackers stealing the protected health information of 176,149 individuals. At least 15 clients of Nationwide Recovery Service are known to have been affected and had data stolen in the cyberattack. The total currently stands at more than 501,000 affected individuals, and that number is certain to grow over the coming weeks.
The most unusual data breach of the month affected patients and staff members at Northwell Health. A former employee of the Northwell Health Sleep Disorders Center installed hidden cameras in the bathrooms of Northwell Health facilities. The cameras were concealed in fake smoke detectors and recorded individuals using the facilities. Since individuals could be identified from the recordings, this was reported as a PHI breach. All individuals who had appointments while the cameras were installed were notified that they had potentially been affected. The former employee has been arrested and faces between 18 months and 4 years in prison if convicted.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Serviceaide, Inc. | CA | Business Associate | 483,126 | Unsecured database exposed PHI online |
| Ocuco Inc | FL | Business Associate | 240,961 | Hacking incident – Killsec ransomware group claimed responsibility |
| Marlboro-Chesterfield Pathology, P.C. | NC | Healthcare Provider | 235,911 | Hacking incident with confirmed data theft – The SafePay ransomware group claimed responsibility |
| Harbin Clinic, LLC | GA | Healthcare Provider | 176,149 | Hacking incident at a business associate (Nationwide Recovery Service) – Data theft confirmed |
| Covenant Surgical Partners, Inc. | TX | Business Associate | 88,609 | Hacking incident |
| Shelby Dermatology d.b.a Dermatologists of Birmingham | AL | Healthcare Provider | 86,414 | Hacking incident |
| Weiser Valley Hospital District dba Weiser Memorial Hospital | ID | Healthcare Provider | 59,990 | Hacking incident with confirmed data theft |
| The Cooper Health System | NJ | Healthcare Provider | 57,412 | Hacking incident |
| Instituto de Ojos de Puerto Rico | PR | Healthcare Provider | 50,000 | Hacking incident |
| UChicago Medicine Medical Group | IL | Healthcare Provider | 38,656 | Hacking incident at a business associate (Nationwide Recovery Service) – Data theft confirmed |
| Gateway Community Services, Inc. | FL | Healthcare Provider | 34,498 | Hacking incident with confirmed data theft |
| The Neurological Institute of Savannah & Center for Spine, P.C | GA | Healthcare Provider | 32,548 | Hacking incident with confirmed data theft – The RansomHub ransomware group claimed responsibility |
| Shore Medical Center | NJ | Healthcare Provider | 31,177 | Hacking incident at a business associate (Nationwide Recovery Service) – Data theft confirmed |
| Hunter Health Clinic | KS | Healthcare Provider | 28,431 | Unauthorized access to an employee’s email account |
| Compassion Health Care, Inc. | NC | Healthcare Provider | 23,282 | Hacking incident (ransomware) with confirmed data theft |
| Tri-City Cardiology Consultants, P.C. | AZ | Healthcare Provider | 22,753 | Hacking incident |
| Northwestern Community Services Board | VA | Healthcare Provider | 21,856 | Hacking incident |
| Community Hospital of Anaconda | MT | Healthcare Provider | 21,243 | Hacking incident |
| Sonrisas Dental Health | CA | Healthcare Provider | 15,644 | Hacking incident with confirmed data theft |
| Oliver Street Dermatology Management LLC | TX | Business Associate | 13,717 | Hacking incident |
| North Shore University Hospital Sleep Disorders Center | NY | Healthcare Provider | 13,332 | Former employee installed cameras in bathrooms and recorded videos that included identifying information, such as facial images |
| Radiology Chartered | WI | Healthcare Provider | 12,656 | Hacking incident at a business associate (Nationwide Recovery Service) – Data theft confirmed |
| Next Step Healthcare LLC | MA | Healthcare Provider | 12,090 | Hacking incident |
| Missouri Department of Conservation | MO | Health Plan | 10,260 | Hacking incident |
The breach reporting deadline of the HIPAA Breach Notification Rule is 60 days from the date of discovery of a data breach. If the reporting deadline is reached and the total number of affected individuals has not yet been determined, an estimate should be provided of the number of affected individuals. Many regulated entities use a figure of 500 or 501 affected individuals, then update the figure when the investigation concludes. In June, 9 regulated entities reported breaches with a 500 or 501 figure. These data breaches could turn out to be substantially larger.
| Name of Regulated Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Cahaba Center for Mental Health | AL | Healthcare Provider | 501 | Hacking/IT Incident |
| Doctors Hospital at Renaissance, LTD | TX | Healthcare Provider | 501 | Hacking/IT Incident |
| Union County Children and Youth Services | PA | Healthcare Provider | 501 | Hacking/IT Incident |
| Minnesota Orthodontics and Dentofacial Orthopedics, P.A. | MN | Healthcare Provider | 501 | Hacking/IT Incident |
| CardioVascular Health Clinic | OK | Healthcare Provider | 501 | Hacking/IT Incident |
| Absolute Dental Group, LLC | NV | Business Associate | 501* | Hacking/IT Incident |
| DermCare Management | FL | Business Associate | 501 | Hacking/IT Incident |
| Anesthesia Associates of Morristown, P.A. | NJ | Healthcare Provider | 501 | Improper Disposal |
| Anne Arundel County Department of Health | MD | Healthcare Provider | 500 | Hacking/IT Incident |
*Absolute Dental provided OCR with an updated total in August 2025, confirming that 1.2 million individuals were affected.
Causes of May 2025 Healthcare Data Breaches
Hacking and other IT incidents dominated the breach reports, accounting for 76.7% of the month’s data breaches. Across the 46 hacking/IT incidents, 1,368,928 individuals were affected – 72% of the month’s total. The average breach size was 29,759 records, and the median breach size was 6,610 records.

There were 13 unauthorized access/disclosure incidents affecting a total of 520,224 individuals. The average breach size was 40,017 records, and the median breach size was 1,786 records. A single improper disposal incident was reported, although it is unclear how many individuals were affected, as a placeholder figure of 501 individuals was used. For the second consecutive month, no theft or loss incidents were reported. The most common location of breach of protected health information was network servers, and there were 9 incidents involving unauthorized access to email accounts.

HIPAA-Regulated Entities Affected by May 2025 Healthcare Data Breaches
In May, 45 data breaches of 500 or more records were reported by healthcare providers, business associates reported 11 data breaches, and there were 4 data breaches at health plans. Depending on the terms of the business associate agreements, a data breach at a business associate may be reported by the business associate, the affected covered entities, or a combination of the two.
Taking this into account, in May, 37 data breaches occurred at healthcare providers, 20 occurred at business associates, and 3 occurred at health plans. Although there were more than twice as many data breaches at healthcare providers as at business associates, more individuals were affected by business associate data breaches, as shown in the pie charts below.


Geographical Distribution of Healthcare Data Breaches
Data breaches affecting 500 or more individuals were reported by HIPAA-regulated entities in 33 U.S. states and Puerto Rico in May. New Jersey, New York, and Pennsylvania experienced the most data breaches, with 4 breaches reported by entities based in each of those states. In terms of affected individuals, California topped the list with 498,770 individuals affected by its two data breaches, followed by Florida (275,960 individuals) and North Carolina (262,716 individuals).
| State | Data Breaches |
|---|---|
| New Jersey, New York, Pennsylvania & Texas | 4 |
| Florida, Georgia & North Carolina | 3 |
| Alabama, Arizona, California, Illinois, Iowa, Louisiana, Maine & Massachusetts | 2 |
| Colorado, Idaho, Indiana, Kansas, Maryland, Minnesota, Missouri, Montana, Nebraska, Nevada, Oklahoma, Oregon, Rhode Island, Tennessee, Virginia, Washington, West Virginia, Wisconsin & Puerto Rico | 1 |
HIPAA Enforcement in May 2025
OCR announced three settlements to resolve alleged HIPAA violations in May. The penalty amounts varied significantly, ranging from $5,000 to $800,000. The biggest penalty was imposed on BayCare Health System, a Florida-based non-profit health system. BayCare Health System was investigated after OCR received a complaint from a patient about unauthorized access to her physical and electronic protected health information. The woman claimed to have been contacted by an unknown individual who provided evidence of access to her records. OCR determined that the records had been accessed by a former staff member of a physician’s practice. OCR determined that there was a failure to limit access to PHI to the minimum necessary information, a failure to review records of activity in information systems, and a risk management failure. The case was settled with an $800,000 financial penalty.
Comstar, LLC, a provider of billing, collection, and related services to non-profit and municipal emergency ambulance services, was investigated over a ransomware attack that involved unauthorized access to the protected health information of 585,621 individuals. OCR’s investigation determined that a HIPAA-compliant risk analysis had not been conducted and agreed to settle the HIPAA violation for $75,000.
Vision Upright MRI, a small California-based MRI service provider, was investigated over a hacking incident and data breach involving the protected health information of 21,778 individuals. OCR determined that a risk analysis had not been conducted, and the data breach had not been reported to OCR. The alleged HIPAA violations were settled for $5,000.
When civil monetary penalties are imposed, it is usually clear how the penalty amount has been calculated; however, it is not always clear when cases are settled. OCR has previously stated that several factors are considered, such as the severity of the HIPAA violations, the number of individuals affected, the impact of the data breach on those individuals, whether recognized security practices had been adopted continuously for the previous 12 months, and the ability of the regulated entity to pay a fine. It is unclear which, if any, of these factors played a part in the low penalty for Vision Upright MRI compared to the penalty for Comstar.


