
February 2025 Healthcare Data Breach Report

There has been a 36% month-over-month reduction in healthcare data breaches, with 46 large healthcare data breaches reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in February – the lowest monthly total since September 2024.

Healthcare data breaches in the past 12 months - February 2025

Large data breaches are incidents that involve the protected health information (PHI) of 500 or more individuals. Aside from last year when there was an atypically high number of data breaches in February (67), February data breaches have been reported in similar numbers since 2020, with between 46 and 49 breaches reported each February.

February healthcare data breaches (2020-2025)

For the second consecutive month, the number of individuals affected by healthcare data breaches has fallen, dropping from 3.7 million individuals in December 2024 to 3.1 million in January and 1.2 million in February. February saw the lowest number of individuals affected by healthcare data breaches since May 2020 at the height of the COVID-19 pandemic.

Individuals affected by healthcare data breaches in the past 12 months - February 2025

While falling data breaches and reduced breach severity are good news, the high number of healthcare data breaches in 2024 and almost 277 million individuals affected by healthcare data breaches last year suggest February’s data is most likely a blip. Several cybersecurity firms have predicted healthcare cyberattacks are likely to continue to be reported in high numbers and may increase over the course of the year.


Individuals affected by February healthcare data breaches (2020-2025)

Biggest Healthcare Data Breaches in February 2025

In February, 16 data breaches were reported to OCR that affected 10,000 or more individuals – 11 hacking/IT incidents, 3 unauthorized access/disclosure incidents, and 2 theft incidents. The 5 biggest healthcare data breaches were all hacking incidents, with the largest data breach reported by the Texas health plan New Era Life Insurance Companies, involving the protected health information of 335,000 individuals.

Three of the top 16 data breaches were confirmed ransomware attacks and a further three involved compromised email accounts. Ransomware may have been used in more hacking incidents; however, ransomware attacks are generally not reported as such, with the term ransomware rarely mentioned in breach notifications. There has been a growing trend of disclosing little information about the nature of the attack in breach notification letters to reduce reputation damage and legal risk.

It is unusual for theft incidents to make the 10,000+ record list, but this month there were two. While one was a fairly standard breach – the theft of an employee’s mobile phone – the theft incident at Stram Center for Integrative Medicine was due to a malicious insider, who stole and misused the payment card information of at least one patient. The review of access logs indicated more than 15,000 patients may have had their data stolen. The former employee was arrested over the theft and card misuse and is facing criminal charges.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| New Era Life Insurance Companies | TX | Health Plan | 335,506 | Hacking incident – data theft confirmed |
| Legacy Professionals, LLP | IL | Business Associate | 216,752 | Hacking incident – data theft confirmed |
| Authority of the City of Bainbridge and Decatur County (“Memorial Hospital & Manor”) | GA | Healthcare Provider | 120,085 | Ransomware attack – data theft confirmed |
| VectraRx Mail Pharmacy Services, LLC | AZ | Healthcare Provider | 109,383 | Hacking incident |
| Primary Health-SMMPP, L.C. | AZ | Business Associate | 67,567 | Hacking incident |
| Charleston Area Medical Center | WV | Healthcare Provider | 67,413 | Email accounts compromised in phishing incident |
| Heartland Medical Clinic, Inc. dba Heartland Community Health Center | KS | Healthcare Provider | 43,768 | Email account compromised |
| Restorix Health, Inc. | LA | Business Associate | 38,553 | Email account compromised |
| Carolina Arthritis Associates | NC | Healthcare Provider | 36,961 | Hacking incident |
| Total Medical Imaging | FL | Healthcare Provider | 27,000 | Hacking incident at a business associate |
| Lake Washington Vascular | WA | Healthcare Provider | 21,534 | Ransomware attack – Qilin threat group |
| UNITED BACKCARE PS dba Pacific Rehabilitation Centers | WA | Healthcare Provider | 18,900 | Ransomware attack |
| City of McKinney | TX | Health Plan | 17,751 | Hacking incident |
| Stram Center for Integrative Medicine | NY | Healthcare Provider | 15,263 | Theft of patient data by employee – data misuse identified |
| Roswell Park Comprehensive Cancer Center | NY | Healthcare Provider | 11,435 | Theft of phone containing patients’ PHI |
| U.S. HEALTHWORKS-SMMPP, L.C. | AZ | Business Associate | 10,673 | Hacking incident |

In February, 6 healthcare data breaches were reported to OCR that affected 500 or 501 individuals. These figures are commonly used as placeholders to meet the reporting requirements of the HIPAA Breach Notification Rule. When the total number of individuals affected is not known by the breach reporting deadline, an estimate is used, with 500 or 501 the most commonly used figures. These six data breaches are likely to turn out to affect considerably more individuals than the breach portal suggests. For example, the record-breaking data breach at Change Healthcare in February 2024 was initially reported to OCR as affecting at least 500 individuals, before the estimate was revised to 100 million, then again to 190 million.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Ottawa Family Physicians | KS | Healthcare Provider | 501 | Hacking/IT Incident |
| Blue & Co., LLC | IN | Business Associate | 501 | Hacking/IT Incident |
| ARC Community Services, Inc. | WI | Healthcare Provider | 501 | Hacking/IT Incident |
| Central New York Cardiology | NY | Healthcare Provider | 500 | Hacking/IT Incident |
| Somnia, Inc. | NY | Business Associate | 500 | Hacking/IT Incident |
| CPS Solutions, LLC | OH | Business Associate | 500 | Hacking/IT Incident |

Causes of February 2025 Healthcare Data Breaches

The majority of the month’s data breaches (74%) were due to hacking and other types of IT incidents. Across these 34 incidents, the protected health information of 1,102,405 individuals was exposed or stolen. Hacking/IT incidents accounted for 89% of the month’s affected individuals. The average breach size was 32,424 individuals and the median breach size was 4,056 individuals.

There were 8 unauthorized access/disclosure incidents in February affecting a total of 98,936 individuals – 8% of the month’s affected individuals. The average breach size was 12,367 individuals and the median breach size was 5,893 individuals. There were 4 theft incidents reported in February that affected 36,860 individuals. The average breach size was 9,215 individuals and the median breach size was 9,954 individuals. No loss or improper disposal incidents were reported in February.

Causes of healthcare data breaches - February 2025

The most common location of breached protected health information was network servers, which is unsurprising due to the large number of hacking incidents. Email is a common location of breached healthcare information, with February reports indicating 14 email-related breaches. The high number of email incidents highlights the importance of implementing an advanced email security solution, multifactor authentication for email accounts, and providing regular security awareness training to the workforce, with a strong focus on phishing and social engineering avoidance.

Location of breached protected health information - February 2025 healthcare data breaches

Where Did the Data Breaches Occur?

The entity reporting a data breach may not be the entity that experienced the breach. When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure the data breach is reported to OCR, the affected individuals, and the media. Depending on the nature of the business associate agreement and other factors, the business associate may issue notifications, or the affected covered entities may report the breach. In some cases, that responsibility is split with some affected entities reporting the breach while the business associate reports the breach on behalf of other affected entities.

The raw data on the OCR breach portal shows 30 data breaches reported by healthcare providers (524,163 affected individuals), 11 data breaches reported by business associates (345,127 affected individuals), and 5 breaches reported by health plans (368,911 affected individuals). The charts below show adjusted figures based on where the breach occurred rather than the entity that reported the breach, to ensure that data breaches at business associates are accurately reflected.

Data breaches at HIPAA-regulated entities - February 2025

Individuals affected by data breaches at HIPAA-regulated entities - February 2025

Geographical Distribution of February 2025 Healthcare Data Breaches

Large healthcare data breaches were reported by HIPAA-regulated entities in 25 U.S. states in February 2025, with New York the worst affected with 7 data breaches, followed by Arizona and Texas with 4 data breaches. New York topped the list for data breaches, but they were relatively small, affecting a total of 39,178 individuals. In terms of the number of individuals affected, Texas topped the list with 354,947 individuals across its 4 data breaches. Illinois was second with 216,752 affected individuals, even though only one breach was reported in the state, and the third spot goes to Arizona, with 190,855 affected individuals.

| State | Data Breaches |
|---|---|
| New York | 7 |
| Arizona & Texas | 4 |
| Indiana | 3 |
| Florida, Georgia, Iowa, Kansas, Missouri, Ohio, & Washington | 2 |
| California, Hawaii, Illinois, Kentucky, Louisiana, Maryland, Michigan, Minnesota, Nebraska, North Carolina, Oklahoma, Tennessee, Wisconsin & West Virginia | 1 |

HIPAA Enforcement Activity in February 2025

The first OCR enforcement action under the Trump administration was announced in February. Warby Parker Inc., a manufacturer and online retailer of prescription eyewear, paid a $1.5 million civil monetary penalty to resolve multiple violations of the HIPAA Rules. The first breach report that prompted an investigation was filed in December 2018 – a credential stuffing attack that involved unauthorized access to 197,986 customer accounts. Further credential stuffing incidents were reported in September 2019, January 2020, April 2020, and June 2022, although those incidents only affected 484 individuals in total. The OCR investigation identified compliance failures in the areas of risk analysis, risk management, and reviews of records of activity in systems containing ePHI. State attorneys general can also take action against HIPAA-regulated entities over HIPAA violations, although there have been no announced fines or settlements so far in 2025.

About This Report

The data for this report was obtained from the HHS’ Office for Civil Rights on February 19, 2025, and has been supplemented with data from The HIPAA Journal and third-party data breach reporting. OCR has previously stated that it generally takes up to two weeks from the reporting date to publication on the OCR breach portal, and occasionally longer due to the checks that need to be performed. The data could therefore change, but these monthly breach reports are not updated after publication.

For regularly updated breach reporting data, check our healthcare data breach statistics page, our HIPAA violation cases page for the latest information on fines and settlements, and next month’s data breach report which is due to be published on or before March 21, 2025.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
