ITRC: 23 Million Individuals Affected by Data Breaches in Q3, 2025
The latest data from the Identity Theft Resource Center (ITRC) has confirmed that system compromises and data breaches are still being reported in high numbers, although there has been a slight reduction in incidents compared to the previous quarter. In Q2 2025, ITRC tracked 913 compromise incidents, plus a further 835 incidents in Q3. So far this year, ITRC has tracked 2,563 compromises, resulting in almost 202 million victim notices.
Given the high number of data compromises in each quarter this year, 2025 looks likely to be a record-breaking year, with only a further 640 compromises required in the last quarter of the year to set a new record. While compromises are up, the number of victim notices sent so far is down considerably from last year’s record-breaking total due to a reduction in mega data breaches. That said, there have been some sizeable data breaches this year.
In the first half of the year, five of the top ten biggest data breaches involved protected health information, with the data breaches at Yale New Haven Health System, Episource, and Blue Shield of California affecting more than 15.6 million patients. In Q3, while the biggest data breach was at TransUnion, involving 4.46 million victim notices, the next four largest data breaches occurred at healthcare organizations: the ransomware attack on the kidney dialysis provider DaVita (2,689,826 victims), and the cyberattacks on Anne Arundel Dermatology (1,905,000 victims), Radiology Associates of Richmond (1,419,091 victims), and Absolute Dental Group (1,223,635 victims).
Out of the 835 compromises in Q3, there were 749 confirmed data breaches involving 23,053,451 victim notices. Out of those data breaches, 691 were cyberattacks (22,985,802 victims), 46 were due to system and human error (62,297 victims), 33 breaches/exposures were supply chain attacks (3,793,381 victims), and 19 were due to physical attacks (5,352 victims). The highest number of data compromises occurred in the financial services sector (188 compromises), followed by healthcare (149 compromises), professional services (114 compromises), manufacturing (76 compromises), and education (45 compromises).
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The trend of withholding details of the attack vector in breach notices is continuing to grow, with 71% of victim notices in Q3 missing that information, up from 69% in the first half of the year. The attack vector can help victims of the breach gauge the level of risk they face. Failing to state the exact cause of the breach can place victims at an increased risk of identity theft and fraud. The advice from ITRC, given the frequency at which cyberattacks and data breaches now occur, is to place a credit freeze with each of the three main credit reporting agencies (Experian, Equifax & TransUnion), regardless of whether personal data has been compromised. In addition, it is important to practice good cyber hygiene, set unique 12+ character passphrases on all accounts, and ensure that multi-factor authentication is activated wherever possible.
