June 2025 Healthcare Data Breach Report
There has been a 16.67% month-over-month increase in healthcare data breaches, and a 302.71% month-over-month increase in the number of individuals whose protected health information was exposed or impermissibly disclosed.

In June, HIPAA-regulated entities notified the HHS’ Office for Civil Rights (OCR) about 70 data breaches impacting 500 or more individuals, which is well above the 12-month average of 59 large data breaches per month. The high total is largely due to a phishing incident at a business associate that affected at least 25 cancer care and oncology practices.

The number of individuals affected by healthcare data breaches increased by 302% from May 2025. Across the 70 reported data breaches, the protected health information of 7,609,868 individuals was exposed or impermissibly disclosed.

Over the past 12 months, the median number of healthcare records breached per month is 4.7 million. The monthly average, 21.65 million affected individuals, is skewed by the 190 million-record data breach at Change Healthcare. The sizeable increase in June was largely due to a mega data breach at Episource, which affected 5.4 million individuals.
Biggest Healthcare Data Breaches in June 2025
The biggest data breach of the month was reported by Episource, an Optum subsidiary that provides medical coding, risk adjustment services, and software solutions for healthcare providers and health plans. Episource reported the data breach to OCR as affecting 5,418,866 individuals. Sharp HealthCare and Sharp Community Medical Group chose to report the breach themselves, which adds another 27,000 individuals to the total. It is unclear if all affected entities have reported the breach. No known hacking or ransomware group appears to have claimed responsibility for the attack.
McLaren Health Care in Michigan reported a ransomware attack in June that affected 743,131 individuals and involved the exfiltration of protected health information from its network. While notifications were issued in June, the attack was detected in early August 2024, with the hackers first gaining access to its network in July 2024. The delayed notification was due to the complexity of the data review. The Inc Ransom group claimed responsibility for the attack, but there is no listing on its data leak site, which suggests the ransom may have been paid.
The third largest breach of the month was reported by another business associate, Compumedics USA, Inc., a vendor that provides diagnostic and research technologies for sleep disorders for use in sleep study clinics. It is unclear if ransomware was used, but Compumedics has confirmed that patient data was stolen in the attack. The data breach affected 318,150 individuals.
One data breach that stands out was the phishing incident affecting Integrated Oncology Network (ION), a business associate that helps community oncology practices deliver patient-centered cancer care. At least 25 radiology and oncology practices in 12 US states reported data breaches to OCR due to the phishing incident, which is known to have affected almost 123,000 individuals. That total may grow further, as it is unclear if all affected oncology practices have now reported the data breach. The breach involved unauthorized access to emails, attachments, and SharePoint accounts.
An unusual data breach was reported this month by Sentara Health, a healthcare provider serving patients in Virginia, Northeastern North Carolina, and Florida. Sentara Health had recruited three individuals for remote working positions that involved access to patient data. Those individuals had virtual meetings with their managers in the weeks after commencing employment, during which it was noticed that they were not the individuals who were hired. The work duties had been farmed out to other individuals, with the hired individuals taking a percentage of the pay.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| --- | --- | --- | --- | --- |
| Episource, LLC | CA | Business Associate | 5,418,866 | Hacking incident – Data theft confirmed |
| McLaren Health Care | MI | Healthcare Provider | 743,131 | Ransomware attack – Data theft confirmed |
| Compumedics USA, Inc. | NC | Business Associate | 318,150 | Hacking incident – Data theft confirmed |
| Central Kentucky Radiology | KY | Healthcare Provider | 166,953 | Ransomware attack – Data theft confirmed |
| Southern Connecticut Vascular Center, LLC | CT | Healthcare Provider | 154,417 | Hacking incident |
| Select Medical Holdings Corporation | PA | Healthcare Provider | 119,525 | Hacking incident at business associate (Nationwide Recovery Service) |
| Horizon Healthcare RCM | IN | Healthcare Clearing House | 77,410 | Ransomware attack – Data theft confirmed |
| TRG, LLC | OR | Healthcare Provider | 70,434 | Hacking incident at business associate (Nationwide Recovery Service) |
| Decisely Insurance Services, LLC | GA | Business Associate | 65,405 | Hacked cloud storage platform – Data theft confirmed |
| Gardner Orthopedics LLC | FL | Healthcare Provider | 47,000 | Ransomware attack – Data theft confirmed |
| Renkim Corporation | MI | Business Associate | 46,592 | Hacking incident – Data theft likely |
| Cumberland County Hospital Association | KY | Healthcare Provider | 36,659 | Hacking incident |
| Rural Health Services | SC | Healthcare Provider | 36,542 | Hacking incident |
| Sharp HealthCare | CA | Healthcare Provider | 24,971 | Hacking incident at business associate (Episource) |
| Esse Health | MO | Healthcare Provider | 23,671 | Ransomware attack – Data theft confirmed |
| Texas Center for Infectious Disease Associates | TX | Healthcare Provider | 19,481 | Hacking incident – Network accessed following security breach at former billing vendor |
| Los Angeles County Developmental Services Fdn., Inc. dba Frank D. Lanterman Regional Ctr. | CA | Healthcare Provider | 19,000 | Compromised email account |
| California Cancer Associates for Research and Excellence – High Desert | CA | Healthcare Provider | 17,250 | Email account breach at business associate (Integrated Oncology Network) |
| Sensata Technologies, Inc. Health and Welfare Benefit Plan | MA | Health Plan | 15,630 | Ransomware attack – Data theft confirmed |
| Lake City Cancer Care, LLC | FL | Healthcare Provider | 15,142 | Email account breach at business associate (Integrated Oncology Network) |
| Apex Global Solutions, LLC | NY | Business Associate | 14,741 | Hacking incident |
| Sentara Health | VA | Healthcare Provider | 13,278 | Unauthorized access to electronic medical records – Employee farmed out work to other individuals |
| Radiation Oncology Network of Southern California, LLC | CA | Healthcare Provider | 12,944 | Email account breach at business associate (Integrated Oncology Network) |
| Rocky Mountain Oncology Care | WY | Healthcare Provider | 10,268 | Email account breach at business associate (Integrated Oncology Network) |
| Iron County Medical Center | MO | Healthcare Provider | 10,239 | Compromised email account (Phishing) |
In June, four healthcare data breaches were reported with suspected placeholder estimates of the number of affected individuals. Under the HIPAA Breach Notification Rule, an estimate of the number of affected individuals should be provided to OCR if the actual total is not known 60 days after the discovery of the breach. The total can then be updated when the investigation concludes. It is a common practice to report data breaches under these circumstances using a placeholder figure of 500 or 501 individuals. Given that three of the data breaches occurred at business associates, the actual number of affected individuals is likely to be significantly higher.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| --- | --- | --- | --- | --- |
| PDCM Insurance | IA | Business Associate | 501 | Hacking/IT Incident |
| Cerner Corporation | MO | Business Associate | 501 | Hacking/IT Incident |
| Diversified Services Enterprises | FL | Business Associate | 501 | Hacking/IT Incident |
| Clement Manor | WI | Healthcare Provider | 500 | Hacking/IT Incident |
Causes of June 2025 Healthcare Data Breaches
In June, 59 data breaches were reported as hacking and other IT incidents, which accounted for the vast majority of reported healthcare data breaches. Across those 59 incidents, the protected health information of 7,580,148 individuals was exposed or stolen, 99.61% of all breached records in June. The average breach size was 128,477 affected individuals, and the median breach size was 4,824 individuals.

There were 11 unauthorized access/disclosure incidents, affecting a total of 29,720 individuals. The average breach size was 2,702 affected individuals, and the median breach size was 1,099 individuals. No loss, theft, or improper disposal incidents were reported in June.
The most common location of breached protected health information in June was email accounts rather than network servers, which usually tops the list. In total, 36 data breaches involved protected health information stored in email accounts, 26 of which were due to the same incident. The protected health information of 169,076 individuals was exposed across those 36 data breaches. These breaches highlight the importance of conducting regular security awareness training sessions and phishing simulations. Training and phishing simulations have been proven to reduce susceptibility to phishing attempts, and conditioning employees to report suspicious emails to their security teams can greatly reduce the severity of a data breach.

Data Breaches at HIPAA-Regulated Entities
Healthcare providers reported 54 data breaches of 500 or more records to OCR in June, which affected 1,642,856 individuals. Data breaches were also reported by 13 business associates (5,873,366 affected individuals), 2 health plans (77,410 affected individuals), and 1 healthcare clearinghouse (16,236 affected individuals).
The entity reporting a data breach is not always the entity that experienced the data breach, as the phishing incident at ION this month demonstrated. It is ultimately the responsibility of each affected covered entity to ensure that notifications are issued when a data breach occurs at a business associate; however, HIPAA allows covered entities to delegate that responsibility to a business associate. As a consequence, business associate data breaches are often underrepresented in the breach data. The charts below show where the breach occurred, rather than the entity reporting the data breach.


Geographical Distribution of Healthcare Data Breaches
HIPAA-regulated entities in 29 states reported data breaches in June. California topped the list for data breaches with 14 incidents reported, 7 of which were due to the phishing incident at ION, and 3 were due to the Episource cyberattack.
| State | Breaches |
| --- | --- |
| California | 14 |
| Florida & Texas | 6 |
| Georgia, Kentucky, Michigan & Ohio | 4 |
| Missouri | 3 |
| Alaska, Indiana, Louisiana & New York | 2 |
| Arkansas, Colorado, Connecticut, Idaho, Iowa, Maryland, Massachusetts, Minnesota, North Carolina, Oklahoma, Oregon, Pennsylvania, South Carolina, Tennessee, Virginia, Wisconsin & Wyoming | 1 |
California was the worst-affected state in terms of the number of affected individuals. North Carolina and Connecticut made the top five, even though only one breach was reported in each of those states.
| State | Individuals Affected |
| --- | --- |
| California | 5,518,558 |
| Michigan | 795,480 |
| North Carolina | 318,150 |
| Kentucky | 209,648 |
| Connecticut | 154,417 |
HIPAA Enforcement in June 2025
There were no announcements about HIPAA enforcement actions by the HHS’ Office for Civil Rights or state attorneys general in June. Between January 1, 2025, and June 30, 2025, OCR imposed 17 penalties on HIPAA-regulated entities to resolve noncompliance with the HIPAA Rules, and $7,610,566 has been collected in settlements and civil monetary penalties.


