Largest Healthcare Data Breaches of 2025
It has been another bad year for healthcare data breaches, although the breach report data currently show a considerable improvement over last year, with the number of large data breaches and the number of affected individuals both falling considerably. As of December 31, 2025, almost 57 million individuals are known to have been affected by healthcare data breaches in 2025, and at least 642 data breaches affecting 500 or more individuals are currently shown on the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal.
There is a delay between data breaches being reported to OCR and being added to the OCR breach portal. While the delay between OCR being notified and the breach being added to the data breach portal is usually up to two weeks, data breach additions came to a grinding halt due to the 43-day government shutdown, and based on the low totals for October and November, it appears that the backlog has yet to be cleared, so the figures are likely to increase over the coming weeks. They will be reflected on our Healthcare Data Breach Statistics page
The year-over-year improvement is unsurprising given that 2024 was a record-breaking year in terms of the number of affected individuals. Last year, a gargantuan data breach occurred at Change Healthcare, which affected an estimated 192,700,000 individuals. That single data breach accounted for 66.7% of the 288,985,951 affected individuals in 2024. In 2024, 742 data breaches affecting 500 or more individuals were reported to OCR, and so far, 642 data breaches are listed on the OCR data breach portal for 2025 – a 13.5% reduction in large healthcare data breaches.
The Largest Healthcare Data Breaches of 2025
The table below shows the largest healthcare data breaches of 2025 known at the time of publication, including one breach that has yet to be confirmed by OCR – Aflac – and another that warrants inclusion – the data breach at Oracle Health, where the number of affected individuals has yet to be disclosed. At the time of publication, 15 healthcare data breaches were reported in 2025 that affected more than 500,000 individuals
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
| HIPAA-Regulated Entity | State | Entity Type | Individuals Affected |
| Conduent Business Services LLC | NJ | Business Associate | TBC – Currently known to be more than 25 million |
| Aflac | GA | Health Plan | 13,924,906 |
| Yale New Haven Health System | CT | Healthcare Provider | 5,556,702 |
| Episource, LLC | CA | Business Associate | 5,418,866 |
| Blue Shield of California | CA | Business Associate | 4,700,000 |
| DaVita Inc. | CO | Healthcare Provider | 2,689,826 |
| Anne Arundel Dermatology | MD | Healthcare Provider | 1,905,000 |
| Radiology Associates of Richmond, Inc. | VA | Healthcare Provider | 1,419,091 |
| Southeast Series of Lockton Companies, LLC (Lockton) | GA | Business Associate | 1,124,727 |
| Community Health Center, Inc. | CT | Healthcare Provider | 1,060,936 |
| Frederick Health | MD | Healthcare Provider | 934,326 |
| McLaren Health Care | MI | Healthcare Provider | 743,131 |
| Medusind Inc. | FL | Business Associate | 701,475 |
| Kelly & Associates Insurance Group, Inc. | MD | Business Associate | 553,332 |
| United Seating and Mobility, LLC d/b/a Numotion | TN | Healthcare Provider | 529,004 |
| Oracle Health (Cerner) | MO | Business Associate | Unknown* |
* The Conduent Business Services data breach is currently listed on the OCR data breach portal as affecting 42,616 individuals, but has been reported to the Oregon Attorney General as affecting almost 10.52 million individuals nationwide, and the Texas Attorney General was informed that 15,49 million individuals in the state have been affected. The total number of victims has yet to be determined/disclosed.
Conduent Business Services – 25 Million+ Individuals
The largest healthcare data breach of 2025 by some distance was reported by the HIPAA business associate, Conduent Business Services. Conduent is a business associate of HIPAA-covered entities and government agencies that provides a range of back-office services. Conduent reported a data breach to OCR in October 2025 as involving unauthorized access to the protected health information of 42,616 individuals, including names, dates of birth, Social Security numbers, treatment information, and claims information.
Since then, the Oregon Attorney General has been informed that the data breach was far more severe, involving unauthorized access to the sensitive data of more than 10.5 million individuals. The Texas Attorney General was later informed that 14,791,500 individuals in Texas were affected, and that total was later increased to 15,494,592 individuals. Other state attorneys general have also received notifications confirming that some of their state residents have been affected, but the investigation is ongoing, and a final total has yet to be provided. As it stands, more than 25 million individuals are known to have been affected.
The incident was described as a security incident that caused an outage, resulting in temporary disruption to its services – terminology often used to describe a ransomware attack. The Safepay ransomware group claimed responsibility for the attack and added Conduent to its data leak site, although the listing has now been removed, suggesting the ransom was paid.
Aflac – 13.9 Million Individuals
In a June 12, 2025, filing with the U.S. Securities and Exchange Commission (SEC), the insurance giant Aflac disclosed a cyberattack by a threat actor that “may be affiliated with a known cyber-criminal organization.” While not confirmed by Aflac, that group is widely believed to be the Scattered Spider threat group, which at the time was targeting the insurance industry. The data breach was reported to OCR on August 8, 2025, using a placeholder figure of 500 affected individuals, as the investigation was ongoing at the time. The hackers gained access to names, addresses, dates of birth, government-issued ID numbers such as passports and state ID card numbers, driver’s license numbers, Social Security numbers, medical information, and health insurance information.
As the year drew to a close, Aflac confirmed that there had been unauthorized access to the sensitive data of 22.65 million individuals globally. The OCR breach portal has since been updated to confirm that the protected health information of at least 13,924,906 individuals was compromised in the incident.
Yale New Haven Health System – 5.56 million individuals
The largest healthcare data breach of 2025, currently listed on the OCR data breach portal, affected Yale New Haven Health System, the largest health system in the state of Connecticut. Yale New Haven Health System reported the data breach to OCR in April 2025, after its investigation determined that hackers breached its network on March 8, 2025, and obtained the sensitive data of 5,556,702 individuals.
The electronic medical record system was not accessed, and the hackers were unable to access financial information; however, they did obtain names, contact information, demographic information, medical record numbers, and Social Security numbers. Yale New Haven Health faced multiple class action lawsuits over the data breach, which were settled rapidly. Yale New Haven Health agreed to an $18 million settlement to resolve a consolidated class action lawsuit that amalgamated 18 separate complaints, just 7 months after the data breach occurred.
Episource, LLC – 5.42 million individuals
The UnitedHealth (Optum) subsidiary Episource, a provider of medical coding, risk adjustment services, and software solutions for healthcare providers and health plans, experienced a ransomware attack in February 2025 that involved the exfiltration of files containing sensitive patient data. Data compromised in the attack included names, contact information, medical information, and health insurance information. The ransomware group gained access to EpiSource’s AWS environment,
The investigation confirmed that the ransomware group had access to its network from January 27, 2025, to February 6, 2025, and potentially obtained the protected health information of 5,418,866 individuals. Multiple healthcare provider clients were affected by the attack, including Sharp HealthCare and Sharp Community Medical Group.
Blue Shield of California – 4.7 million individuals
The health insurance provider Blue Shield of California was one of many healthcare entities to experience data breaches involving tracking software on their websites. In this case, Blue Shield of California had added Google Analytics code to certain websites, which was configured in a way that resulted in member data being shared with Google Ads for almost 3 years. In certain cases, the protected health information shared with Google may have been used to serve members with personalized Google Ads related to their interactions on Blue Shield of California websites. For instance, if the “Find a Doctor” service was used, then search criteria and results may have been disclosed.
While the scale of the breach – up to 4.7 million individuals – makes it one of the worst of the year, notification letters were issued to all members who accessed the websites over 3 years, there was limited potential for harm, and no indications that any bad actor was able to access plan members’ data.
DaVita – 2.69 million individuals
The Denver, CO-based kidney dialysis service provider DaVita experienced a ransomware attack in April 2025. DaVita operates more than 2,600 kidney dialysis centers across the United States, and while the attack caused temporary operational disruption, critical care provided to patients across the United States was unaffected.
The ransomware group was able to access a laboratory database containing the protected health information of 2,689,826 individuals, including demographic information, clinical information, and tax information. The Interlock ransomware group claimed responsibility for the attack and had access to DaVita systems from March 24, 2025, to April 12, 2025.
Anne Arundel Dermatology – 1.91 million individuals
Anne Arundel Dermatology, a dermatology practice with more than 30 locations in 7 U.S. states, experienced a hacking incident that saw unauthorized individuals access its network from February 14, 2025, to May 13, 2025. The systems compromised in the attack contained the protected health information of up to 1,905,000 individuals, including names, addresses, dates of birth, and health insurance information.
Since it was not possible to determine which records were viewed or copied, notification letters were mailed to all potentially affected individuals. Anne Arundel Dermatology was one of several dermatology practices to be targeted by hackers in 2025.
Radiology Associates of Richmond – 1.42 million individuals
Radiology Associates of Richmond, a provider of medical imaging services at seven hospitals in Virginia and multiple outpatient facilities within the state, experienced a cyberattack in April 2024, although the data breach was not reported to OCR until July 2025.
The hackers had access to its network from April 2, 2024, to April 6, 2024, and exfiltrated files containing the protected health information of 1,419,091 patients, including names, dates of birth, email addresses, Social Security numbers, account numbers, routing numbers, medical information, and health insurance information.
Southeast Series of Lockton Companies – 1.12 million individuals
Southeast Series of Lockton Companies (Lockton), an insurance brokerage company that provides employee benefits services, reported a data breach to OCR on February 28, 2025, that involved unauthorized access to its computer network on November 20, 2025. While initially reported as involving unauthorized access to the protected health information of 1,706 individuals, the total was later revised to 1,124,727 individuals.
Hackers had access to a single account and computer for a few hours, but during that time, they may have viewed or acquired names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and financial information.
Community Health Center – 1.06 million individuals
Community Health Center, a nonprofit healthcare provider in Middletown, Connecticut, identified unauthorized access to its computer network on January 2, 2025. The investigation confirmed that a hacker first accessed its network without authorization on October 14, 2024, and retained access until the intrusion was detected on January 2, 2025.
The attack did not involve file encryption; however, the hackers had access to sensitive patient data such as names, addresses, phone numbers, email addresses, dates of birth, diagnoses, test results, treatment information, health insurance information, and Social Security numbers. The investigation confirmed that up to 1,060,936 individuals were potentially affected.
Frederick Health – 934,000 individuals
Frederick Health Medical Group, a Maryland-based healthcare group, announced on January 27, 2025, that it had fallen victim to a ransomware attack. The group behind the attack was not disclosed, and remains unknown.
The investigation confirmed that the protected health information of up to 934,326 individuals was potentially compromised, including names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, medical record numbers, health insurance information, and/or clinical information related to patients’ care.
McLaren Health Care – 743,000 individuals
McLaren Health Care in Michigan experienced a ransomware attack in August 2024 that involved unauthorized access to systems used by McLaren Health Care and its Karmanos cancer centers between July 17, 2024, and August 3, 2024. The file review was extensive and time-consuming, revealing on May 5, 2025, that sensitive data had been compromised in the incident.
The data breach affected 743,131 individuals and involved unauthorized access to names, Social Security numbers, driver’s license numbers, medical information, and health insurance information. While not reported as a ransomware attack, the Inc Ransom ransomware group claimed responsibility. While McLaren Health Care was added to the Inc Ransom data leak site, the listing has been removed, suggesting the ransom was paid. This was McLaren Health Care’s second ransomware attack in the space of a year.
Medusind – 701,000 individuals
Medusind, a Florida-based revenue cycle management vendor and practice management software provider, reported a cyberattack and data breach to OCR in early January that was first identified on December 23, 2023. Initially, the data breach was determined to have affected 360,934 individuals; however, the total was increased on two further occasions, with a final tally of 701,475 individuals.
The hackers had access to names, demographic information, health insurance and billing information, debit/credit card numbers or bank account information, Social Security numbers, and other government-issued ID numbers. Medusind faced multiple class action lawsuits over the data breach and settled the consolidated lawsuit for $5 million.
Kelly & Associates Insurance Group – 553,000 individuals
Kelly & Associates, doing business as Kelly Benefits, discovered a cyberattack in December 2024 and determined that hackers had access to its network from December 12, 2024, to December 17, 2024. During that time, they exfiltrated files containing names, dates of birth, Social Security numbers, health insurance information, financial account information, and medical information.
The data breach was not reported to OCR until April 2025, and notification letters were issued on a rolling basis. In late June 2025, the final victim tally was confirmed as 553,332 individuals. The delay in issuing notifications was due to the amount of data involved and the complexity of the file review.
United Seating and Mobility (Numotion) – 529,000 individuals
United Seating & Mobility, doing business as Numotion, a wheelchair and mobility equipment provider, identified unauthorized access to employee email accounts in November 2024. The investigation confirmed that the accounts were compromised between September 2, 2024, and November 18, 2024, as a result of responses to phishing emails.
The data breach was first reported to OCR in March 2025, as involving unauthorized access to the protected health information of 494,326 individuals, but the total was later revised to 529,004 individuals. The hackers were able to access names, dates of birth, product information, payment and financial account information, health insurance information, and medical information.
Oracle Health – Unknown
Oracle Health announced a hacking incident in late March 2025 involving unauthorized access to two legacy Cerner servers. Oracle Health acquired Cerner, an electronic medical record company, in December 2021, and the two servers were awaiting migration to Oracle Cloud.
A hacker claimed to have stolen data, and Oracle Health’s forensic investigation confirmed that the breach occurred on or after January 22, 2025. While Oracle Health confirmed that data had been stolen, the number of individuals affected has not been publicly disclosed. Recently, Oracle Health’s attorneys confirmed to an attorney representing some of the victims in a class action lawsuit that up to 80 hospitals may have been affected.
Oracle Health said it would notify the affected providers, and it is up to each one to determine if there was a reportable data breach and, if so, to report it to regulators. No list of the affected hospitals has been released, so it is difficult to accurately gauge the scale of the data breach, but it is suspected that the breach could have involved unauthorized access to millions of patient records.
