March 2025 Healthcare Data Breach Report
Breach reporting data from the HHS’ Office for Civil Rights (OCR) is starting to show a reduction in healthcare data breaches. In 2024, an average of 61 large healthcare data breaches were reported each month (median: 60), and over the past two months, an average of 51 breaches have been reported each month. Excluding January, which includes breach reporting from Thanksgiving weekend, a busy time for cybercriminals, the average is the same.


In March, 53 data breaches affecting 500 or more individuals were reported to OCR by HIPAA-regulated entities. That’s the lowest March total since 2022 and a 46% reduction from the 98 data breaches reported in March 2023.

There has also been a considerable decrease in the number of individuals affected by healthcare data breaches, which fell for the third straight month to the lowest monthly total since January 2023. In March 2025, 1,754,097 individuals had their protected health information exposed, stolen, or impermissibly disclosed in a healthcare data breach, a 23% reduction from the 2,277,555 individuals affected in February 2025 and a 43.8% reduction from the 3,121,358 affected individuals in January 2025.

Last year, excluding the Change Healthcare data breach (190M records) as an outlier, an average of 7,369,560 individuals were affected by healthcare data breaches each month (median: 6,571,438). The total for March 2025 is 76.2% lower than the monthly average last year. On average, more individuals were affected by data breaches each month in 2024 than were affected by healthcare data breaches in January, February, and March 2025 combined.

Comparing March’s total to the corresponding period over the past five years, March 2025 saw the lowest number of individuals affected by healthcare data breaches since March 2020.

Biggest Healthcare Data Breaches in March 2025
In March 2025, 18 healthcare data breaches were reported to OCR that affected 10,000 or more individuals, including 6 breaches affecting 100,000 or more individuals. All of these data breaches were reported as hacking/IT incidents. March was somewhat atypical, however, in that two email-related data breaches featured among the three largest breaches of the month, including the largest reported breach, at Numotion, where the protected health information of almost half a million individuals was exposed after several employee email accounts were compromised. Given the high risk of phishing attacks, these breaches raise questions about why such large amounts of patient data were stored in email accounts rather than archived or moved to more secure locations.
Unfortunately, due to the growing trend of limiting the information provided to breach victims in individual and substitute notification letters, it is difficult to identify any ransomware trends from the breach data. Ransomware is rarely mentioned in breach notification letters, even though that information is invaluable to breach victims to help them accurately assess the level of risk they face from a data breach. Ransomware groups typically publish stolen data if the ransom is not paid, so these breaches can have more serious consequences for breach victims than other breach types.
There are also four breaches in the list below where the breached entity has not added a substitute breach notice to their website, and does not appear to have made any media announcement about the data breach, as required by the HIPAA Breach Notification Rule.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Cause of Breach |
|---|---|---|---|---|---|
| United Seating and Mobility, LLC d/b/a Numotion | TN | Healthcare Provider | 494,326 | Compromised employee email accounts | |
| Sunflower Medical Group, P.A. | KS | Healthcare Provider | 220,968 | Network Server | Hacking incident – data theft confirmed |
| CDHA Management, LLC and Spark DSO, LLC dba Chord Specialty Dental Partners | TN | Healthcare Provider | 173,430 | Compromised employee email accounts | |
| Community Dental Care, Inc. | MN | Healthcare Provider | 134,903 | Network Server | Hacking incident – data theft confirmed |
| Community Care Alliance | RI | Healthcare Provider | 114,975 | Network Server | Ransomware attack (Rhysida) – data theft confirmed |
| Hillcrest Convalescent Center, Inc. | NC | Healthcare Provider | 106,194 | Network Server | Hacking incident – data theft confirmed |
| Mercer County Joint Township Community Hospital | OH | Healthcare Provider | 88,541 | Network Server | Hacking incident – Network server |
| Concord Orthopaedics | NH | Healthcare Provider | 72,815 | Other | Hacking incident involving patient registration and appointment scheduling software |
| Western Wayne Family Physicians | MI | Healthcare Provider | 62,000 | Network Server | Hacking incident – No public breach information |
| OCH Regional Medical Center | MS | Healthcare Provider | 51,266 | Other | Hacking incident in 2023 |
| William F Rinehart DMD PA | SC | Healthcare Provider | 25,000 | Network Server | Hacking incident – No public breach information |
| Vision Upright MRI | CA | Healthcare Provider | 23,031 | Network Server | Hacking incident – No public breach information |
| Bay Cove Human Services, Inc. | MA | Healthcare Provider | 21,295 | Network Server | Hacking incident – Network server |
| Hand & Plastic Surgery Centre, PLC | MI | Healthcare Provider | 19,846 | Network Server | Hacking incident – Network server |
| Howard Health Systems dba Howard Memorial Hospital | AR | Healthcare Provider | 17,703 | Network Server | Hacking incident – Network server |
| Dove Healthcare | WI | Healthcare Provider | 16,255 | Network Server | Hacking incident – Network server |
| Georgia Urology | GA | Healthcare Provider | 12,398 | Compromised employee email accounts | |
| Nice Healthcare Management Company, Inc | MN | Healthcare Provider | 10,000 | Network Server | Hacking incident at business associate – No public breach information |
While the breach data shows low numbers of affected individuals, 7 healthcare data breaches were reported in March as affecting 500 or 501 individuals. These are commonly used placeholder figures when breach investigations continue past the deadline for reporting under the HIPAA Breach Notification Rule. As these investigations conclude, the totals should be updated, which could see the monthly number of affected individuals increase significantly.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Family Centers, Inc. | CT | Healthcare Provider | 501 | Network server hacking incident |
| North Hudson Community Action Corporation | NJ | Healthcare Provider | 501 | Network server hacking incident |
| Pineland Community Service Board | GA | Healthcare Provider | 501 | Network server hacking incident |
| SimonMed Imaging | AZ | Healthcare Provider | 500 | Network server hacking incident |
| Fundamental Administrative Services, LLC | MD | Business Associate | 500 | Network server hacking incident |
| Welts, White, & Fontaine PC | NH | Business Associate | 500 | Network server hacking incident |
| Columbia Eye Clinic | SC | Healthcare Provider | 500 | Network server hacking incident |
Causes of March 2025 Healthcare Data Breaches
In March, hacking and other IT incidents accounted for the majority of healthcare data breaches affecting 500 or more individuals. There were 42 reported hacking incidents, which is 79% of the month’s reported breaches. Across those 42 incidents, the records of 1,733,464 individuals were exposed, stolen, or impermissibly disclosed, which is 95.2% of the month’s total. On average, these incidents affected 40,058 individuals, and the median number of affected individuals was 5,415 per incident.
There were 9 unauthorized access/disclosure incidents in March, 16.98% of the month’s total breaches, and 82,833 individuals were affected, 4.72% of the month’s affected individuals. The average number of affected individuals was 9,204 per breach, and the median breach size was 1,552 individuals. There were 2 theft incidents, which is 3.77% of the month’s total, and 1,324 individuals (0.08%) were affected. There were no reported loss or improper disposal incidents.

Network servers were the most common location of breached protected health information, and there were 16 incidents involving compromised data in email accounts.
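The breakdowns in this section (share of reports and of affected individuals per breach type), the 500/501 placeholder caveat above, and the reporting-entity versus breached-entity distinction in the next section are all checks an analyst applies when working from the OCR breach portal export. The following script is an added example written for this report, not code from HIPAA Journal or OCR. It parses a constructed CSV sample laid out like the portal export (the column names are assumed to match the portal's), flags placeholder counts, computes per-type shares, and re-attributes reports flagged "Business Associate Present" to the business associate; that re-attribution rule is an assumption about how the flag should be read, not an OCR definition.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the (assumed) column layout of the OCR breach portal
# export. A handful of rows only, not the full March 2025 data set; the two
# "(constructed)" entities are invented to exercise the non-hacking categories.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Type of Breach,Location of Breached Information,Business Associate Present
Sunflower Medical Group,KS,Healthcare Provider,220968,Hacking/IT Incident,Network Server,No
Community Care Alliance,RI,Healthcare Provider,114975,Hacking/IT Incident,Network Server,No
Georgia Urology,GA,Healthcare Provider,12398,Hacking/IT Incident,Email,No
Nice Healthcare Management Company,MN,Healthcare Provider,10000,Hacking/IT Incident,Network Server,Yes
SimonMed Imaging,AZ,Healthcare Provider,500,Hacking/IT Incident,Network Server,No
Family Centers,CT,Healthcare Provider,501,Hacking/IT Incident,Network Server,No
Example Health Plan (constructed),TX,Health Plan,1552,Unauthorized Access/Disclosure,Paper/Films,No
Example Clinic (constructed),OH,Healthcare Provider,1324,Theft,Laptop,No
"""

# Counts commonly filed while an investigation is still open (see the report).
PLACEHOLDER_COUNTS = {500, 501}


@dataclass
class Breach:
    name: str
    state: str
    entity_type: str
    affected: int
    breach_type: str
    location: str
    ba_present: bool


def parse_breaches(text):
    """Parse portal-style CSV text into Breach records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append(Breach(
            name=r["Name of Covered Entity"].strip(),
            state=r["State"].strip(),
            entity_type=r["Covered Entity Type"].strip(),
            affected=int(r["Individuals Affected"]),
            breach_type=r["Type of Breach"].strip(),
            location=r["Location of Breached Information"].strip(),
            ba_present=r["Business Associate Present"].strip().lower() == "yes",
        ))
    return rows


def is_placeholder(affected):
    return affected in PLACEHOLDER_COUNTS


def placeholder_reports(breaches):
    """Names of reports whose count is a 500/501 placeholder and may later grow."""
    return [b.name for b in breaches if is_placeholder(b.affected)]


def summarize_by_type(breaches):
    """Per breach type: number of reports, individuals, and each as % of the month."""
    total_reports = len(breaches)
    total_affected = sum(b.affected for b in breaches)
    counts = defaultdict(int)
    affected = defaultdict(int)
    for b in breaches:
        counts[b.breach_type] += 1
        affected[b.breach_type] += b.affected
    return {
        t: {
            "reports": counts[t],
            "affected": affected[t],
            "pct_reports": round(100 * counts[t] / total_reports, 2),
            "pct_affected": round(100 * affected[t] / total_affected, 2),
        }
        for t in counts
    }


def attributed_entity_type(b):
    """Credit the breach to where it occurred rather than to who filed it
    (assumed rule: 'Business Associate Present' = Yes means it occurred at the BA)."""
    return "Business Associate" if b.ba_present else b.entity_type


def count_by_attributed_type(breaches):
    out = defaultdict(int)
    for b in breaches:
        out[attributed_entity_type(b)] += 1
    return dict(out)


if __name__ == "__main__":
    data = parse_breaches(SAMPLE_CSV)
    print("placeholder reports:", placeholder_reports(data))
    for t, s in summarize_by_type(data).items():
        print(f"{t}: {s}")
    print("reports by attributed entity type:", count_by_attributed_type(data))
```

Running the script on the sample credits the Nice Healthcare report to a business associate even though a healthcare provider filed it, which is exactly why business-associate breaches look rarer in reporting-entity counts than in breach-location counts; the placeholder list is the set of rows whose totals should be re-checked against later portal updates.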

Data Breaches at HIPAA-Regulated Entities
The majority of data breaches were reported by healthcare providers in March, with 45 incidents affecting 1,733,464 individuals. There were 5 data breaches at health plans affecting 18,911 individuals, and 3 data breaches reported by business associates of HIPAA-regulated entities, affecting just 1,722 individuals.
Those figures come from the reporting entity, rather than the entity that suffered the breach. Depending on the nature of the business associate agreement, a covered entity may report a breach that occurred at a business associate, which means breaches at business associates are often underrepresented in many healthcare data breach reports. The charts below are based on where the breach occurred, rather than the reporting entity.


Geographical Distribution of Healthcare Data Breaches
In March 2025, HIPAA-regulated entities in 33 U.S. states reported data breaches that affected 500 or more individuals. Michigan and Minnesota were the worst-affected states with four breaches in each state; however, in terms of individuals affected, Tennessee was the worst hit, with two breaches affecting 667,756 individuals, followed by Kansas with a single breach that affected 220,968 individuals.
| State | Breaches |
|---|---|
| Michigan & Minnesota | 4 |
| Connecticut & Pennsylvania | 3 |
| California, Georgia, Louisiana, Mississippi, New Hampshire, North Carolina, Ohio, South Carolina, Tennessee & Texas | 2 |
| Arizona, Arkansas, Colorado, Florida, Indiana, Kansas, Kentucky, Maryland, Massachusetts, Missouri, New Jersey, New Mexico, New York, Oklahoma, Rhode Island, Utah, Virginia, Washington & Wisconsin | 1 |
HIPAA Enforcement in March 2025
OCR announced two enforcement actions in March 2025 to resolve alleged violations of the HIPAA Rules, one under the HIPAA Right of Access enforcement initiative that has been running since late 2019, and the other under the more recent enforcement initiative targeting noncompliance with the risk analysis implementation specification of the HIPAA Security Rule.
OCR launched an investigation of Oregon Health & Science University after receiving a complaint from a patient who claimed not to have been provided with a full set of his records within the 30 days permitted by the HIPAA Privacy Rule. The patient had made several requests, and the records were finally provided 16 months after the initial request was made. OCR imposed a civil money penalty of $200,000 to resolve the alleged HIPAA Right of Access violation.
Health Fitness Corporation, an Illinois business associate, was investigated after filing a breach report with OCR about a credential stuffing incident. While investigating, OCR received further breach reports about similar incidents. OCR’s investigation determined that a comprehensive, accurate, organization-wide risk analysis had not been conducted to the standard demanded by the HIPAA Rules. The case was settled, and Health Fitness Corporation paid a $227,816 financial penalty. There were no announcements by state Attorneys General in March regarding financial penalties for HIPAA violations.