10 largest healthcare data breaches reported to OCR in 2025

More than 35 million individuals were impacted by large healthcare data breaches reported to the HHS Office for Civil Rights in 2025, according to data displayed on OCR's public data breach portal. Upward of 20 million of those individuals were affected by the 10 largest breaches alone. 

The total is likely to rise as OCR continues to post 2025 breach reports, which stalled for weeks during the 43-day government shutdown that began in October 2025. Furthermore, the actual total number of individuals impacted by breaches in 2025 is likely much higher, as the OCR only publishes data on its portal regarding breaches that affected 500 people or more. 

This year's total is significantly lower than in 2024, which saw a record 168 million individuals impacted, largely due to the Change Healthcare cyberattack. However, the 2025 figure is still massive, and data breaches continued to disrupt operations and threaten patient privacy throughout 2025. 

Most of the data breaches reported to OCR in 2025 were attributed to hacking or IT incidents, which have remained the most common cause of healthcare data breaches for nearly a decade. 

While some of the following data breaches occurred in 2024, this list reflects breaches reported to OCR in 2025. 

Yale New Haven Health System: 5,556,702 individuals affected 

Yale New Haven Health System (YNHHS), the largest health system in Connecticut, reported a multimillion-record healthcare data breach in April 2025. YNHHS said that it discovered unusual activity within its IT systems on March 8, 2025, prompting it to launch an investigation. 

YNHHS determined that an unauthorized third party had gained access to its network and obtained copies of data, including names, birthdates, phone numbers, race or ethnicity, addresses, email addresses, patient type, medical record numbers and Social Security numbers. 

YNHHS's EMRs were not involved in the breach, and the incident did not impact the health system's ability to provide care. 

"YNHHS considers the health, safety, and privacy of patients our top priority," a notice on the health system's website stated. "We are continuously updating and enhancing our systems to protect the data we maintain and to help prevent events such as this from occurring in the future." 

Episource: 5,418,866 individuals affected 

Episource, an IT vendor that provides risk adjustment and medical coding services to health plans and providers, suffered a ransomware attack in February 2025 that resulted in a data breach. 

The company found unusual activity in its computer systems on Feb. 6, 2025. Episource launched an investigation and determined that a cybercriminal had accessed Episource systems between Jan. 27, 2025, and Feb. 6, 2025, and copied some data. 

The data involved in the breach varied but included some combination of name, address, phone number, email, health insurance data, medical record numbers, treatment information and other sensitive data, such as Social Security numbers. 

"We have taken several steps to mitigate and help prevent events like this from happening in the future. We investigated and called law enforcement," Episource stated. "We are also making our computer systems even stronger than before." 

Blue Shield of California: 4,700,000 individuals affected 

Blue Shield of California notified 4.7 million individuals of a breach that stemmed from a configuration of Google Analytics that allowed it to share member data with Google Ads. Blue Shield said that it used Google Analytics to track website usage of its members in order to improve its services. 

However, Blue Shield stated that the configuration could have allowed Google Ads to deliver ad campaigns back to impacted members, which would constitute a data breach. 

Blue Shield notified most of its members of the incident, as it could have affected any member who accessed their member information on the affected Blue Shield websites from 2021 to 2024. 

"We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone," Blue Shield stated. 

Blue Shield said that it severed the connection between Google Analytics and Google Ads on its sites in January 2024. What's more, Blue Shield conducted a review of its websites to ensure that no other analytics tracking software was sharing protected health information 

DaVita: 2,689,826 individuals affected 

Kidney care company DaVita suffered a ransomware attack in April 2025 that encrypted certain elements of the company's network. DaVita provides kidney dialysis services at more than 2,600 outpatient centers in the U.S. and 367 outpatient centers in 11 other countries. 

Interlock ransomware actors claimed responsibility for the attack, which resulted in a large data breach. 

DaVita's official breach notice stated that the incident began on March 24, 2025, and was not contained until April 12, when experts were able to block the cyberthreat actors from DaVita's servers. 

DaVita determined that sensitive data from its dialysis labs database was involved in the incident. The impacted patient information included names, addresses, Social Security numbers, health insurance information, dates of birth, health conditions and certain dialysis lab test results. For some impacted individuals, pictures of checks written to DaVita and tax identification numbers were involved. 

"As the sophistication of cyber incidents increases, we remain vigilant, continue to work with authorities and external experts, and enhance both education of our workforce and data security protocols to adapt to this increased sophistication," DaVita stated in its notice to customers.

Anne Arundel Dermatology: 1,905,000 individuals affected 

Anne Arundel Dermatology disclosed a 1.9-million-record data breach to OCR in July. The dermatology practice operates more than 30 locations across Maryland, Florida, Virginia, Georgia, North Carolina, Pennsylvania and Tennessee. 

Anne Arundel Dermatology said that an unauthorized party accessed certain files containing health information between Feb. 14, 2025, and May 13, 2025. 

The incident involved names, health insurance information, birth dates and addresses. 

Radiology Associates of Richmond: 1,419,091 individuals affected

Virginia-based Radiology Associates of Richmond (RAR) suffered a data breach in 2024, which it reported to OCR on July 1, 2025. The incident impacted 1.4 million individuals and occurred when an unauthorized party accessed RAR's network between April 2, 2024, and April 6, 2024. 

RAR completed its investigation into the incident in May 2025 and informed impacted individuals. 

"RAR is committed to maintaining the privacy of personal information in our possession and have taken  
many precautions to safeguard it," the company's breach notice stated. "We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information." 

Southeast Series of Lockton Companies: 1,124,727 individuals affected 

Kansas City, Missouri-based Southeast Series of Lockton Companies reported a large data breach to OCR in February 2025. Lockton is an independent insurance brokerage firm that provides services to several industries, including education, energy and healthcare. 

According to a filing Lockton submitted to the Maine Attorney General's Office, Lockton first discovered suspicious activity on a single computer in November 2024. The company immediately engaged law enforcement and third-party cybersecurity experts to investigate. 

The investigation revealed that an unauthorized party had accessed a single account and obtained certain files containing sensitive information, such as names, addresses and Social Security numbers. 

Lockton began notifying impacted individuals of the breach in February, following a comprehensive review of the data. The firm offered identity theft protection to affected individuals. 

Community Health Center: 1,060,936 individuals affected 

Community Health Center, a Middletown, Connecticut-based organization that provides primary care services, reported a data breach that occurred in January 2025. Upon noticing unusual activity within its computer systems, Community Health Center found that a "skilled criminal hacker" had entered its systems and taken some data. 

"Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal's activity did not affect our daily operations," a notice provided to state attorneys general stated. "We believe we stopped the criminal hacker's access within hours, and that there is no current threat to our systems." 

The information included in the breach included names, addresses, phone numbers, emails, diagnoses, dates of birth, treatment details, test results, Social Security numbers and health insurance information. 

Community Health Center said it began using special software to detect suspicious activity and took other steps to strengthen its security in the wake of the incident. 

Frederick Health: 934,326 individuals affected 

Maryland-based Frederick Health suffered a ransomware attack on Jan. 27, 2025, that disrupted its IT systems and reportedly resulted in an uptick in patient volume at a neighboring hospital. 

The healthcare organization, which operates 25 locations and a network of specialty providers, immediately activated its incident response protocols and took steps to secure its systems. Further investigation determined that an unauthorized party had gained access to the network and copied certain files from a file share server. 

The impacted documents contained patient names, addresses, Social Security numbers, driver's license numbers, medical record numbers, dates of birth, health insurance information and clinical information. 

"We take this incident very seriously and deeply regret any inconvenience or concern this incident may have caused," Frederick Health stated. "To help prevent a similar incident from occurring in the future, we have implemented, and will continue to adopt, additional safeguards to further protect and monitor our systems." 

McLaren Health Care: 743,131 individuals affected 

Michigan-based healthcare system McLaren Health Care suffered a criminal cyberattack in August 2024 that resulted in disruptions to its information technology and phone systems. The health system is made up of 13 hospitals, as well as a physician network and several ambulatory surgery centers. 

McLaren had to activate downtime procedures and cancel some non-emergency appointments and tests as it worked to recover from the cyberattack. According to the official breach notice, the unauthorized network access occurred between July 17, 2024, and Aug. 3, 2024. 

The information involved in the breach included names, Social Security numbers, billing or claims information, physician information, dates of birth, diagnoses, medical record numbers and prescription information. 

As 2025 continues, the OCR data breach portal will continue to reflect the vast number of breaches that regularly impact healthcare organizations and their business associates. 

Jill Hughes has covered healthcare cybersecurity and privacy news since 2021.