
Pramote Lertnitivanit/istock via
Biggest healthcare data breaches reported in 2025, so far
More than 29 million individuals were affected by healthcare data breaches in the first half of 2025.
Healthcare data breaches remain a challenge for healthcare organizations and their business associates, as exemplified by the nearly 30 million records implicated in large data breaches in the first six months of 2025.
The HHS Office for Civil Rights (OCR) displays healthcare data breaches impacting more than 500 individuals on its breach portal, giving covered entities and the public a peek into this pervasive issue.
Four of the 10 biggest healthcare data breaches (by number of individuals impacted) reported to OCR in 2025 affected provider organizations, while the remaining six impacted business associates.
Notably, nine of the 10 breaches involved hacking or IT incidents, while just one was caused by an unauthorized disclosure. As previously reported, researchers observed that it was not until 2017 that hacking became the primary cause of healthcare data breaches, surpassing theft and unauthorized access and reflecting a shift in the cyberthreat landscape.
While some of the following data breaches occurred in 2024, this list reflects breaches reported to OCR in 2025.
Yale New Haven Health System: 5,556,702 individuals affected
Yale New Haven Health System (YNHHS), the largest health system in Connecticut, reported a multimillion-record healthcare data breach in April 2025. YNHHS said that it discovered unusual activity within its IT systems on March 8, 2025, prompting it to launch an investigation.
YNHHS determined that an unauthorized third party had gained access to its network and obtained copies of data, including names, birthdates, phone numbers, race or ethnicity, addresses, email addresses, patient type, medical record numbers and Social Security numbers.
YNHHS's electronic medical records were not involved in the breach, and the incident did not impact the health system's ability to provide care.
"YNHHS considers the health, safety, and privacy of patients our top priority," a notice on the health system's website stated. "We are continuously updating and enhancing our systems to protect the data we maintain and to help prevent events such as this from occurring in the future."
Episource: 5,418,866 individuals affected
Episource, an IT vendor that provides risk adjustment and medical coding services to health plans and providers, suffered a ransomware attack in February 2025 that resulted in a data breach.
The company found unusual activity in its computer systems on Feb. 6, 2025. Episource launched an investigation and determined that a cybercriminal had accessed Episource systems between Jan. 27, 2025, and Feb. 6, 2025, and copied some data.
The data involved in the breach varied but included some combination of name, address, phone number, email, health insurance data, medical record numbers, treatment information and other sensitive data, such as Social Security numbers.
"We have taken several steps to mitigate and help prevent events like this from happening in the future. We investigated and called law enforcement," Episource stated. "We are also making our computer systems even stronger than before."
Blue Shield of California: 4,700,000 individuals affected
Blue Shield of California notified 4.7 million individuals of a breach that stemmed from a configuration of Google Analytics that allowed it to share member data with Google Ads. Blue Shieldsaid that it used Google Analytics to track website usage of its members in order to improve its services.
However, Blue Shield stated that the configuration could have allowed Google Ads to deliver ad campaigns back to impacted members, which would constitute a data breach.
Blue Shield notified most of its members of the incident, as it could have affected any member who accessed their member information on the affected Blue Shield websites from 2021 to 2024.
"We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone," Blue Shield stated.
Blue Shield said that it severed the connection between Google Analytics and Google Ads on its sites in January 2024. What's more, Blue Shield conducted a review of its websites to ensure that no other analytics tracking software was sharing protected health information
Southeast Series of Lockton Companies: 1,124,727 individuals affected
Kansas City, Missouri-based Southeast Series of Lockton Companies reported a large data breach to OCR in February 2025. Lockton is an independent insurance brokerage firm that provides services to several industries, including education, energy and healthcare.
According to a filing that Lockton submitted to the Maine Attorney General's Office, Lockton first discovered suspicious activity on a single computer in November 2024. The company immediately engaged law enforcement and third-party cybersecurity experts to investigate.
The investigation revealed that an unauthorized party had accessed a single account and obtained certain files containing sensitive information, such as names, addresses and Social Security numbers.
Lockton began notifying impacted individuals of the breach in February following a comprehensive review of the data. The firm offered identity theft protection to affected individuals.
Community Health Center: 1,060,936 individuals affected
Community Health Center, a Middletown, Connecticut-based organization that provides primary care services, reported a data breach that occurred in January 2025. Upon noticing unusual activity within its computer systems, Community Health Center found that a "skilled criminal hacker" had entered its systems and taken some data.
"Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal's activity did not affect our daily operations," a notice provided to state attorneys general stated. "We believe we stopped the criminal hacker's access within hours, and that there is no current threat to our systems."
The information included in the breach included names, addresses, phone numbers, emails, diagnoses, dates of birth, treatment details, test results, Social Security numbers and health insurance information.
Community Health Center said it began using special software to detect suspicious activity and took other steps to strengthen its security in the wake of the incident.
Frederick Health: 934,326 individuals affected
Maryland-based Frederick Health suffered a ransomware attack on Jan. 27, 2025, that disrupted its IT systems and reportedly resulted in an uptick in patient volume at a neighboring hospital.
The healthcare organization, which operates 25 locations and a network of specialty providers, immediately activated its incident response protocols and took steps to secure its systems. Further investigation determined that an unauthorized party had gained access to the network and copied certain files from a file share server.
The impacted documents contained patient names, addresses, Social Security numbers, driver's license numbers, medical record numbers, dates of birth, health insurance information and clinical information.
"We take this incident very seriously and deeply regret any inconvenience or concern this incident may have caused," Frederick Health stated. "To help prevent a similar incident from occurring in the future, we have implemented, and will continue to adopt, additional safeguards to further protect and monitor our systems."
Medusind: 701,475 individuals affected
Revenue cycle management vendor Medusind suffered a hack in December 2023 that it notified consumers of in January 2025.
On Dec. 29, 2023, the dental and medical billing provider discovered suspicious activity within its IT network and took the impacted systems offline the same day. Further investigation revealed that an unauthorized party had obtained copies of certain files.
The impacted files included health insurance and billing information, payment information, medical history, prescription information, Social Security numbers and contact information.
The Florida-based company notified patients on behalf of its healthcare organization clients and offered complimentary identity monitoring to affected individuals.
Kelly & Associates Insurance Group: 553,332 individuals affected
Maryland-based Kelly & Associates Insurance Group, also known as Kelly Benefits, suffered unauthorized access to its systems in December 2024. A hacker copied files on its network, resulting in a data breach.
Kelly Benefits reported several supplemental notices to state attorneys general as it worked to determine the extent of the data breach, which ultimately impacted more than 553,000 individuals across dozens of its client organizations.
The data involved in the breach included names, Social Security numbers, dates of birth, tax ID numbers, medical information, health insurance information and financial account information.
Kelly Benefits provided notice on behalf of more than 40 organizations, including Aetna Life Insurance Company, Vision Benefits of America and United Healthcare.
"As is our typical practice, Kelly Benefits will continue to review our already robust security policies, procedures, and tools as part of our ongoing commitment to information security," Kelly Benefits stated.
The company is now facing multiple lawsuits over the breach.
Numotion: 494,326 individuals affected
United Seating and Mobility, which does business as Numotion, reported a March 2024 data breach to OCR in March 2025. Numotion is a wheelchair and mobility equipment provider.
According to its breach notice, an unauthorized party accessed certain employee email accounts on several occasions between Sept. 2, 2024, and Nov. 18, 2024. Numotion's review of the impacted email accounts revealed that some patient information may have been viewed.
The data involved in the breach included financial account information, health insurance information, names, dates of birth, product information, medical information and Social Security numbers.
Numotion said there was no indication that any information had been used for fraud or identity theft.
Serviceaide: 483,126 individuals affected
More than 480,000 Catholic Health patients were impacted by a November 2024 data breach stemming from Serviceaide, a vendor that provides AI-powered enterprise service, automation and digital service management solutions.
Serviceaide provided IT support management services to Buffalo, New York-based Catholic Health. On Nov. 15, 2024, Serviceaide discovered that certain information within its Catholic Health Elasticsearch database was inadvertently made publicly available between Sept. 19, 2024, and Nov. 5, 2024.
"Please note, the investigation did not identify any evidence that information was copied, but we are unable to rule out this type of activity," Serviceaide stated in its May 2025 breach notice.
"As such, a data review vendor was engaged to conduct a comprehensive and time-intensive review of the potentially impacted data to identify any personal health information contained therein and to whom that information relates."
The review determined that the publicly available information included names, Social Security numbers, medical record numbers, patient account numbers, health insurance information, clinical information, and usernames and passwords.
"Upon learning of this incident, we secured the Catholic Health Elasticsearch database, performed an investigation, and reviewed the potentially impacted data to identify any individuals as quickly as possible," Serviceaide stated.
As we enter the second half of 2025, the OCR data breach portal will continue to reflect the vast number of breaches that impact healthcare organizations and their business associates regularly.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.