Biggest healthcare data breaches reported in 2025, so far

Yale New Haven Health System: 5,556,702 individuals affected

Yale New Haven Health System (YNHHS), the largest health system in Connecticut, reported a multimillion-record healthcare data breach in April 2025. YNHHS said that it discovered unusual activity within its IT systems on March 8, 2025, prompting it to launch an investigation.

YNHHS determined that an unauthorized third party had gained access to its network and obtained copies of data, including names, birthdates, phone numbers, race or ethnicity, addresses, email addresses, patient type, medical record numbers and Social Security numbers.

YNHHS's electronic medical records were not involved in the breach, and the incident did not impact the health system's ability to provide care.

"YNHHS considers the health, safety, and privacy of patients our top priority," a notice on the health system's website stated. "We are continuously updating and enhancing our systems to protect the data we maintain and to help prevent events such as this from occurring in the future."

Episource: 5,418,866 individuals affected

Episource, an IT vendor that provides risk adjustment and medical coding services to health plans and providers, suffered a ransomware attack in February 2025 that resulted in a data breach.

The company found unusual activity in its computer systems on Feb. 6, 2025. Episource launched an investigation and determined that a cybercriminal had accessed Episource systems between Jan. 27, 2025, and Feb. 6, 2025, and copied some data.

The data involved in the breach varied but included some combination of name, address, phone number, email, health insurance data, medical record numbers, treatment information and other sensitive data, such as Social Security numbers.

"We have taken several steps to mitigate and help prevent events like this from happening in the future. We investigated and called law enforcement," Episource stated. "We are also making our computer systems even stronger than before."

Blue Shield of California: 4,700,000 individuals affected

Blue Shield of California notified 4.7 million individuals of a breach that stemmed from a configuration of Google Analytics that allowed it to share member data with Google Ads. Blue Shield said that it used Google Analytics to track website usage of its members in order to improve its services.

However, Blue Shield stated that the configuration could have allowed Google Ads to deliver ad campaigns back to impacted members, which would constitute a data breach.

Blue Shield notified most of its members of the incident, as it could have affected any member who accessed their member information on the affected Blue Shield websites from 2021 to 2024.

"We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone," Blue Shield stated.

Blue Shield said that it severed the connection between Google Analytics and Google Ads on its sites in January 2024. What's more, Blue Shield conducted a review of its websites to ensure that no other analytics tracking software was sharing protected health information

DaVita: 2,689,826 individuals affected

Kidney care company DaVita suffered a ransomware attack in April 2025 that encrypted certain elements of the company's network. DaVita provides kidney dialysis services at more than 2,600 outpatient centers in the U.S. and 367 outpatient centers in 11 other countries.

Interlock ransomware actors claimed responsibility for the attack, which resulted in a large data breach.

DaVita's official breach notice stated that the incident began on March 24, 2025, and was not contained until April 12, when experts were able to block the cyberthreat actors from DaVita's servers.

DaVita determined that sensitive data from its dialysis labs database was involved in the incident. The impacted patient information included names, addresses, Social Security numbers, health insurance information, dates of birth, health condition and certain dialysis lab test results. For some impacted individuals, pictures of checks written to DaVita and tax identification numbers were involved.

"As the sophistication of cyber incidents increases, we remain vigilant, continue to work with authorities and external experts, and enhance both education of our workforce and data security protocols to adapt to this increased sophistication," DaVita stated in its notice to customers.

Anne Arundel Dermatology: 1,905,000 individuals affected

Anne Arundel Dermatology disclosed a 1.9-million-record data breach to OCR in July. The dermatology practice operates more than 30 locations across Maryland, Florida, Virginia, Georgia, North Carolina, Pennsylvania and Tennessee.

Anne Arundel Dermatology said that an unauthorized party accessed certain files containing health information between Feb. 14, 2025, and May 13, 2025.

The incident involved names, health insurance information, birth dates and addresses.

Radiology Associates of Richmond: 1,419,091 individuals affected

Virginia-based Radiology Associates of Richmond (RAR) suffered a data breach in 2024 that it reported to OCR on July 1, 2025. The incident impacted 1.4 million individuals and occurred when an unauthorized party accessed RAR's network between April 2, 2024, and April 6, 2024.

RAR completed its investigation into the incident in May 2025 and informed impacted individuals.

"RAR is committed to maintaining the privacy of personal information in our possession and have taken
many precautions to safeguard it," the company's breach notice stated. "We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information."

Southeast Series of Lockton Companies: 1,124,727 individuals affected

Kansas City, Missouri-based Southeast Series of Lockton Companies reported a large data breach to OCR in February 2025. Lockton is an independent insurance brokerage firm that provides services to several industries, including education, energy and healthcare.

According to a filing that Lockton submitted to the Maine Attorney General's Office, Lockton first discovered suspicious activity on a single computer in November 2024. The company immediately engaged law enforcement and third-party cybersecurity experts to investigate.

The investigation revealed that an unauthorized party had accessed a single account and obtained certain files containing sensitive information, such as names, addresses and Social Security numbers.

Lockton began notifying impacted individuals of the breach in February following a comprehensive review of the data. The firm offered identity theft protection to affected individuals.

Community Health Center: 1,060,936 individuals affected

Community Health Center, a Middletown, Connecticut-based organization that provides primary care services, reported a data breach that occurred in January 2025. Upon noticing unusual activity within its computer systems, Community Health Center found that a "skilled criminal hacker" had entered its systems and taken some data.

"Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal's activity did not affect our daily operations," a notice provided to state attorneys general stated. "We believe we stopped the criminal hacker's access within hours, and that there is no current threat to our systems."

The information included in the breach included names, addresses, phone numbers, emails, diagnoses, dates of birth, treatment details, test results, Social Security numbers and health insurance information.

Community Health Center said it began using special software to detect suspicious activity and took other steps to strengthen its security in the wake of the incident.

Frederick Health 934,326 individuals affected

Maryland-based Frederick Health suffered a ransomware attack on Jan. 27, 2025, that disrupted its IT systems and reportedly resulted in an uptick in patient volume at a neighboring hospital.

The healthcare organization, which operates 25 locations and a network of specialty providers, immediately activated its incident response protocols and took steps to secure its systems. Further investigation determined that an unauthorized party had gained access to the network and copied certain files from a file share server.

The impacted documents contained patient names, addresses, Social Security numbers, driver's license numbers, medical record numbers, dates of birth, health insurance information and clinical information.

"We take this incident very seriously and deeply regret any inconvenience or concern this incident may have caused," Frederick Health stated. "To help prevent a similar incident from occurring in the future, we have implemented, and will continue to adopt, additional safeguards to further protect and monitor our systems."

McLaren Health Care: 743,131 individuals affected

Michigan-based healthcare system McLaren Health Care suffered a criminal cyberattack in August 2024 that resulted in disruptions to its information technology and phone systems. The health system is made up of 13 hospitals as well as a physician network and several ambulatory surgery centers.

McLaren had to activate downtime procedures and cancel some non-emergency appointments and tests as it worked to recover from the cyberattack. According to the official breach notice, the unauthorized network access occurred between July 17, 2024, and Aug. 3, 2024.

The information involved in the breach included names, Social Security numbers, billing or claims information, physician information, dates of birth, diagnoses, medical record numbers and prescription information.

As 2025 continues, the OCR data breach portal will continue to reflect the vast number of breaches that regularly impact healthcare organizations and their business associates.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.