Entities report several large healthcare data breaches to OCR

Millions of individuals were impacted by the most recent healthcare data breaches reported to HHS.

In recent weeks, several large data breaches have been reported to the HHS Office for Civil Rights, or OCR, collectively affecting millions of individuals across the U.S. At the time of publication, more than 30 million individuals had been impacted by the hundreds of healthcare data breaches reported to OCR so far in 2025.

As exemplified below, large, standalone breaches show the impact that a single hack can have on a healthcare provider and its patients. Similarly, one incident at a widely used vendor can spread to numerous entities and spur multiple breach reports, as shown in the Integrated Oncology Network breach.

Cause, scope and origin aside, these recently reported data breaches show that cyberthreat actors are continuing to make their mark on the healthcare sector.

Dermatology practice suffers data breach impacting nearly 2 million people

Anne Arundel Dermatology, which operates more than 30 locations across Maryland, Virginia, Florida, Georgia, North Carolina, Pennsylvania and Tennessee, disclosed a 1.9-million-record data breach to OCR in July.

According to the practice's breach notice, an unauthorized party accessed certain files containing health information between Feb. 14, 2025, and May 13, 2025. Anne Arundel Dermatology launched an investigation and determined that the hack involved names, health insurance information, birth dates and addresses.

The incident is now the fourth-largest breach reported to OCR in 2025.

1.4M individuals affected by data breach at radiology practice

Virginia-based Radiology Associates of Richmond (RAR) reported a 2024 data breach to OCR on July 1, 2025, impacting 1.4 million individuals. RAR conducted an investigation and determined that an unauthorized party accessed its network between April 2, 2024, and April 6, 2024.

RAR completed its review of the impacted data on May 2, 2025. The breach included personal information as well as protected health information. RAR said it effectively contained the breach and began notifying individuals whose information may have been included in the files accessed by the unauthorized party.

"RAR is committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it," the company's breach notice stated. "We continually evaluate and modify our practices and internal controls to enhance the security and privacy of your personal information."

The RAR breach is the fifth-largest data breach reported to OCR in 2025, so far.

Integrated Oncology Network breach impacts more than 20 providers

Integrated Oncology Network (ION), a Cardinal Health-owned network of oncology practices, suffered an email phishing incident that impacted at least 23 other cancer care providers across multiple states. Each provider filed separate breach reports with OCR on June 27. Collectively, nearly 123,000 individuals were impacted.

ION said that an unauthorized party accessed a "small number" of email and SharePoint accounts between Dec. 13, 2024, and Dec. 16, 2024.

"Although the likely purpose of the unauthorized access was to perpetuate an email phishing scheme, certain emails and SharePoint files were accessed by the unauthorized parties," ION stated.

The emails, attachments and SharePoint files involved in the breach contained names, addresses, financial account information, diagnoses, lab results, medication and treatment information, health insurance and claims information and provider names. Some Social Security numbers were also involved.

ION notified the impacted physician practices of the breach on June 13, 2025, and mailed letters to impacted patients.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
