345 Major HIPAA Breaches Reported to Feds So Far This Year, Affecting 29.9 Million

As of mid-2025, recent data from the federal government highlights a recurring trend in the U.S. healthcare sector: hacking incidents, particularly ransomware attacks, alongside breaches involving third-party vendors, represent severe threats, impacting millions of individuals.
According to the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool, there have been 345 reported breaches affecting 500 or more individuals this year, totaling approximately 29.9 million individuals impacted. This marks a decrease from the 408 breaches affecting nearly 52.7 million people reported by the same date in 2024, when the number of people affected was nearly double this year’s figure.
Notably, hacking and IT incidents overwhelmingly dominate the breach landscape, accounting for 258 reported cases that compromised the data of 28.8 million individuals—close to 97% of those affected this year. Furthermore, nine of the ten largest breaches posted to the HHS Office for Civil Rights involved hacking incidents. The most significant breach thus far was reported by Yale New Haven Health System, impacting 5.5 million patients due to a hacking event identified in April.
Next in scale are incidents categorized as “unauthorized access/disclosures,” with 74 cases impacting over 950,000 people. The largest of these incidents was reported by Serviceaid and affected 483,000 individuals through an inadvertent data exposure linked to its work with Catholic Health, a network in New York.
Mid-Year Analysis of Health Data Breaches
Of the 345 breaches reported in 2025, 127 incidents involved third-party business associates and affected more than 15.8 million individuals. In other words, business associates were at the core of 37% of breaches but accounted for over half of the individuals impacted. A notable example is Episource, which experienced a ransomware attack that impacted 5.4 million individuals.
Experts emphasize the need for covered entities to enforce stringent security measures among their business associates. Mike Hamilton from Lumifi Cyber stresses that business associates should be held to the same standards and regulations, with annual audits backing up contractual obligations to ensure cybersecurity protocols are followed diligently.
Future Implications
As of this reporting period, healthcare organizations had reported at least 34 major breaches as involving only 500 or 501 individuals. This placeholder figure is typically used while organizations assess the full scope and impact on protected health information. As the analysis progresses, these numbers are likely to rise significantly. Indeed, there are instances where initial reports of minor impacts have grown into cases affecting millions, as demonstrated by the Change Healthcare incident.
Since the launch of the HHS OCR reporting system in September 2009, there have been 6,982 major health data breaches disclosed, affecting nearly 884.6 million individuals. The ongoing trends underscore the critical need for robust cybersecurity frameworks and vigilance within the healthcare sector.