The HIPAA Journal recently published its 2025 Healthcare Data Breach Report, revealing a notable reduction in healthcare data breaches over the past year. According to Steve Alder’s analysis, data downloaded from the Office for Civil Rights (OCR) indicates a 4.3 percent decline in breaches compared to the previous year.
Despite this seemingly positive trend, Alder cautioned that it is premature to draw definitive conclusions, as the 2025 data is still being updated on the OCR breach portal. Notably, the portal received no new breach reports during the 43-day federal government shutdown in late 2025. Consequently, Alder suggested, the data added in 2026 may present a starker picture than prior years did.
The report indicates that breaches have stabilized within the range of 700 to 750 annually, averaging about two significant healthcare data breaches each day—effectively doubling the occurrence rate seen in 2018. Furthermore, the number of individuals impacted by these breaches has dramatically decreased. Specifically, at least 61,556,256 people had their protected health information (PHI) compromised in 2025, marking a 78.7 percent reduction from 2024 figures.
The most significant breach of 2025 involved a hacking incident at the insurer Aflac, affecting over 22.6 million individuals globally and resulting in unauthorized access to the PHI of nearly 14 million U.S. residents. This incident underscores the urgent need for vigilance in protecting sensitive data against such cyber threats.
Alder also highlighted a concerning trend: breached entities are increasingly hesitant to disclose the specific nature of the attack, such as whether it involved data theft, extortion, malware, or ransomware. In terms of breach types, the report notes slight reductions in incidents categorized as hacking, loss or theft of devices, and improper disposal, but a significant 17.4 percent increase in unauthorized access or disclosure incidents.
A majority of breaches (61.5 percent) involved exposed or stolen PHI residing on network servers. Additionally, 24.9 percent stemmed from compromised email accounts, while physical forms of PHI, such as paper records, accounted for 5.6 percent of breaches. Unauthorized access to electronic medical records represented 4.6 percent of incidents.
Currently, the OCR breach portal lists a total of 523 incidents involving healthcare providers, along with 56 breaches associated with health plans and two at healthcare clearinghouses. Additionally, business associates of HIPAA-covered entities reported another 128 data breaches, rounding out the picture of the ongoing cybersecurity challenges facing the healthcare sector.