Cybersecurity Breaches Impact Over 35 Million Americans in 2025
More than 35 million individuals encountered significant compromises due to large-scale healthcare data breaches reported to the HHS Office for Civil Rights (OCR) throughout 2025. This alarming trend, highlighted in OCR’s public breach report database, reflects the ongoing risks faced by healthcare organizations and their clients. Notably, over 20 million individuals were affected by just the ten largest breaches, underscoring the widespread vulnerabilities impacting data security in the sector.
As OCR continues to update its breach reports from 2025, the total number of affected individuals is expected to climb. Reporting was interrupted for weeks during the 43-day government shutdown beginning in October 2025, leading to potential underreporting. The OCR’s disclosure typically reflects only incidents that affect 500 or more individuals, indicating that the actual number of victims may be much higher.
While this year’s figures saw a decline compared to the record 168 million individuals affected in 2024—largely due to the infamous Change Healthcare cyberattack—the 2025 statistics remain staggering. Data breaches continued to pose threats to patient privacy and disrupt operations across healthcare facilities throughout the year.
It is important to note that some breaches documented in 2025 may have taken place in the preceding year, illustrating the lag in reporting and investigation processes. One poignant example comes from Yale New Haven Health System, which revealed in April 2025 a massive breach impacting 5,556,702 individuals. The health system detected unusual activities in its IT systems on March 8, prompting an investigation that uncovered unauthorized access to sensitive data, including names, birth dates, addresses, and Social Security numbers. Crucially, electronic medical records were not compromised, and patient care was not affected.
Another significant breach involved Episource, an IT vendor specializing in risk adjustment and medical coding services for healthcare entities, impacting 5,418,866 individuals. This incident resulted from a ransomware attack discovered on February 6, 2025, which allowed malicious actors to access systems between January 27 and February 6. The data compromised included personal identification details and sensitive medical information. In response to the breach, Episource increased its cybersecurity measures and engaged with law enforcement.
Blue Shield of California also faced scrutiny after reporting a breach affecting 4.7 million members. This incident stemmed from a Google Analytics configuration that unintentionally shared member data with Google Ads. Although the organization assured that no malevolent actors exploited this data, the potential for harm raised substantial privacy concerns.
Other organizations, including DaVita, Community Health Center, and Frederick Health, reported significant incidents that collectively impacted millions more. DaVita’s ransomware attack, which compromised 2,689,826 individuals, exposed sensitive information such as health records and Social Security numbers. In contrast, Community Health Center reported an intrusion by a hacker, yet noted that no data was deleted or locked, allowing for uninterrupted operations.
The primary MITRE ATT&CK tactics reflected in these incidents include initial access through unauthorized system exploitation, data exfiltration, and persistence in maintaining a foothold within compromised networks. The varied methods employed reveal a troubling trend of increasingly sophisticated cyber threats targeting healthcare entities, forcing organizations to remain vigilant and adaptable in their cybersecurity protocols.
As we move through 2025, the OCR breach portal will continue to serve as a barometer of the pervasive data security challenges confronting healthcare providers. Stakeholders across the industry are urged to prioritize robust cybersecurity measures, addressing the vulnerabilities that leave patient data exposed to potential exploitation.
