Biggest healthcare data breaches reported in 2025

Large breach reports in 2025 show fewer headline events than 2024, but exposure volumes remain high, with many incidents still working through reporting pipelines.

What happened

Healthcare organizations continued reporting large-scale breaches throughout 2025, with more than 35 million individuals affected across ransomware incidents, vendor compromises, and unauthorized access cases. Reporting delays linked to investigative backlogs and operational disruptions mean that year end totals are still subject to revision as additional filings are posted to federal systems.

Going deeper

Many of the largest breaches followed a familiar pattern. Attackers gained access to a high-value system, often through a third party or shared service provider, and remained undetected long enough to allow large-scale data exposure. In several cases, organizations initially reported smaller figures, then expanded impact totals after forensic reviews and data mining exercises were completed. Vendor-related incidents continued to play an outsized role, as a single compromise frequently affected multiple healthcare clients and their patient populations.

In the know

The largest healthcare breaches disclosed or confirmed during 2025 include:

• Aflac, more than 22.6 million individuals affected
• Conduent Business Services, more than 10.5 million individuals affected
• Yale New Haven Health System, approximately 5.56 million individuals affected
• Episource, approximately 5.42 million individuals affected
• Blue Shield of California, approximately 4.7 million individuals affected
• DaVita, approximately 2.69 million individuals affected
• Anne Arundel Dermatology, approximately 1.9 million individuals affected
• Radiology Associates of Richmond, approximately 1.42 million individuals affected
• Lockton Companies Southeast Series, approximately 1.12 million individuals affected
• Community Health Center, approximately 1.06 million individuals affected
• Frederick Health, approximately 934,000 individuals affected
• McLaren Health Care, approximately 743,000 individuals affected
• Medusind, approximately 701,000 individuals affected
• Kelly Benefits, approximately 553,000 individuals affected

Several of these incidents remain under review, and totals may change as regulators update public records.

What was said

Across 2025 disclosures, organizations generally framed incidents as ongoing investigations, often noting that core clinical systems were not always accessed, while still acknowledging exposure of personal and health-related data elements. Many also warned recipients to watch for follow-up phishing, suspicious calls, or account reset lures that reference the breached organization, since identity details from breach data are frequently reused to make social engineering more convincing.

The big picture

Breach disclosures in 2025 suggest the healthcare sector is moving into a more dangerous phase rather than stabilizing. While the number of headline-grabbing incidents fell from the record-setting levels of 2024, attackers continued to refine how they operate. “We saw a clear shift from opportunistic attacks to highly coordinated, multi-stage operations,” said Dave Bailey, vice president of security services at Clearwater. “Threat actors treated healthcare like a high-value supply chain.” That approach helps explain why vendor compromises and shared platforms remained a dominant driver of large patient exposure totals throughout the year.

Heading into 2026, experts expect these patterns to intensify rather than fade. Bailey warned that attackers are moving beyond simple encryption toward disruption that directly affects care delivery. “We will see more disruptive attacks masquerading as traditional ransomware events,” he said, predicting efforts to corrupt backups, damage infrastructure, and prolong downtime. Tom Walsh, president of tw-Security, added that identity-based attacks are also increasing as healthcare organizations rely more heavily on cloud systems. “When an attacker obtains a user's session identifier… they can use that to impersonate that user,” Walsh said, noting that these techniques allow attackers to remain undetected long enough to steal data or interfere with operations.

FAQs

Why do annual breach totals change after year-end?

Large incidents take time to investigate. Organizations often file initial figures, then update counts after forensic review, data mining, and address verification, which can push numbers higher later.

What types of incidents tend to drive the highest patient counts?

Vendor compromises, clearinghouse or billing platform incidents, and large health system attacks often create the biggest totals, because a single event can touch many member, patient, or customer records across multiple entities.

Why do healthcare breaches often include both identity data and clinical identifiers?

Healthcare workflows link demographic data to billing and clinical records. Even when full charts are not taken, datasets commonly include names, contact details, dates of birth, insurance identifiers, and internal record numbers.

What should people do if they receive a breach notice but see no fraud yet?

Treat it as a phishing risk. Avoid clicking links in unexpected messages, verify communications through official channels, monitor accounts and credit reports, and consider a fraud alert or credit freeze if Social Security numbers or government IDs were involved.

How do regulators typically assess whether an organization did enough to protect data?

Reviews often look for basics done consistently: access controls, multifactor authentication, logging and monitoring, vendor oversight, incident response readiness, and whether detection and notification timelines were reasonable given what the organization knew and when.