
Top healthcare data breaches of 2025 affect over 29 million (so far)

Written by Farah Amod | July 17, 2025

A review of reports filed in the first half of the year reveals the scale of ongoing cybersecurity challenges in the healthcare sector.


What happened

More than 29 million individuals were impacted by healthcare data breaches reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in the first six months of 2025. The OCR portal tracks incidents affecting over 500 people, showing both the frequency and severity of data breaches in the healthcare sector.

So far, nine of the ten largest breaches were the result of hacking or IT-related incidents. The affected organizations range from health systems to IT vendors and insurance providers. In total, four of the ten biggest breaches involved provider organizations, while six involved business associates, third parties that support healthcare entities and often handle protected health information (PHI).


Going deeper

Some of the most severe breaches reported include:

  • Yale New Haven Health System (CT): 5.5 million affected. Data accessed included names, Social Security numbers, and patient information.
  • Episource (Vendor): 5.4 million affected. A ransomware attack compromised data including medical records and treatment details.
  • Blue Shield of California: 4.7 million affected. Misconfigured Google Analytics integration resulted in member data exposure to Google Ads.
  • Southeast Series of Lockton Companies: 1.1 million affected. A targeted attack led to unauthorized file access.
  • Community Health Center (CT): 1 million affected. Hackers accessed PHI, including diagnoses and test results.

Other organizations impacted include Frederick Health, Medusind, Kelly Benefits, Numotion, and Serviceaide, many of which have confirmed that Social Security numbers, insurance data, or clinical information were involved.

While some breaches occurred in late 2024, they were formally reported to OCR in 2025 after investigations and data reviews were completed. Several organizations noted that their operational services were not disrupted, but all confirmed unauthorized access to sensitive information.


What was said

Organizations affected by the breaches generally expressed regret and stated their commitment to improving cybersecurity. Many initiated investigations, notified law enforcement, and offered free identity monitoring to impacted individuals. In the case of Blue Shield of California, the breach was not the result of hacking, but of a data-sharing configuration that may have exposed member information to targeted advertising.

Most entities cited updates to their monitoring systems and policy reviews in response to the incidents. Some, like Kelly Benefits, now face multiple lawsuits.


The big picture

The first half of 2025 has seen multiple data breaches affecting healthcare organizations and their vendors. As more third-party service providers handle protected health information, breaches involving business associates continue to surface. Healthcare data remains attractive to attackers due to its sensitivity, longevity, and limited ability to be changed once exposed.

Recent incidents have stemmed from various sources, including phishing, ransomware, misconfigured analytics tools, and vendor system issues. The OCR breach portal continues to provide visibility into emerging trends and offers a way to assess how the sector is responding to these risks.
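The kind of half-year review described above can be reproduced from a portal export. The script below is an added example, not code from Paubox or from OCR: it assumes the export uses the column names of the OCR breach report CSV as I know them (Name of Covered Entity, Covered Entity Type, Individuals Affected, Breach Submission Date, Type of Breach, Business Associate Present), filters by submission date rather than incident date (which is why a late-2024 incident filed in 2025 counts toward 2025, as the article notes), and ranks and aggregates the filings. The rows embedded in it are constructed sample data with placeholder names, not real filings.

```python
"""Summarise an OCR breach-portal style CSV export (added example, not Paubox/OCR code).

Assumptions: column names follow the OCR breach report export layout;
the rows in SAMPLE_CSV are constructed placeholders, not real filings.
"""
import csv
import io
from collections import Counter
from datetime import date, datetime

# Constructed sample export. Names and figures are invented.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Business Associate Present
Example Health System,CT,Healthcare Provider,5500000,04/11/2025,Hacking/IT Incident,No
Example Billing Vendor,CA,Business Associate,5400000,06/06/2025,Hacking/IT Incident,Yes
Example Health Plan,CA,Health Plan,4700000,04/23/2025,Unauthorized Access/Disclosure,No
Example Clinic,TX,Healthcare Provider,4200,03/02/2025,Theft,No
Example Benefits Admin,MD,Business Associate,1100000,05/19/2025,Hacking/IT Incident,Yes
Example Hospital,NY,Healthcare Provider,900000,12/30/2024,Hacking/IT Incident,No
"""


def parse_breaches(text):
    """Parse a portal-style CSV into dicts with typed fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": rec["Name of Covered Entity"],
            "state": rec["State"],
            "entity_type": rec["Covered Entity Type"],
            "affected": int(rec["Individuals Affected"]),
            # The portal records when the filing was submitted, not when the
            # incident occurred, so a window on this date matches OCR's own reporting.
            "submitted": datetime.strptime(rec["Breach Submission Date"], "%m/%d/%Y").date(),
            "breach_type": rec["Type of Breach"],
            "ba_present": rec["Business Associate Present"].strip().lower() == "yes",
        })
    return rows


def summarize(rows, start, end, top_n=5):
    """Aggregate filings submitted in [start, end] the way a half-year review would."""
    window = [r for r in rows if start <= r["submitted"] <= end]
    ranked = sorted(window, key=lambda r: r["affected"], reverse=True)
    top = ranked[:top_n]

    individuals_by_entity = Counter()
    for r in window:
        individuals_by_entity[r["entity_type"]] += r["affected"]
    filings_by_breach_type = Counter(r["breach_type"] for r in window)

    # The two splits the article reports for its top-ten list: how many of the
    # largest filings were hacking/IT incidents, and how many involved a business associate.
    hacking_in_top = sum(1 for r in top if r["breach_type"] == "Hacking/IT Incident")
    ba_in_top = sum(1 for r in top if r["entity_type"] == "Business Associate" or r["ba_present"])

    return {
        "filings": len(window),
        "total_individuals": sum(r["affected"] for r in window),
        "top": [(r["name"], r["affected"]) for r in top],
        "individuals_by_entity_type": dict(individuals_by_entity),
        "filings_by_breach_type": dict(filings_by_breach_type),
        "hacking_in_top": hacking_in_top,
        "business_associate_in_top": ba_in_top,
    }


def h1_2025_summary():
    """Convenience wrapper: first-half-of-2025 view of the constructed sample."""
    return summarize(parse_breaches(SAMPLE_CSV), date(2025, 1, 1), date(2025, 6, 30))


if __name__ == "__main__":
    s = h1_2025_summary()
    print(f"{s['filings']} filings, {s['total_individuals']:,} individuals affected")
    for name, affected in s["top"]:
        print(f"  {affected:>12,}  {name}")
    print("by entity type:", s["individuals_by_entity_type"])
    print("by breach type:", s["filings_by_breach_type"])
    print(f"hacking/IT in top {len(s['top'])}: {s['hacking_in_top']}; "
          f"business associate involved: {s['business_associate_in_top']}")
```

Pointing `parse_breaches` at a real portal download instead of `SAMPLE_CSV` gives the same report for actual filings; the filtering on submission date is what makes the totals line up with what OCR publishes for a given period.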


FAQs

Why do business associates account for most of the largest breaches?

Business associates often manage sensitive data for multiple healthcare clients but may not have equally strong security practices or breach detection capabilities, making them frequent entry points for attackers.


What makes healthcare data especially attractive to cybercriminals?

Healthcare records include long-term personal identifiers (e.g., Social Security numbers, medical histories) that can be used for identity theft, insurance fraud, and even blackmail—often years after a breach occurs.


How does OCR define a "breach"?

Under HIPAA, a breach is any impermissible use or disclosure of protected health information. Breaches affecting 500 or more individuals must be reported to OCR, which posts them publicly on its breach portal.


What should patients do if they receive a breach notification?

They should read the letter carefully, enroll in any free identity monitoring services offered, monitor their credit and health insurance statements, and consider placing fraud alerts with credit bureaus.


Is there any public accountability for organizations that suffer repeat breaches?

Yes. OCR may launch investigations, issue civil monetary penalties, or mandate corrective action plans, particularly when there’s evidence of long-standing compliance failures or preventable security gaps.