Top 20 Healthcare Data Breaches of 2025

It is no secret that cybercriminals commonly target the healthcare sector due to the valuable, sensitive data these organizations collect and store. While 2025 recorded the greatest number of data breaches to date, current statistics show healthcare-specific breaches decreased by 4.3% year-over-year, according to data from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). However, the HIPAA Journal’s 2025 Healthcare Data Breach Report notes that it may be too early to consider this statistic set in stone.
The report explains, “When we compiled our 2024 healthcare data breach report in January 2025, 725 large healthcare data breaches were listed on the OCR breach portal. That total increased to 742 data breaches over the following few months. While a similar number of late additions would still mean an annual decrease in data breaches, there was a 43-day shutdown of the federal government in late 2025 due to the failure of Congress to pass appropriations legislation. During that period, no data breaches were added to the OCR breach portal. The late additions in 2026 could therefore be considerably higher than in previous years.”
Nevertheless, the report offers a comprehensive look at the state of healthcare data breaches in 2025, as it is currently understood. Here, Security magazine breaks down the top 20 breaches in healthcare.
Top 20 Healthcare Data Breaches of 2025
1. Aflac
Aflac Incorporated (“Aflac”) experienced a hacking incident that was initially reported to have impacted 22 million individuals, but was later discovered to have affected 13 million. This makes the Aflac breach the largest healthcare breach of 2025.
- Breach Type: Hacking
- Individuals Impacted: 13,924,906
2. Yale New Haven Health System
Yale New Haven Health System faced a breach of protected health information for more than 5.5 million people. The patient data within compromised records included names, patient types, birthdates, addresses, email addresses, phone numbers, race/ethnicity, medical record numbers, and Social Security numbers.
- Breach Type: Hacking
- Individuals Impacted: 5,556,702
3. Episource, LLC
Medical billing entity Episource had approximately 5.4 million individuals’ records compromised, including data that varied from person to person. While the HIPAA Journal classifies this breach as a hacking incident, reporting around the time suggested it was a ransomware attack.
- Breach Type: Hacking
- Individuals Impacted: 5,418,866
4. Blue Shield of California
This incident involved an exposure of protected health information due to a misconfiguration of Google Analytics, which shared data with Google Ads for approximately three years.
- Breach Type: Exposure
- Individuals Impacted: 4,700,000
5. DaVita Inc.
Hackers exfiltrated and encrypted sensitive data on DaVita’s networks, temporarily disrupting operations and compromising the data of more than 2.5 million individuals.
- Breach Type: Ransomware
- Individuals Impacted: 2,689,826
6. Anne Arundel Dermatology
A network intrusion was discovered on May 13, 2024. Upon investigation, the organization determined the affected data included names, dates of birth, addresses, medical/health insurance data, and other personal information.
- Breach Type: Hack
- Individuals Impacted: 1,905,000
7. Radiology Associates of Richmond, Inc.
Between Apr. 2 and Apr. 6, 2024, hackers accessed and exfiltrated files from the Radiology Associates of Richmond, Inc. network. In addition to names, birthdates, and email addresses being compromised, the incident also affected account numbers, routing numbers, medical/health insurance information, and Social Security numbers.
- Breach Type: Hack
- Individuals Impacted: 1,419,091
8. Southeast Series of Lockton Companies, LLC (Lockton)
A hacker accessed a single account and computer within the Southeast Series of Lockton’s environment, but that was all that was needed to gain access to the protected health information of more than 1 million individuals.
- Breach Type: Hack
- Individuals Impacted: 1,124,727
9. Community Health Center, Inc.
Unauthorized activity was discovered on Community Health Center’s systems on Jan. 2, 2025. While data was exfiltrated, it did not appear to be ransomed. Compromised data included names, birthdates, phone numbers, email addresses, test results/diagnoses, treatment/health insurance data, and Social Security numbers.
- Breach Type: Hack
- Individuals Impacted: 1,060,936
10. Frederick Health
Frederick Health experienced a ransomware attack, which affected the data of more than 900,000 people. The ransomware group stole drivers’ license numbers, Social Security numbers, medical record numbers, health insurance data, and more.
- Breach Type: Ransomware
- Individuals Impacted: 934,326
11. McLaren Health Care
Although unauthorized access of McLaren Health Care’s systems occurred between Jul. 17, 2024, and Aug. 2024, it wasn’t until May 5, 2025, that a forensic analysis of the incident was completed. This marked the second ransomware attack the organization experienced within a year.
- Breach Type: Ransomware
- Individuals Impacted: 743,131
12. Medusind Inc.
This billing support vendor discovered the breach in December 2023, but began notifying affected individuals more than a year later. Initially, it was estimated around 360,000 were affected, but that number soon rose to 690,000 and then 700,000.
- Breach Type: Hack
- Individuals Impacted: 701,475
13. Kelly & Associates Insurance Group, Inc.
The Kelly & Associates Insurance Group network was hacked between Dec. 12 and Dec. 17, 2024, and files containing sensitive data were exfiltrated. 45 of the organization’s clients were impacted.
- Breach Type: Hack
- Individuals Impacted: 553,332
14. Decisely Insurance Services, LLC
Initially, it was reported that around 65,000 were impacted by this incident. However, that estimate soon rose to approximately 530,000. Affected data included names, birthdates, phone numbers, digital signatures, passport numbers, and Social Security numbers.
- Breach Type: Hack
- Individuals Impacted: 537,603
15. United Seating and Mobility, LLC d/b/a Numotion
The mobility equipment provider faced unauthorized access to personal and protected health information after a malicious actor accessed employee email accounts via a phishing scheme.
- Breach Type: Phishing
- Individuals Impacted: 529,004
16. Serviceaide, Inc.
On Nov. 15, 2024, it was discovered that data within Serviceaide’s Catholic Health Elasticsearch database was exposed and accessible without proper authentication. The database had been exposed for approximately six weeks, and while there had been no evidence to suggest the data was misused, the possibility couldn’t be ruled out.
- Breach Type: Exposure
- Individuals Impacted: 483,126
17. Goshen Medical Center
Unauthorized access of the organization’s network was discovered on Mar. 4, 2025. An investigation confirmed that this unauthorized party may have viewed or taken patient data, including names, birthdates, addresses, driver’s license numbers, medical record numbers, and Social Security numbers.
- Breach Type: Hack
- Individuals Impacted: 456,385
18. Ascension Health
Due to a security incident targeting one of its former business partners, Ascension Health experienced a breach. While its own systems were unaffected, it was determined the organization unintentionally divulged patient data to the affected former business partner, and that data had been affected by the incident.
- Breach Type: Hack (against former business associate)
- Individuals Impacted: 437,329
19. Northwest Radiologists, Inc./Mount Baker Imaging
Between Jan. 20, 2025 and Jan. 25, 2025, certain information within the organization’s network was accessed without authorization. In addition to full names, compromised data may have included one or more of the following: address, email address, phone number, birthdate, driver’s license/state identification card number, provider name, health insurance information, treatment/diagnosis information, treatment cost, medical record number/patient identification number, and Social Security number.
- Breach Type: Hack
- Individuals Impacted: 362,713
20. Onsite Mammography
An employee’s email account experienced suspicious activity, revealing an unauthorized user had gained access to that single account for a brief time. A review of the affected account confirmed the exposure of over 350,000 individuals’ health data.
- Breach Type: Email account compromise
- Individuals Impacted: 357,265
It is important to note that this list could be subject to change, as some healthcare breaches from 2025 are still undergoing investigation and could reveal larger numbers of individuals impacted than initially suspected.