30 Million Hit by Healthcare Data Breaches in H1 2025

Healthcare organizations continue to grapple with rising cyber threats, as more than 29 million individuals were affected by major healthcare data breaches in the first half of 2025, according to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). All of the top 10 breaches stemmed from hacking or IT incidents, highlighting the growing sophistication of cyberattacks on the healthcare sector.

The Yale New Haven Health System reported the largest breach, with 5.56 million records compromised following unauthorized access to its network. Episource, an IT vendor, followed closely with 5.42 million records exposed in a ransomware attack. Blue Shield of California notified 4.7 million members after discovering that a misconfigured Google Analytics tool inadvertently shared user data with Google Ads.

Other significant breaches included DaVita (2.68 million records), Anne Arundel Dermatology (1.9 million), and Radiology Associates of Richmond (1.4 million). Additional incidents impacted Lockton Companies, Community Health Center, Frederick Health, and McLaren Health Care, each affecting between 700,000 and 1.1 million individuals.

Experts say the ongoing shift from theft to hacking as the dominant breach cause—first observed in 2017—illustrates the growing risks tied to healthcare’s digital transformation. Patient data such as medical histories, Social Security numbers, and insurance details remain prime targets for cybercriminals.

With ransomware groups exploiting third-party vulnerabilities and targeting sensitive medical data, 2025 is on track to become one of the worst years on record for healthcare cybersecurity breaches, emphasizing the urgent need for stronger digital resilience.