Healthcare Data Breach Statistics 2025: Key Trends, Costs, and Records Exposed
Healthcare Data Breach Frequency in 2025
Healthcare entities reported 710 large breaches (affecting 500+ individuals) to the HHS Office for Civil Rights (OCR) for 2025, reflecting a modest 4.3% year-over-year decline and a continued plateau in the 700–750 range—roughly two large incidents per day. ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
At least 61.6 million people experienced protected health information (PHI) exposure in 2025—down 78.7% from 2024, when the Change Healthcare incident alone drove unprecedented record counts. Average breach size fell from 389,707 individuals in 2024 to 86,699 in 2025, with the median dropping from 6,702 to 4,011. ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
“Mega” incidents also cooled: 9 breaches exceeded 1 million records in 2025 compared with 18 the year prior, helping curb overall PHI exposure even as the cadence of healthcare cybersecurity incidents remained high. ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
Average Cost of Healthcare Data Breaches
IBM’s 2025 Cost of a Data Breach Report pinned the global average breach cost at $4.44M, while the United States set a new high-water mark at $10.22M. Healthcare remained the most expensive industry at $7.42M per breach—down $2.35M from 2024 but still well above every other sector. ([newsroom.ibm.com](https://newsroom.ibm.com/2025-07-30-ibm-report-13-of-organizations-reported-breaches-of-ai-models-or-applications%2C-97-of-which-reported-lacking-proper-ai-access-controls?utm_source=openai))
Independent coverage of the report noted the same pattern: healthcare again topped all industries at $7.42M per breach even as the global average fell for the first time in five years. ([helpnetsecurity.com](https://www.helpnetsecurity.com/2025/08/04/ibm-cost-data-breach-report-2025/?utm_source=openai))
At a finer level, a secondary analysis of IBM’s data puts healthcare PHI exposure at about $408 per compromised record, driven by notification, remediation, and post‑breach support costs. Treat per‑record figures as an order‑of‑magnitude guide only: they are averages over breaches of ordinary size and do not scale linearly to multi‑million‑record incidents such as those listed below. ([databreachcost.com](https://databreachcost.com/cost/per-record?utm_source=openai))
How providers can reduce impact (healthcare data breach mitigation)
- Automate detection/response and harden identity controls to shorten dwell time, a key cost driver highlighted in 2025 findings.
- Exercise a tested incident response plan with business continuity for clinical workflows and revenue cycle operations.
- Tighten third-party risk oversight and contingency planning, given business associate exposure across the ecosystem.
Alongside these controls, disciplined OCR breach reporting and timely HIPAA breach notification limit downstream harm and help restore patient trust. ([newsroom.ibm.com](https://newsroom.ibm.com/2025-07-30-ibm-report-13-of-organizations-reported-breaches-of-ai-models-or-applications%2C-97-of-which-reported-lacking-proper-ai-access-controls?utm_source=openai))
Largest Healthcare Data Breaches and Records Exposed
The largest 2025 incident was ultimately attributed to a business associate, Conduent Business Services. Updated figures provided to OCR in mid‑2026 put PHI exposure at approximately 62,224,658 individuals, placing it among the largest healthcare breaches on record. Note that this revised count alone exceeds the 61.6 million year‑end total for 2025 cited above; that total predates the revision, so the 2025 record count will be restated upward once the portal reflects it. ([hipaajournal.com](https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2025/?utm_source=openai))
Among covered entities, Aflac confirmed PHI exposure for about 13,924,906 individuals in the United States (22.65M globally), following a June 2025 cyberattack widely linked to sophisticated social‑engineering tactics. ([hipaajournal.com](https://www.hipaajournal.com/aflac-data-breach/?utm_source=openai))
Other notable 2025 breaches (records exposed)
- Yale New Haven Health System – 5,556,702 (hacking/IT incident). ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
- Episource – 5,418,866 (ransomware/data theft). ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
- Blue Shield of California – 4,700,000 (PHI disclosure via website tracking tools). ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
- DaVita – 2,689,826 (ransomware). ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
- Anne Arundel Dermatology – 1,905,000 (hacking/IT incident). ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
Overall, 2025 saw fewer “mega” events but sustained PHI exposure from both direct attacks on covered entities and indirect compromises via business associates—underscoring why business associate breach reporting and oversight remain central to risk governance. ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
Primary Causes of Healthcare Data Breaches
Hacking/IT incidents continued to dominate in 2025, with network servers and email accounts the most common locations of breached PHI. Misconfigurations and web tracking technologies also generated sizable disclosures—demonstrating that not all PHI exposure stems from classic intrusions. ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
December’s figures were even more skewed: 80.5% of reported incidents were classed as hacking/IT events, an OCR category that in practice spans phishing and credential abuse, ransomware, and data‑theft extortion. ([hipaajournal.com](https://www.hipaajournal.com/december-2025-healthcare-data-breach-report/))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Targeted steps that map to top causes
- Reduce attack surface: enforce MFA, privileged access management, and continuous patching for externally exposed services.
- Contain faster: deploy EDR/XDR, network segmentation, and rehearsed isolation procedures that preserve clinical operations.
- Harden email and web: implement phishing‑resistant authentication, secure email gateways, and strict analytics/tracker governance.
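The tracker governance step above is the one that bears directly on disclosures like the Blue Shield of California incident, where PHI reached a third party through website analytics rather than through an intrusion. The following Python script is an added example, not code from the original article or from Accountable: it audits a patient‑portal page for third‑party script and pixel hosts, flags URL query parameters that analytics tools would capture as the page location, and checks whether the response’s Content‑Security‑Policy would actually block those hosts. The page HTML, URL, first‑party allowlist, parameter names and tracker hostnames are constructed for illustration and are assumptions, not findings about any real site.

```python
"""Audit a patient-portal page for third-party tracker exposure.

Added example with constructed inputs; hostnames, allowlist and PHI
parameter names are hypothetical, not taken from any real deployment.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Origins the organization controls or has a BAA with (assumed allowlist).
FIRST_PARTY = {"portal.example-health.org", "static.example-health.org"}

# Query-string keys that would carry PHI into an analytics "page location"
# field (assumed list; tune to the application's real parameter names).
PHI_PARAMS = {"mrn", "dob", "diagnosis", "provider", "appt", "condition"}

# CSP directive that governs each kind of outbound resource load.
DIRECTIVE_FOR = {"script": "script-src", "img": "img-src", "iframe": "frame-src"}


class _ResourceCollector(HTMLParser):
    """Collect elements that execute code or beacon out: scripts, images
    (tracking pixels) and iframes that have a src attribute."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in DIRECTIVE_FOR and src:
            self.resources.append((tag, src))


def third_party_resources(html):
    """Return (tag, host) pairs for resources loaded from non-allowlisted hosts."""
    parser = _ResourceCollector()
    parser.feed(html)
    found = []
    for tag, url in parser.resources:
        host = urlparse(url).hostname
        if host and host not in FIRST_PARTY:
            found.append((tag, host))
    return found


def phi_params_in_url(url):
    """Query keys in the page URL that analytics would record verbatim."""
    return sorted(k for k in parse_qs(urlparse(url).query) if k.lower() in PHI_PARAMS)


def parse_csp(header):
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_allows(policy, directive, host):
    """Would this policy let the browser load from `host` under `directive`?
    Falls back to default-src when the directive is absent; an empty policy
    (no CSP header at all) allows everything, the failure mode to catch."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "*":
            return True
        if s == "self":
            continue  # first-party only; never matches a third-party host
        if "://" not in s and s.endswith(":"):
            continue  # scheme-only source such as data: or https:
        src_host = urlparse(s if "://" in s else "//" + s).hostname
        if not src_host:
            continue  # keywords, nonces and hashes carry no host
        if src_host.startswith("*.") and host.endswith(src_host[1:]):
            return True
        if src_host == host:
            return True
    return False


def audit(page_url, html, csp_header=""):
    """Combine the three checks into one report for a single response."""
    policy = parse_csp(csp_header) if csp_header else {}
    third_party = [
        {"tag": tag, "host": host,
         "blocked_by_csp": not csp_allows(policy, DIRECTIVE_FOR[tag], host)}
        for tag, host in third_party_resources(html)
    ]
    return {"phi_params": phi_params_in_url(page_url), "third_party": third_party}


# Constructed sample: an appointment page whose URL carries PHI and which
# loads an analytics script and a tracking pixel from hypothetical vendors.
PAGE_URL = ("https://portal.example-health.org/appointments"
            "?appt=2025-06-12&provider=oncology&mrn=00123")
PAGE_HTML = """<html><head>
<script src="https://static.example-health.org/app.js"></script>
<script async src="https://analytics.example-tracker.net/tag.js?id=T-1"></script>
</head><body>
<img src="https://pixel.example-adnet.com/tr?ev=PageView" width="1" height="1">
</body></html>"""
WEAK_CSP = "default-src * 'unsafe-inline'"
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' https://static.example-health.org; "
                "img-src 'self' data:; connect-src 'self'; frame-src 'none'")

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        report = audit(PAGE_URL, PAGE_HTML, csp)
        print(label, "PHI in URL:", report["phi_params"])
        for f in report["third_party"]:
            print(f"  {f['tag']:6} {f['host']:32} blocked={f['blocked_by_csp']}")
```

Run against both policies, the same page yields unblocked trackers under `default-src *` and blocked ones under the explicit allowlist, while the PHI‑bearing query parameters are flagged either way. That asymmetry is the point: a CSP governs where the browser may send data, not what the application puts in the URL, so tracker governance needs both the header and a review of what authenticated pages expose in their locations and titles.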
Breach Reporting Trends and Delays
Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach. For breaches affecting 500 or more individuals, OCR must be notified on the same timeline through its online breach portal, and prominent media outlets serving the affected state or jurisdiction must also be notified; smaller breaches are logged and reported to OCR within 60 days after the end of the calendar year in which they were discovered. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html?utm_source=openai))
In practice, OCR verifies reports before posting, and entities frequently file with “placeholder” counts (often 500 or 501) when investigations are incomplete—figures that are later revised upward. ([hipaajournal.com](https://www.hipaajournal.com/december-2025-healthcare-data-breach-report/))
When a business associate suffers a breach, the notifications can be filed by the associate on the covered entity’s behalf or by each affected covered entity, but responsibility for ensuring they are completed stays with the covered entity. That split fragments timelines and multiplies workload, since a single vendor incident can surface as many separate filings. ([hipaajournal.com](https://www.hipaajournal.com/december-2025-healthcare-data-breach-report/))
OCR also expanded its remit to accept substance use disorder confidentiality (Part 2) breach reports using the same portal, strengthening federal oversight and standardizing intake as new privacy rules phased in during 2026. ([techtarget.com](https://www.techtarget.com/healthtechsecurity/news/366639162/OCR-launches-Part-2-civil-enforcement-program-new-breach-portal-features?utm_source=openai))
Impact of Government Shutdown on Breach Reporting
The federal government shutdown from October 1 to November 12, 2025—at 43 days, the longest full shutdown on record—furloughed staff and disrupted routine operations across agencies. ([en.wikipedia.org](https://en.wikipedia.org/wiki/2025_United_States_federal_government_shutdown?utm_source=openai))
During the shutdown, OCR did not add breach reports to its portal, and subsequent weeks were spent clearing the backlog. Analysts therefore flagged unusually low monthly tallies for September through December 2025, with late postings continuing into early 2026. ([hipaajournal.com](https://www.hipaajournal.com/december-2025-healthcare-data-breach-report/))
Monthly Breach Analysis for December 2025
December closed with 41 large incidents—one of 2025’s lowest monthly counts—and 345,564 individuals newly affected, marking the lowest December total since 2019. Hacking/IT incidents accounted for 80.5% of events, while unauthorized access/disclosure represented most of the remainder. ([hipaajournal.com](https://www.hipaajournal.com/december-2025-healthcare-data-breach-report/))
By reporter type, healthcare providers submitted 29 incidents, health plans 6, and business associates 6. Several entries used 500/501 as interim totals pending investigation completion—another sign that protected health information (PHI) exposure can be understated at first report. ([hipaajournal.com](https://www.hipaajournal.com/december-2025-healthcare-data-breach-report/))
The month’s largest disclosures included Fieldtex Products and AllerVie Health, alongside provider‑reported fallout from a business associate incident at TriZetto—illustrating how OCR breach reporting often surfaces upstream vendor issues. ([hipaajournal.com](https://www.hipaajournal.com/december-2025-healthcare-data-breach-report/))
Conclusion
In 2025, healthcare data breach frequency stayed high but record exposure fell sharply due to fewer mega events. Average breach costs eased yet remained industry‑leading, and the largest impacts often flowed through business associates. With OCR breach reporting (including HIPAA and Part 2) and HIPAA breach notification obligations in play, the most resilient programs pair rapid detection and containment with disciplined third‑party oversight and clear patient communications. ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
FAQs
What was the total number of healthcare data breaches in 2025?
710 large breaches (affecting 500+ individuals) were recorded for 2025 as compiled from OCR data; late postings may still nudge totals upward due to verification backlogs after the fall 2025 shutdown. ([hipaajournal.com](https://www.hipaajournal.com/2025-healthcare-data-breach-report/))
How much did the average cost of a healthcare data breach change in 2025?
Healthcare’s average fell to $7.42M in 2025, a $2.35M decrease from 2024’s $9.77M—still the highest across industries despite the improvement. ([newsroom.ibm.com](https://newsroom.ibm.com/2025-07-30-ibm-report-13-of-organizations-reported-breaches-of-ai-models-or-applications%2C-97-of-which-reported-lacking-proper-ai-access-controls?utm_source=openai))
Which healthcare data breach affected the most individuals in 2025?
Including business associates, Conduent Business Services led 2025 with about 62.2 million people’s PHI exposed. Among covered entities, Aflac reported PHI exposure for roughly 13.9 million individuals in the U.S. ([hipaajournal.com](https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2025/?utm_source=openai))
How did the federal government shutdown impact healthcare data breach reporting?
From October 1 to November 12, 2025, OCR paused adding reports to its breach portal, creating a backlog that suppressed monthly counts into year‑end and pushed some filings into early 2026. ([hipaajournal.com](https://www.hipaajournal.com/december-2025-healthcare-data-breach-report/))