In 2025, U.S. healthcare organizations reported 772 large breaches to the Office for Civil Rights (OCR), a new annual record. All told, roughly 138.5 million records were exposed over the year. Broken down to a daily pace, that’s the protected health information (PHI) of about 379,306 people exposed every single day.Âą And the targets ranged from solo practices to sprawling hospital networks, so the takeaway is uncomfortable but simple: no one was too small or too well-defended to be hit. To understand what those numbers mean for your organization, it helps to walk through them in order: the breach counts, the trends behind them, the root causes, the financial fallout, and where OCR enforcement is headed next.
Healthcare Breach Statistics in 2025 by the Numbers
Let’s start with the raw scale because it frames everything that follows. By almost any measure, 2025 set records, and the figures throughout this article are drawn from the Department of Health and Human Services (HHS) OCR breach reports, as analyzed by HIPAA Journal.¹ One note on scope before the numbers land: federal law requires every covered entity to report breaches to OCR, but only incidents affecting 500 or more individuals get published on the OCR breach portal, so every figure here is a confirmed large breach. The headline counts:
1. 772 large breaches were reported in 2025, a new annual record, at a rate of 2.1 per day.Âą
2. Roughly 138.5 million individuals were affected, or about 379,306 people per day.Âą
Records Exposed and Individuals Affected
Those annual totals are staggering on their own, but the long view is what makes the scale hard to hold in your head:
3. 772 large breaches in 2025 exposed the records of about 138.5 million individuals.Âą
4. Between 2009 and 2025, 7,418 large breaches exposed the PHI of more than 1,013,066,481 individuals. That total is more than 2.9 times the entire U.S. population.Âą
It’s easy to let a number that big go abstract, so it’s worth resisting that. Behind every record is a real patient whose medical history, insurance details, or personal identifiers were exposed without their consent. That’s the part the totals tend to hide.
How Breach Volume Has Changed Over Time
A single record year could be a fluke. Multi-year healthcare data breach trends are what tell you whether to worry, and they point clearly upward:
| Number of Large Breaches | Year |
|---|---|
| 719 | 2022 |
| 746 | 2023 |
| 741 | 2024 |
| 772 | 2025 |
| 252 | 2026 (Through April 30, 2026) |
Source: HIPAA Journal, “Healthcare Data Breach Statistics.”Âą
Read that 2026 dip carefully, though: it owes much to reporting delays caused by the late-2025 government shutdown. If you’re making compliance decisions right now, the trajectory matters more than any single quarter. A short-term lull in the paperwork isn’t the same as a drop in risk.
What’s Causing Healthcare Data Breaches?
Counts tell you how much is happening. To do anything about it, you need to know why, and that’s where the pattern gets useful. Two culprits sit behind the overwhelming majority of large healthcare breaches, and they call for very different defenses, so it’s worth taking them one at a time:
- External hacking and IT incidents, ransomware included
- Unauthorized access and internal events, including insider activity and improper disclosures
Hacking and Ransomware Are Dominant Threats
Hacking is the larger of the two by a wide margin. The trend has been building for years:
5. Hacking and other IT incidents accounted for more than 80% of large healthcare breaches in the 2025 OCR portal data.Âą
6. Ransomware attacks rose 278% between 2018 and 2023.Âą
7. The 2025 Conduent Business Services breach compromised the PHI of more than 62 million Americans.Âą
There’s a reason healthcare draws so much of this. Patient data is valuable, and operational disruption doesn’t just cost money. It can directly interrupt care. That combination is exactly what makes ransomware so effective here: when systems lock up, the pressure to pay is clinical.
Unauthorized Access and Internal Risks
The second-leading cause is quieter and, in some ways, trickier to catch. The long-term trend here has been downward, but these incidents ticked back up in 2025:
8. Website tracking technologies quietly sent PHI to third parties without a Business Associate Agreement (BAA) in place, a major driver of the 2025 uptick.Âą
9. Blue Shield of California’s 2025 unauthorized access and disclosure incident affected 4.7 million individuals.Âą
10. Improper disposal is now rare; just one such case was reported in 2025.Âą
What makes the category so slippery is that the exposure often isn’t malicious. For example, a misconfigured tool can leak PHI without anyone intending harm, which is precisely why it slips past defenses built for outside attackers. Shrinking your exposure here comes down to the fundamentals: workforce training, access controls, and clear written policies, which are all core HIPAA requirements.
The Financial Cost of a Healthcare Data Breach
Knowing how breaches happen naturally leads to the next question: what do they cost when they occur? The numbers behind the headline are worth reading closely:
11. For the 14th year running, U.S. healthcare carried the highest average breach cost of any industry: $7.42 million per incident, down from $9.77 million in 2024.²
12. The U.S. all-industry average hit a record $10.22 million, up 9.2% from $9.36 million in 2024.²
13. Healthcare breaches are the slowest to catch and contain, averaging 279 days, roughly nine months.²
Don’t read the year-over-year decline as relief. That 279-day average is roughly nine months during which attackers may still have access, and the remediation meter keeps running. For a smaller practice, a single breach can put the whole business at risk. For a larger one, add reputational damage, leadership accountability, and heavier audit scrutiny on top of the direct hit.
OCR Fines and HIPAA Enforcement in 2025 and 2026
The bill for a breach doesn’t stop at cleanup, either. Federal HIPAA enforcement is very much part of the equation, and it isn’t a distant worry:
14. OCR imposed 21 financial penalties in 2025, up from 16 in 2024.Âą
15. Its risk-analysis enforcement initiative had closed 11 hacking investigations with financial penalties as of January 31, 2026.Âą
16. OCR issued several fines in 2025 aimed specifically at Breach Notification Rule violations.Âą
The pattern worth noting runs through it all: covered entities and business associates of every size are fair game.
Why Enforcement Is Shifting Toward Smaller Penalties
That last point deserves a closer look because the shape of enforcement has changed. OCR has moved away from rare, blockbuster fines toward smaller, more frequent settlements. The average penalty has declined since 2018 as OCR worked through more than 50 HIPAA Right of Access cases following the September 2019 initiative launch. Here’s the part that’s easy to misread: smaller fines don’t mean smaller risk. They mean enforcement has widened its net.
17. Back in 2022, 55% of OCR financial penalties were assessed against small medical practices.Âą
18. Vision Upright MRI settled for $5,000 in 2025.Âą
19. Comprehensive Neurology settled for $25,000 in 2025.Âą
A $5,000 fine sounds modest until you add the remediation, legal time, and lost focus that come with it, and no organization is too small to land on OCR’s radar.
The Biggest Healthcare Breaches on Record
It helps to put faces to the trend. The breaches below are among the largest ever reported to OCR. All involved hacking or IT incidents, unless noted, and together they show how wide the target really is.
ALL-TIME TOP THREE:
| Organization | Year | Individuals Affected | Breach Type |
|---|---|---|---|
| Change Healthcare | 2024 | 192,700,000 | Hacking/IT Incident |
| Anthem, Inc. | 2015 | 78,800,000 | Hacking/IT Incident |
| Conduent Business Services | 2025 | 62,224,658 | Hacking/IT Incident |
Source: HIPAA Journal, “Healthcare Data Breach Statistics.”Âą
SIGNIFICANT 2025 INCIDENTS:
| Organization | Individuals Affected | Breach Type |
|---|---|---|
| Aflac | 13,924,906 | Hacking/IT Incident |
| Episource | 6,725,572 | Hacking/IT Incident |
| Yale New Haven Health System | 5,556,702 | Hacking/IT Incident |
| Blue Shield of California | 4,700,000 | Unauthorized Access/Disclosure |
Source: HIPAA Journal, “Healthcare Data Breach Statistics.”Âą
NOTABLE 2026 INCIDENTS (through April 30):
| Organization | Individuals Affected | Breach Type |
|---|---|---|
| TriZetto Provider Solutions | 3,433,965 | Hacking/IT Incident |
| QualDerm Partners | 3,117,874 | Hacking/IT Incident |
Source: HIPAA Journal, “Healthcare Data Breach Statistics.”Âą
Look down that list and one thing stands out: the names have nothing in common except the sector they operate in. Health plans, providers, and back-office vendors all show up, which points to a vulnerability that runs sector-wide and doesn’t discriminate by size or type. This raises the practical question the rest of this guide answers: if it can happen to any of them, what actually lowers the odds for you?
How to Reduce Your Organization’s Breach Risk
None of this means the risk is unmanageable. It means you get to be deliberate about where you spend effort. With many large breaches tied to hacking and IT incidents, start where the risk actually concentrates:
- Encrypt PHI. Properly encrypted data can remove the HIPAA breach-reporting obligation entirely when a device is lost or stolen.
- Require multi-factor authentication on privileged accounts.
- Run phishing-resistant staff training.
- Complete a documented HIPAA risk assessment, the single highest-leverage step for audit readiness.
- Revisit your BAAs and do real due diligence on third-party partners.
If you do only one thing, make it the risk assessment. A documented HIPAA risk assessment is what OCR looks for first: the agency has flagged the risk analysis provision as the most commonly cited HIPAA Security Rule violation, and it sits at the center of its current enforcement initiative.Âą
Pulling all of that together is the hard part, and it’s where having the right system pays off. The Guard brings your HIPAA compliance requirements together with expert support, so your team isn’t starting from a blank page.
Get a demo to see how Compliancy Group can help your organization reduce breach risk.
References
- HIPAA Journal, “Healthcare Data Breach Statistics,” hipaajournal.com/healthcare-data-breach-statistics.
- HIPAA Journal, “Average Cost of a Healthcare Data Breach Falls to $7.42 Million,” hipaajournal.com/average-cost-of-a-healthcare-data-breach-2025.







