June 2025 Healthcare Data Breaches Affected 7.1M

• Total Breaches: 66 reported incidents
• Individuals Affected: 7,130,535 people
• Most Affected States: California (9 incidents), Texas (6 incidents), Florida (5 incidents)
• Primary Attack Method: Hacking/IT incidents (85% of all breaches)
• Largest Single Breach: Episource, LLC affecting 5,418,866 individuals

Major Incidents

Episource, LLC – The Month’s Largest Breach

The most significant breach occurred at Episource, LLC, a California-based business associate. A hacking incident targeting their network servers affected over 5.4 million individuals, accounting for approximately 76% of all individuals affected by healthcare breaches in June 2025.

McLaren Health Care – Michigan’s Major Incident

McLaren Health Care in Michigan reported a breach affecting 743,131 individuals through a network server compromise, making it the second-largest incident of the month.

Central Kentucky Radiology – Regional Impact

Central Kentucky Radiology experienced a significant breach affecting 166,953 individuals, demonstrating that even regional healthcare providers can be targets for large-scale attacks.

Geographic Distribution

Most Affected States by Number of Incidents:

• California: 9 incidents (affecting 5.47 million individuals)
• Texas: 6 incidents (affecting 28,438 individuals)
• Florida: 5 incidents (affecting 66,850 individuals)
• Ohio: 3 incidents (affecting 13,620 individuals)

The concentration of breaches in California is particularly concerning, with the state accounting for both the highest number of incidents and the largest number of affected individuals.

Attack Vectors and Vulnerabilities

Hacking/IT Incidents Dominate

Approximately 85% of all reported breaches were classified as hacking/IT incidents, indicating that cybercriminals are increasingly sophisticated in their approaches to healthcare systems.

Primary Attack Methods:

• Network server compromises (32 incidents)
• Email system breaches (23 incidents)
• Desktop/laptop computer attacks (3 incidents)
• Electronic medical record system breaches (2 incidents)

Unauthorized Access/Disclosure

The remaining 15% of breaches involved unauthorized access or disclosure of patient information, often through internal processes or human error.

Entity Types Affected

Healthcare Providers: 47 incidents (76% of total)

• Hospitals and health systems
• Specialty medical practices
• Imaging centers
• Cancer care facilities

Business Associates: 12 incidents (19% of total)

• Insurance service providers
• Technology vendors
• Revenue cycle management companies

Health Plans: 2 incidents (3% of total)

• Insurance companies
• Employee benefit plans

Healthcare Clearing Houses: 1 incident (2% of total)

Sector-Specific Vulnerabilities

Cancer Care and Specialty Practices

A notable pattern emerged with multiple cancer care and radiation oncology facilities experiencing breaches on the same day (June 27, 2025). This suggests a coordinated attack or exploitation of a common vulnerability across these specialized healthcare providers.

Business Associate Risks

Business associates were disproportionately affected relative to their numbers, with several major incidents involving companies that provide services to multiple healthcare entities. This amplifies the impact of each breach, as these companies often have access to data from numerous healthcare organizations.

Implications for Healthcare Security

Systemic Vulnerabilities

The June 2025 breach data reveals several concerning trends:

1. Email System Vulnerabilities: Nearly 40% of hacking incidents targeted email systems, indicating widespread vulnerabilities in email security protocols.
2. Network Infrastructure Weaknesses: The prevalence of network server compromises suggests inadequate network segmentation and monitoring.
3. Third-Party Risk: The involvement of business associates in nearly 20% of incidents highlights the need for stronger vendor risk management.

Regulatory Response

The scale and frequency of these breaches likely prompted enhanced scrutiny from the Department of Health and Human Services Office for Civil Rights (OCR) and may lead to stricter enforcement actions and regulatory requirements.

Recommendations

For Healthcare Organizations

1. Implement Multi-Factor Authentication: Particularly for email systems and network access
2. Enhance Network Segmentation: Limit the scope of potential breaches
3. Regular Security Assessments: Conduct frequent vulnerability testing
4. Staff Training: Improve cybersecurity awareness and incident response protocols

For Business Associates

1. Strengthen Data Governance: Implement robust data handling procedures
2. Incident Response Planning: Develop and test comprehensive breach response plans
3. Client Communication: Establish clear protocols for notifying healthcare clients of incidents

For the Healthcare Industry

1. Information Sharing: Develop mechanisms for sharing threat intelligence
2. Collaborative Defense: Create industry-wide cybersecurity initiatives
3. Investment in Security: Prioritize cybersecurity funding and resources

June 2025 represents a watershed moment for healthcare cybersecurity, with 66 incidents affecting over 7.1 million individuals highlighting the urgent need for comprehensive security improvements across the healthcare ecosystem. The concentration of incidents involving business associates and the coordinated nature of some attacks underscore the interconnected vulnerabilities that exist throughout the healthcare supply chain.

The healthcare industry must treat cybersecurity as a patient safety issue, investing in robust defenses and fostering a culture of security awareness. Only through coordinated efforts across all stakeholders can the healthcare sector hope to protect the sensitive health information of millions of Americans from increasingly sophisticated cyber threats.

The lessons learned from June 2025 should serve as a call to action for healthcare organizations to reassess their cybersecurity postures and implement comprehensive security measures before the next wave of attacks occurs.