May 2025 Healthcare Breach Report

The U.S. healthcare sector suffered yet another intense month of data breaches in May 2025, with 59 incidents reported to the Department of Health & Human Services (HHS) Office for Civil Rights (OCR). These attacks compromised the protected health information (PHI) of over 1.8 million individuals, largely through hacking and network-based intrusions.

But May wasn’t just a bad month for data security—it was also a loud warning shot from regulators. The OCR announced multiple enforcement actions involving ransomware attacks and inadequate risk analysis, making it clear that noncompliance is no longer going unpunished.

May 2025 Breach Summary

  • Total Reported Breaches: 59
  • Individuals Affected: 1,884,653
  • Primary Cause: Hacking/IT Incidents (77%)
  • Most Affected: Business Associates and Medium-to-Large Healthcare Providers

Largest Breaches in May


Regulatory Spotlight: OCR Cracks Down on Compliance Failures

In tandem with May’s breach activity, the OCR announced two major enforcement settlements:

  • Comstar: Fined for a ransomware attack that compromised over 585,621 records. OCR found that Comstar failed to conduct an accurate risk analysis or implement required security measures.
  • Vision Upright MRI: Agreed to a settlement over failure to conduct a proper security risk assessment—a fundamental HIPAA requirement that left them vulnerable to a breach.

These recent cases show OCR is targeting noncompliance, particularly:

  • Lack of documented risk analysis
  • Weak or missing safeguards for data at rest and in transit
  • Inadequate business associate oversight

How Compliancy Group Prevents These Mistakes Before They Happen

With Compliancy Group’s healthcare compliance software, you don’t just check boxes—you proactively secure your organization.

Risk Analysis That Meets OCR Standards

Our risk analysis walks you through a guided, thorough process. It flags security gaps and offers solutions tailored to HIPAA requirements—so you’re never caught off guard in an audit or investigation.

Security Policies and Procedures

We provide policy templates that include guidance on implementing data encryption, access controls, and contingency plans—the same safeguards OCR has required as corrective actions in its ransomware settlements.

Vendor & Business Associate Management

Business associates were behind several large breaches in May. Compliancy Group helps you issue, track, and manage Business Associate Agreements (BAAs), and evaluate vendor risk—protecting you from their failures.

Training and Incident Response Templates

Most ransomware incidents begin with human error. We provide staff training and response planning that helps your team recognize threats and react fast.

Audit-Ready Documentation

Our platform keeps a digital paper trail of everything—risk assessments, policies, training logs, and BAAs—so you’re ready for OCR scrutiny anytime.

“Most practices don’t fail OCR audits because they don’t care—they fail because they weren’t prepared. We make it easy to be both.”  — Compliancy Group

What You Can Learn from May’s Breaches

  • Network Servers Are the #1 Target
    Ensure they are patched, monitored, and protected.
  • Business Associates Are Still a Weak Link
    Vet your vendors and ensure you have active BAAs in place.
  • Risk Analysis Is Not Optional
    It’s required by law—and the #1 failure OCR is enforcing against.

Don’t Wait for a Breach to Start Protecting Your Practice

The cost of inaction isn’t just reputational—it’s regulatory.

Compliancy Group helps you build a culture of compliance, secure your data, and stay audit-ready, no matter what the threat landscape looks like. Schedule a demo to learn more about how our software can help you protect your business today!
