December 2025 Healthcare Data Breach Report – The HIPAA Journal
In the final month of 2025, a further 41 healthcare data breaches affecting 500 or more individuals were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) by HIPAA-regulated entities. December’s total was the joint second-lowest monthly total of the year and the fourth month in a row where data breaches have been reported in unusually low numbers. Over the past four months, an average of 40.75 large data breaches have been reported per month, compared to an average of 66.5 large data breaches per month for the preceding four months. December 2025’s total is the lowest December total since 2019.

One possible explanation for the unusually low total is the 43-day government shutdown caused by the failure of Congress to pass appropriations legislation. All non-essential staff at HHS were furloughed, and no breach reports were added to the OCR breach portal during that period. Breach reports for that period have since been added to the portal, but it is possible that OCR has yet to fully clear the backlog, so the totals for September to December may increase over the coming weeks.

As it stands, there are currently 697 data breaches listed for 2025, a 6% reduction from the 742 large data breaches reported in 2024. The 697 total will almost certainly increase. When we compiled our December 2024 healthcare data breach report on January 20, 2025, 721 large healthcare data breaches were listed. A further 21 were added to the breach portal for 2024 in the following weeks and months.

Across the 41 healthcare data breaches currently listed for December 2025, the protected health information of only 346,564 individuals was exposed or impermissibly disclosed. The number of affected individuals in each of the past four months has also been atypically low, with an average of 1,336,061 individuals affected per month. For the preceding four months (May to August), the average monthly total was 8,181,449 individuals. The totals for the past four months will certainly increase, as many data breach investigations are ongoing and it has yet to be determined how many individuals have been affected.

December 2025’s 346,564 affected individuals is the lowest monthly total since December 2017, when 343,260 individuals were affected. Currently, 60,976,942 individuals are known to have been affected by healthcare data breaches in 2025, a 78.9% reduction from 2024, although 2024’s total includes the gargantuan data breach at Change Healthcare, which affected 192,700,000 individuals.
Largest Healthcare Data Breaches Reported in December 2025
Only five data breaches were reported in December that affected 10,000 or more individuals, the largest of which was a hacking incident at Fieldtex Products, a Rochester, NY-based medical supply fulfillment organization. The largest of Fieldtex Products' reports covered 104,071 individuals, but the company filed a total of four separate breach reports with OCR in December, affecting a combined 139,009 individuals, plus a further breach report in November, affecting 35,748 individuals. All five reports are thought to stem from the same hacking incident, which Fieldtex Products detected on August 19, 2025.
AllerVie Health, a Texas-based network of allergy and asthma centers, fell victim to a ransomware attack in November 2025; the hackers were found to have had access to its network from October 24, 2025, to November 3, 2025. The Anubis ransomware group claimed responsibility for the attack. Medical Center LLP, doing business as Dublin Medical Center in Georgia, experienced a hacking incident that affected 32,090 individuals, and Variety Care in Oklahoma was affected by a cyberattack on its business associate TriZetto Provider Solutions, a provider of administrative services to HIPAA-regulated entities. Variety Care was one of many covered entities affected by that breach. While the total number of affected individuals has yet to be confirmed, the TriZetto data breach is now known to have affected more than 700,000 individuals.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Fieldtex Products, Inc. | NY | Business Associate | 104,071 | Hacking incident |
| AllerVie Health | TX | Healthcare Provider | 80,521 | Ransomware attack (Anubis) |
| Medical Center, LLP | GA | Healthcare Provider | 32,090 | Hacking incident |
| Fieldtex Products, Inc. | NY | Business Associate | 20,641 | Hacking incident |
| Variety Care | OK | Healthcare Provider | 17,163 | Hacking incident at business associate (TriZetto Provider Solutions) |
Six data breaches were reported in December 2025, with totals of 500 or 501 affected individuals. These are commonly used ‘placeholder’ estimates when the investigation is still ongoing as the deadline for reporting the data breach to OCR approaches. These totals will almost certainly increase and will be updated when the data breach investigations are concluded.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Associated Radiologists of the Finger Lakes, P.C. | NY | Business Associate | 501 | Hacking incident |
| Glendale Obstetrics & Gynecology PCA | AZ | Healthcare Provider | 501 | Hacking incident |
| Reproductive Medicine Associates of Michigan | MI | Healthcare Provider | 501 | Hacking incident – Data theft confirmed |
| Mitchell County Department of Social Services | NC | Healthcare Provider | 501 | Ransomware attack – Data theft confirmed |
| Greater St. Louis Oral & Maxillofacial Surgery PC | MO | Healthcare Provider | 501 | Compromised email account in a phishing attack |
| Madison Healthcare Services | MN | Healthcare Provider | 500 | Hacking incident – Worldleaks threat group claimed responsibility |
Causes of December 2025 Healthcare Data Breaches
Hacking and other IT incidents accounted for 80.5% of the month’s data breaches, with 33 such incidents reported, affecting 327,095 individuals – 94.4% of the month’s total. The average breach size was 9,912 individuals, and the median breach size was 2,511 individuals. There were 8 unauthorized access/disclosure incidents in December, affecting 19,469 individuals. The average breach size was 2,434 individuals, and the median breach size was 1,469 individuals. No loss, theft, or improper disposal incidents were reported in December.

The most common location of breached protected health information was network servers, followed by email, with six incidents involving compromised email accounts.

Where did the Data Breaches Occur?
Healthcare providers were the worst-affected regulated entities in December, reporting 29 of the month's 41 data breaches (191,900 individuals). Six data breaches were reported by health plans (12,272 individuals) and six by business associates (142,392 individuals). When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure that breach notifications are sent and OCR is notified. Covered entities may delegate the notification responsibilities to the business associate, although oftentimes the affected HIPAA-covered entities report the breach themselves. For instance, covered entities affected by the data breach at TriZetto Provider Solutions reported the breach, even though it occurred at their business associate (or at a subcontractor of their business associate). To better reflect the role of business associates, the breach figures below are presented according to where the data breach occurred, rather than which entity reported it.


Geographic Distribution of Healthcare Data Breaches
California was the worst-affected state in December in terms of the number of data breaches, with nine HIPAA-regulated entities known to have been affected. The high total is due to the data breach at TriZetto Provider Solutions, which was either a business associate, or a subcontractor of a business associate, of six of the nine affected entities. New York ranked second, but four of its five data breaches were reported by the same entity, Fieldtex Products.
| State | Data Breaches |
|---|---|
| California | 9 |
| New York | 5 |
| Texas | 4 |
| Maryland, Michigan, Minnesota, Missouri, Oklahoma, Oregon & Tennessee | 2 |
| Arizona, Florida, Georgia, Illinois, Louisiana, Maine, Massachusetts, North Carolina & Ohio | 1 |
While California topped the list for data breaches, New York was the worst state in terms of the number of affected individuals, followed by Texas.
| State | Individuals Affected |
|---|---|
| New York | 140,320 |
| Texas | 85,728 |
| Georgia | 32,090 |
| California | 31,013 |
| Oklahoma | 18,275 |
| Missouri | 9,343 |
| Oregon | 6,473 |
| Louisiana | 4,519 |
| Maryland | 4,027 |
| Tennessee | 3,138 |
| Illinois | 2,511 |
| Massachusetts | 1,638 |
| Ohio | 1,629 |
| Michigan | 1,560 |
| Maine | 1,259 |
| Florida | 1,036 |
| Minnesota | 1,003 |
| Arizona | 501 |
| North Carolina | 501 |
HIPAA Enforcement Activity in December 2025
In December, OCR announced one HIPAA enforcement action that involved a financial penalty. Texas-based Concentra, Inc., was investigated after OCR received a complaint from an individual who had not been provided with timely access to his medical and billing records. Concentra agreed to settle the alleged HIPAA Right of Access violation and paid a $112,500 penalty. This was the 54th financial penalty under the HIPAA Right of Access enforcement initiative, which commenced in late 2019 and is ongoing. It has been a busy year of HIPAA enforcement, with OCR resolving 21 HIPAA violation cases with regulated entities in 2025 with a financial penalty. OCR collected $8,330,066 in penalties from those enforcement actions.
State attorneys general also enforce the HIPAA Rules, although 2025 was a quiet year, with only one financial penalty imposed to resolve a data breach investigation. Orthopedics NY LLP (OrthoNY) paid $500,000 to settle allegations of cybersecurity failures that led to a breach of the protected health information of more than 656,000 individuals. The New York Attorney General cited violations of HIPAA and state cybersecurity laws.
U.S. Data Compromises Hit Record High in 2025 – The HIPAA Journal
An unwanted new record was set in 2025 for data compromises, which increased by 4% from the record-breaking total in 2024, according to the Identity Theft Resource Center (ITRC). The ITRC is a non-profit organization dedicated to helping victims of data breaches, scams, and identity theft. ITRC also offers education to help consumers protect themselves against identity theft and fraud. ITRC tracks data compromises, which include data breaches, data leaks, and accidental exposures of sensitive consumer data.
The record total of 3,332 data compromises in a year represents a 79% increase in just five years, and the third successive year when more than 3,000 data compromises have been identified. While the historic high is concerning, there is at least some good news, as the number of individuals affected by data compromises has fallen sharply to the lowest annual total since 2014. Across the 3,332 data compromises, 278.8 million individuals were affected, down from 2024’s shockingly high total of 1.36 billion. The relatively low total is due to a lack of mega data breaches, which have been a regular feature over the past few years.
An ITRC poll of 1,000 U.S. consumers revealed 80% received at least one breach notice in the past year, and two-fifths received between three and five different notices. Out of the individuals who received a notice about a data breach, 88% said they experienced one or more negative consequences, such as an account takeover, an increase in spam emails and phishing attempts, or mental health issues.
Worryingly, the frequency with which data breach notices are being received is leading to breach fatigue. Of the people who did nothing after receiving a notice, 48.3% said they had breach fatigue from receiving so many notices, 46.1% said they felt helpless because they believed there was nothing they could do about it, 41.6% said the language of the notification suggested the breach was not serious enough to warrant any action, and 36% said they did not trust the notice and thought it was a scam.
Out of the 3,332 data compromises, 2,928 were data breaches, involving 232,726,796 victim notices; 24 were data exposures, involving 527,894 victim notices; and 366 were unknown compromises, involving 1,584,024 victim notices. Four of the data compromises involved previously compromised data. The largest data compromises of the year (based on victim notices) occurred at PowerSchool (71.9 million), AT&T (44 million), Aflac (22.7 million), Prosper Funding (17.6 million), and Conduent Business Services. The number of individuals affected by the Conduent data breach has yet to be confirmed, but it was a massive breach, affecting 14.7 million individuals in Texas alone.
Financial services remained the most targeted sector, with 739 confirmed data compromises, and the healthcare sector took second spot, with 534 confirmed compromises, down slightly from 2024’s 537 compromises. Professional services was the third most targeted sector with 478 compromises, followed by manufacturing (299) and education (188).
ITRC draws attention to a five-year trend of threat actors increasingly targeting static identifiers, which facilitate long-term fraud. Social Security numbers were involved in two-thirds of data breach reports in 2025, with one-third involving either bank accounts or driver’s license numbers. Between 2021 and 2025, the number of compromises involving Social Security numbers almost doubled, driver’s license data breaches increased by 139% over the same period, and bank account information breaches increased by 168%.
ITRC warns of the increasing risk from supply chain data breaches. In the space of a year, the number of entities affected by supply chain breaches almost doubled, from 660 in 2024 to 1,251 in 2025, even though the number of such attacks increased by only one year-over-year. From 2021 to 2025, supply chain breaches (those involving at least one third party) doubled, and they now account for 30% of all breaches.
For several years, ITRC has highlighted the growing trend of breached entities failing to provide consumers with adequate information about a data breach, preventing them from making an informed decision about the level of risk they face from the exposure of their data. For instance, a healthcare provider may state in a breach notice that there has been a data incident involving protected health information that was potentially subject to unauthorized access, when in reality a ransomware group has not only exfiltrated the data but has also posted it on the dark web, where anyone can download it free of charge.
ITRC said that in 2020, almost 100% of data breach notifications provided the root cause of the data breach in their notices, whereas in 2025, only 30% did. In the space of a year, the percentage of notices withholding the attack vector details increased from 65% in 2024 to 70% in 2025. “Businesses should prioritize transparency over liability mitigation,” urged James Lee, ITRC president.