November 2025 Healthcare Data Breach Report

Based on breach reports submitted to the U.S. Department of Health and Human Services (HHS), November saw relatively low numbers of healthcare data breaches. On average in 2025, 57 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR) each month. In fact, for the past six years, data breaches have been reported at a rate of around 60 per month. The OCR breach portal currently lists 32 large healthcare data breaches for November, and a similar number were reported in October (28) – numbers that have not been regularly seen since 2018.

Healthcare data breaches in the past 12 months - November 2025

Compared to previous Novembers, data breaches have decreased substantially, with a 54% reduction from November 2024 and a 56% reduction from November 2023.

November healthcare data breaches 2020-2025

While data breaches appear to have halved in October and November, the decline coincides with the U.S. government shutdown caused by Congress failing to pass appropriations legislation for the 2026 fiscal year. The shutdown lasted from October 1, 2025, to November 12, 2025, and during that time, no data breaches were added to the OCR data breach portal. The resulting backlog has taken some time to clear, and there may still be breach reports from that period that have yet to be added to the breach portal.

Individuals affected by healthcare data breaches in the past 12 months - November 2025

Low numbers of data breaches do not always mean low numbers of affected individuals, as was demonstrated in October 2025, when only 28 breaches were reported but more than 11 million individuals were affected. Breach victims fell substantially in November, which saw the fewest individuals affected by large healthcare data breaches so far this year. Based on current figures, 1,415,934 individuals are known to have had their protected health information exposed or impermissibly disclosed in data breaches reported in November. That’s the lowest monthly total since January 2023, and an 87.2% reduction from October. So far in 2025, from January 1, 2025, to November 30, 2025, 686 large healthcare data breaches have been reported affecting 55,695,906 individuals.

Individuals affected by November healthcare data breaches - November 2025

The number of affected individuals in November 2025 was the lowest in the past five years. While the low numbers of data breaches and affected individuals are certainly good news, this trend may be short-lived, as some sizable data breaches have been confirmed by HIPAA-regulated entities in the past two months that have yet to appear on the OCR data breach portal.

The Biggest Healthcare Data Breaches Reported in November 2025

In November, 16 healthcare data breaches were reported to OCR that affected more than 10,000 individuals. The biggest confirmed healthcare data breach of the month affected VITAS Hospice Services in Florida and involved unauthorized access to the protected health information of almost 320,000 patients. An account used by one of its vendors was compromised, and the account was used to access VITAS systems.

The medical supply company Fieldtex Products reported the second-largest data breach, also a hacking incident, affecting 238,615 individuals. A further three breach reports were submitted to OCR by Fieldtex Products in December, adding a further 35,748 individuals to that total. Delta Dental of Virginia reported a hacking incident that was initially thought to have affected 145,918 individuals, although following investigation, the total was reduced to 126,953 individuals. This was the largest email data breach of the month and involved unauthorized access to a single email account.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
VITAS Hospice Services, LLC | FL | Healthcare Provider | 319,177 | Hacking incident involving a compromised vendor account
Fieldtex Products, Inc. | NY | Business Associate | 238,615 | Hacking incident
Delta Dental of Virginia | VA | Health Plan | 126,953 | Email account breach
Richmond Behavioral Health Authority | VA | Healthcare Provider | 113,232 | Ransomware attack
Persante Health Care | NJ | Business Associate | 111,815 | Hacking incident
Denton MHMR Center | TX | Healthcare Provider | 108,967 | Hacking incident
NS Support, LLC | ID | Healthcare Provider | 92,845 | Hacking incident – data theft confirmed
Anchorage Neighborhood Health Center | AK | Healthcare Provider | 70,555 | Hacking incident
Davies, McFarland & Carroll LLC | PA | Business Associate | 54,712 | Hacking incident – data theft confirmed
Morton Drug Company | WI | Healthcare Provider | 40,051 | Hacking incident
Marshfield Clinic Health System | WI | Healthcare Provider | 35,952 | Email accounts compromised
Loving and Living Center, PC dba Awakenings Center | NC | Healthcare Provider | 17,800 | Unauthorized access to the electronic medical record system
Healthcare Therapy Services, Inc. | IN | Healthcare Provider | 15,027 | Email accounts compromised
Millcreek Pediatrics | DE | Healthcare Provider | 14,095 | Hacking incident
Steven J. Pearlman MD PC | NY | Healthcare Provider | 11,764 | Hacking incident
Personic Management Company LLC | VA | Business Associate | 10,929 | Compromised third-party software platform

Data breaches must be reported to OCR within 60 days of discovery, per the HIPAA Breach Notification Rule. If the total number of affected individuals is not known, an estimate should be provided within those 60 days. HIPAA-regulated entities often submit a breach report using a placeholder figure of 500 or 501 affected individuals while data reviews are ongoing. In November, two data breaches were reported with totals of 500, indicative of placeholder figures.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
West Suburban Eye Surgery Center LLC | MA | Business Associate | 500 | Unauthorized Access/Disclosure
County of Catawba | NC | Health Plan | 500 | Hacking/IT Incident

Causes of November 2025 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 78% of the month’s data breaches (25 incidents) and 99.1% of the month’s affected individuals (1,403,361). On average, 56,134 individuals were affected by each of these incidents (median: 15,027).

Causes of November 2025 healthcare data breaches

Unauthorized access/disclosure incidents accounted for 15.6% of the month’s data breaches (5 incidents) and 0.5% of the month’s affected individuals (7,591). The average breach size was 1,518 individuals (median: 1,518). Loss and theft incidents accounted for 6.3% of the month’s breaches (2 incidents) and 0.4% of the month’s affected individuals. The average breach size was 2,491 individuals (median 2,491).

Ransomware attacks continue to be one of the biggest cyber threats in healthcare, although hacking incidents are rarely reported to OCR as ransomware. A recent analysis from GuidePoint Security identified a 58% year-over-year increase in ransomware attacks in 2025, with Qilin, INC Ransom, and SafePay the biggest threats to healthcare organizations. Some threat actors, such as Pear, have opted for pure data theft and extortion, skipping file encryption in their attacks. Pear has targeted several healthcare organizations in recent months, and a recently emerged ransomware group called Sinobi has claimed many healthcare victims.

Location of breached protected health information - November 2025

While a majority of the hacking incidents (59%) involved compromised network servers, email continues to be targeted and is often used for initial access in more comprehensive attacks on an organization. In November, almost 19% of incidents involved compromised email accounts.

Where did the Data Breaches Occur?

Healthcare providers were the worst-affected HIPAA-covered entities in November, with 22 reported breaches (867,100 affected individuals), followed by three data breaches at health plans (129,118 affected individuals) and no data breaches at healthcare clearinghouses. In November, 7 business associates of HIPAA-covered entities reported data breaches (419,716 affected individuals); however, a further two breaches occurred at business associates but were reported by the affected covered entities. The charts below are based on where the data breach occurred, rather than the entity that reported the breach.

Covered entities data breaches November 2025

HIPAA-regulated entities data breaches - November 2025

Geographic Distribution of Healthcare Data Breaches

In November, large healthcare data breaches were reported by HIPAA-regulated entities based in 21 U.S. states. Virginia was the worst-affected state with four breaches, followed by New York and Wisconsin with three data breaches each.

State | Breaches
Virginia | 4
New York & Wisconsin | 3
Florida, Minnesota, North Carolina & Pennsylvania | 2
Alaska, California, Connecticut, Delaware, Idaho, Illinois, Indiana, Maryland, Massachusetts, Michigan, New Jersey, New Mexico, Rhode Island & Texas | 1

While entities in Florida only experienced 2 large healthcare data breaches, the state had the highest number of affected individuals.

State | Individuals Affected
Florida | 322,859
New York | 252,617
Virginia | 252,027
New Jersey | 111,815
Texas | 108,967
Idaho | 92,845
Wisconsin | 77,726
Alaska | 70,555
Pennsylvania | 55,255
North Carolina | 18,300
Indiana | 15,027
Delaware | 14,095
Minnesota | 7,331
California | 4,285
Rhode Island | 4,000
New Mexico | 2,165
Michigan | 1,984
Maryland | 1,300
Connecticut | 1,260
Illinois | 1,021
Massachusetts | 500

HIPAA Enforcement Activity in November 2025

The government shutdown during October and a significant part of November brought many HHS workflows to a grinding halt as staff were furloughed, and there were no announcements about HIPAA enforcement actions. Enforcement activity is continuing, and while there were no new announcements, 2025 ranks as one of the busiest years for HIPAA enforcement. Including one penalty announced in December, OCR closed the year with settlements and civil monetary penalties – the second-highest annual total to date. State Attorneys General also enforce the HIPAA Rules; however, there were no known enforcement actions announced in November to resolve alleged HIPAA violations.

HIPAA penalties 2009-2025

This report is based on data obtained from the HHS’ Office for Civil Rights on January 20, 2026.

The post November 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Central Maine Healthcare Data Breach Affects 145,000 Individuals

Data breaches have recently been announced by Central Maine Healthcare, Dermatology Associates in Kentucky, and Reproductive Medicine Associates of Michigan. The Central Maine Healthcare data breach has affected 145,000 individuals.

Central Maine Healthcare

Central Maine Healthcare, an integrated nonprofit healthcare system serving around 400,000 residents in central and western Maine, has announced a major data breach involving the electronic protected health information of up to 145,000 patients.

Suspicious activity was identified within its IT systems on June 1, 2025, and immediate action was taken to secure its systems while an investigation sought to determine the nature and scope of the activity. The investigation determined that between March 19, 2025, and June 1, 2025, an unauthorized third party had access to its network and accessed or acquired files containing sensitive patient data.

The file review confirmed that names and Social Security numbers were compromised, in combination with one or more of the following: address, date(s) of service, provider names, treatment information, and health insurance information. Notification letters started to be mailed to the affected individuals in late December 2025, and single-bureau credit monitoring, credit report, and credit score services have been offered.

Dermatology Associates, Kentucky

Dermatology Associates in Louisville, Kentucky, has recently announced an August 2025 security incident that may have resulted in unauthorized access to patient data. Suspicious activity was identified within its computer systems on August 4, 2025, and third-party cybersecurity experts were engaged to investigate the activity.

The investigation confirmed unauthorized access to its network for a period of two months from June 4, 2025, to August 4, 2025. The data review is ongoing, so the types of information involved have yet to be confirmed. Dermatology Associates said the information likely exposed in the incident included names, addresses, dates of birth, driver’s license numbers, telephone numbers, physician names, billing/claims information, patient ID/account numbers, and health insurance information.

Steps have been taken to improve security, and notification letters will be sent by mail when the investigation is concluded. The data breach is currently shown on the HHS’ Office for Civil Rights breach portal with a placeholder figure of at least 501 affected individuals. The total will be updated when the file review is concluded.

Reproductive Medicine Associates of Michigan

Reproductive Medicine Associates of Michigan (RMAM), a fertility clinic in Troy, MI, has started notifying patients about a recent cybersecurity incident that involved the theft of sensitive data from its network. Suspicious network activity was identified on October 22, 2025, and immediate action was taken to secure its IT environment. Third-party cybersecurity specialists who were engaged to investigate the activity confirmed that data had been exfiltrated.

On December 19, 2025, a substitute data breach notice was added to the RMAM website that states that the file review is ongoing, and notification letters will be mailed to the affected individuals when that process is completed. The notifications will provide information on the exact types of information involved for each individual. At present, the total number of individuals affected has yet to be confirmed.

The post Central Maine Healthcare Data Breach Affects 145,000 Individuals appeared first on The HIPAA Journal.

HIPAA Training for Pharmacy Staff

HIPAA training for pharmacy staff is required because pharmacies routinely create, access, and share protected health information through prescriptions, insurance claims, medication therapy management, patient counseling, and coordination with prescribers and other providers. Training is one of the most practical ways to reduce avoidable disclosures, improve incident reporting, and keep workflows compliant. In most healthcare settings, annual HIPAA training is a widely followed best practice, and all workforce members should receive training that matches their role and the way they interact with patient information.

Why HIPAA Training Matters in a Pharmacy Setting

Pharmacies handle PHI in high volume and at high speed. The risk is not only unauthorized access to prescription profiles, but also everyday situations such as conversations at the counter, voicemail messages, delivery logistics, prior authorization paperwork, and sharing information with caregivers. HIPAA training helps staff recognize what information is sensitive, when a disclosure is permitted, and what to do when something feels off.

Who Should Be Trained

HIPAA training should cover the entire pharmacy workforce, including pharmacists, technicians, interns, delivery staff who handle labeled packages, call center or refill teams, managers, and any staff who can view or use patient information. Even team members without routine access to prescription systems can create risk through misdirected documents, insecure communication, or poor device and password habits, so training should not be limited to clinical roles.

When HIPAA Training Should Be Provided

New pharmacy workforce members should be trained within a reasonable period after starting, and before they begin independent work with prescription records or pharmacy systems. Training should also be refreshed when policies, workflows, or technology changes in a way that affects PHI, and when incidents or risk reviews show gaps that need corrective education. Many organizations reinforce these requirements with annual refresher training to keep knowledge current and consistent across shifts and locations.

What a Core HIPAA Course for Pharmacy Staff Should Cover

HIPAA training for pharmacy staff should cover the foundational requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, with enough depth to ensure staff understand both their legal obligations and their practical responsibilities in day-to-day pharmacy operations. The course content should clearly explain what constitutes protected health information, who is permitted to access it, and how the minimum necessary standard applies when dispensing medications, communicating with prescribers, handling insurance issues, and interacting with patients and caregivers.

Training should also address administrative, physical, and technical safeguards in a way that is meaningful for pharmacy workflows. This includes secure use of pharmacy systems, proper password management, workstation security, logging out of shared terminals, and protecting printed materials such as prescription labels, pickup logs, and insurance documentation. Staff should understand how improper disposal, unsecured screens, or casual conversations at the counter can lead to reportable incidents.

Another essential component is breach awareness and incident response. Pharmacy staff should be trained to recognize potential HIPAA violations, understand what constitutes a reportable breach, and know exactly how and when to report concerns internally without fear of retaliation. The training should reinforce that timely reporting is a compliance requirement and a key part of protecting patients and the organization.

HIPAA training should also include clear instruction on workforce responsibilities, including following policies and procedures, participating in required training, and cooperating with investigations or audits. For pharmacies that work with vendors, delivery services, or other third parties, training should explain the role of business associates and the importance of only sharing information in accordance with approved agreements and established workflows.

HIPAA Training for Emergencies and High-Pressure Scenarios

Pharmacy teams often operate under time pressure during urgent care encounters, disaster response, community outbreaks, and medication shortages, and those conditions can increase the likelihood of verbal disclosures, rushed identity checks, or documentation mistakes. Emergency-focused HIPAA training helps staff understand how permitted disclosures work when rapid coordination is needed, how to apply the minimum necessary standard even under pressure, and how to communicate safely with caregivers, first responders, and other providers while still protecting patient privacy. It also reinforces that emergencies are not a reason to abandon basic safeguards such as secure device use, careful phone communication, and prompt reporting if something goes wrong.

Criteria for Choosing a HIPAA Training Program for Pharmacy Staff

A pharmacy should look for a HIPAA training program that is maintained by HIPAA subject matter experts and updated as guidance and risks evolve, rather than relying on static content. The training should use clear language and practical scenarios that reflect real pharmacy workflows, not generic examples that leave staff unsure how to apply the rules.

Quality programs also verify learning through short tests or knowledge checks rather than relying only on attestations, and they support completion tracking so managers can confirm who was trained and when. Audit-ready documentation matters, so the program should provide reliable reporting, proof of completion, and certificates, along with records of course content and training dates. Flexibility is also important in pharmacy environments, so training that supports role-based assignments and modular delivery makes it easier to train pharmacists, technicians, and support staff appropriately without overtraining or skipping critical topics.

Additional HIPAA Training for Student Pharmacists on Placement

Student pharmacists receiving on-the-job training or clinical placements should complete comprehensive HIPAA training that addresses the specific ways students can violate HIPAA, especially around curiosity access, informal discussions, and use of personal devices. Student-focused training should reinforce that access to records is limited to a need-to-know basis tied to educational or clinical duties, and that students must follow supervisor direction and escalate questions to the appropriate privacy or compliance contact.

Because placements vary by site and system, student pharmacists should also receive orientation-level reinforcement at the start of each placement so they understand the local rules for system access, secure communication, and documentation, and where incidental disclosures commonly occur in that environment. Training should explicitly address modern risks that are especially relevant to students, including social media behavior and the prohibition on using PHI with commercial AI tools.

The post HIPAA Training for Pharmacy Staff appeared first on The HIPAA Journal.