U.S. Data Compromises Hit Record High in 2025

An unwanted new record was set in 2025 for data compromises, which increased by 4% from the record-breaking total in 2024, according to the Identity Theft Resource Center (ITRC). The ITRC is a non-profit organization dedicated to helping victims of data breaches, scams, and identity theft. ITRC also offers education to help consumers protect themselves against identity theft and fraud. ITRC tracks data compromises, which include data breaches, data leaks, and accidental exposures of sensitive consumer data.

The record total of 3,332 data compromises in a year represents a 79% increase in just five years, and the third successive year when more than 3,000 data compromises have been identified. While the historic high is concerning, there is at least some good news, as the number of individuals affected by data compromises has fallen sharply to the lowest annual total since 2014. Across the 3,332 data compromises, 278.8 million individuals were affected, down from 2024’s shockingly high total of 1.36 billion. The relatively low total is due to a lack of mega data breaches, which have been a regular feature over the past few years.

An ITRC poll of 1,000 U.S. consumers revealed 80% received at least one breach notice in the past year, and two-fifths received between three and five different notices. Out of the individuals who received a notice about a data breach, 88% said they experienced one or more negative consequences, such as an account takeover, an increase in spam emails and phishing attempts, or mental health issues.

Worryingly, the frequency with which data breach notices are being received is leading to breach fatigue. Of the people who did nothing after receiving a notice, 48.3% said they had breach fatigue from so many notices, 46.1% said they felt helpless because they believed there was nothing they could do about it, 41.6% said the language of the notification gave the impression that the breach was not serious enough to warrant any action, and 36% said they did not trust the notice and thought it was a scam.

Out of the 3,332 data compromises, 2,928 were data breaches, involving 232,726,796 victim notices, 24 were data exposures involving 527,894 victim notices, and there were 366 unknown compromises, involving 1,584,024 victim notices. Four of the data compromises involved previously compromised data. The largest confirmed data compromises of the year (based on victim notices) occurred at PowerSchool (71.9 million), AT&T (44 million), Aflac (22.7 million), Prosper Funding (17.6 million), and Conduent Business Services. The number of individuals affected by the Conduent data breach has yet to be confirmed, but it was a massive data breach, affecting 14.7 million individuals in Texas alone.

Financial services remained the most targeted sector, with 739 confirmed data compromises, and the healthcare sector took second spot, with 534 confirmed compromises, down slightly from 2024’s 537 compromises. Professional services was the third most targeted sector with 478 compromises, followed by manufacturing (299) and education (188).

ITRC draws attention to a five-year trend of threat actors increasingly targeting static identifiers, which facilitate long-term fraud. Social Security numbers were involved in two-thirds of data breach reports in 2025, with one-third involving either bank accounts or driver’s license numbers. Between 2021 and 2025, the number of compromises involving Social Security numbers almost doubled, driver’s license data breaches increased by 139% over the same period, and bank account information breaches increased by 168%.

ITRC warns of the increasing risk from supply chain data breaches, which in the space of a year almost doubled from 660 affected entities in 2024 to 1,251 affected entities in 2025, despite the number of attacks only increasing by one year-over-year. From 2021 to 2025, supply chain breaches doubled and now account for 30% of all breaches involving at least one third party.

For several years, ITRC has highlighted the growing trend of breached entities failing to provide consumers with adequate information about a data breach, preventing them from making an informed decision about the level of risk they face from their exposed data. For instance, a healthcare provider's breach notice may describe a "data incident" in which protected health information "was potentially subject to unauthorized access", when in reality a ransomware group has not only exfiltrated the data but also posted it on the dark web, where anyone can download it free of charge.

ITRC said that in 2020, almost 100% of data breach notifications provided the root cause of the data breach in their notices, whereas in 2025, only 30% did. In the space of a year, the percentage of notices withholding the attack vector details increased from 65% in 2024 to 70% in 2025. “Businesses should prioritize transparency over liability mitigation,” urged James Lee, ITRC president.

The post U.S. Data Compromises Hit Record High in 2025 appeared first on The HIPAA Journal.

Northwell Health & Northbay Healthcare Settle Litigation Over Website Pixel Use

Northwell Health & Northbay Healthcare were sued over the use of tracking tools on their websites, which are alleged to have illegally disclosed sensitive data to unauthorized third parties. Both healthcare providers have agreed to settle the lawsuits.

Northwell Health Data Breach Settlement

Northwell Health has agreed to settle litigation over its use of tracking software on its website. According to the lawsuit, tracking tools such as Meta Pixel and Google Analytics code were added to its website and were configured in a manner that resulted in protected health information being transmitted to third parties, without the consent of website visitors.

The lawsuit – Kaplan v. Northwell Health, Inc. – was filed in the New York State Supreme Court, Kings County, and alleged that information about website users’ past, present, or future health conditions, including the type and date of a medical appointment, was collected and transmitted to third parties. That information could be tied to individuals via identifiers such as their Facebook ID and IP address. The information disclosed could allow third parties to infer that an individual was seeking treatment for a specific medical condition and was a patient of Northwell Health. The lawsuit alleges that the use of tracking tools on the website without obtaining consent violated the Electronic Communications Privacy Act.
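The mechanism the complaint describes (a tracking pixel forwarding the page path and query string, which the third party then ties to its own identifiers such as a Facebook ID or the visitor's IP address) is straightforward to guard against at the point where the event leaves the browser. The following is an added example written for this article, not code from Northwell Health, Northbay Healthcare, or any tracking vendor; the hostnames, URLs, path patterns and query keys are constructed assumptions, and `send` stands in for the vendor's tracking call.

```javascript
// Added illustration, not Northwell Health's or Northbay Healthcare's code.
// A default pixel configuration fires a "PageView" event carrying the full
// page URL (path plus query string) on every page load. This guard decides,
// before that event is sent, whether a page view may leave the browser at
// all and what URL it may carry. The patterns and keys below are assumed.

const SENSITIVE_PATH_PATTERNS = [
  /\/appointments?(?:\/|$)/i,    // assumed: scheduling pages
  /\/patient-portal/i,           // assumed: authenticated patient portal
  /\/conditions?\//i,            // assumed: condition-specific content
  /\/providers?\//i,             // assumed: provider or specialty pages
];

const SENSITIVE_QUERY_KEYS = new Set([
  "type", "date", "provider", "specialty", "condition", "dob", "mrn", "email",
]);

// Returns a decision object. It never throws, so a malformed URL cannot make
// the tracking call fall through to an unsanitized default.
function classifyPageView(urlString, { authenticated = false } = {}) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { block: true, sanitizedUrl: null, reasons: ["unparseable URL"], strippedKeys: [] };
  }
  const reasons = [];
  // Any page viewed inside a logged-in session identifies the visitor as a patient.
  if (authenticated) reasons.push("authenticated session");
  for (const re of SENSITIVE_PATH_PATTERNS) {
    if (re.test(url.pathname)) reasons.push(`path matches ${re.source}`);
  }
  // Strip query parameters that describe the visit (appointment type, date, ...)
  // even on pages that are otherwise allowed.
  const strippedKeys = [];
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_QUERY_KEYS.has(key.toLowerCase())) {
      strippedKeys.push(key);
      url.searchParams.delete(key);
    }
  }
  url.hash = ""; // fragments can carry client-side state such as a selected slot
  const block = reasons.length > 0;
  return { block, sanitizedUrl: block ? null : url.toString(), reasons, strippedKeys };
}

// `send` stands in for the vendor call, e.g. fbq('track', 'PageView') or gtag('event', 'page_view').
function trackPageView(urlString, send, opts) {
  const decision = classifyPageView(urlString, opts);
  if (!decision.block) send({ event: "PageView", url: decision.sanitizedUrl });
  return decision;
}

// Demo on constructed URLs: an unguarded pixel would have sent all three in full.
const sent = [];
const samples = [
  "https://hospital.example/appointments/book?type=oncology&date=2024-03-01",
  "https://hospital.example/visiting-hours?utm_source=newsletter&email=pat%40example.com",
  "https://hospital.example/about-us",
];
for (const s of samples) trackPageView(s, (e) => sent.push(e));
console.log(JSON.stringify(sent, null, 2));
```

Of the three sample page views only two reach the third party, and the second does so without the `email` parameter; the appointment booking page is blocked outright rather than sanitized, because the path alone reveals that the visitor was scheduling care. A real deployment would also need to cover the vendor's automatic event collection (button clicks, form fields), which this guard does not intercept.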

Northwell Health disagrees with the claims and contentions in the lawsuit and sought to have the lawsuit dismissed. Northwell Health believes it would have prevailed on its motion to dismiss; however, before the motion to dismiss was argued, all parties engaged in settlement discussions. After considering the likely cost of continuing with the litigation and the risks associated with doing so, the decision was taken to settle the lawsuit.

There are two subclasses. The first consists of individuals who logged into the FollowMyHealth patient portal between January 1, 2020, and December 31, 2023, and any patient who booked an appointment via the website between the same dates; those individuals may claim a cash payment of $15.00. The second subclass consists of all other Northwell Health patients between January 1, 2020, and July 25, 2024, who are not included in the first subclass. Individuals in both subclasses are entitled to a 12-month subscription to a privacy monitoring service. Claims must be submitted by April 20, 2026. The final fairness hearing has been scheduled for April 21, 2026. Individuals wishing to opt out of the settlement or object must do so by March 23, 2026.

Northbay Healthcare Data Breach Settlement

Northbay Healthcare, the operator of two hospitals in Fairfield and Vacaville, California, and several care centers in Solano County, settled litigation over its use of website tracking tools, which are alleged to have impermissibly disclosed patient data to Meta Platforms, Google, and others.

The lawsuit – J.A., T.A., and N.C. v. NorthBay Healthcare Corporation – was filed in the Superior Court of Solano County, California, and alleged that the inclusion of the tools on its website, without informing patients and obtaining consent, resulted in an invasion of privacy and other common law and statutory violations. NorthBay Healthcare denies all allegations of wrongdoing and liability, and all material allegations in the class action complaint. After considering the likely costs of protracted litigation and the uncertainty of a trial and related appeals, the decision was taken to settle the litigation.

Under the terms of the settlement, individuals who were California residents between November 29, 2020, and May 14, 2024, and visited a Northbay Healthcare website or used the patient portal between those dates may submit a claim for a cash payment of $15.00. Class members may also claim a 12-month subscription to the CyEx Privacy Shield Pro privacy protection service. The deadline for opting out, objecting, and submitting a claim is March 12, 2026. The final fairness hearing has been scheduled for March 19, 2026.

The post Northwell Health & Northbay Healthcare Settle Litigation Over Website Pixel Use appeared first on The HIPAA Journal.