HIPAA Breach News

Bayada Home Health Care Affected by Doctor Alliance Data Breach

Bayada Home Health Care, a New Jersey-based home healthcare provider serving 22 U.S. states, has recently announced a data breach involving a third-party vendor, Doctor Alliance. Doctor Alliance provides services that facilitate physician signatures on clients’ Home Health Certifications and Plans of Care, which involve access to patients’ protected health information.

On December 4, 2025, Doctor Alliance notified Bayada Home Health Care about a cybersecurity incident involving access and potential acquisition of client data by an unauthorized third party. According to Doctor Alliance, an unauthorized third party had access to the Doctor Alliance network between October 31 and November 6, 2025, and November 14 and 17, 2025. During that time, Home Health Certification and Plan of Care forms may have been acquired.

Bayada Home Health Care said it is not aware that any of its forms were copied; however, unauthorized data access could not be ruled out. The exposed forms contained a range of sensitive patient information, including names, dates of birth, diagnoses, medical/physical treatment information, provider information, health insurance plan information, prescription information, hospital admissions/discharges, and disability information, and for a subset of individuals, Social Security numbers.

Bayada Home Health Care said it has discontinued using Doctor Alliance as a vendor in response to the data breach. A review has been conducted of its policies and procedures relating to third-party vendors, and steps have been taken to minimize the risk of similar incidents in the future. The data breach has been reported to state attorneys general and the HHS’ Office for Civil Rights. The incident is not currently listed on the OCR data breach portal, so it is unclear how many individuals have been affected.

Marion County Public Health Department, Indiana

Marion County Public Health Department in Indiana has identified an insider incident involving unauthorized access to the protected health information of 792 clients. An employee was discovered to have accessed more than the necessary patient information to complete their job duties, including names, addresses, dates of birth, and lab test results for clients who received tests that were processed by the Marion County Public Health Department lab.

Marion County Public Health Department said it has found no evidence to suggest that any of the accessed information has been misused and stressed that no financial information was accessed by the employee. In response to the incident, further training has been provided to staff members on the HIPAA minimum necessary standard and its internal policies, and technical safeguards have been enhanced to limit access to protected health information to the minimum necessary for job duties.

The post Bayada Home Health Care Affected by Doctor Alliance Data Breach appeared first on The HIPAA Journal.

December 2025 Healthcare Data Breach Report

In the final month of 2025, a further 41 healthcare data breaches affecting 500 or more individuals were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) by HIPAA-regulated entities. December’s total was the joint second-lowest monthly total of the year and the fourth month in a row where data breaches have been reported in unusually low numbers. Over the past four months, an average of 40.75 large data breaches have been reported per month, compared to an average of 66.5 large data breaches per month for the preceding four months. December 2025’s total is the lowest December total since 2019.

Healthcare data breaches in 2025

One possible explanation for the unusually low total is the 43-day government shutdown, due to the failure of Congress to pass appropriations legislation. All but non-essential staff at the HHS were furloughed, during which time no breach reports were added to the OCR breach portal. While data breach reports have now been added to the breach portal for that period, it is possible that OCR has yet to fully clear the backlog, and the totals for September to December may increase over the coming weeks.

December healthcare data breaches 2021-2025

As it stands, there are currently 697 data breaches listed for 2025, a 6% reduction from the 742 large data breaches reported in 2024. The 697 total will almost certainly increase. When we compiled our December 2024 healthcare data breach report on January 20, 2025, 721 large healthcare data breaches were listed. A further 21 were added to the breach portal for 2024 in the following weeks and months.

Individuals affected by healthcare data breaches in 2025

Across the 41 healthcare data breaches currently listed for December 2025, the protected health information of only 345,564 individuals was exposed or impermissibly disclosed. The number of affected individuals in each of the past four months has also been atypically low, with an average of 1,336,061 individuals affected each month. For the preceding four months (May to August), the average monthly total was 8,181,449 individuals. The totals for the past four months will certainly increase, as many data breach investigations are ongoing, and it has yet to be determined how many individuals have been affected.

Individuals affected by December healthcare data breaches 2021-2025

December 2025’s 346,564 affected individuals is the lowest monthly total since December 2017, when 343,260 individuals were affected. Currently, 60,976,942 individuals are known to have been affected by healthcare data breaches in 2025, a 78.9% reduction from 2024, although 2024’s total includes the gargantuan data breach at Change Healthcare, which affected 192,700,000 individuals.

Largest Healthcare Data Breaches Reported in December 2025

Only five data breaches were reported in December that affected 10,000 or more individuals, the largest of which was a hacking incident at the Rochester, NY-based medical supply fulfillment organization, Fieldtex Products. While the largest single report filed by Fieldtex Products in December covered 104,071 individuals, the company filed four separate breach reports with OCR that month, affecting a total of 139,009 individuals, and a further breach report in November, affecting 35,748 individuals. These five reports are thought to stem from the same hacking incident, detected by Fieldtex Products on August 19, 2025.

AllerVie Health, a Texas-based network of allergy and asthma centers, fell victim to a ransomware attack in November 2025, with the hackers found to have had access to its network from October 24, 2025, to November 3, 2025. The Anubis ransomware group claimed responsibility for the attack. Medical Center LLP, doing business as Dublin Medical Center in Georgia, experienced a hacking incident that affected 20,641 individuals, and Variety Care in Oklahoma was affected by a cyberattack on its business associate TriZetto, a provider of administrative services to HIPAA-regulated entities. Variety Care was one of many covered entities affected by the data breach. While the total number of affected individuals has yet to be confirmed, the TriZetto data breach is now known to have affected more than 700,000 individuals.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Fieldtex Products, Inc. | NY | Business Associate | 104,071 | Hacking incident
AllerVie Health | TX | Healthcare Provider | 80,521 | Ransomware attack (Anubis)
Medical Center, LLP | GA | Healthcare Provider | 32,090 | Hacking incident
Fieldtex Products, Inc. | NY | Business Associate | 20,641 | Hacking incident
Variety Care | OK | Healthcare Provider | 17,163 | Hacking incident at business associate (TriZetto Provider Solutions)

Six data breaches were reported in December 2025, with totals of 500 or 501 affected individuals. These are commonly used ‘placeholder’ estimates when the investigation is still ongoing as the deadline for reporting the data breach to OCR approaches. These totals will almost certainly increase and will be updated when the data breach investigations are concluded.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Associated Radiologists of the Finger Lakes, P.C. | NY | Business Associate | 501 | Hacking incident
Glendale Obstetrics & Gynecology PCA | AZ | Healthcare Provider | 501 | Hacking incident
Reproductive Medicine Associates of Michigan | MI | Healthcare Provider | 501 | Hacking incident – data theft confirmed
Mitchell County Department of Social Services | NC | Healthcare Provider | 501 | Ransomware attack – data theft confirmed
Greater St. Louis Oral & Maxillofacial Surgery PC | MO | Healthcare Provider | 501 | Compromised email account in a phishing attack
Madison Healthcare Services | MN | Healthcare Provider | 500 | Hacking incident – Worldleaks threat group claimed responsibility

Causes of December 2025 Healthcare Data Breaches

Hacking and other IT incidents accounted for 80.5% of the month’s data breaches, with 33 such incidents reported, affecting 327,095 individuals – 94.4% of the month’s total. The average breach size was 9,912 individuals, and the median breach size was 2,511 individuals. There were 8 unauthorized access/disclosure incidents in December, affecting 19,469 individuals. The average breach size was 2,434 individuals, and the median breach size was 1,469 individuals. No loss, theft, or improper disposal incidents were reported in December.

Causes of December 2025 healthcare data breaches

The most common location of breached protected health information was network servers, followed by six incidents involving compromised email accounts.

Location of breached PHI in December 2025

Where did the Data Breaches Occur?

Healthcare providers were the worst-affected regulated entities in December, reporting 29 of the month’s 41 data breaches (191,900 individuals). Six data breaches were reported by health plans (12,272 individuals) and six by business associates (142,392 individuals). When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure that breach notifications are sent and OCR is notified. The covered entities may choose to delegate the notification responsibilities to the business associate, although oftentimes, the affected HIPAA-covered entities report the breach themselves. For instance, covered entities affected by the data breach at TriZetto Provider Solutions reported the breach, even though it occurred at their business associate (or at a subcontractor of their business associate). To better reflect the role of business associates, the charts below show data breach figures based on where the data breach occurred, rather than on the entity reporting the data breach.

Data breaches at HIPAA-regulated entities in December 2025

Data breaches at HIPAA-regulated entities in December 2025 - individuals affected

Geographic Distribution of Healthcare Data Breaches

California was the worst-affected state in December in terms of data breaches, with nine HIPAA-regulated entities known to have been affected. The high total is due to the data breach at TriZetto Provider Solutions, which was either a business associate of, or a subcontractor of a business associate of, six of the nine affected entities. New York ranked second, but four of its five data breaches were reported by the same entity, Fieldtex Products.

State | Data Breaches
California | 9
New York | 5
Texas | 4
Maryland, Michigan, Minnesota, Missouri, Oklahoma, Oregon & Tennessee | 2
Arizona, Florida, Georgia, Illinois, Louisiana, Maine, Massachusetts, North Carolina & Ohio | 1

While California topped the list for data breaches, New York was the worst state in terms of the number of affected individuals, followed by Texas.

State | Individuals Affected
New York | 140,320
Texas | 85,728
Georgia | 32,090
California | 31,013
Oklahoma | 18,275
Missouri | 9,343
Oregon | 6,473
Louisiana | 4,519
Maryland | 4,027
Tennessee | 3,138
Illinois | 2,511
Massachusetts | 1,638
Ohio | 1,629
Michigan | 1,560
Maine | 1,259
Florida | 1,036
Minnesota | 1,003
Arizona | 501
North Carolina | 501

HIPAA Enforcement Activity in December 2025

In December, OCR announced one HIPAA enforcement action that involved a financial penalty. Texas-based Concentra, Inc., was investigated after OCR received a complaint from an individual who had not been provided with timely access to his medical and billing records. Concentra agreed to settle the alleged HIPAA Right of Access violation and paid a $112,500 penalty. This was the 54th financial penalty under the HIPAA Right of Access enforcement initiative, which commenced in late 2019 and is ongoing. It has been a busy year of HIPAA enforcement, with OCR resolving 21 HIPAA violation cases with regulated entities in 2025 with a financial penalty. OCR collected $8,330,066 in penalties from those enforcement actions.

State attorneys general also enforce the HIPAA Rules, although 2025 was a quiet year, with only one financial penalty imposed to resolve a data breach investigation. Orthopedics NY LLP (OrthoNY) paid $500,000 to settle alleged cybersecurity failures that led to a breach of the protected health information of more than 656,000 individuals. The New York Attorney General cited violations of HIPAA and state cybersecurity laws.

The post December 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Court Rules State Regulator’s Investigation of Blue Cross Blue Shield of Montana May Proceed

A district court judge in Montana has ruled that the State Auditor and Insurance Commissioner’s investigation of Blue Cross Blue Shield of Montana (BCBSMT) over a data breach affecting 462,000 individuals may proceed. The data breach involved BCBSMT’s third-party vendor Conduent Business Services. The Safepay ransomware group claimed responsibility for the attack and stole 8.5 TB of data. While the full scale of the data breach is still unclear, at least 25 million Americans were affected nationwide. BCBSMT reported the data breach separately as affecting 462,000 Montanans.

Commissioner James Brown launched the investigation into BCBSMT and Conduent over the data breach to help educate the public about data breaches, improve the regulation of insurance companies to prevent further breaches, and determine whether there have been any unlawful acts that warrant a financial penalty, namely, whether BCBSMT complied with the state law requiring insurers to provide timely notice when a data breach occurs. The data breach was significant, as one-third of state residents had their data compromised, and it took nine months for the notice to be issued.

BCBSMT mounted a legal challenge, claiming the auditor’s office lacked the authority to conduct the investigation. BCBSMT argued that it was exempt from reporting the breach as it was covered by federal law, and that a breach notice was submitted as a courtesy. Last year, the state legislature passed a bill that was signed into law by the state governor, requiring companies with a federal exemption to follow state breach notification rules; however, the law did not take effect until October 1, 2025.

Hackers had access to Conduent’s systems between October 2024 and January 2025, and BCBSMT learned from Conduent that it was one of the affected clients a few days after Conduent learned about the attack. BCBSMT learned about the extent of the data breach on July 1, 2025, then conducted its own investigation and notified the state in October 2025. BCBSMT said its analysis of the incident was completed on September 23, 2025, days before the new law took effect. BCBSMT argued that it was being unfairly targeted and that nothing in the bill made it retroactive.

The commissioner’s office argued that the delay in issuing notifications was unreasonable from a consumer protection standpoint. The First Judicial District Court in Helena dismissed the BCBSMT lawsuit against the commissioner’s office, although not on the substance of the complaint. The judge ruled that the commissioner’s office must first be given the opportunity to investigate, review the evidence, and issue an administrative decision. BCBSMT will then have the opportunity to challenge any administrative decision.

“To permit a declaratory judgment action here would be to use the UDJA to afford [BCBSMT] an opportunity to ‘skip the administrative process’ and obtain an avenue to immediate judicial review of the Commissioner’s actions that Blue Cross does not otherwise possess,” ruled District Court Judge Chris Abbott. Judge Abbott also confirmed that once the administrative process has been completed, BCBSMT will have an opportunity to come back to court to challenge any determinations made by the commissioner’s office.

Commissioner James Brown welcomed the decision, which sends a strong message to regulated companies that they will be held responsible if they violate consumer protection laws. The investigation will now seek to determine if consumer protection laws have been violated. “Montana has very strong laws protecting the privacy of Montana citizens, and I take that obligation and responsibility to protect the rights and personal data of Montanans very responsibly,” said Brown. “I’m pleased that the district court in Helena is allowing us to move forward with our investigation.”

January 28, 2026: Blue Cross Blue Shield of Montana Faces Data Breach Probe

Health Care Service Corporation, doing business as Blue Cross Blue Shield of Montana (BCBSMT), is facing a probe into whether the company complied with Montana’s breach notification law following a significant data breach that impacted approximately 462,000 Montanans.

Like many health insurance providers, BCBSMT contracted with Conduent Business Services, a business associate that provides back-office administrative services to HIPAA-covered entities and government agencies. On January 13, 2025, Conduent identified unauthorized access to its network, and its forensic investigation confirmed that a threat actor had access to its network for three months between October 13, 2024, and January 13, 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, health plan and medical record identifiers, diagnosis and treatment codes, provider details, and claims information. The Safepay ransomware group claimed responsibility for the attack.

Conduent disclosed the attack in a filing with the U.S. Securities and Exchange Commission (SEC) on April 9, 2025, although at the time the investigation was ongoing to determine the extent of the data breach. It has been more than a year since the attack was detected, and it is still unclear how many individuals have been affected. The Oregon Attorney General was notified that around 10.5 million individuals had been affected nationwide, and subsequently, the Texas Attorney General was informed that 14.7 million Texas residents had been affected.

In January 2025, BCBSMT was notified by Conduent that it was one of the affected clients; however, BCBSMT did not notify the affected individuals until October 2025 – a year after Conduent’s systems were first breached and 9 months after it first learned that it had been affected. State regulators launched a probe to determine if BCBSMT was compliant with state data breach notification law, which requires notifications to be issued without unreasonable delay. State regulators also seek to establish the circumstances surrounding the data breach.

The Montana Office of the Commissioner of Securities and Insurance (CSI) scheduled a public administrative hearing on January 22, 2026, to gather evidence about the breach, establish a timeline of events, and determine how BCBSMT responded to the incident. BCBSMT sought a temporary restraining order from the Lewis and Clark County District Court to prevent the hearing from taking place; however, the court denied the request.

“It is troubling that it appears [BCBS] attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts,” said Montana CSI communications director Tyler Newcombe. “Our office is committed to protecting Montanans and ensuring a fair, transparent, and very serious process when sensitive personal and health data may have been placed at risk. Our office will consider all the evidence and then issue a final order in due course.”

A Hearing Examiner will review the record from the hearing and will propose a decision for the Commissioner to consider. The Commissioner will publish further information about the timeline of events to ensure transparency over the lengthy delay in issuing breach notifications.

The post Court Rules State Regulator’s Investigation of Blue Cross Blue Shield of Montana May Proceed appeared first on The HIPAA Journal.

Mitchell County Dept. Social Services; 360 Dental; GiaCare Announce Data Breaches

Protected health information has been exposed in data security incidents at Mitchell County Department of Social Services in North Carolina, 360 Dental in Pennsylvania, and GiaCare in Florida.

Mitchell County Department of Social Services

Individuals who received services from Mitchell County Department of Social Services in North Carolina have had their sensitive information stolen in a ransomware attack. The investigation into the October 2025 ransomware attack on Mitchell County was initiated on October 20, 2025, following the encryption of files. The attack caused email and phone outages that lasted for several days. The forensic investigation confirmed that there had been unauthorized network access between October 16, 2025, and October 20, 2025, during which time files were exfiltrated.

The data review and investigation are ongoing to determine the types of information involved and the individuals affected. After that information has been confirmed and up-to-date contact information has been obtained, notification letters will be mailed to the affected individuals. Complimentary credit monitoring and identity theft protection services will be offered to the affected individuals, if appropriate, for instance, if their Social Security numbers were compromised in the incident.

The data breach has been reported to the HHS’ Office for Civil Rights using an interim total of 501 individuals. The total will be updated when County officials have confirmed the total number of affected individuals. County officials have confirmed that steps have been or will be taken in response to the incident to strengthen security. Those measures include upgrading the County email system, deploying additional software to enhance detection and accelerate the County’s response to cyber incidents, updating password policies, and strengthening restrictions for access to computer systems.

360 Dental

360 Dental in Philadelphia, PA, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 11,273 individuals. According to its substitute breach notice, this was a ransomware attack that resulted in file encryption. The incident was detected on November 16, 2025, and the file review confirmed that sensitive patient data had been exposed in the incident.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: date of birth, address, telephone number, email, patient account or chart number, dental and clinical records (such as treatment history, clinical notes, x-rays, and diagnostic information), insurance provider and member ID, appointment information, and emergency contacts. A limited number of Social Security numbers were also exposed.

360 Dental has taken steps to improve security following the ransomware attack. The affected computers have been replaced, the affected server has been rebuilt, software has been updated, and additional security tools have been implemented, including firewalls, antivirus software, multifactor authentication, and VPN-only remote access.

GiaCare

GiaCare, a Coral Springs, Florida-based company that provides healthcare staffing and IT services to government entities and healthcare organizations, has recently announced a data security incident, first identified on or around December 23, 2025.

GiaCare learned that a vulnerability existed in Gladinet CentreStack, a third-party file sharing platform. GiaCare worked closely with its IT vendor to investigate and confirm the security of its systems and data. The IT vendor confirmed that GiaCare’s own systems were secure and had not been accessed; however, the vulnerability had been exploited, and data within the Gladinet CentreStack platform had been accessed and exfiltrated by an unauthorized third party on December 6, 2025. While the threat actor involved was not named, several cybersecurity firms linked the Gladinet CentreStack attacks to the Cl0p ransomware group – a group known to target zero-day vulnerabilities in file-sharing platforms.

The file review confirmed that names, Social Security numbers, and driver’s license numbers were compromised in the incident. The affected individuals are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. The number of affected individuals has yet to be publicly disclosed.

The post Mitchell County Dept. Social Services; 360 Dental; GiaCare Announce Data Breaches appeared first on The HIPAA Journal.

MACT Health Board Patients Affected by November 2025 Ransomware Attack

MACT Health Board has confirmed that patient data was stolen in a November 2025 cyberattack, for which the INC Ransom ransomware group claimed credit. Data breaches have also been announced by TriCity Family Services in Illinois, HAP (Health Alliance Plan) in Michigan, and Zenflow in California.

MACT Health Board, California

MACT Health Board, a provider of healthcare services to the American Indian and Alaska Native population in Mariposa, Amador, Alpine, Calaveras & Tuolumne counties in California, has notified individuals affected by a November 2025 security incident. MACT Health Board launched an investigation into a potential security breach when it experienced disruption to its IT systems. The investigation confirmed that an unauthorized third party had access to its computer network from November 12, 2025, to November 20, 2025. A review of the exposed files commenced on November 25, 2025, and was completed on January 9, 2026.

Patient information compromised in the incident included names in combination with one or more of the following: diagnoses, test results, medical images, treatment information, doctors’ names, and/or Social Security numbers. Notification letters started to be mailed to the affected individuals on January 23, 2026, and individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services. Additional safeguards and technical security measures have been implemented to prevent similar incidents in the future. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

TriCity Family Services, Illinois

TriCity Family Services, a provider of counseling and mental health services to residents in Kane County, Illinois, has started notifying 2,511 patients about a data security incident. In the spring of 2025, suspicious activity was identified within its computer network. An investigation was launched, and it was confirmed that an unauthorized actor had access to its computer network from November 11, 2024, to May 14, 2025. During that time, sensitive data was exfiltrated from its network.

The file review confirmed that the following information was included in the exfiltrated files: names, dates of birth, presenting health issues, requested treatment, treatment location, and provider names. Its electronic medical record system was not accessed in the attack. TriCity Family Services said it is reviewing its policies, procedures, and processes related to the storage and access of sensitive information and will take steps to improve security to prevent similar incidents in the future.

While the nature of the incident was not disclosed, the INC Ransom ransomware group claimed responsibility for the attack and added TriCity Family Services to its dark web data leak site. INC Ransom claimed to have exfiltrated 22 GB of data in the attack.

HAP (Health Alliance Plan), Michigan

HAP (Health Alliance Plan) in Michigan has notified 1,059 individuals about the exposure of some of their protected health information as a result of a phishing attack. On October 24, 2025, an employee responded to a phishing email and inadvertently disclosed their credentials, allowing the threat actor to access their account. The investigation was unable to determine if any member information was accessed or acquired in the incident, so notification letters were sent to all potentially affected individuals. Protected health information in the account was limited to names, addresses, dates of birth, and HAP ID numbers, and for a limited number of individuals, Social Security numbers. The affected individuals have been offered two years of complimentary identity theft protection services as a precaution.

Zenflow, California

Zenflow, a San Francisco-based medical device company, has recently notified individuals about a security incident. Only limited information about the incident has been released to date; the notice does not state when the incident occurred, the nature of the security breach, or for how long its computer systems were subject to unauthorized access. The data breach notice submitted to the Massachusetts Attorney General indicates that names and Social Security numbers were involved, and that single-bureau credit monitoring and identity theft protection services have been offered to the affected individuals for 24 months. It is currently unclear how many individuals have been affected.

The post MACT Health Board Patients Affected by November 2025 Ransomware Attack appeared first on The HIPAA Journal.

More than 100K Munson Healthcare Patients Affected by Cerner Cyberattack

Munson Healthcare, the largest health system in Northern Michigan, has recently notified patients about unauthorized access to its electronic medical record system. The unauthorized access started as early as January 22, 2025, and was detected by its EHR vendor Cerner on February 20, 2025. Cerner, now Oracle Health, confirmed that a hacker gained access to two legacy Cerner servers and potentially stole a range of personal and health information. Munson Healthcare has confirmed that the stolen data included names, Social Security numbers, and information typically found in electronic medical records, such as medical record numbers, diagnoses, medications, test results, care and treatment information, and doctors’ names. The data on the servers was awaiting migration to the Oracle Cloud at the time of the data breach.

Munson Healthcare said Cerner took action to prevent further unauthorized access, engaged third-party cybersecurity experts to investigate the data breach, and notified law enforcement about the cyberattack. While Oracle Health publicly confirmed the cyberattack in March 2025, it has taken months for the affected healthcare providers to be notified, and many patients have only recently learned that their personal and health information was stolen in the incident. Munson Healthcare attributed the delay in issuing notifications to Cerner, which has previously stated that the delay was at the request of law enforcement so as not to interfere with the investigation.

Oracle Health has not confirmed exactly how many of its healthcare provider clients have been affected, nor the number of affected individuals. Multiple class action lawsuits have been filed in response to the data breach, and as part of the litigation, the company’s attorneys said up to 80 hospitals may have been affected. Munson Healthcare was one of the worst-affected clients, with 101,891 current and former patients affected. Munson Healthcare has confirmed that the affected individuals have been offered complimentary credit monitoring and identity theft protection services for two years.

Munson Healthcare’s Chief Legal Officer, Rachel Roe, and Michigan Attorney General Dana Nessel issued a consumer alert about the data breach last week. Attorney General Nessel is pushing for stronger consumer data protection laws to be enacted. New legislation was passed by the Senate last summer, but has yet to be passed by the House of Representatives. “These [notification] delays put consumers at higher risk of identity theft, and our state needs stronger laws to better protect Michiganders from bad actors,” said AG Nessel. “I urge anyone who receives a notice that their personal information may have been compromised to consider taking advantage of the free credit monitoring resources being offered.”

The post More than 100K Munson Healthcare Patients Affected by Cerner Cyberattack appeared first on The HIPAA Journal.

Patients of Philadelphia’s Laurel Health Centers Affected by Data Breach

Patients of Laurel Health Centers have been notified that their protected health information was exposed in a July 2025 security incident, and Modern Health has identified unauthorized access to member profiles.

Laurel Health Centers

Laurel Health Centers, a Federally Qualified Health Center network in Northern Pennsylvania, has discovered unauthorized access to its email environment. An investigation was launched on July 14, 2025, to determine the cause of unusual email activity. The investigation determined that an unauthorized third party had access to certain email accounts between July 11, 2025, and July 25, 2025. During that time, emails and files may have been viewed or copied.

The affected email accounts were reviewed and found to contain patient information. The types of information vary from individual to individual and may include names in combination with one or more of the following: address, telephone number, email address, date of birth, Social Security numbers, medical record number, date(s) of service, medical provider, Medicare information, insurance information, diagnostic information, treatment and diagnosis data, insurance carrier, procedure codes, disability status, dental and denture information, immunization record, behavioral health information, Pennsylvania Account ID, account number, credit card information, checking account information and claim information.

Laurel Health Centers said it took time to conclusively determine that the threat actor no longer had access to its systems, hence the delay between discovering the unauthorized activity and confirming that the threat actor had been eradicated from its email environment. The review of the email accounts concluded on December 30, 2025, and notification letters were mailed to the affected individuals shortly thereafter. Complimentary credit monitoring services have been offered to the affected individuals. The incident is not currently listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Modern Health

Modern Health, a management support organization that provides services to several affiliated entities, including Modern Health Arizona, Modern Health California, Modern Health New Jersey, Elevate Tele-Medicine Telehealth, and Modern Life, has recently notified the Massachusetts Attorney General about an incident involving unauthorized access to member profiles on its behavioral health platform.

In November 2025, Modern Health determined that an unauthorized individual had accessed a limited number of member profiles. Steps were immediately taken to disable those profiles, and an investigation was launched to determine the extent of the unauthorized activity. The affected profiles were reviewed and found to contain sensitive member data, although Social Security numbers and financial information were not exposed. The review of the affected profiles was completed on January 5, 2026, and the affected individuals were notified via email on January 12, 2026. It is currently unclear how many individuals were affected in total. The Massachusetts Attorney General was informed that two state residents were affected.

The post Patients of Philadelphia’s Laurel Health Centers Affected by Data Breach appeared first on The HIPAA Journal.

Columbia Medical Practice; Jupiter Medical Center Announce Data Breaches

Columbia Medical Practice has experienced a ransomware attack in which patient data was stolen, and Jupiter Medical Center has notified patients that their personal and health information was stolen in a January 2025 security incident.

Columbia Medical Practice

Columbia Medical Practice in Columbia, Maryland, has recently confirmed that patient data was compromised in a November 2025 ransomware attack. The investigation confirmed that a threat actor accessed its network on November 5, 2025, and used malware to encrypt files. Prior to file encryption, files were exfiltrated, some of which contained patient information. Columbia Medical Practice said it was able to recover the encrypted files, and it is reviewing the affected files to determine the individuals affected and the exact types of data involved. Columbia Medical Practice did not name the attacker in its notice, but the Qilin ransomware group has claimed responsibility for the attack.

The electronic medical record system was not accessed; however, files on the compromised parts of its network contained names, addresses, phone numbers, birth dates, passport numbers, Social Security numbers, driver’s license numbers, other government identifiers, financial account information (but not information such as security codes that would permit access), health insurance information, patient account numbers, and health information, which may include diagnoses, diagnosis codes, treatment/condition information, prescription information, history information, dates of service, locations of service, assigned physician names and health services payment information. The types of information involved vary from individual to individual.

Columbia Medical Practice said it is evaluating additional technical measures, reviewing its cyber auditing practices, and reviewing and updating its policies and procedures to reduce the risk of similar incidents in the future. Notification letters will be mailed to the affected individuals when the file review is concluded. At present, the incident is not listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Jupiter Medical Center

Jupiter Medical Center in Jupiter, Florida, has started notifying patients about unauthorized access to electronic medical records. Notification letters have only recently been sent, although the data breach occurred in January 2025. The breach involved its medical record vendor, Cerner (now Oracle Health).

Jupiter was one of many healthcare providers affected by the breach. While Oracle Health has not confirmed publicly exactly how many of its clients were affected, in a recent lawsuit, Oracle Health’s attorneys said up to 80 hospitals may have been affected. Jupiter Medical Center said law enforcement requested delaying announcing the data breach and issuing notifications as it would potentially interfere with the law enforcement investigation.

The breach affected a limited number of patients and involved information typically found in medical records, as well as Social Security numbers. The affected individuals have been offered two years of complimentary credit monitoring services.

The post Columbia Medical Practice; Jupiter Medical Center Announce Data Breaches appeared first on The HIPAA Journal.

November 2025 Healthcare Data Breach Report

Based on breach reports submitted to the U.S. Department of Health and Human Services (HHS), November saw relatively low numbers of healthcare data breaches. On average in 2025, 57 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR) each month. In fact, for the past six years, data breaches have been reported at a rate of around 60 per month. The OCR breach portal currently lists 32 large healthcare data breaches for November, and a similar number were reported in October (28) – numbers that have not been regularly seen since 2018.

Healthcare data breaches in the past 12 months - November 2025

Compared to previous Novembers, data breaches have decreased substantially, with a 54% reduction from November 2024 and a 56% reduction from November 2023.

November healthcare data breaches 2020-2025

While data breaches appear to have halved in October and November, the drop coincides with the U.S. government shutdown caused by Congress failing to pass appropriations legislation for the 2026 fiscal year. The shutdown lasted from October 1, 2025, to November 12, 2025, and during that time, no data breaches were added to the OCR data breach portal. The resulting backlog has taken some time to clear, and there may still be breach reports from that period that have yet to be added to the breach portal.

Individuals affected by healthcare data breaches in the past 12 months - November 2025

Low numbers of data breaches do not always mean low numbers of affected individuals, as was demonstrated in October 2025, when only 28 breaches were reported, but more than 11 million individuals were affected. Breach victims fell substantially in November, which saw the lowest number of individuals affected by large healthcare data breaches so far this year. Based on current figures, 1,415,934 individuals are known to have had their protected health information exposed or impermissibly disclosed in data breaches reported in November. That is the lowest monthly total since January 2023, and an 87.2% reduction from October. So far in 2025, from January 1, 2025, to November 30, 2025, 686 large healthcare data breaches have been reported affecting 55,695,906 individuals.

Individuals affected by November healthcare data breaches - November 2025

The number of affected individuals in November 2025 was the lowest for any November in the past five years. While the low numbers of data breaches and affected individuals are certainly good news, this trend may be short-lived, as some sizable data breaches have been confirmed by HIPAA-regulated entities in the past two months that have yet to appear on the OCR data breach portal.

The Biggest Healthcare Data Breaches Reported in November 2025

In November, 16 healthcare data breaches were reported to OCR that affected more than 10,000 individuals. The biggest confirmed healthcare data breach of the month affected VITAS Hospice Services in Florida and involved unauthorized access to the protected health information of almost 320,000 patients. An account used by one of its vendors was compromised, and the account was used to access VITAS systems.

The medical supply company Fieldtex Products reported the second-largest data breach, also a hacking incident, affecting 238,615 individuals. A further three breach reports were submitted to OCR by Fieldtex Products in December, adding another 35,748 individuals to that total. Delta Dental of Virginia reported a hacking incident that was initially thought to have affected 145,918 individuals, although following the investigation, the total was reduced to 126,953 individuals. This was the largest email data breach of the month and involved unauthorized access to a single email account.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| VITAS Hospice Services, LLC | FL | Healthcare Provider | 319,177 | Hacking incident involving a compromised vendor account |
| Fieldtex Products, Inc. | NY | Business Associate | 238,615 | Hacking incident |
| Delta Dental of Virginia | VA | Health Plan | 126,953 | Email account breach |
| Richmond Behavioral Health Authority | VA | Healthcare Provider | 113,232 | Ransomware attack |
| Persante Health Care | NJ | Business Associate | 111,815 | Hacking incident |
| Denton MHMR Center | TX | Healthcare Provider | 108,967 | Hacking incident |
| NS Support, LLC | ID | Healthcare Provider | 92,845 | Hacking incident – data theft confirmed |
| Anchorage Neighborhood Health Center | AK | Healthcare Provider | 70,555 | Hacking incident |
| Davies, McFarland & Carroll LLC | PA | Business Associate | 54,712 | Hacking incident – data theft confirmed |
| Morton Drug Company | WI | Healthcare Provider | 40,051 | Hacking incident |
| Marshfield Clinic Health System | WI | Healthcare Provider | 35,952 | Email accounts compromised |
| Loving and Living Center, PC dba Awakenings Center | NC | Healthcare Provider | 17,800 | Unauthorized access to the electronic medical record system |
| Healthcare Therapy Services, Inc. | IN | Healthcare Provider | 15,027 | Email accounts compromised |
| Millcreek Pediatrics | DE | Healthcare Provider | 14,095 | Hacking incident |
| Steven J. Pearlman MD PC | NY | Healthcare Provider | 11,764 | Hacking incident |
| Personic Management Company LLC | VA | Business Associate | 10,929 | Compromised third-party software platform |

Data breaches must be reported to OCR within 60 days of discovery, per the HIPAA Breach Notification Rule. If the total number of affected individuals is not known, an estimate should be provided within those 60 days. HIPAA-regulated entities often submit a breach report using a placeholder figure of 500 or 501 affected individuals when data reviews are ongoing. In November, two data breaches were reported with 500 totals indicative of placeholder figures.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| West Suburban Eye Surgery Center LLC | MA | Business Associate | 500 | Unauthorized Access/Disclosure |
| County of Catawba | NC | Health Plan | 500 | Hacking/IT Incident |

Causes of November 2025 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 78% of the month’s data breaches (25 incidents) and 99.1% of the month’s affected individuals (1,403,361). On average, 56,134 individuals were affected by each of these incidents (median: 15,027).

Causes of November 2025 healthcare data breaches

Unauthorized access/disclosure incidents accounted for 15.6% of the month’s data breaches (5 incidents) and 0.5% of the month’s affected individuals (7,591). The average breach size was 1,518 individuals (median: 1,518). Loss and theft incidents accounted for 6.3% of the month’s breaches (2 incidents) and 0.4% of the month’s affected individuals. The average breach size was 2,491 individuals (median 2,491).

Ransomware attacks continue to be one of the biggest cyber threats in healthcare, although hacking incidents are rarely reported as such. A recent analysis from GuidePoint Security identified a 58% year-over-year increase in ransomware attacks in 2025, with Qilin, INC Ransom, and SafePay the biggest threats to healthcare organizations. Some threat actors, Pear, for example, have opted for pure data theft and extortion, skipping file encryption in their attacks. Pear has targeted several healthcare organizations in recent months, and a recently emerged ransomware group called Sinobi has claimed many healthcare victims.

Location of breached protected health information - November 2025

While the majority of the month’s breaches (59%) involved compromised network servers, email continues to be targeted and is often used for initial access in more comprehensive attacks on an organization. In November, almost 19% of the month’s breaches involved compromised email accounts.

Where did the Data Breaches Occur?

Healthcare providers were the worst-affected HIPAA-covered entities in November, with 22 reported breaches (867,100 affected individuals). Three data breaches were reported by health plans (129,118 affected individuals), and none by healthcare clearinghouses. In November, 7 business associates of HIPAA-covered entities reported data breaches (419,716 affected individuals); a further two breaches occurred at business associates but were reported by the affected covered entities. The charts below are based on where the data breach occurred, rather than the entity that reported the breach.

Covered entities data breaches November 2025

HIPAA-regulated entities data breaches - November 2025

Geographic Distribution of Healthcare Data Breaches

In November, large healthcare data breaches were reported by HIPAA-regulated entities based in 21 U.S. states. Virginia was the worst-affected state with four breaches, followed by New York and Wisconsin with three data breaches.

| State | Breaches |
|---|---|
| Virginia | 4 |
| New York & Wisconsin | 3 |
| Florida, Minnesota, North Carolina & Pennsylvania | 2 |
| Alaska, California, Connecticut, Delaware, Idaho, Illinois, Indiana, Maryland, Massachusetts, Michigan, New Jersey, New Mexico, Rhode Island & Texas | 1 |

While entities in Florida experienced only 2 large healthcare data breaches, the state had the highest number of affected individuals.

| State | Individuals Affected |
|---|---|
| Florida | 322,859 |
| New York | 252,617 |
| Virginia | 252,027 |
| New Jersey | 111,815 |
| Texas | 108,967 |
| Idaho | 92,845 |
| Wisconsin | 77,726 |
| Alaska | 70,555 |
| Pennsylvania | 55,255 |
| North Carolina | 18,300 |
| Indiana | 15,027 |
| Delaware | 14,095 |
| Minnesota | 7,331 |
| California | 4,285 |
| Rhode Island | 4,000 |
| New Mexico | 2,165 |
| Michigan | 1,984 |
| Maryland | 1,300 |
| Connecticut | 1,260 |
| Illinois | 1,021 |
| Massachusetts | 500 |

HIPAA Enforcement Activity in November 2025

The government shutdown during October and a significant part of November brought many HHS workflows to a grinding halt as staff were furloughed, and there were no announcements about HIPAA enforcement actions. Enforcement activity is continuing, and while there were no new announcements, 2025 ranks as one of the busiest years for HIPAA enforcement. Including one penalty announced in December, OCR closed the year with settlements and civil monetary penalties – the second-highest annual total to date. State Attorneys General also enforce the HIPAA Rules; however, there were no known enforcement actions announced in November to resolve alleged HIPAA violations.

HIPAA penalties 2009-2025

This report is based on data obtained from the HHS’ Office for Civil Rights on January 20, 2026.

The post November 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.