HIPAA Breach News

Security Researcher Identifies Exposed 150,000-record Home Health Care Database

Cybersecurity researcher Jeremiah Fowler has found an exposed 23.7 GB database containing more than 145,000 files, such as PDFs, PNGs, and other image files. The database has been linked to the California home health and palliative care provider, Archer Health. Fowler analyzed a sample of the files and identified patient names, contact information, Social Security numbers, and patient ID numbers. The files included medical documents such as discharge summaries, which included health information such as conditions, diagnoses, admission and discharge dates, treatment information, care plan information, as well as assessments and home health certifications.

Many of the image files were screenshots of healthcare management software that showed active dashboards, logging, tracking, and scheduling details. Some of the folder names included patients’ first and last names – a bad security practice. As Fowler pointed out, personally identifiable information such as patient names can easily be exposed through error or monitoring logs. Fowler was able to link the database to Archer Health and notified the company about the exposed database, which was secured within hours and is no longer accessible. Archer Health thanked Fowler for bringing the matter to their attention and confirmed that an investigation had been launched, and any security issues that led to the exposure would be addressed.

It was not possible to tell how long the database was exposed, if it was accessed or copied by any unauthorized individuals, or whether the database was maintained by Archer Health or one of its vendors. Since only a sample of files was analyzed, it is unclear how many patients had their data exposed.

Mailing Error Impacts More Than 3,100 Arizonans

The Arizona Health Care Cost Containment System (AHCCCS), Arizona’s Medicaid agency, has notified 3,177 members about an impermissible disclosure of a limited amount of protected health information. On August 29, 2025, a mailing error was identified with a routine mailing regarding members’ health plan enrollment when a member called AHCCCS after receiving a misdirected letter.

The mailing was immediately halted, and an investigation was launched to determine the cause of the error, the individuals affected, and the information involved. The letters did not include any highly sensitive information, such as Social Security numbers, only a member’s name, AHCCCS identification number, and health plan name. In each case, the letters were sent to one incorrect recipient. HCCCS said it has conducted a review of its mailing processes and procedures and has taken steps to prevent similar mis-mailings in the future.

The post Security Researcher Identifies Exposed 150,000-record Home Health Care Database appeared first on The HIPAA Journal.

Cyberattack on Coos County Family Health Services Exposed Patient Data

Data breaches have recently been announced by Coos County Family Health Services in New Hampshire, Roush Fenway Keselowski Racing in North Carolina, and the University of North Carolina at Chapel Hill/UNC School of Medicine.

Coos County Family Health Services

Coos County Family Health Services, a primary care provider based in Berlin, New Hampshire, has recently announced a privacy incident that was identified on July 9, 2025, when suspicious activity was observed in its servers and phone systems. An investigation was launched, which confirmed that an unauthorized third party had access to its servers and phone systems on July 9, 2025, and may have copied data from those systems.

While ransomware was not mentioned in the notification letters, this appears to have been a ransomware attack. A ransomware group called RunSomeWarez claimed responsibility for the attack and added Coos County Family Health Services to its dark web data leak site. The group claims to have exfiltrated data. A ransom does not appear to have been paid.

Coos County Family Health Services reviewed the affected files and confirmed that they contained patient information such as names, dates of birth, contact information, Social Security numbers, medical information, and medical identification numbers. While no evidence has been found to suggest any misuse of the exposed data, complimentary credit monitoring and identity theft protection services have been offered to the affected individuals as a precaution.  Security policies and procedures have also been reviewed and enhanced to prevent similar incidents in the future.

Roush Fenway Keselowski Racing

Roush Fenway Keselowski Racing has recently announced that it was the victim of a cyberattack that resulted in unauthorized access to systems containing the protected health information of employee health plan members. Suspicious activity was identified within its computer environment on May 14, 2025, and third-party digital forensics experts were engaged to investigate the activity. The investigation confirmed that files were either accessed or copied from its network.

The files were reviewed, and on August 4, 2025, Roush Fenway Keselowski Racing confirmed that health plan member information was exposed, including names, addresses, dates of birth, Social Security numbers, driver’s license/state identification card numbers, health insurance subscriber numbers, passport numbers, health information, financial account information, health insurance information, health insurance claim information, and medical information. Up to 2,160 individuals were affected and have been offered complimentary identity monitoring services.

The University of North Carolina at Chapel Hill – School of Medicine

The University of North Carolina at Chapel Hill and the University of North Carolina Hospitals have announced a breach of an email account of a UNC School of Medicine employee. The investigation revealed the email account was accessed by an unauthorized third party following a response to a phishing email. The attacker used social engineering techniques to trick the employee into clicking a malicious link and disclosing their account credentials. The email appeared to have been sent by a trusted source.

The breach was detected on July 24, 2025, and was remediated within 15 hours of the unauthorized access; however, during that time, the attacker potentially viewed or acquired the electronic protected health information of patients.  The potentially compromised information included names, dates of birth, diagnosis and treatment information, Social Security numbers, driver’s license numbers, financial information, health insurance information, and/or information about a research study that the individuals were involved in or eligible to participate in.

Notification letters were mailed to the affected individuals on September 19, 2025, and complimentary credit monitoring has been offered to individuals whose Social Security numbers, driver’s license numbers, financial information, and/or health insurance information were involved. The data breach was reported to the HHS Office for Civil Rights by the University of North Carolina at Chapel Hill – School of Medicine as affecting 799 individuals, and UNC Hospitals as affecting 6,377 individuals.

The post Cyberattack on Coos County Family Health Services Exposed Patient Data appeared first on The HIPAA Journal.

OneBlood Will Pay Up to $1M to Settle Class Action Data Breach Lawsuit

OneBlood, a non-profit organization that provides blood to approximately 350 hospitals in the southeastern United States, has agreed to pay up to $1,000,000 to resolve a class action lawsuit over its July 2024 ransomware attack and data breach. Between July 14, 2024, and July 29, 2024, a threat actor had access to OneBlood’s computer systems and exfiltrated sensitive data before using ransomware to encrypt files.  The investigation confirmed that protected health information had been exposed, and a total of 167,400 individuals had their names and Social Security numbers exposed or stolen.

Three of the affected individuals, Deanna Newberry, Matthew Shuttleworth, and Andy Shuttleworth, took legal action seeking damages for themselves and similarly situated individuals. In the lawsuit, Deanna Newberry, et al. v OneBlood, Inc., the plaintiffs claimed that OneBlood failed to implement reasonable and appropriate security measures to secure their personal information, and that the ransomware attack and data breach could have been prevented if appropriate security measures had been implemented.

OneBlood disagrees with the claims and contentions in the lawsuit and denies any wrongdoing, while the plaintiffs believe that their claims have merit. A settlement was agreed upon by all parties to resolve all claims in the lawsuit, with both sides agreeing that a settlement was in the best interests of all parties to avoid the costs and risks of a trial and related appeals. The settlement has received preliminary approval from Florida Circuit Court Judge Keathan B. Frink and provides benefits for the plaintiffs and class members.

Class members may choose one of two cash payments:  a claim may be submitted for reimbursement of up to $2,500 per class member for documented, unreimbursed out-of-pocket losses related to the data breach, or they may instead claim an alternative cash payment of $60.00. OneBlood will pay a maximum of $1,000,000 to cover attorneys’ fees and expenses, service awards for class members, settlement administration costs, and cash payments. If that total is reached, the cash payments will be subject to a pro rata decrease. OneBlood has also committed to making improvements to security and will provide class counsel with a confidential list of the security measures implemented since the data breach to improve security for the benefit of the settlement class and other future donors.

Class members must submit a claim for a cash payment by December 4, 2025. Should any class member wish to opt out of the settlement or file an objection, they must do so by November 9, 2025. The final fairness hearing has been scheduled for December 9, 2025. Further information can be found on the settlement website: https://oneblooddatasettlement.com/

January 15, 2025: OneBlood Notifies Individuals Affected by July 2024 Ransomware Attack

On July 31, 2024, the Florida nonprofit blood donation organization OneBlood announced it had fallen victim to a ransomware attack. The attack took its IT systems out of operation, and while blood was still able to be collected, tested, and distributed, manual processes had to be used, which significantly reduced its capacity. The reduced capacity forced the hospitals OneBlood serves to implement their critical blood shortage protocols. OneBlood serves around 350 hospitals in the Southeastern United States.

OneBlood has recently confirmed that the ransomware group exfiltrated files and folders in the attack that contained the personal information of blood donors, including their names and Social Security numbers. The breach notification letters explain that the ransomware attack was detected on or around July 28, 2024, and the investigation confirmed that the ransomware group had access to its IT network from July 14 to July 29, 2024.

It has taken four and a half months to investigate the incident and review the files and folders on the compromised parts of its network to determine the individuals affected and the types of information involved. That process was completed on December 9, 2024, and notification letters started to be mailed on or around January 9, 2025, five and a half months after the data was stolen. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months. In addition to signing up for those services, the affected individuals should carefully check their accounts for signs of fraudulent charges going back to the date of the initial compromise – July 14, 2024.

It is currently unclear how many individuals had their data stolen in the attack. OneBlood has notified the South Carolina State Attorney General that 1,530 blood donors in the state are affected.

August 1, 2024: Ransomware Attack on U.S. Blood Donation Nonprofit Affecting Blood Supplies

OneBlood, a Florida-based nonprofit blood donation organization, has experienced a ransomware attack that is affecting its ability to provide blood to U.S. hospitals. OneBlood operates in Alabama, Florida, Georgia, and North and South Carolina, and provides blood to around 350 hospitals in those states. OneBlood announced on July 31, 2024, that it had fallen victim to a ransomware attack that affected its software system. OneBlood said it is still operational and is continuing to collect, test, and distribute blood, but is having to use manual processes and procedures that take considerably longer, which means it is currently operating at a significantly reduced capacity.

Due to the limited operational capacity, OneBlood has informed all 350 hospitals that it serves to implement their critical blood shortage protocols and to remain in that status until the ransomware attack has been remediated. One of the affected health systems is AdventHealth in Florida, which has confirmed that it has implemented its blood conservation protocols. To help prevent critical blood shortages, the national blood community is rallying to assist OneBlood and the hospitals and patients it serves by sending blood and platelets.

OneBlood said all blood types are required, but there is an urgent need for O-positive and O-negative blood and platelet donations, and donors across the country are being urged to make appointments for donations as soon as possible.  National resources are being coordinated by the AABB Disaster Task Force to direct additional blood products to OneBlood.

OneBlood has engaged cybersecurity specialists to assist with the investigation and determine the scope of the attack. At this early stage of the investigation, it is not possible to tell to what extent, if any, donor information has been obtained by the attackers. Further information will be released as the investigation progresses, and if donor information is involved, notifications will be issued to the affected individuals.

A source contacted Bleeping Computer and said the attack occurred over the weekend and involved the encryption of data on its VMware hypervisor infrastructure and OneBlood has confirmed that it is working around the clock to restore its software systems. While the threat actor responsible for the attack has yet to be confirmed, the RansomHub group is suspected of being behind the attack. RansomHub has no qualms about conducting attacks on healthcare organizations and has recently attacked the Rite Aid pharmacy chain, the Florida Department of Health, American Clinical Solutions (ACS) in Florida, the Baim Institute for Clinical Research in Boston, and the UK-based independent living aid manufacturer NRS Healthcare. While RansomHub was not behind the ransomware attack on Change Healthcare, it did attempt extortion after obtaining a copy of the data stolen in the attack.

There have been other recent ransomware attacks on healthcare organizations that have caused blood supply shortages.  On June 3, 2024, the Qilin ransomware group conducted a ransomware attack on Synnovis, a UK pathology services provider to the National Health Service (NHS). The attack caused major disruption to blood transfusions in London, and without access to automated processes, its ability to operate was greatly reduced, and the attack led to blood shortages that are continuing.

The hospitals that Synnovis serves were asked to restrict the use of O Type blood to essential cases and to use substitutions when it was safe to do so. Synnovis has now confirmed that it restored its systems this week; however, its blood transfusion services are expected to face continued disruption over the summer, with a full recovery not expected until early autumn. Another attack affected the U.S. operations of the Swiss pharma firm OctaPharma Plasma, which operates more than 190 donation centers in 35 states. The ransomware attack is thought to have been conducted by the BlackSuit ransomware group and forced OctaPharma Plasma to shut down its donation centers for several weeks.

The post OneBlood Will Pay Up to $1M to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Albany Gastroenterology Consultants: November 2024 Data Breach Affects Almost 58,000 Patients

Albany Gastroenterology Consultants and Inlet Care (Communicare) are notifying patients affected by cyberattacks in November 2024 that involved unauthorized access to systems containing patient data.

Albany Gastroenterology Consultants

Albany Gastroenterology Consultants in New York State has notified the Maine Attorney General about a data breach involving the personal and protected health information of up to 57,751 individuals. Unusual network activity was identified on November 19, 2024, which disrupted access to one of its computer systems. Steps were taken to isolate the system, and an investigation was launched to determine the nature of the activity and whether any patient data had been compromised. The investigation confirmed unauthorized access to its network and that certain personal information was accessed and acquired by the threat actor on November 10, 2024.

While notification letters were mailed to some of the affected individuals on September 23, 2025; however, the data breach was first disclosed by Albany Gastroenterology Associates in January 2025. The first batch of notification letters was mailed on January 28, 2025, and stated that the review of the affected files concluded on January 21, 2025. According to the latest batch of notification letters, the file review was completed on September 17, 2025, indicating further individuals were found to have been affected. The letters state that names and Social Security numbers were involved. While data theft was confirmed, at the time of issuing notifications, Albany Gastroenterology Consultants was unaware of any misuse of the affected data. Steps have since been taken to enhance its security posture to reduce the risk of similar incidents in the future. Complimentary credit monitoring and identity theft protection services have been made available.

Inlet Care (Communicare)

Inlet Care, doing business as Communicare, a provider of behavioral health, developmental disabilities, and substance abuse services in Kentucky, has discovered unauthorized access to its computer network. Unusual activity was identified within its network on November 23, 2024. Steps were immediately taken to secure its systems, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had access to its network for a short period on November 23, and while the window of opportunity was short, files containing sensitive information of current and former employees, dependents, and other individuals were exfiltrated from the network.

The review of the affected files has recently been completed, and Communicate has confirmed that they contained names in combination with one or more of the following: Social Security number, date of birth, driver’s license number, state-issued identification number, passport number, military identification number, financial account information, medical information, and health insurance information. Security policies and procedures have been reviewed, and additional cybersecurity measures are being implemented to strengthen security. Notification letters are now being mailed to the affected individuals. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Albany Gastroenterology Consultants: November 2024 Data Breach Affects Almost 58,000 Patients appeared first on The HIPAA Journal.

Business Associate ApolloMD Confirms Breach Affecting Multiple Physician Practices

ApolloMD Business Services, LLC (ApolloMD), an Atlanta, GA-based provider of integrated, multispecialty physician, APC, and practice management services, has recently disclosed a security incident affecting several of its physician practice clients.

Unusual activity was identified within the ApolloMD network environment on May 22, 2025. An investigation was launched to determine the nature and scope of the activity, and steps were taken to secure its network. Assisted by a third-party cybersecurity firm, ApolloMD learned that an unauthorized third party had access to its network from May 22, 2025, to May 23, 2025. During that time, files containing the electronic protected health information (ePHI) of ApolloMD’s affiliated physicians and practices may have been accessed or acquired.

The file review determined that the information potentially stolen in the incident included names, addresses, dates of birth, diagnoses, provider names, dates of service, treatment information, and health insurance information. A subset of individuals also had their Social Security numbers exposed. ApolloMD notified the affected physicians and practices between July 21, 2025, and September 11, 2025, and notification letters started to be mailed to the affected individuals on September 17, 2025. ApolloMD has confirmed that complimentary credit monitoring and identity theft protection services are being offered to individuals whose Social Security numbers were exposed.

ApolloMD did not disclose details about the nature of the attack; however, the Qilin ransomware group claimed responsibility and added ApolloMD to its dark web data leak site in June 2025. Qilin claimed to have exfiltrated a large amount of sensitive data and said it would release the data on June 16, 2025, if the ransom was not paid. At the time of writing, the Qilin data leak site is not accessible, and other sites operated by the group are protected by a login. Qilin has been the most active ransomware group in four of the five months up to August 2025, according to cybersecurity firm Cyble, having claimed more than twice the number of victims as the second most active group. It should be stated that ransomware groups have been known to fabricate claims on their data leak sites.

The total number of affected individuals has not been made public by ApolloMD at this stage, and the data breach is not currently shown on the HHS’ Office for Civil Rights website.

ApolloMD is issuing notification letters on behalf of the following covered entity clients.

  • Passaic Hospitalist Services, LLC
  • Passaic River Physicians, LLC
  • Pensacola Hospitalist Physicians, LLC
  • Broad River Physicians Group, LLC
  • Olive Branch Emergency Physicians, LLC
  • Aurora Emergency Physicians, LLC
  • The Bortolazzo Group, LLC
  • Methodist University Emergency Physicians, PLLC
  • Trinity Emergency Physicians, LLC
  • Lorain Emergency Physicians, LLC
  • Pennsylvania Hospitalist Group, LLC

The post Business Associate ApolloMD Confirms Breach Affecting Multiple Physician Practices appeared first on The HIPAA Journal.

Michigan Critical Access Hospital Suffers Two Hacking Incidents Affecting Almost 78,000 Individuals

Sturgis Hospital, a rural critical access hospital in the Northern Black Hills in Michigan, has recently reported two security incidents to the HHS’ Office for Civil Rights, both of which have potentially affected up to 77,771 individuals. The first incident was identified in December 2024 when unauthorized activity was observed in part of its computer network. Third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the unauthorized activity. Unauthorized access was confirmed, the incident was remediated, and the exposed files were reviewed to determine the individuals affected and the types of data involved.

The investigation and file review had not concluded when further unauthorized network activity was detected in June 2025. A separate investigation was launched into the second incident, with assistance provided by third-party experts. Based on the two investigations, Sturgis Hospital concluded that there was potentially unauthorized access to patient and employee information and files containing sensitive patient and employee data may have been exfiltrated from its network.

The file review confirmed that the exposed information included names, contact information, government identification numbers such as Social Security numbers, financial account information, health insurance information, and clinical information, such as treatment information, prescriptions, and other medical information. Sturgis Hospital said it worked with third-party cybersecurity experts to secure its systems and implement additional cybersecurity measures to prevent similar incidents in the future. The affected individuals have been offered complimentary subscriptions to credit monitoring and identity theft protection services. Law enforcement was notified about both incidents, and while law enforcement did not request delaying notifications, it has taken some time to investigate the incidents. Notification letters are now being mailed to the affected individuals.

Only a few weeks ago, Aspire Rural Health System, another rural healthcare provider in Michigan, announced a cyberattack and data breach that affected up to 140,000 individuals, and Endless Mountains Health Systems in Montrose, Pennsylvania, experienced a suspected ransomware attack in March 2025. Many rural healthcare providers are struggling to remain viable, and in some cases are providing care well below the cost of providing their healthcare services. With limited funds available for cybersecurity and difficulties attracting skilled cybersecurity staff, they can be vulnerable to cyberattacks. The HHS has recently confirmed that $50 billion is being made available in grants to transform rural healthcare over the next five years, one of the goals of which is to help rural healthcare providers invest in technology and improve cybersecurity.

The post Michigan Critical Access Hospital Suffers Two Hacking Incidents Affecting Almost 78,000 Individuals appeared first on The HIPAA Journal.

August 2025 Healthcare Data Breach Report

There has been a 13.7% month-over-month increase in large healthcare data breaches, with 58 breaches affecting 500 or more individuals reported to the HHS’ Office for Civil Rights in August, slightly lower than the 2025 average of 63.5 large healthcare data breaches per month.

Individuals affected by healthcare data breaches in the past 12 months

August healthcare data breaches (2020-2025)

Since 2009, the number of reported healthcare data breaches has generally increased each year, although there was a slight reduction in data breaches last year (746 in 2023 vs. 739 in 2024), and that trend appears to be continuing this year. HIPAA-regulated entities have reported 508 large healthcare data breaches in the year to August 31, 2025, compared to 515 large healthcare data breaches over the corresponding period in 2024.

Individuals affected by healthcare data breaches in the past 12 months

Individuals affected by healthcare data breaches in August -2020-2025

For the second consecutive month, the number of individuals affected by healthcare data breaches has fallen. Across the 58 data breaches, the protected health information of 3,789,869 individuals was exposed or impermissibly accessed/disclosed. On average, 5,084,784 individuals have been affected by healthcare data breaches each month this year (median 3,583,200 individuals).

The number of affected individuals is down 84.7% for the year to date compared to 2024, although in July last year, Change Healthcare reported its gargantuan data breach, which we now know affected 192.7 million individuals.  Even discounting that data breach as an outlier, there has been a considerable fall in the number of individuals affected by healthcare data breaches this year, down 43.93% from 2024 and 60.9% from the same period in 2023. Further information on healthcare data breaches can be found on our healthcare data breach statistics page.

The Biggest Healthcare Data Breaches in August 2025

There were only 13 data breaches affecting 10,000 or more individuals in August, the largest of which was a ransomware attack on the kidney dialysis company DaVita, which affected 2,689,826 individuals, which is 71% of the total affected individuals in August. The Interlock ransomware group claimed responsibility for the attack. Vital Imaging Medical Diagnostic Centers (VIMDC) in Florida experienced the second-largest data breach, with up to 260,000 individuals affected. While data theft was not confirmed, VIMDC said data theft was likely. Three of the four largest healthcare data breaches in August were all ransomware attacks. Aspire Rural Health System and Highlands Oncology Group also fell victim to ransomware attacks.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
DaVita Inc. CO Healthcare Provider 2,689,826 Ransomware attack – Data theft confirmed (Interlock)
Vital Imaging Medical Diagnostic Centers, LLC FL Healthcare Provider 260,000 Hacking incident – Data theft suspected
Aspire Rural Health System MI Healthcare Provider 138,386 Ransomware attack – Data theft confirmed (BianLian)
Highlands Oncology Group PA AR Healthcare Provider 111,766 Ransomware attack (Medusa)
University of Iowa Community Home Care IA Healthcare Provider 109,029 Hacking incident – Data theft confirmed
University of Iowa Health Care IA Healthcare Provider 101,875 Hacking incident – Data theft confirmed
CPAP Medical Supplies and Services Inc. FL Healthcare Provider 90,133 Hacking incident
Langdon & Company, LLP Certified Public Accountants NC Business Associate 46,061 Hacking incident – Data theft confirmed
Pediatric Otolaryngology Head & Neck Surgery Associates, P.A. FL Healthcare Provider 43,446 Hacking incident
MDLand International Corporation NY Business Associate 22,586 Ransomware attack
Beech Acres Parenting Center OH Healthcare Provider 19,315 Hacking incident
Pacific Imaging Management, LLC CA Healthcare Provider 13,158 Compromised email accounts
West Texas Oral Facial Surgery TX Healthcare Provider 11,151 Hacking incident

The 13 data breaches affecting 10,000 or more individuals could well grow over the coming weeks, as 11 data breaches were reported in August that had suspected placeholder figures of 500 or 501 affected individuals. These figures are commonly used when the number of affected individuals has not been determined by the reporting deadline of the HIPAA Breach Notification Rule.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach
Meridian Valley Laboratories, Inc. WA Healthcare Provider 501 Hacking/IT Incident
Department of Social Services for Vance County, North Carolina NC Business Associate 501 Hacking/IT Incident
CareTracker, Inc. NY Business Associate 501 Hacking/IT Incident
Mower County Health and Human Services MN Healthcare Provider 501 Hacking/IT Incident
PROVAIL WA Healthcare Provider 501 Hacking/IT Incident
Woodlawn Hospital IN Healthcare Provider 500 Hacking/IT Incident
McEwen & Associates TX Business Associate 500 Hacking/IT Incident
McEwen & Associates TX Business Associate 500 Hacking/IT Incident
McEwen & Associates TX Business Associate 500 Hacking/IT Incident
Aflac Incorporated (“Aflac”) GA Health Plan 500 Hacking/IT Incident
Friesen Group CA Healthcare Provider 500 Hacking/IT Incident

Causes of August 2025 Healthcare Data Breaches

Hacking and other IT incidents dominated the August breach reports, accounting for 87.9% of the month’s data breaches (51 data breaches). Across those breaches, the protected health information of 3,635,101 individuals was exposed or impermissibly accessed or disclosed – 95.9% of the individuals affected by data breaches in August. The average breach size was 71,276 records, and the median breach size was 3,569 records.

Causes of August 2025 healthcare data breaches

There were 7 unauthorized access/disclosure incidents affecting a total of 154,768 individuals. The average breach size was 22,110 records, and the median breach size was 3,215 records. No loss or theft incidents have been reported for five months, and there have been no improper disposal incidents for three months. The most common location of breached protected health information was network servers, followed by email accounts.

Location of breached protected health information in august 2025

Affected HIPAA-Regulated Entities

In August, 44 data breaches were reported by healthcare providers, affecting 3,698,013 individuals, 12 data breaches were reported by business associates, affecting 88,141 individuals, and 2 data breaches were reported by health plans, affecting 3,715 individuals. When a data breach occurs at a business associate, it is ultimately the responsibility of the affected covered entities to report the breach, although that responsibility is often delegated to the business associate. Since some covered entities choose to report business associate breaches themselves, the above figures do not accurately show where the data breach occurred. The charts below are based on the entity that experienced the data breach rather than the entity that reported the incident.

Data breaches at HIPAA-regulated entities in August 2025

Individuals affected by data breaches at HIPAA-regulated entities in August 2025

Geographical Distribution of August 2025 Healthcare Data Breaches

California was the worst-affected state with 7 large data breaches reported by HIPAA-regulated entities based in the state, closely followed by Florida and Texas with 6 data breaches. In August, HIPAA-regulated entities in 23 states reported large data breaches.

State Breaches
California 7
New York & Texas 6
Florida 5
Indiana, North Carolina & Washington 3
Arkansas, Connecticut, Georgia, Iowa, Massachusetts, Michigan, Minnesota, Utah & Wisconsin 2
Arizona, Colorado, Illinois, Mississippi, Montana, Nebraska & Ohio 1

While California had the most breaches, the state ranked 8th in terms of the number of affected individuals. New York ranked 7th, and Texas ranked 9th. Only one data breach was reported by a Colorado-based entity, but it was the largest data breach of the month, ensuring the state ranked top in terms of affected individuals.

State Records
Colorado 2,689,826
Florida 405,348
Iowa 210,904
Michigan 139,401
Arkansas 114,257
North Carolina 50,584
New York 44,882
California 33,873
Texas 20,848
Ohio 19,315
Connecticut 8,428
Montana 8,255
Wisconsin 8,006
Indiana 6,097
Massachusetts 5,896
Washington 4,866
Utah 4,195
Georgia 4,069
Arizona 2,916
Minnesota 2,767
Nebraska 2,544
Mississippi 1,541
Illinois 1,051

HIPAA Enforcement Activity in August 2025

It has been a busy year of HIPAA enforcement with 19 investigations resulting in settlements or civil monetary penalties to resolve noncompliance with the HIPAA Rules, including one new enforcement action announced in August. BST & Co. CPAs, LLP, is a public accounting, business advisory, and management consulting firm based in New York. OCR launched an investigation of the company following a report of a December 2019 ransomware attack by the Maze ransomware group involving unauthorized access to the protected health information of up to 170,000 patients of its covered entity client Community Care Physicians P.C., a New York medical group. The ransomware attack started with a phishing email. OCR was not provided with any evidence to show that a risk analysis had ever been conducted. The alleged HIPAA violation was settled with BST & Co. CPAs agreeing to pay a $175,000 financial penalty and adopt a corrective action plan. You can find out more about OCR’s HIPAA enforcement actions on our HIPAA violation cases page.

State attorneys general can also investigate HIPAA breaches and impose financial penalties for noncompliance, although there were no announcements by state attorneys general in August. State attorneys general HIPAA enforcement actions can be found on this link.

The post August 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

August 2025 Healthcare Data Breach Report

There has been a 13.7% month-over-month increase in large healthcare data breaches, with 58 breaches affecting 500 or more individuals reported to the HHS’ Office for Civil Rights in August, slightly lower than the 2025 average of 63.5 large healthcare data breaches per month.

Individuals affected by healthcare data breaches in the past 12 months

August healthcare data breaches (2020-2025)

Since 2009, the number of reported healthcare data breaches has generally increased each year, although there was a slight reduction in data breaches last year (746 in 2023 vs. 739 in 2024), and that trend appears to be continuing this year. HIPAA-regulated entities have reported 508 large healthcare data breaches in the year to August 31, 2025, compared to 515 large healthcare data breaches over the corresponding period in 2024.

Individuals affected by healthcare data breaches in the past 12 months

Individuals affected by healthcare data breaches in August -2020-2025

For the second consecutive month, the number of individuals affected by healthcare data breaches has fallen. Across the 58 data breaches, the protected health information of 3,789,869 individuals was exposed or impermissibly accessed/disclosed. On average, 5,084,784 individuals have been affected by healthcare data breaches each month this year (median 3,583,200 individuals).

The number of affected individuals is down 84.7% for the year to date compared to 2024, although in July last year, Change Healthcare reported its gargantuan data breach, which we now know affected 192.7 million individuals.  Even discounting that data breach as an outlier, there has been a considerable fall in the number of individuals affected by healthcare data breaches this year, down 43.93% from 2024 and 60.9% from the same period in 2023. Further information on healthcare data breaches can be found on our healthcare data breach statistics page.

The Biggest Healthcare Data Breaches in August 2025

There were only 13 data breaches affecting 10,000 or more individuals in August, the largest of which was a ransomware attack on the kidney dialysis company DaVita, which affected 2,689,826 individuals, which is 71% of the total affected individuals in August. The Interlock ransomware group claimed responsibility for the attack. Vital Imaging Medical Diagnostic Centers (VIMDC) in Florida experienced the second-largest data breach, with up to 260,000 individuals affected. While data theft was not confirmed, VIMDC said data theft was likely. Three of the four largest healthcare data breaches in August were all ransomware attacks. Aspire Rural Health System and Highlands Oncology Group also fell victim to ransomware attacks.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
DaVita Inc. CO Healthcare Provider 2,689,826 Ransomware attack – Data theft confirmed (Interlock)
Vital Imaging Medical Diagnostic Centers, LLC FL Healthcare Provider 260,000 Hacking incident – Data theft suspected
Aspire Rural Health System MI Healthcare Provider 138,386 Ransomware attack – Data theft confirmed (BianLian)
Highlands Oncology Group PA AR Healthcare Provider 111,766 Ransomware attack (Medusa)
University of Iowa Community Home Care IA Healthcare Provider 109,029 Hacking incident – Data theft confirmed
University of Iowa Health Care IA Healthcare Provider 101,875 Hacking incident – Data theft confirmed
CPAP Medical Supplies and Services Inc. FL Healthcare Provider 90,133 Hacking incident
Langdon & Company, LLP Certified Public Accountants NC Business Associate 46,061 Hacking incident – Data theft confirmed
Pediatric Otolaryngology Head & Neck Surgery Associates, P.A. FL Healthcare Provider 43,446 Hacking incident
MDLand International Corporation NY Business Associate 22,586 Ransomware attack
Beech Acres Parenting Center OH Healthcare Provider 19,315 Hacking incident
Pacific Imaging Management, LLC CA Healthcare Provider 13,158 Compromised email accounts
West Texas Oral Facial Surgery TX Healthcare Provider 11,151 Hacking incident

The 13 data breaches affecting 10,000 or more individuals could well grow over the coming weeks, as 11 data breaches were reported in August that had suspected placeholder figures of 500 or 501 affected individuals. These figures are commonly used when the number of affected individuals has not been determined by the reporting deadline of the HIPAA Breach Notification Rule.

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach
Meridian Valley Laboratories, Inc. WA Healthcare Provider 501 Hacking/IT Incident
Department of Social Services for Vance County, North Carolina NC Business Associate 501 Hacking/IT Incident
CareTracker, Inc. NY Business Associate 501 Hacking/IT Incident
Mower County Health and Human Services MN Healthcare Provider 501 Hacking/IT Incident
PROVAIL WA Healthcare Provider 501 Hacking/IT Incident
Woodlawn Hospital IN Healthcare Provider 500 Hacking/IT Incident
McEwen & Associates TX Business Associate 500 Hacking/IT Incident
McEwen & Associates TX Business Associate 500 Hacking/IT Incident
McEwen & Associates TX Business Associate 500 Hacking/IT Incident
Aflac Incorporated (“Aflac”) GA Health Plan 500 Hacking/IT Incident
Friesen Group CA Healthcare Provider 500 Hacking/IT Incident

Causes of August 2025 Healthcare Data Breaches

Hacking and other IT incidents dominated the August breach reports, accounting for 87.9% of the month’s data breaches (51 data breaches). Across those breaches, the protected health information of 3,635,101 individuals was exposed or impermissibly accessed or disclosed – 95.9% of the individuals affected by data breaches in August. The average breach size was 71,276 records, and the median breach size was 3,569 records.

Causes of August 2025 healthcare data breaches

There were 7 unauthorized access/disclosure incidents affecting a total of 154,768 individuals. The average breach size was 22,110 records, and the median breach size was 3,215 records. No loss or theft incidents have been reported for five months, and there have been no improper disposal incidents for three months. The most common location of breached protected health information was network servers, followed by email accounts.

Location of breached protected health information in august 2025

Affected HIPAA-Regulated Entities

In August, 44 data breaches were reported by healthcare providers, affecting 3,698,013 individuals, 12 data breaches were reported by business associates, affecting 88,141 individuals, and 2 data breaches were reported by health plans, affecting 3,715 individuals. When a data breach occurs at a business associate, it is ultimately the responsibility of the affected covered entities to report the breach, although that responsibility is often delegated to the business associate. Since some covered entities choose to report business associate breaches themselves, the above figures do not accurately show where the data breach occurred. The charts below are based on the entity that experienced the data breach rather than the entity that reported the incident.

Data breaches at HIPAA-regulated entities in August 2025

Individuals affected by data breaches at HIPAA-regulated entities in August 2025

Geographical Distribution of August 2025 Healthcare Data Breaches

California was the worst-affected state with 7 large data breaches reported by HIPAA-regulated entities based in the state, closely followed by Florida and Texas with 6 data breaches. In August, HIPAA-regulated entities in 23 states reported large data breaches.

State Breaches
California 7
New York & Texas 6
Florida 5
Indiana, North Carolina & Washington 3
Arkansas, Connecticut, Georgia, Iowa, Massachusetts, Michigan, Minnesota, Utah & Wisconsin 2
Arizona, Colorado, Illinois, Mississippi, Montana, Nebraska & Ohio 1

While California had the most breaches, the state ranked 8th in terms of the number of affected individuals. New York ranked 7th, and Texas ranked 9th. Only one data breach was reported by a Colorado-based entity, but it was the largest data breach of the month, ensuring the state ranked top in terms of affected individuals.

State Records
Colorado 2,689,826
Florida 405,348
Iowa 210,904
Michigan 139,401
Arkansas 114,257
North Carolina 50,584
New York 44,882
California 33,873
Texas 20,848
Ohio 19,315
Connecticut 8,428
Montana 8,255
Wisconsin 8,006
Indiana 6,097
Massachusetts 5,896
Washington 4,866
Utah 4,195
Georgia 4,069
Arizona 2,916
Minnesota 2,767
Nebraska 2,544
Mississippi 1,541
Illinois 1,051

HIPAA Enforcement Activity in August 2025

It has been a busy year of HIPAA enforcement with 19 investigations resulting in settlements or civil monetary penalties to resolve noncompliance with the HIPAA Rules, including one new enforcement action announced in August. BST & Co. CPAs, LLP, is a public accounting, business advisory, and management consulting firm based in New York. OCR launched an investigation of the company following a report of a December 2019 ransomware attack by the Maze ransomware group involving unauthorized access to the protected health information of up to 170,000 patients of its covered entity client Community Care Physicians P.C., a New York medical group. The ransomware attack started with a phishing email. OCR was not provided with any evidence to show that a risk analysis had ever been conducted. The alleged HIPAA violation was settled with BST & Co. CPAs agreeing to pay a $175,000 financial penalty and adopt a corrective action plan. You can find out more about OCR’s HIPAA enforcement actions on our HIPAA violation cases page.

State attorneys general can also investigate HIPAA breaches and impose financial penalties for noncompliance, although there were no announcements by state attorneys general in August. State attorneys general HIPAA enforcement actions can be found on this link.

The post August 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

New Jersey Medical Groups Warn Patients About Data Breach

Two New Jersey medical groups have notified patients that their data may have been compromised in a recent security incident. Family & Community Services in Ohio is investigating a cyberattack that exposed patient data.

Passaic Hospitalist Services/ Passaic River Physicians, New Jersey

Legal counsel for two New Jersey medical groups has notified patients of the medical groups Passaic Hospitalist Services and Passaic River Physicians that some of their protected health information has potentially been stolen in a recent data security incident.

Suspicious activity was identified within its computer systems, and an investigation was launched to determine the cause of the activity, which revealed unauthorized access and acquisition of files from certain systems between May 22 and May 23, 2025. A review was conducted of all files on the compromised parts of the network, and it was determined on September 11, 2025, that protected health information was involved, including names, dates of birth, addresses, diagnosis information, provider names, dates of service, treatment information, and/or health insurance information.

Notification letters are now being mailed to the affected individuals. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Family & Community Services, Ohio

Family & Community Services Inc., a social services organization in Ravenna, Ohio, has recently written to its clients to inform them about the potential theft of some of their personal data. On May 22, 2025, Family & Community Services identified activity within its computer systems indicative of unauthorized access. Third-party cybersecurity experts were engaged to investigate the activity and confirmed unauthorized access to its computer systems.

The investigation and data review are ongoing, and Family & Community Services has not yet determined the number of individuals affected or the exact types of data involved. Notification letters will be mailed to the affected individuals when the file review is completed. The letters will detail the types of data involved. In the meantime, clients have been advised to remain vigilant against incidents of identity theft and fraud. Family & Community Services said it restored operations in a safe and secure manner, and steps have been taken to enhance security. Those measures include hardening remote entry points, which indicates the likely initial access vector in the incident.  Steps have also been taken to strengthen access controls.

The post New Jersey Medical Groups Warn Patients About Data Breach appeared first on The HIPAA Journal.