While the figures in our September 2025 data breach report look encouraging, there is a major caveat. Due to the government shutdown, the HHS’ Office for Civil Rights (OCR) has largely stopped adding data breaches to its data breach portal. The figures for September are therefore likely to increase considerably when the furlough comes to an end, staff return to work, and the backlog of data breach reports is addressed. While we do not generally update our monthly breach reports after publication, we will revise the figures and re-publish this report when the government shutdown comes to an end.
September 2025 Healthcare Data Breach Report
As of October 22, 2025, OCR has added 26 data breaches affecting 500 or more individuals to its data breach portal – the lowest monthly total since December 2018. That is a 59% decrease from August’s 64 data breaches, but several more breaches are likely to be added to the September total once the backlog is processed. That said, there has been a downward trend in healthcare data breaches since April, and the year-to-date total from January 1 to September 30 is 469 data breaches, compared to 554 data breaches in the corresponding period in 2024. Even accounting for breach reports missing because of the government shutdown, data breaches are down considerably from last year.

Across the 26 September data breaches on the OCR data breach portal, the protected health information of at least 1,294,769 individuals was exposed or impermissibly disclosed, marking the third consecutive month with a fall in the number of affected individuals, and currently down 65.9% from August. That number could increase considerably, but currently, for the year-to-date, 42,216,193 individuals have had their protected health information exposed or impermissibly disclosed. While this year’s total is higher than in the whole of 2019 and 2020, the number of affected individuals is down 85% compared to last year and 75% compared to 2023.

The Biggest Healthcare Data Breaches Announced in September
Currently, 42% of the month’s breaches (11 incidents) involved the exposure or impermissible disclosure of the protected health information of 10,000 or more individuals. All but one of the 11 data breaches were hacking incidents involving unauthorized access to protected health information stored on network servers; the remaining incident involved a compromised email account. Goshen Medical Center was the worst-affected covered entity, with more than 456,000 patients affected by its hacking incident. One provider that stands out is Sturgis Hospital, which was still investigating a cyberattack that occurred in December 2024 when it experienced a second intrusion in June 2025. Note that Sturgis Hospital appears twice in the table below, once as a health plan and once as a healthcare provider, with the same 77,771 individuals listed for each entry, so those individuals are counted twice in the monthly and state totals.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Goshen Medical Center | NC | Healthcare Provider | 456,385 | Network server hacking incident |
| Medical Associates of Brevard, LLC | FL | Healthcare Provider | 246,711 | Network server hacking incident |
| Doctors Imaging Group | FL | Healthcare Provider | 171,862 | Network server hacking incident – Data theft confirmed |
| Retina Group of Florida | FL | Healthcare Provider | 152,691 | Network server hacking incident |
| Sturgis Hospital | MI | Health Plan | 77,771 | Network server hacking incident |
| Sturgis Hospital | MI | Healthcare Provider | 77,771 | Network server hacking incident |
| PGA Development, Inc. | PA | Healthcare Provider | 23,899 | Network server hacking/IT incident |
| Teamsters Union 25 Health Services & Insurance Plan | MA | Health Plan | 19,231 | Network server hacking incident |
| Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice (“Treasure Health”) | FL | Healthcare Provider | 13,234 | Email account breach |
| People Encouraging People | MD | Healthcare Provider | 13,083 | Ransomware attack – Data theft confirmed |
The HIPAA Breach Notification Rule requires HIPAA-regulated entities to report breaches affecting 500 or more individuals to OCR, and to notify the affected individuals, without unreasonable delay and no later than 60 days from the discovery of the breach. If the total number of affected individuals is not known by that deadline, the entity should report an estimate to OCR and update it later. Many regulated entities submit the initial report using a placeholder figure of 500 or 501 affected individuals, then provide the actual total when the file review is concluded. Four data breaches were reported in September with totals of 500 or 501, which is indicative of a placeholder. These data breaches could affect considerably more individuals than the initial breach report suggests.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Cookeville Regional Medical Center | TN | Healthcare Provider | 500 | Hacking/IT Incident |
| Hampton Regional Medical Center | SC | Healthcare Provider | 501 | Hacking/IT Incident |
| Coos County Family Health Services | NH | Healthcare Provider | 501 | Hacking/IT Incident |
| La Perouse, LLC | NV | Business Associate | 501 | Hacking/IT Incident |
Causes of September 2025 Healthcare Data Breaches
Out of the 26 large healthcare data breaches added to the OCR breach portal in September, 23 (88.5%) were reported as hacking/IT incidents. Those incidents involved unauthorized access to the protected health information of 1,279,139 individuals, which is 98.8% of the total number of individuals affected by data breaches in September. The average number of individuals affected by these incidents was 55,615 (median: 6,243 individuals).

The exact nature of the hacking incidents, such as whether ransomware was used to encrypt files, whether a ransom demand was received, or even whether data was stolen, is often not disclosed. This lack of detail in breach notifications has been growing for several years and is not confined to the healthcare industry; the Identity Theft Resource Center (ITRC) has reported that the same trend is evident across many industry sectors.
The remaining three data breaches were unauthorized access/disclosure incidents affecting a combined 15,630 individuals, an average of 5,210 individuals per incident (median: 1,700 individuals). Based on the available data, no loss, theft, or improper disposal incidents were reported to OCR in September. No loss/theft incidents have been reported since March 2025, and the last reported improper disposal incident was in May 2025.

Where Did the Data Breaches Occur?
Geographical Distribution of Healthcare Data Breaches in September
Florida and North Carolina were the worst-affected states, with four data breaches affecting 500 or more individuals reported by entities based in each of those states. The two states also top the list by number of affected individuals, with 584,498 and 465,721 individuals affected, respectively.
| State | Breaches |
|---|---|
| Florida & North Carolina | 4 |
| Michigan, Pennsylvania & Tennessee | 2 |
| Louisiana, Massachusetts, Maryland, Minnesota, Missouri, New Hampshire, Nevada, Oregon, South Carolina, Texas, Virginia, and Washington | 1 |
The table below shows the number of individuals affected by healthcare data breaches based on the state where the regulated entity is based, not necessarily where the affected individuals reside. Michigan’s total includes both Sturgis Hospital entries, so the same 77,771 individuals are counted twice.
| State | Individuals Affected |
|---|---|
| Florida | 584,498 |
| North Carolina | 465,721 |
| Michigan | 155,542 |
| Pennsylvania | 26,150 |
| Massachusetts | 19,231 |
| Maryland | 13,083 |
| Missouri | 11,538 |
| Louisiana | 6,243 |
| Minnesota | 3,572 |
| Tennessee | 2,957 |
| Oregon | 1,700 |
| Texas | 1,236 |
| Washington | 1,099 |
| Virginia | 696 |
| New Hampshire | 501 |
| Nevada | 501 |
| South Carolina | 501 |
HIPAA Enforcement Activity in September 2025
It has been a busy year of HIPAA enforcement for OCR, with 20 enforcement actions involving settlements or civil monetary penalties announced so far this year, including one in September. OCR agreed to settle alleged violations of the HIPAA Privacy Rule and Breach Notification Rule with Cadia Healthcare facilities, which agreed to pay $182,000 to resolve the alleged violations.
Cadia Healthcare is a group of five rehabilitation, skilled nursing, and long-term care providers in Delaware. An employee had posted patient success stories to the company’s social media channel; however, valid HIPAA authorizations had not been obtained for that purpose, so the use of PHI in the stories was an impermissible disclosure. After being notified by OCR, Cadia found that the PHI of 150 patients had been posted online without valid authorizations, deleted the posts, and shut down the success story program; however, breach notification letters were not issued to the affected patients. The corrective action plan requires Cadia to revise its policies and procedures, provide training to staff members, and issue the outstanding notification letters.
The post September 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.