November 2025 Healthcare Data Breach Report – The HIPAA Journal
November 2025 Healthcare Data Breach Report The HIPAA Journal
November 2025 Healthcare Data Breach Report
Based on breach reports submitted to the U.S. Department of Health and Human Services (HHS), November saw relatively low numbers of healthcare data breaches. On average in 2025, 57 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR) each month. In fact, for the past six years, data breaches have been reported at a rate of around 60 per month. The OCR breach portal currently lists 32 large healthcare data breaches for November, and a similar number were reported in October (28) – numbers that have not been regularly seen since 2018.
Compared to previous Novembers, data breaches have decreased substantially, with a 54% reduction from November 2024 and a 56% reduction from November 2023.
While data breaches appear to have halved in October and November, it coincides with the U.S. government shutdown due to Congress failing to pass appropriations legislation for the 2026 fiscal year. The shutdown lasted from October 1, 2025, to November 12, 2025, and during that time, no data breaches were added to the OCR data breach portal. The significant backlog has taken some time to clear, and there may still be breach reports that have yet to be added to the breach portal from that period.
Low numbers of data breaches do not always mean low numbers of affected individuals, as was demonstrated in October 2025, when only 28 breaches were reported, but more than 11 million individuals were affected. Breach victims fell substantially in November, which saw the fewest number of individuals affected by large healthcare data breaches so far this year. Based on current figures, 1,415,934 individuals are known to have had their protected health information exposed or impermissibly disclosed in data breaches reported in November. That’s the lowest monthly total since January 2023, and an 87.2% reduction from October. So far in 2025, from January 1, 2025, to November 30, 2025, 686 large healthcare data breaches have been reported affecting 55,695,906 individuals.
The number of affected individuals in November 2025 was the lowest in the past five years. While the low numbers of data breaches and affected individuals are certainly good news, this trend may be short-lived, as some sizable data breaches have been confirmed by HIPAA-regulated entities in the past two months that have yet to appear on the OCR data breach portal.
The Biggest Healthcare Data Breaches Reported in November 2025
In November, 16 healthcare data breaches were reported to OCR that affected more than 10,000 individuals. The biggest confirmed healthcare data breach of the month affected VITAS Hospice Services in Florida and involved unauthorized access to the protected health information of almost 320,000 patients. An account used by one of its vendors was compromised, and the account was used to access VITAS systems.
The medical supply company Fieldtex Products reported the second-largest data breach, also a hacking incident, affecting 238,615 individuals. A further three breach reports were submitted to OCR by Fieldtex Products in December, adding a further 35,748 individuals to that total. Delta Dental of Virginia reported a hacking incident that was initially thought to have affected 145,918 individuals, although following investigation, was reduced to 126,953 individuals. This was the largest email data breach of the month and involved unauthorized access to a single email account.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| VITAS Hospice Services, LLC | FL | Healthcare Provider | 319,177 | Hacking incident involving a compromised vendor account |
| Fieldtex Products, Inc. | NY | Business Associate | 238,615 | Hacking incident |
| Delta Dental of Virginia | VA | Health Plan | 126,953 | Email account breach |
| Richmond Behavioral Health Authority | VA | Healthcare Provider | 113,232 | Ransomware attack |
| Persante Health Care | NJ | Business Associate | 111,815 | Hacking incident |
| Denton MHMR Center | TX | Healthcare Provider | 108,967 | Hacking incident |
| NS Support, LLC | ID | Healthcare Provider | 92,845 | Hacking incident – data theft confirmed |
| Anchorage Neighborhood Health Center | AK | Healthcare Provider | 70,555 | Hacking incident |
| Davies, McFarland & Carroll LLC | PA | Business Associate | 54,712 | Hacking incident – data theft confirmed |
| Morton Drug Company | WI | Healthcare Provider | 40,051 | Hacking incident |
| Marshfield Clinic Health System | WI | Healthcare Provider | 35,952 | Email accounts compromised |
| Loving and Living Center, PC dba Awakenings Center | NC | Healthcare Provider | 17,800 | Unauthorized access to the electronic medical record system |
| Healthcare Therapy Services, Inc. | IN | Healthcare Provider | 15,027 | Email accounts compromised |
| Millcreek Pediatrics | DE | Healthcare Provider | 14,095 | Hacking incident |
| Steven J. Pearlman MD PC | NY | Healthcare Provider | 11,764 | Hacking incident |
| Personic Management Company LLC | VA | Business Associate | 10,929 | Compromised third-party software platform |
Data breaches must be reported to OCR within 60 days of discovery, per the HIPAA Breach Notification Rule. If the total number of affected individuals is not known, an estimate should be provided within those 60 days. HIPAA-regulated entities often submit a breach report using a placeholder figure of 500 or 501 affected individuals when data reviews are ongoing. In November, two data breaches were reported with 500 totals indicative of placeholder figures.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| West Suburban Eye Surgery Center LLC | MA | Business Associate | 500 | Unauthorized Access/Disclosure |
| County of Catawba | NC | Health Plan | 500 | Hacking/IT Incident |
Causes of November 2025 Healthcare Data Breaches
Hacking and other IT incidents continue to dominate the breach reports, accounting for 78% of the month’s data breaches (25 incidents) and 99.1% of the month’s affected individuals (1,403,361). On average, 56,134 individuals were affected by each of these incidents (median: 15,027).
Unauthorized access/disclosure incidents accounted for 15.6% of the month’s data breaches (5 incidents) and 0.5% of the month’s affected individuals (7,591). The average breach size was 1,518 individuals (median: 1,518). Loss and theft incidents accounted for 6.3% of the month’s breaches (2 incidents) and 0.4% of the month’s affected individuals. The average breach size was 2,491 individuals (median 2,491).
Ransomware attacks continue to be one of the biggest cyber threats in healthcare, although hacking incidents are rarely reported as such. A recent analysis from GuidePoint Security identified a 58% year-over-year increase in ransomware attacks in 2025, with Qilin, INC Ransom, and SafePay the biggest threats to healthcare organizations. Some threat actors, Pear, for example, have opted for pure data theft and extortion, skipping file encryption in their attacks. Pear has targeted several healthcare organizations in recent months, and a recently emerged ransomware group called Sinobi has claimed many healthcare victims.
While a majority of the hacking incidents (59%) involved compromised network servers, email continues to be targeted and is often used for initial access in more comprehensive attacks on an organization. In November, almost 19% of incidents involved compromised email accounts.
Where did the Data Breaches Occur?
Healthcare providers were the worst-affected HIPAA-covered entities in November, with 22 reported breaches (867,100 affected individuals), with three data breaches at health plans (129,118 affected individuals) and no data breaches at healthcare clearinghouses. In November, 7 business associates of HIPAA-covered entities reported data breaches (419,716 affected individuals); however, a further two breaches occurred at business associates but were reported by the affected covered entities. The charts below are based on where the data breach occurred, rather than the entity that reported the breach.
Geographic Distribution of Healthcare Data Breaches
In November, large healthcare data breaches were reported by HIPAA-regulated entities based in 21 U.S. states. Virginia was the worst-affected state with four breaches, followed by New York and Wisconsin with three data breaches.
| State | Breaches |
| Virginia | 4 |
| New York & Wisconsin | 3 |
| Florida, Minnesota, North Carolina & Pennsylvania | 2 |
| Alaska, California, Connecticut, Delaware, Idaho, Illinois, Indiana, Maryland, Massachusetts, Michigan, New Jersey, New Mexico, Rhode Island & Texas | 1 |
While entities in Florida only experienced 2 large healthcare data breaches, the state had the highest number of affected individuals.
| State | Individuals Affected |
| Florida | 322,859 |
| New York | 252,617 |
| Virginia | 252,027 |
| New Jersey | 111,815 |
| Texas | 108,967 |
| Idaho | 92,845 |
| Wisconsin | 77726 |
| Alaska | 70,555 |
| Pennsylvania | 55,255 |
| North Carolina | 18,300 |
| Indiana | 15,027 |
| Delaware | 14,095 |
| Minnesota | 7,331 |
| California | 4,285 |
| Rhode Island | 4,000 |
| New Mexico | 2,165 |
| Michigan | 1,984 |
| Maryland | 1,300 |
| Connecticut | 1,260 |
| Illinois | 1,021 |
| Massachusetts | 500 |
HIPAA Enforcement Activity in November 2025
The government shutdown during October and a significant part of November brought many HHS workflows to a grinding halt as staff were furloughed, and there were no announcements about HIPAA enforcement actions. Enforcement activity is continuing, and while there were no new announcements, 2025 ranks as one of the busiest years for HIPAA enforcement. Including one penalty announced in December, OCR closed the year with settlements and civil monetary penalties – the second-highest annual total to date. State Attorneys General also enforce the HIPAA Rules; however, there were no known enforcement actions announced in November to resolve alleged HIPAA violations.
This report is based on data obtained from the HHS’ Office for Civil Rights on January 20, 2026.
The post November 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.
MethodHub Software Limited Achieves HIPAA Certification for Healthcare Data Security – scanx.trade
MethodHub Software Limited Achieves HIPAA Certification for Healthcare Data Security – scanx.trade
Central Maine Healthcare Data Breach Affects 145,000 Individuals
Data breaches have recently been announced by Central Maine Healthcare, Dermatology Associates in Kentucky, and Reproductive Medicine Associates of Michigan. The Central Maine Healthcare data breach has affected 145,000 individuals.
Central Maine Healthcare
Central Maine Healthcare, an integrated nonprofit healthcare system serving around 400,000 residents in central and western Maine, has announced a major data breach involving the electronic protected health information of up to 145,000 patients.
Suspicious activity was identified within its IT systems on June 1, 2025, and immediate action was taken to secure its systems while an investigation sought to determine the nature and scope of the activity. The investigation determined that between March 19, 2025, and June 1, 2025, an unauthorized third party had access to its network and accessed or acquired files containing sensitive patient data.
The file review confirmed that names and Social Security numbers were compromised, in combination with one or more of the following: address, date(s) of service, provider names, treatment information, and health insurance information. Notification letters started to be mailed to the affected individuals in late December 2025, and single-bureau credit monitoring, credit report, and credit score services have been offered.
Dermatology Associates, Kentucky
Dermatology Associates in Louisville, Kentucky, has recently announced an August 2025 security incident that may have resulted in unauthorized access to patient data. Suspicious activity was identified within its computer systems on August 4, 2025, and third-party cybersecurity experts were engaged to investigate the activity.
The investigation confirmed unauthorized access to its network for a period of two months from June 4, 2025, to August 4, 2025. The data review is ongoing, so the types of information involved have yet to be confirmed. Dermatology Associates said the information likely exposed in the incident included names, addresses, dates of birth, driver’s license numbers, telephone numbers, physician names, billing/claims information, patient ID/account numbers, and health insurance information.
Steps have been taken to improve security, and notification letters will be sent by mail when the investigation is concluded. The data breach is currently shown on the HHS’ Office for Civil Rights breach portal with a placeholder figure of at least 501 affected individuals. The total will be updated when the file review is concluded.
Reproductive Medicine Associates of Michigan
Reproductive Medicine Associates of Michigan (RMAM), a fertility clinic in Troy, MI, has started notifying patients about a recent cybersecurity incident that involved the theft of sensitive data from its network. Suspicious network activity was identified on October 22, 2025, and immediate action was taken to secure its IT environment. Third-party cybersecurity specialists were engaged to investigate the activity, who confirmed that data had been exfiltrated.
On December 19, 2025, a substitute data breach notice was added to the RMAM website that states that the file review is ongoing, and notification letters will be mailed to the affected individuals when that process is completed. The notifications will provide information on the exact types of information involved for each individual. At present, the total number of individuals affected has yet to be confirmed.
The post Central Maine Healthcare Data Breach Affects 145,000 Individuals appeared first on The HIPAA Journal.
HIPAA Training for Pharmacy Staff – The HIPAA Journal
HIPAA Training for Pharmacy Staff The HIPAA Journal
HIPAA Training for Pharmacy Staff
HIPAA training for pharmacy staff is required because pharmacies routinely create, access, and share protected health information through prescriptions, insurance claims, medication therapy management, patient counseling, and coordination with prescribers and other providers, and training is one of the most practical ways to reduce avoidable disclosures, improve incident reporting, and keep workflows compliant. In most healthcare settings, annual HIPAA training is a widely followed best practice, and all workforce members should receive training that matches their role and the way they interact with patient information.
Why HIPAA Training Matters in a Pharmacy Setting
Pharmacies handle PHI in high volume and at high speed. The risk is not only unauthorized access to prescription profiles, but also everyday situations such as conversations at the counter, voicemail messages, delivery logistics, prior authorization paperwork, and sharing information with caregivers. HIPAA training helps staff recognize what information is sensitive, when a disclosure is permitted, and what to do when something feels off.
Who Should Be Trained
HIPAA training should cover the entire pharmacy workforce, including pharmacists, technicians, interns, delivery staff who handle labeled packages, call center or refill teams, managers, and any staff who can view or use patient information. Even team members without routine access to prescription systems can create risk through misdirected documents, insecure communication, or poor device and password habits, so training should not be limited to clinical roles.
When HIPAA Training Should Be Provided
New pharmacy workforce members should be trained within a reasonable period after starting, and before they begin independent work with prescription records or pharmacy systems. Training should also be refreshed when policies, workflows, or technology changes in a way that affects PHI, and when incidents or risk reviews show gaps that need corrective education. Many organizations reinforce these requirements with annual refresher training to keep knowledge current and consistent across shifts and locations.
What a Core HIPAA Course for Pharmacy Staff Should Cover
HIPAA training for pharmacy staff should cover the foundational requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, with enough depth to ensure staff understand both their legal obligations and their practical responsibilities in day to day pharmacy operations. The course content should clearly explain what constitutes protected health information, who is permitted to access it, and how the minimum necessary standard applies when dispensing medications, communicating with prescribers, handling insurance issues, and interacting with patients and caregivers.
Training should also address administrative, physical, and technical safeguards in a way that is meaningful for pharmacy workflows. This includes secure use of pharmacy systems, proper password management, workstation security, logging out of shared terminals, and protecting printed materials such as prescription labels, pickup logs, and insurance documentation. Staff should understand how improper disposal, unsecured screens, or casual conversations at the counter can lead to reportable incidents.
Another essential component is breach awareness and incident response. Pharmacy staff should be trained to recognize potential HIPAA violations, understand what constitutes a reportable breach, and know exactly how and when to report concerns internally without fear of retaliation. The training should reinforce that timely reporting is a compliance requirement and a key part of protecting patients and the organization.
HIPAA training should also include clear instruction on workforce responsibilities, including following policies and procedures, participating in required training, and cooperating with investigations or audits. For pharmacies that work with vendors, delivery services, or other third parties, training should explain the role of business associates and the importance of only sharing information in accordance with approved agreements and established workflows.
HIPAA Training for Emergencies and High Pressure Scenarios
Pharmacy teams often operate under time pressure during urgent care encounters, disaster response, community outbreaks, and medication shortages, and those conditions can increase the likelihood of verbal disclosures, rushed identity checks, or documentation mistakes. Emergency focused HIPAA training helps staff understand how permitted disclosures work when rapid coordination is needed, how to apply minimum necessary even under pressure, and how to communicate safely with caregivers, first responders, and other providers while still protecting patient privacy. It also reinforces that emergencies are not a reason to abandon basic safeguards such as secure device use, careful phone communication, and prompt reporting if something goes wrong.
Criteria for Choosing a HIPAA Training Program for Pharmacy Staff
A pharmacy should look for a HIPAA training program that is maintained by HIPAA subject matter experts and updated as guidance and risks evolve, rather than relying on static content. The training should use clear language and practical scenarios that reflect real pharmacy workflows, not generic examples that leave staff unsure how to apply the rules.
Quality programs also verify learning through short tests or knowledge checks rather than relying only on attestations, and they support completion tracking so managers can confirm who was trained and when. Audit ready documentation matters, so the program should provide reliable reporting, proof of completion, and certificates, along with records of course content and training dates. Flexibility is also important in pharmacy environments, so training that supports role based assignments and modular delivery makes it easier to train pharmacists, technicians, and support staff appropriately without overtraining or skipping critical topics.
Additional HIPAA Training for Student Pharmacists on Placement
Student pharmacists receiving on the job training or clinical placements should complete comprehensive HIPAA training that addresses the specific ways students can violate HIPAA, especially around curiosity access, informal discussions, and use of personal devices. Student focused training should reinforce that access to records is limited to a need to know basis tied to educational or clinical duties, and that students must follow supervisor direction and escalate questions to the appropriate privacy or compliance contact.
Because placements vary by site and system, student pharmacists should also receive orientation level reinforcement at the start of each placement so they understand the local rules for system access, secure communication, documentation, and where incidental disclosures commonly occur in that environment. Training should explicitly address modern risks that are especially relevant to students, including social media behavior and the prohibition on using PHI with commercial AI tools.
The post HIPAA Training for Pharmacy Staff appeared first on The HIPAA Journal.
Providers Evaluate Security as Updated HIPAA Compliance Looms – HealthTech Magazine
Providers Evaluate Security as Updated HIPAA Compliance Looms HealthTech Magazine