HSCC Issues Guidance on Cyber Governance Frameworks for Secure AI implementation

The Health Sector Coordinating Council (HSCC) AI cybersecurity governance task force has published new guidance for healthcare CISOs and other leaders to help them establish cybersecurity governance frameworks for secure AI implementation.

Adoption of AI-based technologies in healthcare is progressing at pace, with AI tools increasingly embedded into critical healthcare functions; however, these tools introduce new and often poorly understood cyber risks into already complex ecosystems. AI-specific cyber risks, such as data poisoning, model drift, and bias, can threaten successful implementation and HIPAA compliance, and the tools can create vulnerabilities that threat actors can exploit in attacks that impact patient privacy, safety, and care.

Healthcare organizations should implement a strong governance structure that integrates cybersecurity principles into the full AI product lifecycle, covering the assessment, design, development, deployment, and decommissioning of AI systems. The guidance can be used to implement a cybersecurity governance framework for identifying and mitigating AI-specific cyber risks across all AI technologies, from traditional machine learning systems to generative AI and agentic AI systems capable of autonomous action.

The AI Cyber Governance Framework Implementation Guide establishes core AI cybersecurity governance objectives for enterprises, ecosystems, and third-party adoption scenarios, and includes AI-specific industry best practices and protocols for secure data handling, model protection, continuous monitoring, and threat detection, covering threats such as model evasion, model inversion, data leakage, and data poisoning. The guidance provides practical tools for organizing roles and responsibilities, inventory management, and contractual language for vendor relationships, and includes a five-level AI autonomy framework and an AI-specific incident response playbook.

The 87-page guidance document is focused on establishing a governance framework for addressing AI-specific cybersecurity risks. While the guidance covers clinical safety, ethics, and patient engagement where they intersect with cybersecurity risk, a broader AI governance program should be maintained to address the full spectrum of AI-related risks beyond cybersecurity; the guidance should therefore be used in combination with existing organizational governance activities.

The playbook is part of a series of AI-specific documents for the healthcare industry, with previous publications including a guide for addressing supply chain risk. Further publications are expected in the coming months to address other healthcare-specific AI considerations.


Largest Healthcare Data Breaches of 2025

2025 was another bad year for healthcare data breaches. As of June 2026, 772 healthcare data breaches affecting 500 or more individuals that occurred in 2025 are listed on the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal, involving the exposure or theft of the protected health information of 139,721,832 individuals. That total is likely to increase further, as several data breach investigations have yet to conclude.

Based on the current totals, 2025 was the worst ever year for large healthcare data breaches, beating the previous record of 746 data breaches set in 2023 by 3.49%. In terms of affected individuals, 2025 was the third-worst year, behind the 289.8 million affected individuals in 2024 and the 183 million affected individuals in 2023. You can view the latest figures and how they compare to previous years on our Healthcare Data Breach Statistics page.

Large healthcare data breaches increased by 4.18% year over year, although there was a 51.79% year-over-year decrease in affected individuals. Such a large decrease in affected individuals was expected, as in 2024, there was a gargantuan data breach at Change Healthcare, which affected an estimated 192,700,000 individuals. That single data breach accounted for 66.49% of the 289,819,703 affected individuals in 2024.

The Largest Healthcare Data Breaches of 2025

The table below shows the largest healthcare data breaches of 2025 known at the time of publication. At the time of publication, 16 healthcare data breaches were reported to OCR in 2025 that each affected more than one million individuals, and a further 7 data breaches affected between 500,000 and 999,999 individuals.

| HIPAA-Regulated Entity | State | Entity Type | Individuals Affected |
|---|---|---|---|
| Conduent Business Services LLC | NJ | Business Associate | 62,224,658 |
| Aflac | GA | Health Plan | 13,924,906 |
| Episource, LLC | CA | Business Associate | 6,725,572 |
| Yale New Haven Health System | CT | Healthcare Provider | 5,556,702 |
| Blue Shield of California | CA | Business Associate | 4,700,000 |
| PIH Health | CA | Healthcare Provider | 2,947,264 |
| DaVita Inc. | CO | Healthcare Provider | 2,689,826 |
| Veradigm LLC | IL | Business Associate | 2,672,036 |
| Anne Arundel Dermatology | MD | Healthcare Provider | 1,905,000 |
| Kettering Adventist Healthcare | OH | Healthcare Provider | 1,695,382 |
| Radiology Associates of Richmond, Inc. | VA | Healthcare Provider | 1,419,091 |
| DermCare Management | FL | Business Associate | 1,361,735 |
| SimonMed Imaging | AZ | Healthcare Provider | 1,275,669 |
| Absolute Dental Group, LLC | NV | Business Associate | 1,223,635 |
| Southeast Series of Lockton Companies, LLC (Lockton) | GA | Business Associate | 1,124,727 |
| Community Health Center, Inc. | CT | Healthcare Provider | 1,060,936 |
| Frederick Health | MD | Healthcare Provider | 934,326 |
| McLaren Health Care | MI | Healthcare Provider | 743,131 |
| Medusind Inc. | FL | Business Associate | 701,475 |
| Blue & Co., LLC | IN | Business Associate | 591,713 |
| Kelly & Associates Insurance Group, Inc. | MD | Business Associate | 553,332 |
| Decisely Insurance Services, LLC | GA | Business Associate | 537,603 |
| United Seating and Mobility, LLC, d/b/a Numotion | TN | Healthcare Provider | 529,004 |

Conduent Business Services – 62.2 million individuals

The largest healthcare data breach of 2025, by some distance, was reported by the HIPAA business associate Conduent Business Services. Conduent is a business associate of HIPAA-covered entities and government agencies that provides a range of back-office services. Conduent reported the data breach to OCR in October 2025 as involving unauthorized access to the protected health information of 42,616 individuals, including names, dates of birth, Social Security numbers, treatment information, and claims information.

Since then, the Oregon Attorney General was informed that the data breach involved unauthorized access to the sensitive data of more than 10.5 million state residents, and the Texas Attorney General was later informed that 14,791,500 individuals in Texas were affected, a total that was subsequently increased to 15,494,592 individuals. Other state attorneys general have also received notifications confirming that some of their residents were affected, but have not published how many. An updated total was provided to OCR in mid-2026, indicating that the protected health information of 62,224,658 individuals was compromised in the incident, making it the third-largest healthcare data breach of all time.

The incident was described as a security incident that caused an outage, resulting in temporary disruption to its services – terminology often used to describe a ransomware attack. The Safepay ransomware group claimed responsibility for the attack and added Conduent to its data leak site, although the listing has now been removed, suggesting the ransom was paid.

Aflac – 13.9 million individuals

In a June 12, 2025, filing with the U.S. Securities and Exchange Commission (SEC), the insurance giant Aflac disclosed a cyberattack by a threat actor that “may be affiliated with a known cyber-criminal organization.” While not confirmed by Aflac, that group is widely believed to be the Scattered Spider threat group, which at the time was targeting the insurance industry. The data breach was reported to OCR on August 8, 2025, using a placeholder figure of 500 affected individuals, as the investigation was ongoing at the time. The hackers gained access to names, addresses, dates of birth, government-issued ID numbers such as passports and state ID card numbers, driver’s license numbers, Social Security numbers, medical information, and health insurance information.

As the year drew to a close, Aflac confirmed that there had been unauthorized access to the sensitive data of 22.65 million individuals globally. The OCR breach portal has since been updated to confirm that the protected health information of at least 13,924,906 individuals was compromised in the incident.

Episource, LLC – 6.73 million individuals

The UnitedHealth (Optum) subsidiary Episource, a provider of medical coding, risk adjustment services, and software solutions for healthcare providers and health plans, experienced a ransomware attack in February 2025 that involved the exfiltration of files containing sensitive patient data. Data compromised in the attack included names, contact information, medical information, and health insurance information. The ransomware group gained access to EpiSource’s AWS environment,

The investigation confirmed that the ransomware group had access to its network from January 27, 2025, to February 6, 2025, and potentially obtained the protected health information of 5,418,866 individuals; that total has since been increased to 6,725,572 individuals. Multiple healthcare provider clients were affected by the attack, including Sharp HealthCare and Sharp Community Medical Group.

Yale New Haven Health System – 5.6 million individuals

Yale New Haven Health System, the largest health system in the state of Connecticut, reported the data breach to OCR in April 2025, after its investigation determined that hackers breached its network on March 8, 2025, and obtained the sensitive data of 5,556,702 individuals.

The electronic medical record system was not accessed, and the hackers were unable to access financial information; however, they did obtain names, contact information, demographic information, medical record numbers, and Social Security numbers. Yale New Haven Health faced multiple class action lawsuits over the data breach, which were settled rapidly. Yale New Haven Health agreed to an $18 million settlement to resolve a consolidated class action lawsuit that amalgamated 18 separate complaints, just 7 months after the data breach occurred.

Blue Shield of California – 4.70 million individuals

The health insurance provider Blue Shield of California was one of many healthcare entities to experience data breaches involving tracking software on their websites. In this case, Blue Shield of California had added Google Analytics code to certain websites, which was configured in a way that resulted in member data being shared with Google Ads for almost 3 years. In certain cases, the protected health information shared with Google may have been used to serve members with personalized Google Ads related to their interactions on Blue Shield of California websites. For instance, if the “Find a Doctor” service was used, then search criteria and results may have been disclosed.

While the scale of the breach – up to 4.7 million individuals – makes it one of the worst of the year, notification letters were issued to all members who accessed the websites over 3 years; however, it is unclear how many of those individuals had protected health information disclosed to third parties. Further, there was limited potential for harm, and no indications that any bad actor was able to access plan members’ data.

PIH Health – 2.95 million individuals

The California healthcare provider PIH Health experienced a ransomware attack in December 2024, in which the ransomware group claimed to have exfiltrated 2 terabytes of data. The threat actor had access to the PIH Health network from November 14, 2024, to December 23, 2024. It took more than a year for PIH Health to review the affected data and determine that patient data had been exposed. That determination was not made until December 2025, and it took until February 2026 for individuals to start being notified.

The ransomware group stole files containing names, addresses, medical information, health insurance information, Social Security numbers, taxpayer identification numbers, driver’s license numbers, financial account information, and credit/debit card numbers. PIH Health informed the HHS Office for Civil Rights that the protected health information of 2,947,264 individuals was compromised in the incident.

DaVita – 2.69 million individuals

The Denver, CO-based kidney dialysis service provider DaVita experienced a ransomware attack in April 2025. DaVita operates more than 2,600 kidney dialysis centers across the United States, and while the attack caused temporary operational disruption, critical care provided to patients across the United States was unaffected.

The ransomware group was able to access a laboratory database containing the protected health information of 2,689,826 individuals, including demographic information, clinical information, and tax information. The Interlock ransomware group claimed responsibility for the attack and had access to DaVita systems from March 24, 2025, to April 12, 2025.

Veradigm LLC – 2.67 million individuals

Veradigm, a Chicago, Illinois-based provider of practice management and electronic health record solutions to healthcare providers (formerly Allscripts), experienced a data security incident in July 2025 that involved unauthorized access to protected health information. One of its storage locations had been compromised as a result of an incident at one of its customers. Credentials were stolen that allowed access to the storage environment.

Data compromised in the incident included names, contact information, dates of birth, health records information, health insurance information, payment details, and limited identifiers, such as Social Security numbers and driver’s license numbers. It took some time to review the affected data, with 2,672,036 individuals now known to have had their data exposed or stolen in the incident. Veradigm settled the class action lawsuit that followed for $10.5 million.

Anne Arundel Dermatology – 1.91 million individuals

Anne Arundel Dermatology, a dermatology practice with more than 30 locations in 7 U.S. states, experienced a hacking incident that saw unauthorized individuals access its network from February 14, 2025, to May 13, 2025. The systems compromised in the attack contained the protected health information of up to 1,905,000 individuals, including names, addresses, dates of birth, and health insurance information.

Since it was not possible to determine which records were viewed or copied, notification letters were mailed to all potentially affected individuals. Anne Arundel Dermatology was one of several dermatology practices to be targeted by hackers in 2025.

Kettering Adventist Healthcare – 1.7 million individuals

The Ohio health system, Kettering Adventist Healthcare (Kettering Health), experienced a ransomware attack on May 20, 2025, although its network was first breached on April 9, 2025. The Interlock ransomware group claimed responsibility for the attack, alleging that 941 GB of data was stolen in the attack. Kettering Health refused to pay the ransom, and Interlock proceeded to leak the stolen data.

It took several months to review the affected data and determine the individuals affected. Around April 2026, OCR was provided with a revised total, showing that the protected health information of 1,695,382 individuals was stolen in the attack. The stolen data included names, Social Security numbers, financial account numbers, driver’s license numbers, medical and/or treatment information, health insurance information, billing and/or claim information, passport numbers, and/or usernames and associated passwords. Kettering Health faced dozens of class action lawsuits over the data breach. The litigation is ongoing.

Radiology Associates of Richmond – 1.42 million individuals

Radiology Associates of Richmond, a provider of medical imaging services at seven hospitals in Virginia and multiple outpatient facilities within the state, experienced a cyberattack in April 2024, although the data breach was not reported to OCR until July 2025.

The hackers had access to its network from April 2, 2024, to April 6, 2024, and exfiltrated files containing the protected health information of 1,419,091 patients, including names, dates of birth, email addresses, Social Security numbers, account numbers, routing numbers, medical information, and health insurance information.

DermCare Management – 1.4 million individuals

DermCare Management, a Florida-based provider of practice management services to dermatology practices in Florida, Texas, California, and Virginia, identified a hacking incident in February 2025, with the investigation confirming that an unauthorized third party had access to its computer systems between February 14, 2025, and February 26, 2025.

It took until March 2026 to review the affected data, when it was confirmed that the data breach affected patients of more than 70 dermatology clinics. It has since been confirmed that the protected health information of 1,361,735 individuals was compromised in the incident, including names, Social Security numbers, driver’s license numbers, credit and debit card information, financial account information, and medical information.

SimonMed Imaging – 1.3 million individuals

SimonMed Imaging, one of the largest medical imaging providers in the country, operates more than 170 medical imaging facilities in 10 U.S. states. The Scottsdale, AZ-based radiology practice learned from one of its vendors in January 2025 that there had been a security incident. The investigation confirmed that an unauthorized actor had direct access to its systems between January 21, 2025, and February 5, 2025. The Medusa ransomware group claimed responsibility for the attack and said it stole 212 GB of data, and demanded a $1 million ransom to prevent the data from being leaked or sold.

While the attack was announced in April 2025, it took several months to review the affected data. The compromised data included names, addresses, birth dates, dates of service, provider names, medical record numbers, patient numbers, medical condition information, diagnosis/treatment information, medications, health insurance information, and driver’s license numbers. The protected health information of 1,275,669 individuals was stolen in the attack.

Absolute Dental Group – 1.2 million individuals

Absolute Dental Group, a Nevada dental practice with over 50 locations in Las Vegas, Carson City, Reno, Sparks, and Minden, identified a cybersecurity incident in February 2025. In July 2025, the company confirmed that data stolen in the attack included names, contact information, dates of birth, Social Security numbers, driver’s license or state-issued ID information, passport or other government ID information, and health information.

The incident was initially reported to OCR using a placeholder estimate of 501 individuals, with that total updated in late summer to show that the protected health information of 1,223,365 individuals was exposed and potentially stolen in the incident.

Southeast Series of Lockton Companies – 1.1 million individuals

Southeast Series of Lockton Companies (Lockton), an insurance brokerage company that provides employee benefits services, reported a data breach to OCR on February 28, 2025, that involved unauthorized access to its computer network on November 20, 2025. While initially reported as involving unauthorized access to the protected health information of 1,706 individuals, the total was later revised to 1,124,727 individuals.

Hackers had access to a single account and computer for a few hours, but during that time, they may have viewed or acquired names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, and financial information.

Community Health Center – 1.1 million individuals

Community Health Center, a nonprofit healthcare provider in Middletown, Connecticut, identified unauthorized access to its computer network on January 2, 2025. The investigation confirmed that a hacker first accessed its network without authorization on October 14, 2024, and retained access until the intrusion was detected on January 2, 2025.

The attack did not involve file encryption; however, the hackers had access to sensitive patient data such as names, addresses, phone numbers, email addresses, dates of birth, diagnoses, test results, treatment information, health insurance information, and Social Security numbers. The investigation confirmed that up to 1,060,936 individuals were potentially affected.

Frederick Health – 934K individuals

Frederick Health Medical Group, a Maryland-based healthcare group, announced on January 27, 2025, that it had fallen victim to a ransomware attack. The group behind the attack was not disclosed and remains unknown.

The investigation confirmed that the protected health information of up to 934,326 individuals was potentially compromised, including names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, medical record numbers, health insurance information, and/or clinical information related to patients’ care.

McLaren Health Care – 743K individuals

McLaren Health Care in Michigan experienced a ransomware attack in August 2024 that involved unauthorized access to systems used by McLaren Health Care and its Karmanos cancer centers between July 17, 2024, and August 3, 2024. The file review was extensive and time-consuming, revealing on May 5, 2025, that sensitive data had been compromised in the incident.

The data breach affected 743,131 individuals and involved unauthorized access to names, Social Security numbers, driver’s license numbers, medical information, and health insurance information. While not reported as a ransomware attack, the Inc Ransom ransomware group claimed responsibility. While McLaren Health Care was added to the Inc Ransom data leak site, the listing has been removed, suggesting the ransom was paid. This was McLaren Health Care’s second ransomware attack in the space of a year.

Medusind – 701K individuals

Medusind, a Florida-based revenue cycle management vendor and practice management software provider, reported a cyberattack and data breach to OCR in early January that was first identified on December 23, 2023. Initially, the data breach was determined to have affected 360,934 individuals; however, the total was increased on two further occasions, with a final tally of 701,475 individuals.

The hackers had access to names, demographic information, health insurance and billing information, debit/credit card numbers or bank account information, Social Security numbers, and other government-issued ID numbers. Medusind faced multiple class action lawsuits over the data breach and settled the consolidated lawsuit for $5 million.

Blue & Co. – 591K individuals

Blue & Co, an accounting and advisory firm with offices in Indiana, Ohio, Kentucky, and Michigan, reported a data breach to OCR in 2025, although the incident was first detected on December 9, 2024, when an unauthorized actor claimed to have removed data from its network. That person had gained access to a network server via a phishing attack.

While the unauthorized access only occurred for around 30 minutes, the forensic investigation confirmed that the protected health information of 591,713 individuals had been exposed and was potentially copied. That information included names, Social Security numbers, driver’s license numbers, passport numbers, financial account information, health information, and health insurance information.

Kelly & Associates Insurance Group – 553K individuals

Kelly & Associates, doing business as Kelly Benefits, discovered a cyberattack in December 2024 and determined that hackers had access to its network from December 12, 2024, to December 17, 2024. During that time, they exfiltrated files containing names, dates of birth, Social Security numbers, health insurance information, financial account information, and medical information.

The data breach was not reported to OCR until April 2025, and notification letters were issued on a rolling basis. In late June 2025, the final victim tally was confirmed as 553,332 individuals. The delay in issuing notifications was due to the amount of data involved and the complexity of the file review.

Decisely Insurance Services, LLC – 537K individuals

Decisely Insurance Services, a Roswell, GA-based benefits brokerage and HR services firm, reported a data breach to OCR in 2025 that affected 65,405 individuals. Hackers had gained access to its cloud storage platform on December 17, 2024. Data compromised in the incident included names, dates of birth, phone numbers, passport numbers, digital signatures, and Social Security numbers, and the affected individuals were notified in June 2025.

However, the breach was far more extensive than the initial investigation suggested. Decisely Insurance Services later determined that the protected health information of 537,603 individuals had been compromised in the incident.

United Seating and Mobility (Numotion) – 529K individuals

United Seating & Mobility, doing business as Numotion, a wheelchair and mobility equipment provider, identified unauthorized access to employee email accounts in November 2024. The investigation confirmed that the accounts were compromised between September 2, 2024, and November 18, 2024, as a result of responses to phishing emails.

The data breach was first reported to OCR in March 2025, as involving unauthorized access to the protected health information of 494,326 individuals, but the total was later revised to 529,004 individuals. The hackers were able to access names, dates of birth, product information, payment and financial account information, health insurance information, and medical information.
