Based on breach reports submitted to the U.S. Department of Health and Human Services (HHS), November saw relatively low numbers of healthcare data breaches. On average in 2025, 57 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR) each month. In fact, for the past six years, data breaches have been reported at a rate of around 60 per month. The OCR breach portal currently lists 32 large healthcare data breaches for November, and a similar number were reported in October (28) – numbers that have not been regularly seen since 2018.

Compared to previous Novembers, data breaches have decreased substantially, with a 54% reduction from November 2024 and a 56% reduction from November 2023.

While data breaches appear to have halved in October and November, it coincides with the U.S. government shutdown due to Congress failing to pass appropriations legislation for the 2026 fiscal year. The shutdown lasted from October 1, 2025, to November 12, 2025, and during that time, no data breaches were added to the OCR data breach portal. The significant backlog has taken some time to clear, and there may still be breach reports that have yet to be added to the breach portal from that period.

Low numbers of data breaches do not always mean low numbers of affected individuals, as was demonstrated in October 2025, when only 28 breaches were reported, but more than 11 million individuals were affected. Breach victims fell substantially in November, which saw the fewest number of individuals affected by large healthcare data breaches so far this year. Based on current figures, 1,415,934 individuals are known to have had their protected health information exposed or impermissibly disclosed in data breaches reported in November. That’s the lowest monthly total since January 2023, and an 87.2% reduction from October. So far in 2025, from January 1, 2025, to November 30, 2025, 686 large healthcare data breaches have been reported affecting 55,695,906 individuals.

The number of affected individuals in November 2025 was the lowest in the past five years. While the low numbers of data breaches and affected individuals are certainly good news, this trend may be short-lived, as some sizable data breaches have been confirmed by HIPAA-regulated entities in the past two months that have yet to appear on the OCR data breach portal.

The Biggest Healthcare Data Breaches Reported in November 2025

In November, 16 healthcare data breaches were reported to OCR that affected more than 10,000 individuals. The biggest confirmed healthcare data breach of the month affected VITAS Hospice Services in Florida and involved unauthorized access to the protected health information of almost 320,000 patients. An account used by one of its vendors was compromised, and the account was used to access VITAS systems.

The medical supply company Fieldtex Products reported the second-largest data breach, also a hacking incident, affecting 238,615 individuals. A further three breach reports were submitted to OCR by Fieldtex Products in December, adding a further 35,748 individuals to that total. Delta Dental of Virginia reported a hacking incident that was initially thought to have affected 145,918 individuals, although following investigation, was reduced to 126,953 individuals.  This was the largest email data breach of the month and involved unauthorized access to a single email account.

Data breaches must be reported to OCR within 60 days of discovery, per the HIPAA Breach Notification Rule. If the total number of affected individuals is not known, an estimate should be provided within those 60 days. HIPAA-regulated entities often submit a breach report using a placeholder figure of 500 or 501 affected individuals when data reviews are ongoing. In November, two data breaches were reported with 500 totals indicative of placeholder figures.

Causes of November 2025 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 78% of the month’s data breaches (25 incidents) and 99.1% of the month’s affected individuals (1,403,361). On average, 56,134 individuals were affected by each of these incidents (median: 15,027).

Unauthorized access/disclosure incidents accounted for 15.6% of the month’s data breaches (5 incidents) and 0.5% of the month’s affected individuals (7,591). The average breach size was 1,518 individuals (median: 1,518). Loss and theft incidents accounted for 6.3% of the month’s breaches (2 incidents) and 0.4% of the month’s affected individuals. The average breach size was 2,491 individuals (median 2,491).

Ransomware attacks continue to be one of the biggest cyber threats in healthcare, although hacking incidents are rarely reported as such. A recent analysis from GuidePoint Security identified a 58% year-over-year increase in ransomware attacks in 2025, with Qilin, INC Ransom, and SafePay the biggest threats to healthcare organizations. Some threat actors, Pear, for example, have opted for pure data theft and extortion, skipping file encryption in their attacks. Pear has targeted several healthcare organizations in recent months, and a recently emerged ransomware group called Sinobi has claimed many healthcare victims.

While a majority of the hacking incidents (59%) involved compromised network servers, email continues to be targeted and is often used for initial access in more comprehensive attacks on an organization. In November, almost 19% of incidents involved compromised email accounts.

Where did the Data Breaches Occur?

Healthcare providers were the worst-affected HIPAA-covered entities in November, with 22 reported breaches (867,100 affected individuals), with three data breaches at health plans (129,118 affected individuals) and no data breaches at healthcare clearinghouses. In November, 7 business associates of HIPAA-covered entities reported data breaches (419,716 affected individuals); however, a further two breaches occurred at business associates but were reported by the affected covered entities. The charts below are based on where the data breach occurred, rather than the entity that reported the breach.

Geographic Distribution of Healthcare Data Breaches

In November, large healthcare data breaches were reported by HIPAA-regulated entities based in 21 U.S. states. Virginia was the worst-affected state with four breaches, followed by New York and Wisconsin with three data breaches.

While entities in Florida only experienced 2 large healthcare data breaches, the state had the highest number of affected individuals.

HIPAA Enforcement Activity in November 2025

The government shutdown during October and a significant part of November brought many HHS workflows to a grinding halt as staff were furloughed, and there were no announcements about HIPAA enforcement actions. Enforcement activity is continuing, and while there were no new announcements, 2025 ranks as one of the busiest years for HIPAA enforcement. Including one penalty announced in December, OCR closed the year with settlements and civil monetary penalties – the second-highest annual total to date. State Attorneys General also enforce the HIPAA Rules; however, there were no known enforcement actions announced in November to resolve alleged HIPAA violations.

This report is based on data obtained from the HHS’ Office for Civil Rights on January 20, 2026.

The post November 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Data breaches have recently been announced by Central Maine Healthcare, Dermatology Associates in Kentucky, and Reproductive Medicine Associates of Michigan. The Central Maine Healthcare data breach has affected 145,000 individuals.

Central Maine Healthcare

Central Maine Healthcare, an integrated nonprofit healthcare system serving around 400,000 residents in central and western Maine, has announced a major data breach involving the electronic protected health information of up to 145,000 patients.

Suspicious activity was identified within its IT systems on June 1, 2025, and immediate action was taken to secure its systems while an investigation sought to determine the nature and scope of the activity. The investigation determined that between March 19, 2025, and June 1, 2025, an unauthorized third party had access to its network and accessed or acquired files containing sensitive patient data.

The file review confirmed that names and Social Security numbers were compromised, in combination with one or more of the following: address, date(s) of service, provider names, treatment information, and health insurance information. Notification letters started to be mailed to the affected individuals in late December 2025, and single-bureau credit monitoring, credit report, and credit score services have been offered.

Dermatology Associates, Kentucky

Dermatology Associates in Louisville, Kentucky, has recently announced an August 2025 security incident that may have resulted in unauthorized access to patient data. Suspicious activity was identified within its computer systems on August 4, 2025, and third-party cybersecurity experts were engaged to investigate the activity.

The investigation confirmed unauthorized access to its network for a period of two months from June 4, 2025, to August 4, 2025. The data review is ongoing, so the types of information involved have yet to be confirmed. Dermatology Associates said the information likely exposed in the incident included names, addresses, dates of birth, driver’s license numbers, telephone numbers, physician names, billing/claims information, patient ID/account numbers, and health insurance information.

Steps have been taken to improve security, and notification letters will be sent by mail when the investigation is concluded. The data breach is currently shown on the HHS’ Office for Civil Rights breach portal with a placeholder figure of at least 501 affected individuals. The total will be updated when the file review is concluded.

Reproductive Medicine Associates of Michigan

Reproductive Medicine Associates of Michigan (RMAM), a fertility clinic in Troy, MI, has started notifying patients about a recent cybersecurity incident that involved the theft of sensitive data from its network. Suspicious network activity was identified on October 22, 2025, and immediate action was taken to secure its IT environment. Third-party cybersecurity specialists were engaged to investigate the activity, who confirmed that data had been exfiltrated.

On December 19, 2025, a substitute data breach notice was added to the RMAM website that states that the file review is ongoing, and notification letters will be mailed to the affected individuals when that process is completed. The notifications will provide information on the exact types of information involved for each individual. At present, the total number of individuals affected has yet to be confirmed.

The post Central Maine Healthcare Data Breach Affects 145,000 Individuals appeared first on The HIPAA Journal.