More than 20 million people were affected by the 10 largest healthcare data breaches reported to the federal government in 2025, TechTarget reported Dec. 22, citing information from the HHS Office for Civil Rights’ public data breach portal.
More than 35 million people were impacted by large healthcare data breaches reported to the HHS Office for Civil Rights in 2025, the portal shows. That total is expected to rise, according to the publication, as the office continues posting 2025 breach reports after updates stalled for weeks during a 43-day government shutdown that began in October.
Here are 10 of the largest healthcare data breaches reported in 2025:
- Yale New Haven (Conn.) Health: 5,556,702 people affected after the health system detected unusual activity within its IT systems March 8.
- Episource: 5,418,866 people affected after a ransomware attack.
- Blue Shield of California: 4.7 million people affected by a breach tied to Google Analytics.
- DaVita: 2,689,826 people affected after a ransomware attack encrypted elements of the company’s network.
- Anne Arundel Dermatology: 1,905,000 people affected after an unauthorized party accessed files containing health information.
- Radiology Associates of Richmond (Va.): 1,419,091 people affected after an unauthorized party accessed the organization’s network in 2024.
- Southeast Series of Lockton Companies: 1,124,727 people affected after an unauthorized party accessed a single account and obtained certain files.
- Community Health Center (Middletown, Conn.): 1,060,936 people affected after a “skilled criminal hacker” accessed the organization’s systems and took data.
- Frederick Health (Frederick, Md.): 934,326 people affected after a ransomware attack disrupted IT systems.
- McLaren Health Care (Grand Blanc, Mich.): 743,131 people affected after a cyberattack disrupted IT and phone systems.