August 2025 Healthcare Data Breach Report

There has been a 13.7% month-over-month increase in large healthcare data breaches, with 58 breaches affecting 500 or more individuals reported to the HHS’ Office for Civil Rights in August, slightly lower than the 2025 average of 63.5 large healthcare data breaches per month.

August healthcare data breaches (2020-2025)

Since 2009, the number of reported healthcare data breaches has generally increased each year, although there was a slight reduction in data breaches last year (746 in 2023 vs. 739 in 2024), and that trend appears to be continuing this year. HIPAA-regulated entities have reported 508 large healthcare data breaches in the year to August 31, 2025, compared to 515 large healthcare data breaches over the corresponding period in 2024.

Individuals affected by healthcare data breaches in the past 12 months

Individuals affected by healthcare data breaches in August (2020-2025)

For the second consecutive month, the number of individuals affected by healthcare data breaches has fallen. Across the 58 data breaches, the protected health information of 3,789,869 individuals was exposed or impermissibly accessed/disclosed. On average, 5,084,784 individuals have been affected by healthcare data breaches each month this year (median 3,583,200 individuals).

The number of affected individuals is down 84.7% for the year to date compared to 2024, although in July last year, Change Healthcare reported its gargantuan data breach, which we now know affected 192.7 million individuals. Even discounting that data breach as an outlier, there has been a considerable fall in the number of individuals affected by healthcare data breaches this year, down 43.93% from 2024 and 60.9% from the same period in 2023. Further information on healthcare data breaches can be found on our healthcare data breach statistics page.

The Biggest Healthcare Data Breaches in August 2025

There were only 13 data breaches affecting 10,000 or more individuals in August. The largest was a ransomware attack on the kidney dialysis company DaVita, which affected 2,689,826 individuals, 71% of the total affected individuals in August. The Interlock ransomware group claimed responsibility for the attack. Vital Imaging Medical Diagnostic Centers (VIMDC) in Florida experienced the second-largest data breach, with up to 260,000 individuals affected. While data theft was not confirmed, VIMDC said it was likely. Three of the four largest healthcare data breaches in August were ransomware attacks. Aspire Rural Health System and Highlands Oncology Group also fell victim to ransomware attacks.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| DaVita Inc. | CO | Healthcare Provider | 2,689,826 | Ransomware attack – Data theft confirmed (Interlock) |
| Vital Imaging Medical Diagnostic Centers, LLC | FL | Healthcare Provider | 260,000 | Hacking incident – Data theft suspected |
| Aspire Rural Health System | MI | Healthcare Provider | 138,386 | Ransomware attack – Data theft confirmed (BianLian) |
| Highlands Oncology Group PA | AR | Healthcare Provider | 111,766 | Ransomware attack (Medusa) |
| University of Iowa Community Home Care | IA | Healthcare Provider | 109,029 | Hacking incident – Data theft confirmed |
| University of Iowa Health Care | IA | Healthcare Provider | 101,875 | Hacking incident – Data theft confirmed |
| CPAP Medical Supplies and Services Inc. | FL | Healthcare Provider | 90,133 | Hacking incident |
| Langdon & Company, LLP Certified Public Accountants | NC | Business Associate | 46,061 | Hacking incident – Data theft confirmed |
| Pediatric Otolaryngology Head & Neck Surgery Associates, P.A. | FL | Healthcare Provider | 43,446 | Hacking incident |
| MDLand International Corporation | NY | Business Associate | 22,586 | Ransomware attack |
| Beech Acres Parenting Center | OH | Healthcare Provider | 19,315 | Hacking incident |
| Pacific Imaging Management, LLC | CA | Healthcare Provider | 13,158 | Compromised email accounts |
| West Texas Oral Facial Surgery | TX | Healthcare Provider | 11,151 | Hacking incident |

The 13 data breaches affecting 10,000 or more individuals could well grow over the coming weeks, as 11 data breaches were reported in August that had suspected placeholder figures of 500 or 501 affected individuals. These figures are commonly used when the number of affected individuals has not been determined by the reporting deadline of the HIPAA Breach Notification Rule.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Meridian Valley Laboratories, Inc. | WA | Healthcare Provider | 501 | Hacking/IT Incident |
| Department of Social Services for Vance County, North Carolina | NC | Business Associate | 501 | Hacking/IT Incident |
| CareTracker, Inc. | NY | Business Associate | 501 | Hacking/IT Incident |
| Mower County Health and Human Services | MN | Healthcare Provider | 501 | Hacking/IT Incident |
| PROVAIL | WA | Healthcare Provider | 501 | Hacking/IT Incident |
| Woodlawn Hospital | IN | Healthcare Provider | 500 | Hacking/IT Incident |
| McEwen & Associates | TX | Business Associate | 500 | Hacking/IT Incident |
| McEwen & Associates | TX | Business Associate | 500 | Hacking/IT Incident |
| McEwen & Associates | TX | Business Associate | 500 | Hacking/IT Incident |
| Aflac Incorporated (“Aflac”) | GA | Health Plan | 500 | Hacking/IT Incident |
| Friesen Group | CA | Healthcare Provider | 500 | Hacking/IT Incident |

Causes of August 2025 Healthcare Data Breaches

Hacking and other IT incidents dominated the August breach reports, accounting for 87.9% of the month’s data breaches (51 data breaches). Across those breaches, the protected health information of 3,635,101 individuals was exposed or impermissibly accessed or disclosed – 95.9% of the individuals affected by data breaches in August. The average breach size was 71,276 records, and the median breach size was 3,569 records.

Causes of August 2025 healthcare data breaches

There were 7 unauthorized access/disclosure incidents affecting a total of 154,768 individuals. The average breach size was 22,110 records, and the median breach size was 3,215 records. No loss or theft incidents have been reported for five months, and there have been no improper disposal incidents for three months. The most common location of breached protected health information was network servers, followed by email accounts.

Location of breached protected health information in August 2025

Affected HIPAA-Regulated Entities

In August, 44 data breaches were reported by healthcare providers, affecting 3,698,013 individuals, 12 data breaches were reported by business associates, affecting 88,141 individuals, and 2 data breaches were reported by health plans, affecting 3,715 individuals. When a data breach occurs at a business associate, it is ultimately the responsibility of the affected covered entities to report the breach, although that responsibility is often delegated to the business associate. Since some covered entities choose to report business associate breaches themselves, the above figures do not accurately show where the data breach occurred. The charts below are based on the entity that experienced the data breach rather than the entity that reported the incident.

Data breaches at HIPAA-regulated entities in August 2025

Individuals affected by data breaches at HIPAA-regulated entities in August 2025

Geographical Distribution of August 2025 Healthcare Data Breaches

California was the worst-affected state with 7 large data breaches reported by HIPAA-regulated entities based in the state, closely followed by Florida and Texas with 6 data breaches. In August, HIPAA-regulated entities in 23 states reported large data breaches.

| State | Breaches |
|---|---|
| California | 7 |
| New York & Texas | 6 |
| Florida | 5 |
| Indiana, North Carolina & Washington | 3 |
| Arkansas, Connecticut, Georgia, Iowa, Massachusetts, Michigan, Minnesota, Utah & Wisconsin | 2 |
| Arizona, Colorado, Illinois, Mississippi, Montana, Nebraska & Ohio | 1 |

While California had the most breaches, the state ranked 8th in terms of the number of affected individuals. New York ranked 7th, and Texas ranked 9th. Only one data breach was reported by a Colorado-based entity, but it was the largest data breach of the month, ensuring the state ranked top in terms of affected individuals.

| State | Records |
|---|---|
| Colorado | 2,689,826 |
| Florida | 405,348 |
| Iowa | 210,904 |
| Michigan | 139,401 |
| Arkansas | 114,257 |
| North Carolina | 50,584 |
| New York | 44,882 |
| California | 33,873 |
| Texas | 20,848 |
| Ohio | 19,315 |
| Connecticut | 8,428 |
| Montana | 8,255 |
| Wisconsin | 8,006 |
| Indiana | 6,097 |
| Massachusetts | 5,896 |
| Washington | 4,866 |
| Utah | 4,195 |
| Georgia | 4,069 |
| Arizona | 2,916 |
| Minnesota | 2,767 |
| Nebraska | 2,544 |
| Mississippi | 1,541 |
| Illinois | 1,051 |

HIPAA Enforcement Activity in August 2025

It has been a busy year of HIPAA enforcement with 19 investigations resulting in settlements or civil monetary penalties to resolve noncompliance with the HIPAA Rules, including one new enforcement action announced in August. BST & Co. CPAs, LLP, is a public accounting, business advisory, and management consulting firm based in New York. OCR launched an investigation of the company following a report of a December 2019 ransomware attack by the Maze ransomware group involving unauthorized access to the protected health information of up to 170,000 patients of its covered entity client Community Care Physicians P.C., a New York medical group. The ransomware attack started with a phishing email. OCR was not provided with any evidence to show that a risk analysis had ever been conducted. The alleged HIPAA violation was settled with BST & Co. CPAs agreeing to pay a $175,000 financial penalty and adopt a corrective action plan. You can find out more about OCR’s HIPAA enforcement actions on our HIPAA violation cases page.

State attorneys general can also investigate HIPAA breaches and impose financial penalties for noncompliance, although there were no announcements by state attorneys general in August. State attorneys general HIPAA enforcement actions can be found on this link.

The post August 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Source: www.hipaajournal.com
