These are the biggest health data breaches in the first half of 2025


Some breaches affected millions of Americans. Hospital systems and other companies with health records experienced cyberattacks and other types of breaches.

Hospitals and other organizations with private health information continue to draw the attention of cyberattackers and ransomware groups.


Millions of Americans have been affected by cyberattacks and other data breaches at hospitals and other organizations with private health data.

In the first six months of the year, 343 data breaches have been reported to the U.S. Department of Health & Human Services. Organizations are required to notify the department of any breaches of health data affecting more than 500 people.

Thankfully, there hasn’t been a cyberattack this year that has matched the disruption caused by the ransomware attack on Change Healthcare, the most damaging cyberattack ever reported in the healthcare industry. More than 190 million Americans were affected by that attack, along with the vast majority of hospitals and other providers.

Still, hospitals and other healthcare organizations have suffered attacks that have affected millions of Americans. The 10 biggest breaches of this year have impacted more than 21 million Americans, according to a Chief Healthcare Executive® review of breaches reported to the federal government. Two breaches affected more than 5 million people.

Cybersecurity experts stress the importance of health systems doing everything they can to improve the security of their organizations. Analysts say hospital and healthcare executives and boards must place the highest priority on cybersecurity, to protect their patients and their organizations.

Andrew Carr, a ransom negotiator for Booz Allen, told Chief Healthcare Executive in a recent interview that organizations must have detailed plans to prepare for attacks.

“Resilience and preparation is going to be the absolute best thing that an organization, especially healthcare, can do,” Carr said.

Here’s a rundown of the 10 biggest breaches of health data in the first six months of the year. Several breaches have been identified as ransomware attacks, but some data was exposed in other breaches. The list includes hospital systems, insurers, and other organizations with access to health data.

1. Yale New Haven Health System

The health system suffered a breach this spring that affected more than 5.5 million people, according to the health department database.

Yale New Haven said it first discovered unusual activity in its information technology systems on March 8. The organization said “an unauthorized third party” gained copies of certain data. The information varied, but included names, dates of birth, Social Security numbers, addresses and phone numbers.

The system said the breach didn’t affect the ability to provide patient care. Yale New Haven notified patients about the breach in April.

“We take our responsibility to safeguard patient information incredibly seriously, and we regret any concern this incident may have caused,” the system said in April. “We are continuously updating and enhancing our systems to protect the data we maintain and to help prevent events such as this from occurring in the future.”

2. Episource

The healthcare IT services company experienced a data breach that affected more than 5.4 million individuals, the health department says.

Episource said “a cybercriminal was able to see and take copies of some data in our computer systems.” The company said the attacker gained access to its systems between Jan. 27 and Feb. 6. Some of the information accessed included personal data and health insurance information.

“We deeply regret this incident and sincerely apologize for any inconvenience or concern it may cause,” the company said in a notice to those affected.

The company said it worked with law enforcement and is strengthening its cybersecurity defenses.

3. Blue Shield of California

The insurer suffered a data breach that affected 4.7 million people, according to the health department.

Blue Shield of California said it detected “an incorrect data merge where some Blue Shield members were able to potentially view another member’s data in the Member Health Record feature on the Blue Shield member portal.”

The data was potentially visible from June 27, 2024 through April 4, 2025, when the issue was detected and addressed.

The information exposed may have included health conditions, medications, and lab results, but the insurer says there was no other access to personal information.

Blue Shield of California said there is no evidence that “the unauthorized user used, collected, transferred, or downloaded this information.”

4. Lockton

The insurance firm suffered a breach that affected more than 1.1 million individuals, the health department says.

In a letter to those affected, Lockton said an unauthorized party gained access to a single computer and obtained some files, which included some personal information, the company told Maine’s Office of the Attorney General.

The suspicious activity was first identified in November and the company notified those affected in February. Those affected have been offered two years of credit monitoring services. Lockton also said it was working to improve the security of its systems.

5. Community Health Center, Inc.

The provider in Connecticut experienced a breach that affected more than 1 million individuals, according to the health department.

Connecticut Attorney General William Tong said about 575,000 patients had all of their personal health data compromised, while others had limited information exposed, NBC Connecticut reported.

Community Health Center offers medical and dental services at locations across Connecticut. The breach was reported to the health department in January.

6. Frederick Health

The Maryland provider experienced a ransomware attack that affected more than 934,000 people, the health department says.

As a result of the cyberattack, Frederick Health temporarily diverted ambulances to other facilities, the Herald-Mail reported.

Frederick Health said the ransomware event occurred in late January. Some of the information exposed could have contained patient names, addresses, Social Security numbers, drivers’ license numbers, health insurance information and possibly clinical information.

“We take this incident very seriously and deeply regret any inconvenience or concern this incident may have caused,” the system said in a message to the public.

Frederick Health said it has taken steps to boost its security.

7. McLaren Health Care

The Michigan-based health system experienced a cyberattack that affected more than 740,000 people, according to the health department.

Patients of McLaren and the Karmanos Cancer Institute were affected, the system said.

McLaren said exposed information could have included names, Social Security numbers, medical information, health insurance information, prescription information, and dates of birth. The health system said it had no evidence information was misused.

Attackers gained access between July 17, 2024 and Aug. 3, 2024. McLaren said its investigation of the incident lasted until May 2025. McLaren said it’s offering credit monitoring and identity theft protection.

“We take the security of our patients’ information very seriously,” the system said.

McLaren also suffered a ransomware attack in 2023, illustrating that health systems can be repeated targets of cyberattackers.

8. Medusind Inc.

A medical billing company based in Florida, Medusind experienced a breach affecting more than 700,000 people, the health department says.

In a letter to those affected, Medusind said an investigation revealed that “a cybercriminal may have obtained a copy of certain files.”

Some of the information contained medical information, health insurance information, payment information, Social Security numbers, dates of birth and other personal data.

The breach first occurred in December 2023, according to the Maine Office of the Attorney General. The U.S. Health Department said it received notification in January 2025.

The company has offered two years of credit monitoring and identity theft protection.

9. Kelly & Associates Insurance Group, Inc.

The Maryland-based insurance firm, known as Kelly Benefits, reported a breach that affected more than 550,000 individuals, according to the health department.

Kelly Benefits said someone broke into its systems between Dec. 12 and Dec. 17, 2024, and copied and stole some files.

The company said it has seen no evidence that private data has been misused. But some of the exposed data included medical information, financial account information, Social Security numbers, tax ID numbers and dates of birth, the company said.

Kelly Benefits said it has worked with law enforcement and reviewed its security policies and procedures.

“Kelly Benefits takes the confidentiality, privacy, and security of information in its care seriously,” the company said. “Upon discovery, Kelly Benefits immediately took measures to mitigate the effects of the incident and commenced an investigation to confirm the nature and scope of the incident.”

10. Numotion

The company experienced a breach affecting more than 494,000 people, according to the health department.

Based in Tennessee, Numotion provides products and services for those with mobility limitations. The company said someone accessed some employee email accounts on several occasions between Sept. 2, 2024 and Nov. 18, 2024.

“Numotion has no reason to believe that anyone was trying to access personal information in the accounts, and there is no indication that any information has been used for fraud or identity theft,” the company said.

Still, the company said information that was potentially exposed could have included financial accounts, medical information, health insurance, and in “a minority” of individuals, Social Security numbers and driver’s license numbers.

© 2025 MJH Life Sciences

All rights reserved.