Healthcare Data Breach Report for June 2025

For June 2025, healthcare data breaches increased by 16.67% month-over-month, and the number of individuals who had their protected health information (PHI) exposed or impermissibly disclosed increased by 302.71% month-over-month.

In June, the HHS’ Office for Civil Rights (OCR) received notifications from HIPAA-covered entities regarding 70 data breaches involving 500 or more individuals, which is above the average of 59 data breaches a month over the past 12 months. The high number is mostly due to a phishing attack at a business associate that impacted about 25 cancer care and oncology clinics.

The number of individuals impacted by healthcare data breaches increased by 302% compared to May 2025. The 70 data breaches reported involved the exposure or impermissible disclosure of the PHI of 7,609,868 individuals.

The median and average data breach sizes in the last 12 months are 4.7 million and 21.65 million healthcare records a month, respectively. The big increase in June was mainly a result of the Episource mega data breach, which impacted 5.4 million people.

Biggest Healthcare Data Breaches in June 2025

Episource reported the biggest data breach in June 2025. This Optum subsidiary provides healthcare providers and health plans with services such as risk adjustment, medical coding, and software. Episource reported that 5,418,866 individuals had been affected by the data breach. Sharp HealthCare and Sharp Community Medical Group were also affected by the Episource data breach but submitted their own data breach reports to OCR, with 27,000 individuals affected, which adds to the total number affected. No ransomware group appears to have claimed responsibility for the attack.

Michigan-based McLaren Health Care submitted a breach report in June involving a ransomware attack and PHI theft that impacted 743,131 people. Although notifications were released in June, McLaren Health Care detected the attack in early August 2024. The hackers initially accessed its network in July 2024. The notification was late because of difficulty with the data analysis. The Inc Ransom group claimed responsibility for the attack; however, nothing was listed on its data leak site, which indicates that McLaren Health Care probably paid the ransom.

Compumedics USA, Inc., a business associate, reported the third-biggest data breach in June. This vendor provides diagnostic and research technologies to study sleep issues. It is uncertain if ransomware was involved, although Compumedics confirmed the theft of patient data, affecting 318,150 individuals.

The phishing attack on business associate Integrated Oncology Network affected at least 25 radiology and oncology practices located in 12 US states. According to the breach reports submitted to OCR by the affected healthcare providers, almost 123,000 individuals were impacted. The number of affected individuals may still increase, since it is uncertain if all impacted oncology practices have submitted breach reports. The phishing attack enabled the attacker to access SharePoint accounts, emails, and attachments.

Sentara Health reported an uncommon data breach involving three individuals hired for remote work and given patient data access. In the weeks following the start of work, the managers noticed that they were having virtual meetings with individuals who were not the ones hired. The work responsibilities had been assigned to other people, with the hired persons receiving a share of the salary.

Here is the list of HIPAA-covered entities that submitted breach reports to OCR in June 2025:

1. Episource, LLC – 5,418,866 individuals affected by hacking and data theft
2. McLaren Health Care – 743,131 individuals affected by ransomware attack and data theft
3. Compumedics USA, Inc. – 318,150 individuals affected by hacking and data theft
4. Central Kentucky Radiology – 166,953 individuals affected by ransomware attack and data theft
5. Southern Connecticut Vascular Center, LLC – 154,417 individuals affected by a hacking incident
6. Select Medical Holdings Corporation – 119,525 individuals affected by a hacking incident at Nationwide Recovery Service
7. Horizon Healthcare RCM – 77,410 individuals affected by a ransomware attack and data theft
8. TRG, LLC – 70,434 individuals affected by a hacking incident at Nationwide Recovery Service
9. Decisely Insurance Services, LLC – 65,405 individuals affected by a hacking incident and data theft
10. Gardner Orthopedics LLC – 47,000 individuals affected by a ransomware attack and data theft
11. Renkim Corporation – 46,592 individuals affected by a hacking incident and potential data theft
12. Cumberland County Hospital Association – 36,659 individuals affected by a hacking incident
13. Rural Health Services – 36,542 individuals affected by a hacking incident
14. Sharp HealthCare – 24,971 individuals affected by a hacking incident at Episource
15. Esse Health – 23,671 individuals affected by a ransomware attack and data theft
16. Texas Center for Infectious Disease Associates – 19,481 individuals affected by a hacking incident at a former billing services provider
17. Los Angeles County Developmental Services Fdn., Inc. also known as Frank D. Lanterman Regional Ctr. – 19,000 individuals affected by a compromised email account
18. California Cancer Associates for Research and Excellence – High Desert – 17,250 individuals affected by an email account breach at Integrated Oncology Network
19. Sensata Technologies, Inc. Health and Welfare Benefit Plan – 15,630 individuals affected by a ransomware attack and data theft
20. Lake City Cancer Care, LLC – 15,142 individuals affected by an email account breach at Integrated Oncology Network
21. Apex Global Solutions, LLC – 14,741 individuals affected by a hacking incident
22. Sentara Health – 13,278 individuals affected by unauthorized access to electronic medical records
23. Radiation Oncology Network of Southern California, LLC – 12,944 individuals affected by an email account breach at Integrated Oncology Network (ION)
24. Rocky Mountain Oncology Care – 10,268 individuals affected by an email account breach at Integrated Oncology Network
25. Iron County Medical Center – 10,239 individuals affected by a phishing attack and email account breach

In June 2025, there were four healthcare data breach reports that used a placeholder of 500 or 501 as an estimate of the number of impacted people. According to the HIPAA Breach Notification Rule, if the total number of affected individuals is still unknown 60 days after discovering the breach, an estimated number of affected individuals must be submitted to OCR. When the investigation is over, the total should be updated.

Here is the list of covered entities that reported placeholder figures:

1. PDCM Insurance – 501 individuals affected by a hacking/IT incident
2. Cerner Corporation – 501 individuals affected by a hacking/IT incident
3. Diversified Services Enterprises – 501 individuals affected by a hacking/IT incident
4. Clement Manor – 500 individuals affected by a hacking/IT incident

Causes of Healthcare Data Breaches in June 2025

In June, 59 data breach reports were due to hacking and other IT incidents, which accounts for most of the reported healthcare data breaches. The 59 incidents resulted in the exposure or theft of the PHI of 7,580,148 individuals, or 99.61% of June’s breached records. The average and median breach sizes were 128,477 and 4,824 affected individuals, respectively.

Eleven data breaches were due to unauthorized access/disclosure incidents, which affected 29,720 individuals. The average and median breach sizes were 2,702 and 1,099 affected individuals, respectively. OCR did not receive any data breach reports involving loss, theft, or improper disposal of records.

PHI stored in email accounts was breached in 36 incidents, which affected 169,076 individuals. These breaches emphasize the importance of regular security awareness training and phishing simulations. These measures help reduce susceptibility to phishing attempts and teach workers to report malicious emails to security officers, reducing the impact of a data breach.

Data Breaches at HIPAA-Regulated Entities

Healthcare providers submitted 54 data breach reports involving 500 or more records, with 1,642,856 affected individuals. Business associates reported 13 data breaches with 5,873,366 affected individuals. Health plans reported 2 data breaches with 77,410 affected individuals, and 1 healthcare clearinghouse reported a data breach that affected 16,2369 individuals.

Healthcare Data Breaches by State

In June, HIPAA-covered entities located in 29 states submitted data breach reports to OCR. California reported 14 data breaches that occurred at a business associate, 7 at ION, and 3 at Episource. Florida and Texas reported 6 data breaches each. Georgia, Kentucky, Ohio and Michigan reported 4 data breaches each. Missouri reported 3 data breaches, while Alaska, Louisiana, Indiana and New York reported two each. Arkansas, Connecticut, Colorado, Iowa, Idaho, Maryland, Minnesota, Massachusetts, North Carolina, Oregon, Oklahoma, Pennsylvania, South Carolina, Virginia, Tennessee, Wisconsin and Wyoming reported one data breach each.

The five worst-affected states in terms of the number of affected individuals are as follows:

1. California – 5,518,558 individuals affected
2. Michigan – 795,480 individuals affected
3. North Carolina – 318,150 individuals affected
4. Kentucky – 209,648 individuals affected
5. Connecticut – 154,417 individuals affected

HIPAA Enforcement

Neither the HHS’ Office for Civil Rights nor state attorneys general announced any HIPAA enforcement actions in June. From January 1, 2025, to June 30, 2025, OCR imposed 17 penalties on HIPAA-covered entities, amounting to $7,610,566, to settle noncompliance with the HIPAA Rules.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA