Healthcare Data Breach Report for September 2025

As of October 22, 2025, OCR had listed 26 data breaches involving 500 or more individuals on its breach portal for September. This is the lowest monthly total since December 2018. Although the count fell 56% from August, which had 64 data breaches, more breaches will likely be added because of the government shutdown and the resulting backlog of breach reports. The number of healthcare data breaches has trended downward since April. From January 1 to September 30, 469 data breaches were reported, compared with 554 in the same period of 2024.

The 26 data breaches reported in September resulted in the exposure or impermissible disclosure of the protected health information (PHI) of at least 1,294,769 individuals. For the year to date, the PHI of 42,216,193 individuals has been exposed or impermissibly disclosed. The number of affected individuals is down 85% from 2024 and 75% from 2023.

The Largest Healthcare Data Breaches Reported in September

Eleven data breaches involved the exposure or impermissible disclosure of the PHI of at least 10,000 individuals. Ten were hacking incidents, mostly unauthorized access to PHI stored on network servers; one involved a compromised email account. The largest hacking incident was at Goshen Medical Center, which affected more than 456,000 patients. Sturgis Hospital was still investigating a December 2024 cyberattack when it experienced another attack in June 2025.

1. Goshen Medical Center – 456,385 individuals affected by network server hacking incident
2. Medical Associates of Brevard, LLC – 246,711 individuals affected by network server hacking incident
3. Doctors Imaging Group – 171,862 individuals affected by network server hacking and data theft
4. Retina Group of Florida – 152,691 individuals affected by network server hacking incident
5. Sturgis Hospital – 77,771 individuals affected by network server hacking incident
6. PGA Development, Inc. – 23,899 individuals affected by network server hacking and IT incident
7. Teamsters Union 25 Health Services & Insurance Plan – 19,231 individuals affected by network server hacking incident
8. Health & Palliative Services of the Treasure Coast, Inc – 13,234 individuals affected by email account breach
9. People Encouraging People – 13,083 individuals affected by ransomware attack and data theft

Under the HIPAA Breach Notification Rule, HIPAA-covered entities must report data breaches to OCR and send notification letters to affected individuals within 60 days of discovering a breach. When the total number of affected individuals is not yet known at that point, the entity reports an estimate or a placeholder figure of 500 or 501 to OCR and updates the total once the file review is complete. In September, four data breaches were reported with a 500 or 501 total; these likely affected more people than the initial report indicates. The four healthcare providers are:

1. Cookeville Regional Medical Center
2. Hampton Regional Medical Center
3. Coos County Family Health Services
4. La Perouse, LLC

Causes of September 2025 Healthcare Data Breaches

Of the data breaches listed on the OCR breach portal in September, 23 (88.5%) were hacking/IT incidents, including unauthorized access to the PHI of 1,279,139 people, or 98.8% of all individuals affected by September's breaches. The mean and median number of individuals impacted by these incidents were 55,615 and 6,243, respectively.

The particulars of hacking incidents, such as whether ransomware was used to encrypt files, whether the attacker issued a ransom demand, or whether data was stolen, are usually not reported. This pattern has been growing for some time and is not limited to the healthcare sector; the Identity Theft Resource Center (ITRC) has documented the same trend across many industries.

The remaining three data breaches were unauthorized access/disclosure incidents, impacting 15,630 people, with a mean and median of 5,210 and 1,700 individuals, respectively. According to the available information, no loss, theft, or improper disposal incidents were reported in September.

Geographical Distribution of Healthcare Data Breaches

Florida and North Carolina each had four entities that reported data breaches affecting 500 or more individuals, with 584,498 individuals affected in Florida and 465,721 in North Carolina. Michigan, Pennsylvania, and Tennessee each had two data breaches reported. Louisiana, Maryland, Massachusetts, Minnesota, Missouri, Nevada, New Hampshire, Oregon, South Carolina, Texas, Virginia, and Washington each had one. The number of individuals affected per state is listed below:

1. Florida – 584,498 individuals affected
2. North Carolina – 465,721 individuals affected
3. Michigan – 155,542 individuals affected
4. Pennsylvania – 26,150 individuals affected
5. Massachusetts – 19,231 individuals affected
6. Maryland – 13,083 individuals affected
7. Missouri – 11,538 individuals affected
8. Louisiana – 6,243 individuals affected
9. Minnesota – 3,572 individuals affected
10. Tennessee – 2,957 individuals affected
11. Oregon – 1,700 individuals affected
12. Texas – 1,236 individuals affected
13. Washington – 1,099 individuals affected
14. Virginia – 696 individuals affected
15. New Hampshire – 501 individuals affected
16. Nevada – 501 individuals affected
17. South Carolina – 501 individuals affected

HIPAA Enforcement Activity

In September, OCR announced one HIPAA enforcement action, bringing the 2025 total to 20 enforcement actions with settlements or civil monetary penalties. OCR reached a settlement with Cadia Healthcare facilities over alleged violations of the HIPAA Privacy Rule and Breach Notification Rule; the alleged violations will be settled for $182,000.

Cadia Healthcare operates five skilled nursing, rehabilitation, and long-term care facilities in Delaware. A staff member published patient success stories on the company's social media account without obtaining valid HIPAA authorizations, and using PHI in those stories was an impermissible disclosure. After OCR notified Cadia of the incident, Cadia's investigation found that the PHI of 150 patients had been posted online without valid authorization. Cadia removed the posts and ended the success story program but failed to send breach notification letters. The corrective action plan calls for revising policies and procedures, training staff members, and sending the notification letters.

About Christine Garcia
Christine Garcia is a staff writer at Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected] or follow her on Twitter at https://twitter.com/ChrisCalHIPAA