December 2025 Healthcare Data Breach Report

A total of 41 large healthcare data breaches affecting 500 or more individuals were reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) in December 2025, marking one of the lowest monthly totals in recent years.

Monthly Breach Totals and Reporting Context

In December 2025, HIPAA-covered entities reported only 41 healthcare data breaches, a marked decrease compared with other months in 2025. It is the second-lowest monthly total in 2025 and the lowest December total since 2019. The 43-day federal government shutdown may have affected the reporting totals: during the shutdown, non-essential OCR staff were furloughed, so no breach reports were added to the OCR breach portal.

Affected Individuals and Trends

In December 2025, only 345,564 individuals were documented as affected by reported healthcare data breaches. Monthly averages of affected individuals in the latter part of the year were substantially lower than earlier 2025 figures.

Largest Reported Breaches in December 2025

1. Fieldtex Products Inc., a business associate in Rochester, New York, reported the largest breach, affecting 104,071 individuals. It was part of a series of related reports from the same incident totaling 139,009 individuals.
2. AllerVie Health, a Texas healthcare network, was impacted by a ransomware attack linked to the Anubis group.
3. Medical Center LLP, operating as Dublin Medical Center in Georgia, reported that a hacking incident affected 32,090 individuals.
4. Variety Care in Oklahoma was affected by a cyberattack on its business associate, a third-party administrative service provider, impacting 17,163 individuals.

Other December Breach Reports

In addition to the largest incidents, six covered entities reported breaches with provisional counts of 500 or 501 individuals affected pending investigation completion. These HIPAA-covered entities are Associated Radiologists of the Finger Lakes, P.C., Glendale Obstetrics & Gynecology PCA, Reproductive Medicine Associates of Michigan, Mitchell County Department of Social Services, Greater St. Louis Oral & Maxillofacial Surgery PC, and Madison Healthcare Services.

Breach Causes and Common Vectors

Hacking and other IT incidents accounted for the overwhelming majority of December’s breaches. Network servers were the most frequent location of breached protected health information, followed by compromised email accounts.

Entity Types and Reporting Responsibility

Healthcare providers reported 29 data breaches in December 2025, health plans reported six, and business associates also reported six. When a breach occurred at a business associate, the HIPAA-regulated covered entity remained responsible for ensuring OCR notification and patient notification requirements were met.

Healthcare Data Breaches by State

California reported 9 breaches to OCR, New York reported 5, and Texas reported 4. Maryland, Minnesota, Michigan, Missouri, Oregon, Oklahoma, and Tennessee reported two each. Arizona, Georgia, Florida, Illinois, Louisiana, Massachusetts, Maine, North Carolina, and Ohio reported one each.

HIPAA Enforcement Activity

OCR issued one HIPAA enforcement action involving a financial penalty in December 2025. Concentra, Inc. in Texas paid a $112,500 penalty to settle a HIPAA Right of Access violation. State attorneys general also issued one financial penalty, involving Orthopedics NY LLP. OrthoNY paid $500,000 to resolve alleged cybersecurity failures that resulted in the breach of protected health information (PHI) of over 656,000 individuals.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA