Healthcare Data Breach Report for April 2025

The number of healthcare data breaches reported in April increased by 17.9% month-over-month, with 66 data breaches involving 500 or more records reported to the HHS’ Office for Civil Rights (OCR). This figure is higher than the 12-month average of 57 data breaches.
The number of individuals impacted by healthcare data breaches also rose by 371% month-over-month, from 2.7 million individuals in March to 12.9 million individuals in April. The jump was mostly due to the data breaches at Blue Shield of California and Yale New Haven Health System, which together affected about 10.26 million people. Excluding the Change Healthcare data breach, the average number of individuals affected per month by healthcare data breaches over the last 12 months was only 5,992,343 individuals.

Largest Healthcare Data Breaches in April 2025

1. Yale New Haven Health System – 5,556,702 individuals affected by hacking/IT incident with data theft
2. Blue Shield of California – 4,700,000 individuals affected by unauthorized access/disclosure incident
3. Ascension Health – 437,329 individuals affected by hacking/IT incident
4. Onsite Mammography – 357,265 individuals affected by hacking/IT incident and unauthorized access to a worker’s email account
5. Union Health System, Inc. – 262,831 individuals affected by hacking/IT incident with PHI theft at business associate Oracle Health/Cerner
6. The City of Long Beach, CA – 258,191 individuals affected by hacking/IT incident with data theft
7. Dameron Hospital – 210,706 individuals affected by hacking/IT incident with data theft
8. Central Texas Pediatric Orthopedics – 140,000 individuals affected by hacking/IT incident by Qilin ransomware group and data theft
9. Alabama Ophthalmology Associates – 131,576 individuals affected by hacking/IT incident
10. Endue Software – 118,028 individuals affected by hacking/IT incident with data theft
11. Bell Ambulance, Inc. – 114,000 individuals affected by hacking/IT incident
12. Alternate Solutions Health Network, LLC – 93,589 individuals affected by hacking/IT incident and unauthorized access to a worker’s email account
13. Whitman County Public Hospital District No. 3 – 63,453 individuals affected by hacking/IT incident
14. Horizon Behavioral Health – 49,822 individuals affected by hacking/IT incident, a ransomware attack with data theft
15. Benefits Partner, LLC dba Salus Group – 40,177 individuals affected by hacking/IT incident and unauthorized access to a worker’s email account (Phishing)
16. Kelly & Associates Insurance Group, Inc. – 32,234 individuals affected by hacking/IT incident impacting multiple clients
17. Rheumatology Associates of Baltimore – 28,968 individuals affected by unauthorized access/disclosure and data breach at Endue Software business associate with data theft
18. Gardner Health Services – 26,000 individuals affected by unauthorized access/disclosure, a hacking incident by Cl0p ransomware group with data theft
19. Orthopaedic Specialists of Connecticut – 22,541 individuals affected by hacking/IT incident
20. Drug and Alcohol Treatment Services, Inc. – 22,215 individuals affected by hacking/IT incident
21. Cabot Medical Care – 21,467 individuals affected by hacking/IT incident
22. Northeast Georgia Health System – 21,000 individuals affected by hacking/IT incident with data theft
23. True Dental Care for Kids and Adults LLC – 17,640 individuals affected by hacking/IT incident by a ransomware group with data theft
24. Hamilton County Government – 14,081 individuals affected by hacking/IT incident at business associate Nationwide Recovery Services and data theft
25. Family Christian Health Center – 12,500 individuals affected by hacking/IT incident by a ransomware group with data theft
26. Gilead Sciences, Inc. – 12,224 individuals affected by unauthorized access/disclosure; mailing vendor Billing Documents Specialists dispatched shipping labels that contain Social Security numbers
27. Blue Cross and Blue Shield of Texas – 12,086 individuals affected by unauthorized access/disclosure through a misconfigured member website, exposing plan member information online
In April 2025, 27 data breaches involving 10,000 or more records were reported to OCR. Eleven of the 27 affected at least 100,000 individuals. All but five of the breaches involving 10,000+ records were caused by hacking or IT incidents; the remainder were caused by unauthorized access or disclosure.
The hacking incident at Yale New Haven Health System was the biggest healthcare data breach of 2025 to date, with over 5.5 million people impacted, followed by the 4.7 million-record data breach at Blue Shield of California. Other prominent data breaches announced in April involved Ascension Health, which exposed the protected health information (PHI) of over 437,000 patients, as well as Gilead Sciences, the City of Long Beach, and Dameron Hospital in California.
There were 18 big data breaches reported in April involving the compromise of PHI stored in email accounts. One incident resulted in the exposure of PHI of 357,265 individuals saved in one email account. Considering the prevalence of email breaches, it is necessary to have data retention policies that reduce the volume of patient records stored in email accounts.
Under the HIPAA Breach Notification Rule, data breaches impacting 500 or more individuals must be reported to OCR within 60 days of discovery. Some breach reports therefore have to be submitted before the investigation and file analysis are complete. In such cases, an estimated number of impacted individuals is reported and then corrected once the investigation is finished. A placeholder figure of 500 or 501 impacted individuals is usually used. In April, the following 6 HIPAA-covered entities reported data breaches with placeholder figures.
1. Berkeley Research Group, LLC – 500 – Hacking/IT Incident
2. Health And Wellness Of Texas – 500 – Unauthorized Access/Disclosure
3. Prestonwood Baptist Church, Inc. – 501 – Hacking/IT Incident
4. Brainard Surgery Center LLC – 501 – Hacking/IT Incident
5. Friendship House, Inc. – 501 – Hacking/IT Incident
6. Loretto Hospital – 501 – Hacking/IT Incident

Causes of Healthcare Data Breaches in April 2025

Hacking and IT incidents continue to top the breach reports. April had 47 hacking-related data breaches, 71% of the total number of data breaches this month. These incidents resulted in the exposure or theft of the electronic protected health information (ePHI) of 12,752,390 individuals, 99.03% of April’s impacted individuals. The average and median breach sizes were 271,327 records and 6,270 records, respectively.
There were 19 unauthorized access/disclosure incident reports submitted to OCR, affecting the PHI of 123,784 people. The average and median breach sizes were 6,515 records and 3,561 records, respectively. There were no incidents of theft, loss, or improper disposal in April.

Location of Breached Healthcare Data

The majority of April’s data breaches involved ePHI kept on network servers. Compromised email accounts remain common, so multi-factor authentication should be enforced on all email accounts.

Data Breaches at HIPAA-Covered Entities

Healthcare providers reported 47 big data breaches that affected 7,571,909 individuals. Health plans reported 7 data breaches that affected 39,542 individuals. Business associates reported 12 data breaches that affected 5,264,723 individuals. Note that the reporting entity may not be the entity that experienced the data breach. For instance, Oracle Health/Cerner suffered a data breach affecting several covered entities, each of which reported the breach individually.

Healthcare Data Breaches by State

HIPAA-covered entities in 29 U.S. states submitted data breach reports in April. California reported 11 data breaches with 5,217,690 individuals affected, while Illinois reported 8 breaches. Ohio, Texas, and Tennessee reported 4 data breaches each. Florida reported 3 data breaches, while Arkansas, Connecticut, Georgia, Indiana, Missouri, Maryland, Pennsylvania, Wisconsin, and Virginia reported 2 data breaches. Alabama, Arizona, Louisiana, Kansas, Maine, Michigan, Massachusetts, Minnesota, New York, Nebraska, North Dakota, Oregon, West Virginia, and Washington reported one each.

HIPAA Enforcement in April 2025

OCR resolved four cases under its HIPAA Risk Analysis Enforcement Initiative in April. All four settlements involved risk analysis failures. PIH Health, Inc., failed to conduct a risk analysis, causing unauthorized disclosure of the ePHI of 189,763 individuals. PIH Health also violated the HIPAA Breach Notification Rule with its 7-month delay in issuing breach notifications. PIH Health paid a $600,000 financial penalty and implemented a corrective action plan.
Northeast Radiology encountered a hacking incident that impacted 298,532 individuals. OCR’s investigation showed Northeast Radiology failed to conduct a HIPAA-compliant risk analysis. The healthcare provider paid $350,000 to settle the violation and implemented a corrective action plan.
Guam Memorial Hospital Authority suffered a ransomware attack that exposed the ePHI of up to 5,000 patients, as well as unauthorized access to patient data by two former employees; the hospital did not report either incident. Upon investigation, OCR found that the hospital had failed to conduct a risk analysis. Settlement of the case entailed paying a $25,000 financial penalty and adopting a corrective action plan.
OCR investigated Comprehensive Neurology in New York City for a 2020 data breach that compromised the PHI of 6,800 people. The investigation revealed that Comprehensive Neurology did not perform a HIPAA-compliant risk analysis. Settlement required the payment of a $25,000 financial penalty and implementation of a corrective action plan.
About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA