The number of reported healthcare data breaches in the U.S. decreased by 34.1% month-over-month, and the number of individuals impacted decreased by 44.5%. In July, HIPAA-covered entities submitted 48 reports of data breaches affecting 500 or more individuals. The number of breach reports decreased by 12 compared to the monthly average over the last 12 months.
The number of reported healthcare data breaches in July is the lowest since September 2024, though the total may still increase because of delays in posting reported data breaches on the HHS’ Office for Civil Rights (OCR) breach portal. For example, there were 43 data breaches reported in July 2024, but the total increased to 49 in the following months.
There were 4,397,900 individuals impacted by exposed or impermissibly disclosed data in the 48 healthcare data breach reports. This number is 1.37 million fewer than the 12-month average of 5,769,912 individuals.
July 2025 Biggest Healthcare Data Breaches
There were 16 HIPAA-covered entities that reported data breaches caused by hacking incidents, each with 10,000 or more affected people. Two data breaches stand out because of the number of impacted people. The Radiology Associates of Richmond (RAR) and Anne Arundel Dermatology data breaches affected a total of approximately 3.3 million people, which is 75.6% of the affected individuals in July 2025.
It is uncertain whether ransomware was involved in these hacking incidents. The threat actors had access to the RAR network for 4 days in April 2024, whereas Anne Arundel detected the attack in its network after three months. Some dermatology practices and medical imaging companies have submitted data breach reports in the following months, which indicates that the threat actors specifically targeted these types of entities.
Three data breach reports involved ransomware attacks, though ransomware might have been involved in other attacks. Many data breach notification letters now leave out the cause of the breach, and few mention ransomware, even though ransomware groups have claimed to have conducted the attacks.
1. Anne Arundel Dermatology – 1,905,000 individuals affected by a hacking incident
2. Radiology Associates of Richmond, Inc. – 1,419,091 individuals affected by a hacking incident
3. Zumpano Patricios – 279,275 individuals affected by a hacking incident
4. Cierant Corporation – 232,506 individuals affected by a hacking incident
5. Alera Group, Inc. – 155,567 individuals affected by a hacking incident
6. McKenzie Memorial Hospital – 58,839 individuals affected by a hacking incident
7. Wood River Health – 54,926 individuals affected by an email hacking incident
8. Gastroenterology Consultants of South Texas – 44,579 individuals affected by a ransomware attack conducted by Interlock
9. Infinite Services, Inc. – 31,742 individuals affected by a ransomware attack
10. Self Regional Healthcare – 26,696 individuals affected by a hacking incident at Nationwide Recovery Service, a business associate
11. Dr. Michael Bilikas and Associates d.b.a. 32 Pearls – 23,517 individuals affected by a ransomware attack
12. AVALA Holdings – 22,732 individuals affected by a hacking incident
13. Keys Pathology Associates – 20,000 individuals affected by a hacking incident
14. Northwest Denture Center, Inc. – 19,419 individuals affected by a hacking incident
15. Arbor Associates, Inc. – 17,040 individuals affected by a hacking incident
16. Florida Lung, Asthma & Sleep Specialists (FLASS) – 10,000 individuals affected by a hacking incident
More may be added to the above list since some data breach investigations are not yet complete. Under the HIPAA Breach Notification Rule, HIPAA-covered entities must report a data breach within 60 days after discovery. If the data breach investigation is not finished after 60 days, the breach is reported with a temporary placeholder of 500 or 501 affected individuals. In July, five covered entities submitted data breach reports with a 500 or 501 placeholder.
1. Kettering Adventist Healthcare – 501 affected by network server hacking/IT incident
2. Human Development Services of Westchester – 501 affected by email hacking/IT incident
3. Naper Grove Vision Care – 501 affected by network server hacking/IT incident
4. Doctors’ Memorial Hospital – 500 affected by network server hacking/IT incident
5. Northwest Medical Homes, LLC – 500 affected by network server hacking/IT incident
Causes of Healthcare Data Breaches in July 2025
Hacking is currently the primary cause of data breaches, as 83.3% of incidents in July involved hacking or other IT-related problems. The average and median number of individuals affected by these data breaches are 109,620 individuals and 5,137 individuals, respectively. Hacking/IT incidents accounted for 4,384,794 individuals, or 99.7% of breached healthcare records.
Location of Breached Healthcare Data
Besides hacking, 8 data breaches were due to unauthorized access/disclosure incidents, impacting only 13,638 individuals. The average and median breach sizes were 1,638 individuals and 892 individuals, respectively. There were no data breaches due to theft, loss, or improper disposal of data. Protected health information (PHI) was most often breached on network servers, followed by email accounts, with 6 incidents involving other locations.
Breached HIPAA-Covered Entities
Healthcare providers reported 37 data breaches with 3,700,390 impacted individuals; business associates reported 10 data breaches with 696,727 impacted individuals; and one health plan reported a data breach that impacted 783 individuals. Under HIPAA, each covered entity is responsible for complying with HIPAA Breach Notification Rule requirements, including the reporting of data breaches that happen at business associates. Healthcare data breach reports are listed according to the reporting entity, not the entity that experienced the data breach.
Healthcare Data Breaches by State
HIPAA-covered entities in 22 U.S. states submitted data breach reports in July. Florida entities submitted 9 data breach reports, but three of those reports concerned one incident that impacted several skilled nursing facilities. Texas entities submitted 4 data breach reports, while California, Michigan, and Massachusetts entities submitted three data breach reports each. Georgia, Illinois, Ohio, New York, South Carolina, Washington, and Virginia each had 2 data breach reports submitted. Colorado, Connecticut, Maryland, Louisiana, North Carolina, Rhode Island, Pennsylvania, Tennessee, West Virginia, and Wisconsin each had one data breach report submitted.
By number of affected individuals, the top 3 states are: 1. Maryland, with 1,905,000 affected individuals; 2. Virginia, with 1,421,658 affected individuals in two data breaches; 3. Florida, with 328,471 affected individuals in 9 data breaches.
July 2025 HIPAA Enforcement Activity
OCR announced 18 settlements and civil monetary penalties this year through July 31, 2025. It looks like 2025 will be a record-breaking year for HIPAA enforcement actions and penalties. From the 18 settlements, OCR has collected $7,860,566 to resolve alleged HIPAA violations.