Healthcare Data Breach Report for May 2025

May saw 60 reports of healthcare data breaches involving 500 or more individuals submitted to the HHS’ Office for Civil Rights (OCR), compared with the 12-month monthly average of 57 data breaches. This is 11.8% fewer than the number of data breaches reported in April 2025.

To date, 311 data breaches involving 500 or more individuals have been reported to OCR in 2025. That is 13.1% fewer than the 358 data breaches reported in the first five months of 2024.

The number of breached healthcare records in May is the lowest May total since 2020. The 1,889,653 individuals impacted by May’s healthcare data breaches are also well below the 12-month average of 21,269,259 impacted individuals per month. In the first 5 months of 2025, 23,106,676 individuals were impacted by healthcare data breaches, 52.4% fewer than the 48,502,775 individuals impacted in the first 5 months of last year.

May 2025 Largest Healthcare Data Breaches

In May, 24 data breaches involving 10,000 or more individuals were reported, 4 of which involved more than 100,000 individuals. The biggest data breach happened at Serviceaide, a business associate providing AI-powered agents for IT and workflow management services. A database containing the protected health information (PHI) of 483,126 Catholic Health patients in Buffalo was accessible on the web without a password.

The second-biggest data breach was a hacking incident at the Irish business associate Ocuco, which provides optical software solutions for eyecare companies. Ocuco has not announced the data breach, but the Killsec ransomware group has claimed responsibility for the attack.

The SafePay ransomware group claimed it attacked Marlboro-Chesterfield Pathology and gained access to the PHI of 235,911 people. Harbin Clinic was badly affected by the attack on the debt collection company Nationwide Recovery Service, in which hackers stole the PHI of 176,149 Harbin Clinic patients. Around 15 Nationwide Recovery Service clients have so far confirmed that they were affected by the data theft in that cyberattack.

The most unusual data breach in May affected patients and employees at Northwell Health. A former employee at the Northwell Health Sleep Disorders Center hid cameras in the facility’s bathrooms and recorded people inside the facility. Because individuals could be recognized from the video recordings, the incident was classified as a PHI breach, and everyone who visited the facility while the cameras were in place was notified of the potential breach. The former employee was arrested and faces 18 months to 4 years in prison if convicted.

Healthcare Data Breaches Involving 10,000 or More Individuals

1. Serviceaide, Inc. – 483,126 individuals affected by an unsecured database that exposed PHI online
2. Ocuco Inc – 240,961 individuals affected by a hacking incident conducted by the Killsec ransomware group
3. Marlboro-Chesterfield Pathology, P.C. NC – 235,911 individuals affected by hacking and data theft conducted by the SafePay ransomware group
4. Harbin Clinic, LLC – 176,149 individuals affected by a hacking incident and data theft at the business associate, Nationwide Recovery Service
5. Covenant Surgical Partners, Inc. – 88,609 individuals affected by a hacking incident
6. Shelby Dermatology d.b.a Dermatologists of Birmingham – 86,414 individuals affected by a hacking incident
7. Weiser Valley Hospital District dba Weiser Memorial Hospital – 59,990 individuals affected by a hacking incident and data theft
8. The Cooper Health System – 57,412 individuals affected by a hacking incident
9. Instituto de Ojos de Puerto Rico – 50,000 individuals affected by a hacking incident
10. UChicago Medicine Medical Group – 38,656 individuals affected by a hacking incident and data theft at business associate Nationwide Recovery Service
11. Gateway Community Services, Inc. – 34,498 individuals affected by a hacking incident and data theft
12. The Neurological Institute of Savannah & Center for Spine, P.C – 32,548 individuals affected by a hacking incident and data theft conducted by the RansomHub ransomware group
13. Shore Medical Center – 31,177 individuals affected by a hacking incident and data theft at Nationwide Recovery Service
14. Hunter Health Clinic – 28,431 individuals affected by unauthorized access to a staff email account
15. Compassion Health Care, Inc. – 23,282 individuals affected by a hacking incident and data theft
16. Tri-City Cardiology Consultants, P.C. – 22,753 individuals affected by a hacking incident
17. Northwestern Community Services Board – 21,856 individuals affected by a hacking incident
18. Community Hospital of Anaconda – 21,243 individuals affected by a hacking incident
19. Sonrisas Dental Health – 15,644 individuals affected by a hacking incident and data theft
20. Oliver Street Dermatology Management LLC – 13,717 individuals affected by a hacking incident
21. North Shore University Hospital Sleep Disorders Center – 13,332 individuals affected by hidden-camera recordings in bathrooms that captured identifying information such as facial images
22. Radiology Chartered – 12,656 individuals affected by a hacking incident and data theft at Nationwide Recovery Service
23. Next Step Healthcare LLC – 12,090 individuals affected by a hacking incident
24. Missouri Department of Conservation – 10,260 individuals affected by a hacking incident

The HIPAA Breach Notification Rule requires breach notifications to be issued within 60 days of the discovery of a data breach. If the total number of impacted individuals has not been confirmed by the reporting deadline, an estimated number of affected individuals must be provided. Many covered entities use a placeholder of 500 or 501 impacted individuals and then update the figure when the investigation concludes. In June, 9 covered entities reported data breaches with a placeholder of 500 or 501 individuals. Depending on the outcome of those investigations, the number of breached records could be considerably higher.

1. Cahaba Center for Mental Health – 501 – Hacking/IT Incident
2. Doctors Hospital at Renaissance, LTD – 501 – Hacking/IT Incident
3. Union County Children and Youth Services – 501 – Hacking/IT Incident
4. Minnesota Orthodontics and Dentofacial Orthopedics, P.A. – 501 – Hacking/IT Incident
5. CardioVascular Health Clinic – 501 – Hacking/IT Incident
6. Absolute Dental Group, LLC – 501 – Hacking/IT Incident
7. DermCare Management FL – 501 – Hacking/IT Incident
8. Anesthesia Associates of Morristown, P.A – 501 – Improper Disposal
9. Anne Arundel County Department of Health – 500 – Hacking/IT Incident

Causes of Healthcare Data Breaches in May 2025

The majority of the breach reports in May (76.7%) were due to hacking and other IT incidents. The 46 hacking/IT incidents affected 1,368,928 individuals, or 72% of all individuals impacted in May. The average and median breach sizes were 29,759 records and 6,610 records, respectively.

Other causes of the healthcare data breaches are as follows:

  • 13 unauthorized access/disclosure incidents impacted 520,224 individuals. The average and median breach sizes were 40,017 records and 1,786 records, respectively.
  • One improper disposal incident was reported with a placeholder of 501 individuals.
  • No theft or loss incidents were reported.
  • Most of the breached PHI was located on network servers, although 9 incidents involved unauthorized access to email accounts.

HIPAA-Covered Entities Impacted by Healthcare Data Breaches in May 2025

In May, healthcare providers reported 45 data breaches involving 500 or more records, health plans reported 4, and business associates reported 11. When a data breach occurs at a business associate, the business associate, the impacted covered entities, or both may report the incident. Adjusting for this, healthcare providers actually experienced 37 data breaches, health plans 3, and business associates 20. Although healthcare providers experienced almost twice as many data breaches as business associates, the business associate data breaches affected more individuals.

Healthcare Data Breaches by State

HIPAA-covered entities in 33 U.S. states and Puerto Rico reported data breaches involving at least 500 individuals in May. In terms of impacted individuals, California had the most, with 498,770 individuals impacted by two data breaches. Florida’s 3 breaches impacted 275,960 individuals and North Carolina’s 3 breaches impacted 262,716 individuals.

The following list shows the number of breaches reported by state:

  • New Jersey, New York, Pennsylvania, and Texas reported 4 data breaches each
  • Georgia, Florida, and North Carolina reported 3 each
  • Arizona, Alabama, California, Iowa, Illinois, Louisiana, Massachusetts, and Maine reported 2 breaches each
  • Colorado, Indiana, Idaho, Kansas, Minnesota, Maryland, Montana, Missouri, Nevada, Nebraska, Oregon, Oklahoma, Rhode Island, Tennessee, Virginia, West Virginia, Washington, Wisconsin, and Puerto Rico reported 1 breach each

HIPAA Enforcement in May 2025

In May, OCR announced three settlements resolving alleged HIPAA violations, with penalties ranging from $5,000 to $800,000. The Florida-based non-profit health system BayCare Health System paid the $800,000 penalty. OCR investigated BayCare Health System after receiving a complaint from a patient about unauthorized access to her physical and electronic PHI; she stated that an unknown person had contacted her and shown proof of having accessed her data. OCR confirmed the unauthorized access and identified multiple HIPAA compliance failures at BayCare.

Comstar, LLC, a provider of billing, collection, and related services, suffered a ransomware attack that resulted in unauthorized access to the PHI of 585,621 individuals. OCR’s investigation found that Comstar had failed to conduct a HIPAA-compliant risk analysis. Comstar paid a $75,000 financial penalty to settle the alleged violation.

Vision Upright MRI in California experienced a hacking incident and data breach affecting the PHI of 21,778 individuals. OCR found that the provider had failed to conduct a risk analysis and had failed to report the data breach to OCR. A payment of $5,000 settled the alleged HIPAA violations.

The calculation of imposed civil monetary penalties is usually transparent, but the same is not true of settlement amounts. OCR has previously explained that several factors are taken into account, including the severity of the HIPAA violations, the number of people impacted, the effect of the data breach on those people, whether the entity had security practices in place continuously for the prior 12 months, and the ability of the covered entity to pay a penalty. It is not clear which of these factors were considered in arriving at the low penalty imposed on Vision Upright MRI.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA