According to breach reports filed with the U.S. Department of Health and Human Services (HHS), November had only 32 healthcare data breaches. In 2025, an average of 57 healthcare data breaches involving 500 or more individuals has been reported to the Office for Civil Rights (OCR) each month. Compared to past Novembers, data breaches this year have diminished significantly. The total is 54% lower than in November 2024 and 56% lower than in November 2023.
Although data breaches in October and November seem to have declined by half, the decline coincided with the U.S. government shutdown from October 1, 2025, to November 12, 2025. During that time, the OCR data breach portal was not updated with data breach reports. The substantial backlog took a while to clear, and other breach reports from that period may not yet be listed on the breach portal.
Fewer reported data breaches do not necessarily mean fewer affected individuals. In October 2025, 28 breaches affected over 11 million people. The number of breach victims fell substantially in November, to the lowest monthly total of people impacted by large healthcare data breaches in 2025. According to the data reported in November, the breaches exposed the protected health information (PHI) of 1,415,934 individuals. That is the lowest monthly number of data breach victims since January 2023 and 87.2% less than in October. From January 1, 2025, to November 30, 2025, 686 large healthcare data breaches were reported, affecting 55,695,906 individuals.
November 2025’s total of affected individuals was the lowest in the last five years. However, this may still change, as some HIPAA-regulated entities have confirmed large data breaches in the last two months that are not yet listed on the OCR data breach portal.
November 2025 Biggest Healthcare Data Breaches
Sixteen healthcare data breaches reported to OCR involved over 10,000 individuals. VITAS Hospice Services in Florida experienced the biggest confirmed healthcare data breach, which resulted in unauthorized access to the PHI of approximately 320,000 patients. A compromised account belonging to one of its vendors was used to access VITAS systems.
Fieldtex Products, a medical supply firm, reported a hacking incident that resulted in the second-biggest data breach, with 238,615 affected individuals. Fieldtex Products reported three more breaches to OCR in December, adding 35,748 more individuals to the total. The hacking incident reported by Delta Dental of Virginia affected 126,953 individuals. This incident involved unauthorized access to one email account and was the biggest email data breach in November.
1. VITAS Hospice Services, LLC in FL – 319,177 individuals affected by a hacking incident involving a breached vendor account
2. Fieldtex Products, Inc. in NY – 238,615 individuals affected by a hacking incident
3. Delta Dental of Virginia – 126,953 individuals affected by an email account breach
4. Richmond Behavioral Health Authority – 113,232 individuals affected by a ransomware attack
5. Persante Health Care – 111,815 individuals affected by a hacking incident
6. Denton MHMR Center – 108,967 individuals affected by a hacking incident
7. NS Support, LLC – 92,845 individuals affected by a hacking incident and data theft
8. Anchorage Neighborhood Health Center – 70,555 individuals affected by a hacking incident
9. Davies, McFarland & Carroll LLC – 54,712 individuals affected by a hacking incident and data theft
10. Morton Drug Company – 40,051 individuals affected by a hacking incident
11. Marshfield Clinic Health System – 35,952 individuals affected by a breached email account
12. Loving and Living Center, PC – 17,800 individuals affected by unauthorized access to the EHR system
13. Healthcare Therapy Services, Inc. – 15,027 individuals affected by breached email accounts
14. Millcreek Pediatrics – 14,095 individuals affected by a hacking incident
15. Steven J. Pearlman MD PC – 11,764 individuals affected by a hacking incident
16. Personic Management Company LLC – 10,929 individuals affected by a breached third-party software platform
Data breaches are reported to OCR within 60 days or without undue delay according to the HIPAA Breach Notification Rule. When the number of affected individuals is unknown, HIPAA-covered entities file a breach report with a placeholder of 500 or 501 affected individuals, then update the figure after the data review concludes. The following data breaches were reported with placeholder figures:
1. West Suburban Eye Surgery Center LLC – 500 individuals affected by unauthorized access/disclosure
2. County of Catawba – 500 individuals affected by a hacking/IT incident
Causes of Healthcare Data Breaches in November 2025
The majority of the breach reports involved hacking and other IT incidents. These 25 incidents, accounting for 78% of November’s data breaches, affected 1,403,361 individuals, or 99.1% of November’s affected individuals. The average and median breach sizes were 56,134 and 15,027 individuals, respectively.
Unauthorized access/disclosure incidents accounted for 5 incidents, or 15.6% of November’s data breaches, and affected 7,591 individuals, or 0.5% of the month’s affected individuals. The average and median breach sizes were 1,518 and 1,518 individuals, respectively. The 2 loss and theft incidents accounted for 6.3% of November’s breaches and 0.4% of the month’s total affected individuals. The average and median breach sizes were 2,491 and 2,491 individuals, respectively.
Ransomware attacks are still a major cyber threat in healthcare, though hacking incidents are seldom reported as such. GuidePoint Security recently reported 58% more ransomware attacks in 2025, the majority of which were conducted by INC Ransom, Qilin, and SafePay.
While most of the hacking incidents (59%) involved breached network servers, email was still targeted and used to gain initial access for more extensive attacks on an organization. About 19% of incidents in November involved breached email accounts.
Where did the Data Breaches Happen?
In November, healthcare providers reported 22 breaches that affected 867,100 individuals. Health plans reported three data breaches that affected 129,118 individuals. Business associates of HIPAA-covered entities reported 7 data breaches with 419,716 affected individuals. Two other data breaches occurred at business associates, but the affected covered entities reported the incidents.
November 2025 Healthcare Data Breaches by State
HIPAA-regulated entities based in 21 U.S. states reported large healthcare data breaches. Virginia had four data breach reports, while New York and Wisconsin each had three. Florida, North Carolina, Minnesota, and Pennsylvania had two data breach reports each. Alaska, Connecticut, California, Delaware, Illinois, Idaho, Indiana, Maryland, Michigan, Massachusetts, New Mexico, New Jersey, Rhode Island, and Texas each reported one data breach.
November 2025 HIPAA Enforcement Activity
The government shutdown in October halted many HHS workflows as staff members were suspended. No HIPAA enforcement action was announced in November, though enforcement activity continued. 2025 was a busy year for HIPAA enforcement, with one penalty announced in December and the second-highest annual total of settlements and civil monetary penalties to date. State Attorneys General, who are authorized to enforce the HIPAA Rules, also did not announce any enforcement action in November to settle alleged HIPAA violations.
The information in this report is based on data provided by the HHS’ Office for Civil Rights on January 20, 2026.