Healthcare Data Breach Report for October 2025

The October 2025 healthcare data breach report is late because of the government shutdown in October. The HHS’ Office for Civil Rights (OCR) did not publish any data breach reports. The shutdown concluded on November 12, 2025, leaving HHS with a huge backlog of data breach reports to post on its data breach portal. Whenever OCR receives a data breach report, it verifies the information, which takes up to about two weeks, and then posts the report on the breach portal. The addition of October’s data breach reports continued until December.

According to information provided by OCR on December 31, 2025, there were 28 data breach reports involving 500 or more people in October. It is the lowest monthly total for data breaches in 2025 and a 31.7% month-over-month decrease in large healthcare data breaches.

Although data breaches are trending downward, October’s total is surprisingly low, which may suggest that the data breach reporting for the month is still incomplete. The healthcare data breach report totals will likely be updated in late January 2026.

Though breach numbers are lower, the number of impacted persons went up by 540% month-over-month. The breaches affected 11,062,868 individuals, which is the second-largest monthly total for 2025. That total will surely go beyond April’s total, since the biggest data breach in October is still being investigated and the number of impacted persons is not yet final.

Biggest Healthcare Data Breach Reports in October 2025

There were 7 healthcare data breach reports involving over 10,000 persons, all due to hacking incidents involving system servers. The biggest data breach in October happened at Conduent Business Services, a business associate that provides back-office services to healthcare providers, health plans, and government institutions. Among Conduent’s clients are U.S. health insurance companies Premera Blue Cross and Humana.

Conduent experienced a hacking incident in May 2025, which the SafePay ransomware group claimed to have conducted. SafePay stated on its data leak site that 8.5 terabytes of data were stolen. Conduent reported to the HHS’ Office for Civil Rights that the incident affected 42,616 individuals. A few months later, the notification sent to the Oregon Attorney General indicated that over 10.5 million persons were impacted across the country. The notification to the Texas Attorney General indicated that the Conduent data breach impacted nearly 14.8 million persons in Texas alone.

1. Conduent Business Services LLC – 10,515,849* individuals affected by a SafePay ransomware attack
2. Tri Century Eye Care PC – 200,000 individuals affected by a hacking incident and data theft
3. Central Jersey Medical Center – 88,000 individuals affected by a Sinobi ransomware attack
4. Sierra Vista Hospital & Clinics – 75,054 individuals affected by a hacking incident
5. Bosch Choice Welfare Benefit Plan – 55,000 individuals affected by a hacking incident
6. Heartland Health Center – 43,728 individuals affected by a hacking incident
7. Revere Health, PC – 10,800 individuals affected by a hacking incident of a payment system provider

According to the HIPAA Breach Notification Rule, data breaches must be reported to OCR no more than 60 days after discovering a data breach. When the total number of impacted individuals is unknown, the covered entity should provide an estimate. HIPAA-covered entities usually file a breach report with a placeholder of 500 or 501 affected individuals if the data review is not yet concluded. Two data breach reports used 501 placeholders.

1. Saint Mary’s Home of Erie – 501 individuals affected by a hacking incident
2. North Atlantic States Carpenters Health Benefits Fund – 501 individuals affected by a hacking incident

Causes of Healthcare Data Breaches

The majority of data breaches were due to hacking and other IT incidents. These accounted for 21 data breaches (75%), which resulted in the exposure or theft of the data of 11,037,882 individuals, or 99.8% of all victims. The average and median breach sizes were 525,613 and 6,633 individuals, respectively.

Unauthorized access/disclosure incidents were the second most common cause of data breaches. Seven data breaches affected 24,986 individuals. The average and median breach sizes were 3,569 and 3,177 individuals, respectively.

No incidents of loss, theft, or improper disposal were registered in October. The most frequent location of breached protected health information (PHI) in October was network servers, followed by email.

Where did the Data Breaches Occur?

Healthcare providers submitted 20 data breach reports in October involving 472,481 victims. Health plans reported 4 data breaches with 60,358 victims. Business associates of HIPAA-covered entities submitted 4 data breach reports with 10,530,029 victims. Business associate data breaches are frequently under-reported, as was the case in October: business associates reported only 4 data breaches even though 9 data breaches happened at business associates.

Healthcare Data Breaches by State

HIPAA-covered entities from 18 U.S. states submitted data breach reports in October. Florida and Texas reported three big healthcare data breaches each. Arizona, Alaska, California, Illinois, Pennsylvania and New Jersey reported two data breaches each. Kentucky, Michigan, Massachusetts, Missouri, Montana, New Mexico, Nebraska, Oklahoma, Ohio, and Utah reported one data breach each.

Although Florida and Texas had the highest number of data breaches, the number of individuals affected by those breaches was relatively low. Given the enormity of the Conduent Business Services data breach, New Jersey can be said to be the worst-impacted state, though the breach affected individuals all over the United States. The list below shows the totals by state.

1. New Jersey – 10,603,849 affected individuals
2. Pennsylvania – 200,501 affected individuals
3. New Mexico – 75,054 affected individuals
4. Michigan – 55,000 affected individuals
5. Nebraska – 43,728 affected individuals
6. Texas – 14,233 affected individuals
7. Utah – 10,800 affected individuals
8. California – 9,700 affected individuals
9. Kentucky – 9,536 affected individuals
10. Illinois – 9,405 affected individuals
11. Florida – 8,503 affected individuals
12. Oklahoma – 6,633 affected individuals
13. Montana – 5,617 affected individuals
14. Arizona – 4,177 affected individuals
15. Alaska – 2,641 affected individuals
16. Missouri – 1,680 affected individuals
17. Ohio – 1,310 affected individuals
18. Massachusetts – 501 affected individuals

October 2025 HIPAA Enforcement Activity

Since the government was shut down for the whole month of October, the most critical workflows at the Department of Health and Human Services were stopped. Therefore, OCR did not announce any HIPAA settlements or civil monetary penalties. State attorneys general also did not announce any penalties.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA