Healthcare Data Breach Report in March 2025

According to breach reports submitted to the HHS’ Office for Civil Rights (OCR), healthcare data breaches are beginning to decrease. 2024 saw an average of 61 large healthcare data breaches per month. Over the last two months, the average number of reported breaches per month is 51.

In March, HIPAA-covered entities reported 53 data breaches impacting at least 500 individuals to OCR. That is the smallest number of data breaches since 2022, a 46% drop compared to the 98 data breaches reported in March 2023.

The number of individuals impacted by healthcare data breaches also dropped to its lowest since January 2023. Only 1,754,097 individuals had their protected health information (PHI) compromised because of a healthcare data breach in March 2025, compared to February 2025’s 2,277,555 individuals and January 2025’s 3,121,358 individuals.

In 2024, not including the 190 million-record Change Healthcare data breach, healthcare data breaches affected an average of 7,369,560 people per month. March 2025 had 76.2% fewer affected individuals than the 2024 monthly average. Every single month of 2024 affected more people than the combined total of individuals impacted by healthcare data breaches from January to March 2025. Moreover, the total number of individuals affected by healthcare data breaches in March 2025 is the lowest since March 2020.

In March 2025, 18 healthcare data breach reports submitted to OCR indicated that 10,000 or more people were impacted, including 6 breaches that impacted 100,000 or more people. All of these data breaches were caused by hacking/IT incidents. March was rather atypical, however, in that two of the three largest data breaches were email-related, including the Numotion breach, which exposed the PHI of around 500,000 people after several employee email accounts were compromised. Given the high risk of phishing attacks, these breaches raise questions about why such large amounts of patient information were retained in email accounts rather than being archived or moved to more secure storage.

Unfortunately, because of the growing trend of sending breach victims individual and substitute notification letters that lack sufficient detail, it is hard to identify any ransomware trends from the breach information. Breach notification letters seldom mention ransomware, even though that information is important for breach victims to correctly evaluate the risk they face as a result of a data breach. Ransomware groups usually publish stolen information when the ransom is not paid, so these breaches can have more severe implications for breach victims than other types of breaches.

There are also four breaches listed below where the breached entity did not post a substitute breach notice on its website and does not appear to have announced the data breach through the media, as required by the HIPAA Breach Notification Rule.

March 2025: Largest Healthcare Data Breaches

1. United Seating and Mobility, LLC d/b/a Numotion – 494,326 individuals affected by employee email accounts breach
2. Sunflower Medical Group, P.A. – 220,968 individuals affected by hacking incident with data theft
3. CDHA Management, LLC and Spark DSO, LLC, also known as Chord Specialty Dental Partners – 173,430 individuals affected by employee email accounts breach
4. Community Dental Care, Inc. – 134,903 individuals affected by network server hacking with data theft
5. Community Care Alliance – 114,975 individuals affected by the Rhysida ransomware attack with data theft
6. Hillcrest Convalescent Center, Inc. – 106,194 individuals affected by network server hacking with data theft
7. Mercer County Joint Township Community Hospital – 88,541 individuals affected by network server hacking
8. Concord Orthopaedics – 72,815 individuals affected by hacking of patient registration and appointment booking software
9. Western Wayne Family Physicians – 62,000 individuals affected by network server hacking, no public announcement of the breach
10. OCH Regional Medical Center – 51,266 individuals affected by hacking
11. William F Rinehart DMD PA – 25,000 individuals affected by network server hacking without public breach announcement
12. Vision Upright MRI – 23,031 individuals affected by network server hacking without public breach announcement
13. Bay Cove Human Services, Inc. – 21,295 individuals affected by network server hacking
14. Hand & Plastic Surgery Centre, PLC – 19,846 individuals affected by network server hacking incident
15. Howard Health Systems dba Howard Memorial Hospital – 17,703 individuals affected by network server hacking incident
16. Dove Healthcare – 16,255 individuals affected by network server hacking
17. Georgia Urology – 12,398 individuals affected by employee email accounts breach
18. Nice Healthcare Management Company, Inc – 10,000 individuals affected by network server hacking at a business associate; no public announcement of the breach

Although the breach data shows low numbers of affected individuals, 7 healthcare data breaches reported in March used the placeholder figure of 500 or 501 individuals affected. This means the breach investigations had not been completed by the reporting deadline set by the HIPAA Breach Notification Rule. When the network server hacking investigations at the following entities, each currently listed with 500 or 501 individuals affected, are concluded, the totals should be updated.

1. Family Centers, Inc.
2. North Hudson Community Action Corporation
3. Pineland Community Service Board
4. SimonMed Imaging
5. Fundamental Administrative Services, LLC
6. Welts, White, & Fontaine PC
7. Columbia Eye Clinic

Causes of Healthcare Data Breaches in March 2025

Hacking and other IT incidents were the cause of most healthcare data breaches impacting 500 or more people. The 42 reported hacking incidents account for 79% of March’s reported breaches. These 42 incidents resulted in the exposure, theft, or impermissible disclosure of 1,733,464 individuals’ data. The average and median number of affected individuals per incident were 40,058 and 5,415, respectively.

The other breaches reported and their causes are as follows:

  • 9 incidents (16.98% of March’s total breaches) were due to unauthorized access/disclosure, impacting 82,833 individuals. The average and median breach sizes were 9,204 and 1,552 individuals, respectively.
  • 2 incidents (3.77% of March’s total breaches) were due to theft, impacting 1,324 individuals.
  • No reported breach involved loss or improper disposal.

Data Breaches at HIPAA-Covered Entities

In March, healthcare providers reported 45 incidents that affected 1,733,464 individuals. Health plans reported 5 data breaches that affected 18,911 individuals. Business associates of HIPAA-covered entities reported 3 data breaches that affected 1,722 individuals.

Distribution of Healthcare Data Breaches by State

HIPAA-covered entities in 33 U.S. states submitted data breach reports that impacted 500 or more individuals. Michigan and Minnesota reported four breaches each. Connecticut and Pennsylvania reported three breaches each. Tennessee reported two breaches that impacted 667,756 individuals. California, Georgia, Mississippi, Louisiana, North Carolina, New Hampshire, Ohio, South Carolina, and Texas also reported two breaches each. Kansas reported one breach that impacted 220,968 individuals. Other states that reported one breach include Arizona, Arkansas, Florida, Colorado, Indiana, Kentucky, Massachusetts, Maryland, Missouri, New Mexico, New Jersey, New York, Oklahoma, Utah, Rhode Island, Virginia, Wisconsin, and Washington.

HIPAA Enforcement in March 2025

In March 2025, OCR published two enforcement actions to settle alleged HIPAA Rule violations. One involved Oregon Health & Science University, which OCR investigated after receiving a complaint from a patient who had not been provided with his complete set of records within the 30 days stipulated by the HIPAA Privacy Rule. The University only provided the records 16 months after receiving the request. OCR issued a $200,000 civil monetary penalty to settle the alleged HIPAA Right of Access violation.

The other enforcement action involved an Illinois business associate, Health Fitness Corporation. OCR investigated the company after receiving its breach report about a credential stuffing incident. OCR’s investigation determined that the company had failed to conduct a comprehensive, accurate, organization-wide risk analysis as required by the HIPAA Rules. The company paid a $227,816 financial penalty to settle its violation of the HIPAA Security Rule, specifically its noncompliance with the risk analysis implementation specification.

State Attorneys General announced no financial penalties for HIPAA violations in March 2025.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA