Healthcare Data Breach Report for February 2025

February saw a 36% decline in healthcare data breaches, as the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) received 46 reports of large healthcare data breaches. Large data breaches are incidents that affected the protected health information (PHI) of at least 500 individuals.

For two successive months, the number of individuals affected by healthcare data breaches has dropped, from 3.7 million (December 2024) to 3.1 million (January 2025) to 1.2 million (February 2025). The February figure is the lowest number of affected individuals since May 2020, at the height of the COVID-19 outbreak.

Although fewer and less severe data breaches are welcome, the high number of healthcare data breaches in 2024 and the roughly 277 million people affected by them indicate that February’s figures are most likely a blip. Many cybersecurity companies forecast that healthcare cyberattacks will continue to be reported in large numbers and may increase over the course of the year.

Largest Healthcare Data Breaches

In February, OCR received 16 data breach reports in which 10,000 or more people were affected. The data breaches were reported as 11 hacking/IT incidents, 3 unauthorized access/disclosure incidents, and 2 theft incidents. Texas health plan New Era Life Insurance Companies reported the largest data breach, with the PHI of 335,000 individuals affected by a hacking incident.

The top three data breaches were caused by ransomware attacks, and another three involved compromised email accounts. Most hacking incidents probably involved ransomware, but ransomware attacks are usually not reported as such, and ransomware is seldom mentioned in breach notices. It has become the practice of covered entities to send breach notification letters with minimal detail about the nature of the breach, in order to limit reputational damage and legal exposure.

It is uncommon for theft incidents to appear in the 10,000+ record listing; however, two were included in February. One involved the theft of a worker’s mobile phone. The other theft incident occurred at Stram Center for Integrative Medicine, where a malicious insider stole at least one patient’s payment card details and misused them. An analysis of access logs showed that the data of over 15,000 patients might have been stolen. The ex-employee was detained for the theft and misuse of the card and is facing criminal charges.

1. New Era Life Insurance Companies – 335,506 individuals affected by a hacking incident and data theft
2. Legacy Professionals, LLP – 216,752 individuals affected by a hacking incident and data theft
3. Authority of the City of Bainbridge and Decatur County (“Memorial Hospital & Manor”) – 120,085 individuals affected by a ransomware attack and data theft
4. VectraRx Mail Pharmacy Services, LLC – 109,383 individuals affected by a hacking incident
5. Primary Health-SMMPP, L.C. – 67,567 individuals affected by a hacking incident
6. Charleston Area Medical Center – 67,413 individuals affected by an email account breach caused by a phishing attack
7. Heartland Medical Clinic, Inc. dba Heartland Community Health Center – 43,768 individuals affected by email account compromise
8. Restorix Health, Inc. – 38,553 individuals affected by email account compromise
9. Carolina Arthritis Associates – 36,961 individuals affected by a hacking incident
10. Total Medical Imaging – 27,000 individuals affected by a hacking incident at a business associate
11. Lake Washington Vascular – 21,534 individuals affected by a Qilin threat group’s ransomware attack
12. UNITED BACKCARE PS dba Pacific Rehabilitation Centers – 18,900 individuals affected by a ransomware attack
13. City of McKinney – 17,751 individuals affected by a hacking incident
14. Stram Center for Integrative Medicine – 15,263 individuals affected by theft and misuse of patient data by an insider
15. Roswell Park Comprehensive Cancer Center – 11,435 individuals affected by the theft of a phone containing patients’ PHI
16. U.S. HEALTHWORKS-SMMPP, L.C. – 10,673 individuals affected by a hacking incident

In February, OCR received 6 healthcare data breach reports with placeholder figures of 500 or 501 individuals affected. These six data breaches possibly affected more people than is indicated on the breach portal. For instance, the Change Healthcare data breach in February 2024 was initially reported to OCR as affecting at least 500 people; the figure was later updated to 100 million, and then to 190 million.

1. Ottawa Family Physicians – 501 individuals affected by a Hacking/IT Incident
2. Blue & Co., LLC – 501 individuals affected by a Hacking/IT Incident
3. ARC Community Services, Inc. – 501 individuals affected by a Hacking/IT Incident
4. Central New York Cardiology – 500 individuals affected by a Hacking/IT Incident
5. Somnia, Inc. – 500 individuals affected by a Hacking/IT Incident
6. CPS Solutions, LLC – 500 individuals affected by a Hacking/IT Incident

Causes of Healthcare Data Breaches in February 2025

Most of February’s data breaches (74%) were due to hacking and other kinds of IT incidents. Across these 34 data breaches, the PHI of 1,102,405 individuals was compromised or exfiltrated. Hacking/IT incidents accounted for 89% of the affected individuals. The average and median breach sizes were 32,424 individuals and 4,056 individuals, respectively.

8% of February’s affected individuals (98,936) were affected by 8 unauthorized access/disclosure incidents. The average breach size was 12,367 individuals and the median breach size was 5,893 individuals. Four theft incidents were reported in February, affecting 36,860 people, with average and median breach sizes of 9,215 individuals and 9,954 individuals, respectively. No incidents of loss or improper disposal were reported in February.

Network servers were the most common location of breached PHI, most likely because of the large number of hacking incidents. Email is also a common location of breached healthcare data, with 14 incidents in February. This underscores the importance of a robust email security solution, multifactor authentication, and regular HIPAA training for employees, including awareness of phishing and social engineering attacks.

Where Did the Data Breaches Occur?

Based on the OCR breach portal data, healthcare providers reported 30 data breaches affecting 524,163 individuals. Business associates reported 11 data breaches affecting 345,127 individuals. Health plans reported 5 breaches affecting 368,911 individuals.

Healthcare Data Breaches by State

HIPAA-covered entities in 25 U.S. states reported large healthcare data breaches in February 2025. New York reported 7 data breaches, while Arizona and Texas reported 4 data breaches each. By number of people affected, Texas had the most, with 354,947 individuals affected across 4 data breaches. Illinois was next, with 216,752 individuals affected by a single data breach. Arizona was third, with 190,855 individuals affected.

Indiana reported 3 data breaches, while Florida, Georgia, Kansas, Iowa, Missouri, Washington, and Ohio reported 2 data breaches each. California, Kentucky, Hawaii, Illinois, Louisiana, Minnesota, Maryland, Michigan, Nebraska, North Carolina, Oklahoma, Tennessee, West Virginia, and Wisconsin reported one data breach each.

HIPAA Enforcement Activity in February 2025

OCR announced its first enforcement action under the Trump administration. Warby Parker Inc., an online retailer of prescription eyewear, resolved multiple HIPAA violations by paying a $1.5 million civil monetary penalty. In December 2018, Warby Parker reported its first breach, which affected 197,986 customer accounts and prompted an investigation. The company reported further credential stuffing incidents in September 2019, January 2020, April 2020, and June 2022, though only 484 individuals were affected by those incidents. The OCR investigation found HIPAA compliance violations related to risk analysis, risk management, and the review of activity logs for systems containing ePHI. State attorneys general may also take action against HIPAA-covered entities for HIPAA violations, though no penalties or settlements have been announced so far in 2025.

About Christine Garcia
Christine Garcia is the staff writer at Calculated HIPAA. Christine has several years’ experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA