In January, HIPAA-covered entities reported 66 large healthcare data breaches to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Over the last 12 months, an average of 61 healthcare data breaches have been reported per month. January had an 8.2% increase in reported data breaches, making it a tough month in terms of data breaches. The increase occurred because 24 HIPAA-covered entities were affected by the security incident at business associate HCF Management and each reported the incident individually. Had only one entity reported the breach, January's total would have been much lower.
Although data breaches had a 32% month-over-month increase, the number of affected individuals decreased by 34%, from 4.14 million people in December 2024 to 2.7 million people in January 2025. Over the last 12 months, the number of breached records averaged 14,896,672 per month; however, that number is skewed by Change Healthcare's 190 million-record data breach. The monthly median was 5,381,188 impacted people. In 2024, 729 data breaches were reported as impacting 185,798,538 people. This number is lower than the 747 data breaches reported in 2023.
The Biggest Healthcare Data Breaches in January 2025
In January, 12 data breach reports affected at least 10,000 people, fewer than the 19 such breaches reported in December. One of them was the hacking incident at Community Health Center in Connecticut. A hacker accessed the system and stole information without encrypting files. The hacker then demanded a ransom in exchange for not exposing the stolen information and for ensuring its removal. Because no files were encrypted, operations were not postponed or delayed.
More hacking groups are using this type of extortion-only attack. The threat of leaking the stolen data is frequently the primary reason why victims pay the ransom. A recent Chainalysis report revealed a greater unwillingness to pay ransom demands. Ransom payments decreased by 35% year over year, so hackers are compensating by conducting more attacks.
Business associates reported four of the 12 data breaches, and affected providers reported two data breaches that happened at a business associate. These attacks usually involve records from several providers and could lead to extensive disruption, just like the February 2024 Change Healthcare ransomware attack. All except one of the 12 biggest data breaches were hacking/IT incidents.
The one unauthorized access incident stands out because it involved several workers. Snooping on medical records is fairly common and sometimes involves several workers, particularly when a high-profile person is being treated in a hospital. The Texas Health Services Commission's unauthorized access was atypical because it seems that several people viewed medical records without any work reason. Nine staff members were laid off because of the violations, and 3 were referred to law enforcement. Two of the employees involved are alleged to have altered personal data numbers on Lone Star food stamp cards to make illegal purchases. These privacy breaches continued for 3.5 years before the unauthorized access was discovered, which raises critical questions about the tracking of staff access to records.
Two of the major healthcare data breaches in January 2025 were a result of unauthorized email access, and one was a verified phishing attack. The breached email accounts contained large volumes of patient records. Although multifactor authentication can provide extra security for email accounts and defeat phishing tools, HIPAA-covered entities ought to minimize the quantity of data stored in email accounts.
1. Community Health Center, Inc. – 1,060,936 individuals impacted by a hacking incident with data theft
2. Medusind Inc. – 694,054 individuals impacted by a hacking incident with data theft
3. Allegheny Health Network Home Infusion LLC and Allegheny Health Network Home Medical Equipment LLC – 292,773 individuals impacted by the cyberattack on IntraSystems
4. Asheville Eye Associates, PLLC – 193,306 individuals impacted by a ransomware attack with Dragonforce data theft
5. University Diagnostic Medical Imaging, PC – 138,080 individuals impacted by a hacking incident
6. Buffalo Surgery Center – 64,000 individuals impacted by a hacking incident that likewise impacted Northtowns Orthopedics and Excelsior Orthopaedics
7. Texas Health and Human Services Commission – 61,104 individuals impacted by unauthorized access of data by employees
8. Pediatric Home Respiratory Services, LLC d/b/a Pediatric Home Service – 41,792 individuals impacted by a hacking incident
9. Lucent Health Solutions, LLC – 37,000 individuals impacted by an email account breach due to a phishing attack
10. Bankers Cooperative Group, Inc. – 14,403 individuals impacted by an email account breach
11. Heritage Health Care – 12,162 individuals impacted by a hacking incident at HCF Management with data theft
12. McNall & Associates, P.C. – 10,175 individuals impacted by a hacking incident
Aside from the above list of data breaches, 5 data breaches were reported by HIPAA-covered entities as impacting 500 or 501 individuals. Significantly more individuals are likely to have been impacted by these incidents.
1. North Los Angeles County Regional Center – 500 individuals impacted by a hacking/IT incident
2. OrthoMinds, LLC – 501 individuals impacted by a hacking/IT incident
3. Benefits Management Group, Inc. – 501 individuals impacted by a hacking/IT incident
4. Behavioral Health Resources – 501 individuals impacted by a hacking/IT incident
5. Newport Harbor Pathology Medical Group, Inc. – 501 individuals impacted by a hacking/IT incident
Primary Causes of Healthcare Data Breaches in January 2025
Most of January 2025's data breaches were a result of hacking and IT incidents. Because breach notifications provide too little information, it is hard for victims to assess how much risk they face. It is also hard to track the causes of these breaches accurately. Nevertheless, most are because of ransomware and extortion-linked incidents. Cybersecurity firms that monitor ransomware attacks documented a rise in attacks in 2024. GuidePoint Security's research showed that healthcare victims increased by 13% in 2024. Black Kite's reports showed that healthcare ransomware attacks increased by 32.16% in 2024.
There are certain signs that Russia might take action against the ransomware groups that are free to operate in the country. Cybercriminals and ransomware groups had been operating unrestricted in Russia as long as they did not attack Russia or the Commonwealth of Independent States. Interestingly, the Russian hacker Mikhail Pavlovich Matveev, also known as Wazawaka, who professed to have carried out many ransomware attacks, was detained in Russia in November 2024. Matveev was among the people detained in Russia on cybercrime charges in the 4th quarter of 2024. A promise to fight ransomware attacks may be the start of a good relationship with the U.S. and the Trump Administration.
A fairly new ransomware group, ReliaQuest, had shown a 1,425% increase in posts on the data leak site of the BlackLock (El Dorado) ransomware group. This group might become 2025’s most prominent ransomware group after ALPHV/BlackCat disappeared.
Hacking and other IT incidents tend to impact far more healthcare records than other types of data breaches. In the 51 hacking/IT incidents in January, the records of about 2,649,026 people were compromised, viewed, or stolen. The average and median breach sizes were 51,942 individuals and 2,709 individuals, respectively. The 13 unauthorized access/disclosure incidents impacted 77,983 persons. The average and median breach sizes were 5,999 persons and 1,000 persons, respectively. Two theft incidents impacted 2,551 persons, and no loss or improper disposal incident was reported. The most frequent location of exposed protected health information (PHI) was network servers; 12 breaches were email-related and 6 involved paper documents.
Location of breached PHI in January 2025
The OCR breach portal indicates that healthcare providers reported 50 breaches impacting 1,895,607 individuals. Business associates reported 12 breaches impacting 770,306 individuals. Health plans reported 4 breaches impacting 63,647 individuals.
Distribution of Healthcare Data Breaches by State
HIPAA-covered entities in 30 states plus the District of Columbia reported data breaches. Ohio reported 18 breaches, although 17 of the breaches refer to the same breach at HCF Management. Pennsylvania reported 8 breaches, though 7 of the breaches were also related to the HCF Management breach. Texas reported 4 breaches, while California and New York reported 3 breaches. Georgia, New Jersey, Michigan, and Wisconsin reported 2 breaches. The following states reported 1 breach each: Alaska, Alabama, Connecticut, Delaware, Florida, Illinois, Idaho, Indiana, Kentucky, Kansas, Minnesota, Massachusetts, Montana, Missouri, Nebraska, North Carolina, New Mexico, Oregon, Oklahoma, Tennessee, the District of Columbia, and Washington.
January 2025 HIPAA Enforcement Activity
In early January, OCR announced resolutions of 9 HIPAA compliance investigations, although the investigations were concluded in December 2024. The change to the Trump administration, which was followed by changes in HHS and OCR leadership, could impact HIPAA enforcement activities. It is still too early to say what the changes to HIPAA enforcement will be.