2025 Healthcare Data Breach Report Highlights Decline and Emerging Trends
Last week, The HIPAA Journal released its 2025 Healthcare Data Breach Report, which found a year-over-year decline in healthcare data breaches. Based on data downloaded from the OCR (Office for Civil Rights), data breaches have fallen by 4.3 percent year over year, Steve Alder wrote.
However, Alder cautioned, it is a little early to draw conclusions, as data breaches from 2025 are still being added to the OCR breach portal. No breaches were added to the portal during the 43-day federal government shutdown in late 2025. “The late additions in 2026 could therefore be considerably higher than in previous years,” Alder wrote.
According to the report, data breaches are plateauing in the 700 to 750 range, which is around two large healthcare data breaches a day, twice the rate in 2018. There has been a massive reduction in the number of individuals affected by healthcare data breaches, Alder highlighted. “In 2025, at least 61,556,256 individuals had their protected health information exposed or impermissibly disclosed, a 78.7 percent decrease from 2024.”
The biggest healthcare data breach of 2025 was a hacking attack at Aflac insurance, impacting over 22.6 million people worldwide. It involved unauthorized access to the protected health information (PHI) of nearly 14 million individuals in the U.S.
There has been a growing trend of entities involved in data breaches not disclosing the root cause, whether it involves data theft, extortion, malware, or ransomware, Alder noted.
The report stated that while small decreases occurred in hacking/IT incidents, loss/theft incidents, and improper disposal incidents compared to the previous year, there was a 17.4 percent increase in unauthorized access/disclosure incidents.
Most of the year’s data breaches involved exposed or stolen PHI stored on network servers (61.5 percent). Nearly a quarter of breaches (24.9 percent) involved compromised email accounts. Physical PHI—such as paper documents and films—was compromised in 5.6 percent of breaches, while 4.6 percent involved unauthorized access to electronic medical records.
The OCR data breach portal currently lists 523 data breaches at healthcare providers, 56 at health plans, and two at healthcare clearinghouses, Alder reported. A further 128 data breaches were reported by business associates of HIPAA-covered entities.
About the Author

Pietje Kobus-McAllister
Pietje Kobus-McAllister has an international background and experience in content management and editing. She studied journalism in the Netherlands and Communications and Creative Nonfiction in the U.S. Pietje joined Healthcare Innovation in January 2024.
