From electronic health records (EHRs) and patient portals to telehealth and billing software, healthcare practices today rely on technology more than ever. While these technological advancements have helped make healthcare less complex for your teams and more accessible for your patients, they’ve also introduced new security risks that many doctors constantly worry about.
Data breaches in healthcare have become concerningly frequent, and last year was the worst on record. According to the HIPAA Journal, 2025 saw the largest number of healthcare data breaches ever reported: 772 incidents affecting at least 139.7 million individuals. That beats the previous high of 746 breaches reported in 2023, a 3.49% increase.
As a healthcare provider, these are more than just statistics. They emphasize how important it is to protect sensitive patient information, evaluate the vendors you work with, and adopt cybersecurity practices before a breach happens.
In this article, let’s look at the latest healthcare data breach statistics and discuss what you can learn from them so you can protect your patients’ welfare and that of your entire organization.
Data Overview of Healthcare Breaches in 2025
Even though many practices keep investing time and money in cybersecurity, data breaches in healthcare are becoming more common, not less.
2025 Healthcare Data Breach Statistics

| Metric | 2025 |
|---|---|
| Large healthcare breaches reported | 772 |
| Individuals affected | 139.7 million+ |
| Breaches affecting more than one million people | 16 |
| Most common breach type | Hacking / IT incident |
| Year-over-year increase in breaches from 2024 | 4.18% |

Source: The HIPAA Journal
These numbers are concerning on their own, but the trend behind them is more alarming. In the past, breaches reported under HIPAA mostly involved hospitals or physician groups. That is no longer the case: EHR vendors, billing companies, and even research organizations have become targets because each of them stores data for many healthcare organizations at once, so a single intrusion can expose records from all of their clients.
Because of this, keeping PHI secure now means more than following HIPAA best practices inside your own practice. It also means evaluating how well each third-party vendor you work with protects the patient data you hand over to it.
Why Healthcare Continues to Experience Data Breaches
Unlike a stolen credit card number, which a cardholder can cancel and have reissued, PHI combines identity, financial, and medical details that cannot be changed and that cybercriminals can exploit for years. For that reason, patient records are generally considered more valuable than other types of personal information. Their value, however, is not the only reason healthcare is a constant target.
Even as modern technology is adopted in healthcare, many organizations still run outdated, legacy systems because they are too difficult or too expensive to replace. Ironically, embracing innovation can also expose PHI: many providers now depend on cloud hosting and remote access tools for their practice workflows, and both are routinely probed by attackers looking for weak credentials or misconfigurations.
Healthcare organizations also face a challenge that most other industries do not: you cannot simply pause operations after a cyberattack, because patient needs do not stop. Whether the incident is an intrusion or a data loss, you still need access to appointment schedules, patient records, lab results, and other clinical information to keep delivering care.
Because of this urgency, cybercriminals see healthcare as a sector that is especially likely to pay a ransom in order to recover from an attack.
How Healthcare Data Breaches Affect Your Practice
The impact of data breaches in healthcare is more than just compromised patient information. For healthcare practices, it’s also reputational damage. Patients often hold doctors and healthcare organizations to a higher standard, trusting that you not only provide quality care but also protect the sensitive information they share with you or your team.
When that trust is damaged, patients' perception of your practice can suffer even if the breach was caused by a third-party vendor or an external attacker. This is especially true for smaller practices, where doctors have a closer relationship with patients than larger, higher-volume practices do.
Recent Healthcare Data Breaches
Healthcare data breaches vary in size and cause, ranging from minor incidents to incidents of national interest. Many of them, however, trace back to the same operational weaknesses. Whether the incident involves ransomware, phishing emails, or unauthorized system access, each breach shows how even a seemingly minor security gap can expose millions of patient records.
Here are some of the largest healthcare data breaches reported in 2025 and 2026:

| Organization | Year | Individuals Affected | Primary Cause |
|---|---|---|---|
| Episource* | 2025 | 6.72 million | Ransomware attack |
| Yale New Haven Health System** | 2025 | 5.56 million | Unauthorized access to network systems |
| Blue Shield of California** | 2025 | 4.7 million | Google Analytics configuration issue |
| DaVita** | 2025 | 2.69 million | Ransomware attack |
| Xsolis*** | 2026 | 1.39 million | Employee phishing attack |

Sources: * The HIPAA Journal article; ** Becker's Health IT article; *** TechRadar Pro article
Although each of these organizations experienced a different type of incident, they all highlight considerations you need to make so you can protect your patients and your practice from these unfortunate incidents.
Third-Party Vendors Can Also Put Your Data at Risk
Because your practice uses many tools, such as EHR systems, cloud storage, and revenue cycle management (RCM) software, you rely heavily on the third-party vendors who build and maintain them. These tools improve the efficiency of your practice, but they also widen the set of systems and people that handle PHI. Without the proper measures in place on the vendor's side, a single compromise there can expose your patients' information. The 2025 breaches involving Episource and Blue Shield of California are examples of this.
Although the two organizations serve different roles in healthcare, each incident affected millions of individuals because sensitive health information had been entrusted to an external platform. For this reason, you should not compare only pricing, features, and customer service when choosing a vendor. You should also look at the measures they have in place to protect the patient information you will trust them with, such as encryption, access controls, audit logging, and their own incident response plan.
This applies to staffing providers as well. Any external partner who has access to patient data, whether through scheduling, billing, or administrative support, should have a signed BAA and a documented HIPAA compliance process in place before they’re given access to any PHI.
Cybersecurity is More Than Just Technology
When people think about data breaches, they often picture hackers exploiting obscure technical flaws that went unnoticed. The recent breaches show that incidents are often caused by much simpler issues: an employee clicking a phishing link, weak or reused staff credentials, or a poorly reviewed system configuration.
For example, Xsolis said attackers gained access after successfully phishing an employee, while Blue Shield of California reported that a configuration issue with Google Analytics unintentionally exposed patient information. The two incidents point to the same conclusion: staff awareness and routine configuration review are as important to protecting PHI as any security product you buy.
The Financial Cost of Healthcare Data Breaches
According to IBM's Cost of a Data Breach Report 2025, the average cost of a data breach in healthcare has reached $7.42 million, the highest of any industry. What makes this figure concerning is that it covers more than the cost of restoring compromised systems; it also includes the expenses of downtime, legal services, and investigations.
Penalties can also increase these costs. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) follows a tiered penalty system to reinforce HIPAA compliance:
| HIPAA Violation Tier | Description | Penalty Range |
|---|---|---|
| 1 | The organization was unaware of the violation and could not reasonably have known about it. | $145–$73,011 per violation |
| 2 | The violation resulted from reasonable cause but was not due to willful neglect. | $1,461–$73,011 per violation |
| 3 | The violation resulted from willful neglect but was corrected within the required timeframe. | $14,602–$73,011 per violation |
| 4 | The violation resulted from willful neglect and was not corrected promptly. | $73,011–$2,190,294 per violation |
How to Prevent Data Breaches in Healthcare
The healthcare organizations that experienced cybersecurity incidents in 2025 and 2026 differ in size, specialty, and service. However, the lessons you can learn from them are relevant, regardless of whether you have a small or large practice.
First, treat cybersecurity as a shared responsibility, not just an IT concern. You, your practice staff, and the third-party vendors you work with all play a role in protecting patient information, because even one compromised user account or one misconfigured system can expose a large amount of sensitive data, putting both your operations and your patients' trust and safety at risk.
Second, make reviewing your cybersecurity practices part of your regular operational planning. This includes evaluating the vendors you work with, reviewing which staff members can access which patient information and limiting that access under the Minimum Necessary Rule, enforcing multi-factor authentication on every account that can reach PHI, keeping systems and tools patched, and training your staff to recognize phishing and other signs of compromise.
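The access review described above is easier to keep up with when it is scripted against your EHR's audit log rather than done by hand. The following is an added example, not code from the original article or from any vendor: it reads a small set of constructed audit-log lines, compares each record access against a constructed patient-assignment list (the Minimum Necessary check), and also reports accounts without MFA and accounts that have been dormant for more than 90 days. The log format, user names, patient IDs, and the 90-day threshold are all assumptions; adapt them to the export format your EHR actually produces.

```python
"""Quarterly PHI access review over EHR audit-log lines.

Added example; the log layout, names and thresholds below are assumptions,
not any real EHR's format.
"""
from collections import Counter
from datetime import date

# Constructed: which patients each account is assigned to (minimum necessary).
# An empty set means the account should not be opening any chart.
ASSIGNMENTS = {
    "dr.lee": {"P1001", "P1002"},
    "nurse.ortiz": {"P1001", "P1002", "P1003"},
    "billing.kim": {"P1001", "P1002", "P1003"},
    "temp.vendor": set(),  # staffing contractor with admin-only duties
}

# Constructed account metadata: MFA enrollment and last interactive login.
ACCOUNTS = {
    "dr.lee": {"mfa": True, "last_login": "2025-09-28"},
    "nurse.ortiz": {"mfa": True, "last_login": "2025-09-30"},
    "billing.kim": {"mfa": False, "last_login": "2025-09-29"},
    "temp.vendor": {"mfa": False, "last_login": "2025-05-01"},
    "old.resident": {"mfa": True, "last_login": "2025-03-15"},
}

# Constructed audit-log export: timestamp,user,patient_id,action,context
AUDIT_LOG = """\
2025-09-28T08:02:11,dr.lee,P1001,view_chart,treatment
2025-09-28T08:10:42,nurse.ortiz,P1003,view_labs,treatment
2025-09-28T09:15:03,billing.kim,P1002,view_insurance,billing
2025-09-28T22:47:19,billing.kim,P2045,view_chart,billing
2025-09-29T03:12:55,temp.vendor,P1001,export_chart,admin
2025-09-29T11:30:00,dr.lee,P3099,view_chart,break_glass
"""


def review_access(log_text, assignments, accounts, as_of, dormant_days=90):
    """Return a list of (finding_type, user, patient_or_None, detail) tuples."""
    findings = []

    # 1. Minimum Necessary: every chart access must match an assignment.
    #    Emergency ("break glass") access is legitimate but must be reviewed,
    #    so it is reported under its own finding type.
    for line in log_text.strip().splitlines():
        ts, user, patient, action, context = line.split(",")
        if patient in assignments.get(user, set()):
            continue
        kind = "break_glass" if context == "break_glass" else "outside_assignment"
        findings.append((kind, user, patient, f"{action} at {ts}"))

    # 2. Account hygiene: MFA on every PHI-capable account, and no dormant
    #    accounts left enabled (a common foothold for attackers).
    for user, meta in accounts.items():
        if not meta["mfa"]:
            findings.append(("no_mfa", user, None, "MFA not enrolled"))
        idle_days = (as_of - date.fromisoformat(meta["last_login"])).days
        if idle_days > dormant_days:
            findings.append(("dormant", user, None, f"idle {idle_days} days"))

    return findings


def summarize(findings):
    """Count findings by type, for a quick dashboard line or ticket summary."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    results = review_access(AUDIT_LOG, ASSIGNMENTS, ACCOUNTS, date(2025, 10, 1))
    for kind, user, patient, detail in results:
        print(f"{kind:20} {user:14} {patient or '-':6} {detail}")
    print(summarize(results))
```

Each finding type maps to a concrete action: `outside_assignment` goes to the privacy officer for a Minimum Necessary review, `break_glass` gets a documented clinical justification, `no_mfa` is fixed before the account is used again, and `dormant` accounts are disabled rather than left for a future attacker to reuse.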
Unfortunately, you cannot completely avoid cybersecurity risks. However, being proactive in securing PHI will not only significantly reduce your likelihood of experiencing a data breach, but it will also help you respond properly if an incident occurs.
The Future of Healthcare Cybersecurity
With how constantly patient demands and expectations are evolving, healthcare is bound to continue adopting technologies that make practice operations more efficient. As technologies like artificial intelligence (AI) and wearable monitoring devices continue to become part of how patient care is delivered, promoting cybersecurity will become more critical because every new system also introduces another point that must be secured.
In the coming years, healthcare cybersecurity will likely focus on balancing innovation with security. The more you implement protective measures that take into account existing vulnerabilities and future gaps, the more you’ll be able to keep PHI safe while maximizing new digital tools.
Ultimately, cybersecurity is no longer just about regulatory compliance. It has become an important part of maintaining the trust of your patients, protecting your reputation, and growing your practice.
Frequently Asked Questions
How often should I conduct a cybersecurity risk assessment for my practice?
Conduct a risk assessment at least once a year, and again whenever you make a major change such as migrating to a new EHR, adding or updating a patient portal, or moving to a cloud-based system. The HIPAA Security Rule requires covered entities to perform and document a risk analysis, and doing it regularly helps you find weaknesses before they turn into incidents.
What should I do immediately after discovering a possible data breach?
Contain the incident first: limit access to the affected systems and preserve evidence (logs, disk images, affected accounts) rather than wiping and rebuilding right away, so the scope can be determined. Then notify the relevant parties, including your cyber insurer and legal counsel, and determine whether the HIPAA Breach Notification Rule applies. If it does, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, and breaches affecting 500 or more people must also be reported to HHS and, in most cases, to the media.
Can cyber insurance help protect my practice?
Only partially. Cyber insurance may help cover expenses incurred from breach recovery. However, it does not protect your practice from cyberattacks or individuals with malicious intent.
Is cloud storage secure enough for protected health information (PHI)?
It can be, provided the vendor signs a HIPAA Business Associate Agreement (BAA) and applies appropriate safeguards such as encryption of data at rest and in transit, strong access controls, and audit logging. Note that signing a BAA does not make your own configuration of the service compliant; misconfigured sharing or access settings on your side remain your responsibility.
What is a Business Associate Agreement (BAA)?
A BAA is a contract that sets out a third-party vendor's responsibilities for safeguarding PHI while providing services to your practice, including permitted uses of the data and the vendor's obligation to report breaches to you. HIPAA requires covered entities to have a BAA with each applicable business associate, and business associates must in turn have BAAs with any subcontractors that handle PHI on their behalf.