September 2025 Healthcare Data Breach Report
As of December 18, 2025, OCR has added 41 data breaches affecting 500 or more individuals to its data breach portal, the lowest monthly total of the year to date. Data breaches are down 37.9% from the 66 data breaches reported in August; however, further data breaches may be added to the total. During the government shutdown, data breaches stopped being added to the OCR data breach portal. OCR has been working through the backlog, but some data breaches may not yet have been added.
Across the 41 September data breaches on the OCR data breach portal, the protected health information of at least 1,721,608 individuals was exposed or impermissibly disclosed, making it the third consecutive month where there has been a reduction in affected individuals. The number of affected individuals is down 54.8% from August, and the year to September 30, 2025 total now stands at 43,078,637 individuals.
The Biggest Healthcare Data Breaches Announced in September
Currently, 42% of the month’s breaches (17 incidents) involved the exposure or impermissible disclosure of the protected health information of 10,000 or more individuals. All but one of those 17 data breaches were hacking incidents. Goshen Medical Center was the worst-affected covered entity, with more than 456,000 patients affected by its hacking incident. There was a major data breach at the business associate Outcomes One involving a compromised email account. While only one email account was affected, it contained the protected health information of more than 257,000 individuals. One data breach that stands out is Sturgis Hospital, which was investigating a cyberattack that occurred in December 2024, when another intrusion was experienced in June 2025, both of which potentially affected 77,771 individuals.
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| Goshen Medical Center | NC | Healthcare Provider | 456,385 | Network server hacking incident |
| Outcomes One | FL | Business Associate | 257,481 | Compromised email account |
| Medical Associates of Brevard, LLC | FL | Healthcare Provider | 246,711 | Network server hacking incident |
| Doctors Imaging Group | FL | Healthcare Provider | 171,862 | Network server hacking incident – Data theft confirmed |
| Retina Group of Florida | FL | Healthcare Provider | 152,691 | Network server hacking incident |
| Sturgis Hospital | MI | Health Plan | 77,771 | Network server hacking incident |
| Sturgis Hospital | MI | Healthcare Provider | 77,771 | Network server hacking incident |
| Rockhill Women’s Care | MO | Healthcare Provider | 70,129 | Network server hacking/IT Incident |
| Sun Valley Surgery Center | NV | Healthcare Provider | 27,001 | Network server hacking/IT Incident |
| Superior Vision Services Inc. | NY | Business Associate | 25,341 | Network server hacking/IT Incident |
| PGA Development, Inc. | PA | Healthcare Provider | 23,899 | Network server hacking/IT Incident |
| Teamsters Union 25 Health Services & Insurance Plan | MA | Health Plan | 19,231 | Network server hacking incident |
| Thomas Davies, DPM | NY | Health Plan | 14,581 | Electronic medical record hacking incident |
| Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice (“Treasure Health ”) | FL | Healthcare Provider | 13,234 | Email account breach |
| People Encouraging People | MD | Healthcare Provider | 13,083 | Ransomware attack – Data theft confirmed |
| Susan B. Allen Memorial Hospital | KS | Healthcare Provider | 12,097 | Network server hacking incident |
| City of St. Joseph, MO Health Department | MO | Healthcare Provider | 11,538 | Network server hacking incident |
The HIPAA Breach Notification Rule requires HIPAA-covered entities to report data breaches to OCR and issue notifications within 60 days of the discovery of a data breach; however, if the total number of affected individuals is not known at that point, an estimate should be provided to OCR. Many regulated entities submit a breach report using a placeholder figure of 500 or 501 affected individuals, then provide an updated total when the file review is concluded. Five data breaches were reported in September, using 500 or 501 totals indicative of a placeholder. These data breaches could affect considerably more individuals than the initial breach report suggests.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
| Cookeville Regional Medical Center | TN | Healthcare Provider | 500 | Hacking/IT Incident |
| Hampton Regional Medical Center | SC | Healthcare Provider | 501 | Hacking/IT Incident |
| Coos County Family Health Services | NH | Healthcare Provider | 501 | Hacking/IT Incident |
| La Perouse, LLC | NV | Business Associate | 501 | Hacking/IT Incident |
| Healthcare Interactive | MD | Business Associate | 501 | Hacking/IT Incident |
Causes of September 2025 Healthcare Data Breaches
Out of the 41 large healthcare data breaches added to the OCR breach portal in September, 34 (82.9%) were reported as hacking/IT incidents, involving unauthorized access to the protected health information of 1,697,735 individuals, which is 98.6% of the total individuals affected by data breaches in September. The average number of individuals affected by these incidents was 49,933 (median: 6,528 individuals).
The exact nature of the hacking incidents, such as whether ransomware was used to encrypt files, if a ransom demand was received, or even if data was stolen, is often not disclosed. This trend has been growing for several years and is not confined to the healthcare industry. The Identity Theft Resource Center (ITRC) has reported that this trend is evident across many industry sectors.
There were 6 unauthorized access/disclosure incidents reported, affecting 21,165 individuals, with an average breach size of 3,528 individuals and a median breach size of 1,443 individuals. No theft or improper disposal incidents were reported, but there was one incident involving the loss of paper records containing the protected health information of 2,708 individuals.
Where Did the Data Breaches Occur?
Geographical Distribution of Healthcare Data Breaches in September
Florida and North Carolina were the worst-affected states, with five data breaches affecting 500 or more individuals reported by entities based in those states, and both states top the list in terms of the number of affected individuals, with 841,979 and 469,158 individuals affected, respectively.
| State | Data Breaches |
| Florida & North Carolina | 5 |
| Pennsylvania | 4 |
| Michigan | 3 |
| Illinois, Maryland, Missouri, New York, Nevada, Tennessee & Texas | 2 |
| California, Kansas, Louisiana, Massachusetts, Minnesota, New Hampshire, Oregon, South Carolina, Virginia & Washington | 1 |
The table below shows the number of individuals affected by healthcare data breaches based on the state where the regulated entity is based, not necessarily where the affected individuals reside.
| State | Individuals Affected |
| Florida | 841,979 |
| North Carolina | 469,158 |
| Michigan | 156,728 |
| Missouri | 81,667 |
| New York | 39,922 |
| Pennsylvania | 29,994 |
| Nevada | 27,502 |
| Massachusetts | 19,231 |
| Maryland | 13,584 |
| Kansas | 12,097 |
| Illinois | 9,387 |
| Louisiana | 6,243 |
| Minnesota | 3,572 |
| Tennessee | 2,957 |
| Texas | 2,148 |
| Oregon | 1,700 |
| Washington | 1,099 |
| California | 942 |
| Virginia | 696 |
| New Hampshire | 501 |
| South Carolina | 501 |
HIPAA Enforcement Activity in September 2025
It has been a busy year of HIPAA enforcement for OCR, with 20 enforcement actions involving settlements or civil monetary penalties announced this year, including one enforcement action in September. OCR agreed to settle alleged violations of the HIPAA Privacy Rule and Breach Notification Rule with Cadia Healthcare facilities, which agreed to pay $182,000 to resolve the alleged violations.
Cadia Healthcare is a group of five rehabilitation, skilled nursing, and long-term care providers in Delaware. An employee had posted success stories about its patients to its social media channel; however, it had not obtained valid HIPAA authorizations for that purpose, and therefore, the use of PHI in the stories was an impermissible disclosure of PHI. After being notified by OCR, Cadia found that 150 patients had PHI posted online without valid authorizations, deleted the posts, and shut down the success story program; however, notification letters about the HIPAA breach were not issued. The corrective action plan requires policies and procedures to be revised, training to be provided to staff members, and notification letters to be issued.
