10 Biggest Healthcare Data Breaches: What Major HIPAA Violations Teach Us

October 3, 2025
If it feels like headlines about healthcare data breaches are popping up every week, you’re not imagining it. The last two years have been the most disruptive on record for patient privacy in the United States, with a single incident now topping 190 million people and several other major HIPAA breaches crowding the top 10.
Beyond the shock factor, these events disrupt daily care – delaying claims, straining call centers, and undermining trust between patients and providers. For example, after the Change Healthcare attack, some pharmacies could not process prescriptions for days, leaving patients without critical medications. Recent industry tallies confirm the trend, and new federal updates around the Change Healthcare hack cement it as the largest HIPAA violation ever recorded.
1. Change Healthcare – Approximately 192.7 Million People Affected
What happened: In February 2024, a ransomware attack against Change Healthcare – a UnitedHealth Group unit that touches a huge share of U.S. claims – cascaded across pharmacies, providers, and payers. Initial estimates sat around 190 million records. UnitedHealth now says the final total is about 192.7 million, making this the largest healthcare data breach ever in the U.S. (Sources: Becker’s Hospital Review, PYMNTS.com)
What data was exposed: Investigations point to a trove of Protected Health Information (PHI) and Personally Identifiable Information (PII), including insurance IDs, diagnoses, treatment details, Social Security numbers, and billing codes. The Office for Civil Rights (OCR) has issued specific guidance given the incident’s unprecedented scope. (Source: HHS.gov)
Why it matters: This single event eclipsed the previous record by more than 100 million people and revealed how fragile critical healthcare rails can be when a business associate is compromised. It also shows why robust segmentation, offline backups, and emergency payment workflows are no longer nice-to-haves – they are table stakes.
2. Anthem Inc. – 78.8 Million
What happened: The 2015 Anthem hack stood as the largest U.S. healthcare breach for nearly a decade, exposing almost 79 million records. Anthem later paid a record HIPAA settlement and implemented a corrective action plan. (Source: HHS.gov)
What data was exposed: Primarily demographic and identifier data such as names, dates of birth, member IDs, addresses, and Social Security numbers.
Why it matters: Anthem set the bar for response expectations and regulatory accountability that later healthcare breach cases would be measured against. It remains a core case study for large health plan risk.
3. Welltok, Inc. – 14.78 Million
What happened: A 2023 incident tied to the MOVEit exploitation hit patient engagement vendor Welltok. OCR’s tally has been updated as additional clients reported in, pushing the count to roughly 14.78 million. (Source: The HIPAA Journal)
What data was exposed: Depending on the client, data included names, contact details, insurance information, and in some cases clinical program engagement data.
Why it matters: This is a textbook example of a supply-chain breach where a single business associate creates outsized downstream risk for multiple health plans and systems.
4. Kaiser Foundation Health Plan – 13.4 Million
What happened: In 2024, Kaiser reported that certain website and app tracking technologies inadvertently sent limited member data to third parties. It is the largest confirmed U.S. healthcare incident involving trackers.
What data was exposed: Information such as IP addresses and interactions with specific web pages or features, not full clinical charts. Still, it qualifies under HIPAA when it can reasonably identify a person.
Why it matters: Even when no ransomware is involved, design and analytics choices can become major HIPAA breaches. Privacy engineering and strict tag governance are now essential.
5. Optum360 LLC – 11.5 Million
What happened: In 2019, a third-party billing vendor known as American Medical Collection Agency (AMCA) was compromised, and one of the largest client reports came through Optum360, tied to Quest Diagnostics patients. OCR’s table attributes 11.5 million to Optum360.
What data was exposed: Personal and financial data, including some Social Security numbers and medical information such as test-related billing details.
Why it matters: The AMCA episode demonstrated how a single vendor incident can splinter into dozens of reportable events across healthcare brands, magnifying reputational and regulatory exposure.
6. HCA Healthcare – 11.27 Million
What happened: A July 2023 cyberattack triggered one of the largest health system notifications ever, covering more than 11 million patients across 20 states. In 2025, a proposed class action settlement moved forward in court.
What data was exposed: Demographic and appointment-related information, not full clinical notes.
Why it matters: Even non-clinical fields can unlock identity theft and targeted fraud. Large systems must assume basic scheduling data is a lucrative target.
7. Premera Blue Cross – 11.0 Million
What happened: The 2015 Premera breach affected roughly 11 million people. The company later reached a HIPAA settlement with OCR and separate agreements with state attorneys general. (Sources: HHS.gov, atg.wa.gov)
What data was exposed: In addition to identifiers, some medical and financial information was impacted.
Why it matters: Premera underscored how long threat actors can dwell in networks prior to discovery and the cost of insufficient risk analysis and monitoring.
8. LabCorp – 10.25 Million
What happened: Also linked to the AMCA compromise, LabCorp reported more than 10.25 million impacted. It remains one of the largest lab-related HIPAA incidents to date.
What data was exposed: Personal and financial details associated with billing and collections.
Why it matters: The AMCA cluster is still a benchmark for vendor risk governance and contract language around security controls and breach response.
9. Excellus Health Plan – 9.36 Million
What happened: Attackers accessed Excellus networks for an extended period, affecting more than 9.3 million people. This breach, alongside Anthem and Premera, made 2015 a watershed year for payer security.
What data was exposed: Personal identifiers, member IDs, Social Security numbers, and some financial account information.
Why it matters: Long dwell times are deadly in healthcare environments. Continuous detection and response and strict privilege management can shorten the window from intrusion to containment.
10. Perry Johnson & Associates (PJ&A) – 9.30 Million
What happened: PJ&A, a medical transcription vendor, reported a 2023 incident that ultimately reached 9.3 million individuals across multiple provider clients.
What data was exposed: Depending on the provider, data included names, dates of birth, medical record numbers, and details linked to encounters and diagnoses.
Why it matters: Transcription and other seemingly routine back-office services can hold deeply sensitive PHI. These vendors need the same or stronger safeguards as front-line providers.
What The Top HIPAA Data Breaches Teach Us
Vendors are prime targets.
Many big breaches started with a third-party company that handles data for hospitals or insurers. Always check that your partners follow strong security rules.
Healthcare breaches are costly.
Studies show healthcare data breaches cost more than breaches in any other industry. Quick action can save money and protect patients.
Not every breach is a hack.
Some happen because of mistakes – like website tracking tools sending patient data to the wrong place. Good privacy settings can prevent this.
One breach can affect many companies.
If a vendor is hacked, the damage can spread to every client they work with. Clear contracts and fast communication help reduce harm.
Rules are getting stricter.
After huge breaches like Change Healthcare, regulators are setting clearer expectations. It’s important to stay up to date with HIPAA guidance.
Practical Steps to Avoid Joining This List
Limit the damage before it happens.
Break your network into smaller, separate sections so an intruder can’t easily move around. Only give people and systems the access they absolutely need – nothing more.
Treat outside vendors like they’re part of your own team.
Make sure business partners who handle patient data follow the same strong security rules you do. Require things like multi-factor authentication and security monitoring, and double-check they’re actually doing it.
Take care of the basics every day.
Keep software up to date, watch for unusual logins from administrators, change passwords and access keys regularly, and close accounts that aren’t being used anymore.
Be careful with tracking tools and website tags.
Review any analytics or tracking tools you use. Turn off anything that isn’t needed, and keep track of what data is leaving your website or app.
Practice your “bad day” plan.
Run drills so your team knows exactly what to do if there’s a data breach. Have backup ways to process payments or keep services running if your main systems go down.
These are the same warning signs and weak spots we see again and again in major HIPAA breaches – whether it’s a cyberattack or an accidental leak.
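The tracking-tool step above (and the Kaiser tracker incident, #4) comes down to knowing what each tag sends off-site before it leaves. The following is an added example, not code from the article or from any vendor named in it: a small audit function that inspects an outbound tracker request for identifier-style parameters, PHI-shaped values, and embedded page URLs that reveal a condition or a visit, plus a wrapper that puts the audit in front of a transport such as fetch or sendBeacon. The tracker hostname, parameter names, and path prefixes are constructed samples.

```javascript
// Parameters and value shapes that should never reach a third-party tracker.
// These lists are constructed samples for the example; a real site would
// derive them from its own data inventory.
const SENSITIVE_PARAMS = new Set(["member_id", "mrn", "ssn", "dob", "email", "patient_id"]);
const SENSITIVE_VALUE_PATTERNS = [
  { name: "ssn-like", re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { name: "email-like", re: /[^\s@&=]+@[^\s@&=]+\.[a-z]{2,}/i },
  { name: "date-like", re: /\b(19|20)\d{2}-\d{2}-\d{2}\b/ },
];
// Site areas whose URL alone says something about a person's health.
const SENSITIVE_PATH_PREFIXES = ["/my-health/conditions", "/appointments"];

// Audits a request to `url` (query string) and an optional string `body`.
// Returns { allowed, findings } where findings explains every hit.
function auditTrackerRequest(url, body = "") {
  const target = new URL(url);
  const findings = [];
  const checkValue = (label, value) => {
    for (const p of SENSITIVE_VALUE_PATTERNS) {
      if (p.re.test(value)) findings.push(`${p.name} value in ${label}`);
    }
    // Many tags send the current page URL verbatim (e.g. a "dl" or
    // "referrer" parameter); the path can disclose a diagnosis or a visit.
    try {
      const embedded = new URL(value);
      if (SENSITIVE_PATH_PREFIXES.some((pfx) => embedded.pathname.startsWith(pfx))) {
        findings.push(`sensitive page path in ${label}`);
      }
    } catch (_) { /* value is not a URL; nothing more to check */ }
  };
  for (const [key, value] of target.searchParams) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) findings.push(`sensitive param ${key}`);
    checkValue(`param ${key}`, value);
  }
  if (body) checkValue("body", body);
  return { allowed: findings.length === 0, findings };
}

// Wraps a transport (fetch, navigator.sendBeacon, or a test stub) so every
// outbound tracker call is audited first. Blocked calls are reported to
// `report` and never sent; the wrapper returns false for them.
function installTagGuard(transport, report = console.warn) {
  return (url, body) => {
    const verdict = auditTrackerRequest(url, typeof body === "string" ? body : "");
    if (!verdict.allowed) {
      report(`blocked tracker request to ${new URL(url).hostname}: ${verdict.findings.join("; ")}`);
      return false;
    }
    return transport(url, body);
  };
}
```

Run the audit in a staging build against every tag the site loads and keep the findings as the inventory of what leaves the app, which is the record the "keep track of what data is leaving" step asks for.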
FAQs
1) What is a healthcare data breach under HIPAA?
It’s when someone’s protected health information (PHI) is seen, shared, or stolen without permission. This can happen through hacking, stolen devices, or even website tracking tools that reveal patient details.
2) Why do vendor breaches affect so many people?
Vendors often handle data for many hospitals or insurance companies at once. If one vendor is hacked, it can impact millions of patients across different organizations.
3) Are healthcare breaches getting worse?
Yes. Reporting is better now, but the number and size of attacks are also going up. Healthcare remains the most expensive type of data breach.
4) What should I do if my data is part of a breach?
Sign up for credit monitoring, change passwords, and watch for suspicious activity on your accounts. If medical data is involved, ask your provider for a copy of your records.
5) Do “non-clinical” details really matter?
Yes. Even basic info like your name, address, or appointment times can be used for scams or identity theft.
6) Where can I check official breach reports?
The U.S. Department of Health and Human Services (HHS) has an online list of large healthcare breaches. It’s updated regularly.