Regulatory Reporting Highlights Rising GDPR Enforcement and U.S. Healthcare Breach Disclosures
European privacy regulators issued roughly €1.2B in GDPR fines in 2025 and received an average of 443 personal data breach notifications per day (a reported 22% increase year over year), according to DLA Piper’s GDPR Fines and Data Breach Survey as cited by DataBreaches.net. The reporting indicates sustained enforcement since GDPR’s introduction, with cumulative penalties reaching €7.1B since 2018, alongside a continued high volume of breach notifications to data protection authorities.
In the U.S. healthcare sector, HIPAA Journal reported that November 2025 showed unusually low counts of large breaches listed on the HHS OCR breach portal (32 incidents affecting 500+ individuals), but attributed the apparent decline to reporting delays during the U.S. government shutdown (Oct 1–Nov 12, 2025) and a resulting backlog. Separately, Central Maine Healthcare disclosed a breach affecting ~145,000 individuals, with unauthorized network access occurring between Mar 19 and Jun 1, 2025 and exposure of data including names and Social Security numbers plus clinical/insurance details; notifications began in late December 2025 and credit monitoring was offered.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
European breach notifications rise to 443 per day
DLA Piper reported that from 28 January 2025 to the present, European data protection authorities received an average of 443 personal data breach notifications per day. This was a 22% increase year over year and the first time the daily average exceeded 400 since GDPR began.
European GDPR fines exceed €1.2 billion in 2025
A DLA Piper survey found that data protection authorities across Europe issued more than €1.2 billion in GDPR fines during 2025, slightly above 2024 levels. The findings indicated a renewed phase of enforcement activity after a perceived plateau.
Fieldtex Products and Delta Dental of Virginia disclose major breaches
Fieldtex Products reported a breach affecting 238,615 individuals, while Delta Dental of Virginia reported 126,953 affected individuals due to an email account compromise. These were the second- and third-largest healthcare breaches reported for November 2025.
VITAS Hospice Services reports largest November healthcare breach
Among November 2025 healthcare incidents, VITAS Hospice Services in Florida disclosed the largest breach, affecting 319,177 individuals through a compromised vendor account. The report identified it as the biggest healthcare breach reported for that month.
November 2025 healthcare breaches affect 1.4 million people
Large U.S. healthcare data breaches reported for November 2025 totaled 32 incidents on the HHS OCR portal, affecting 1,415,934 individuals. Hacking and IT incidents accounted for 78% of breaches and 99.1% of affected individuals, with ransomware and email compromise remaining major drivers.
U.S. government shutdown pauses HHS OCR portal updates
A U.S. government shutdown ran from October 1 to November 12, 2025, pausing updates to the HHS OCR breach portal and creating a reporting backlog that affected November healthcare breach statistics. The disruption also contributed to the absence of HIPAA enforcement announcements in November.
GDPR takes effect across Europe
The EU General Data Protection Regulation came into force, establishing the breach notification and enforcement framework later measured by DLA Piper. The survey cited cumulative fines since this date reaching €7.1 billion.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Regulatory Reporting and Healthcare Data Breaches Highlight Rising Compliance Pressure
European regulators issued about **€1.2B in GDPR fines in 2025** and received an average of **443 personal data breach notifications per day**, according to DLA Piper’s GDPR Fines and Data Breach Survey. The report attributes the sustained reporting surge to multiple factors—geopolitical instability, repeated cyber incidents, and commoditized attack tooling—while warning that organizations are also contending with overlapping and faster disclosure expectations under newer regimes such as **NIS2** and **DORA**, increasing operational and management-level accountability pressure. In the US healthcare sector, HHS **OCR** used its 2026 quarterly cybersecurity newsletter to urge **HIPAA-regulated entities** to harden systems, standardize security controls, reduce attack surface, and strengthen **risk analysis and risk management**, signaling continued enforcement focus on Security Rule compliance. Separately, OCR breach-portal reporting showed **unusually low counts** of large healthcare breaches in October–November 2025 that likely reflect a **government shutdown backlog** rather than a true decline, while individual incidents continued to surface—**Central Maine Healthcare** reported unauthorized network access from **March–June 2025** affecting up to **145,000** individuals, with exposed data including **names and Social Security numbers** plus treatment/insurance-related information and credit monitoring offered to impacted patients.
Mar 21, 2026
Rising Regulatory and Governance Pressure on Data Protection and Cybersecurity
European regulators issued roughly **€1.2B** in **GDPR** fines in 2025 and received an average of **443 personal data breach notifications per day**, signaling increased enforcement and reporting volume alongside overlapping disclosure regimes such as **NIS2** and **DORA**. Ireland remained a leading enforcement authority, including a **€530M** fine against **TikTok**, while large technology firms continued to account for most of the largest penalties; cumulative GDPR penalties since 2018 were reported at **€7.1B**. In the U.S., an **HHS Office of Inspector General** management challenges report highlighted persistent federal healthcare cybersecurity gaps, including inconsistent governance and controls across HHS divisions and heavy dependence on contractors and grantees to implement security measures—conditions that complicate prevention and response as ransomware and other attacks continue to target healthcare. Separately, an academic study on insider risk reported that **58%** of surveyed college students in technology-related programs said they would violate **HIPAA** and disclose patient data for sufficient payment, underscoring the human/insider threat dimension that can drive breach risk and downstream regulatory exposure.
Mar 21, 2026
US Healthcare Privacy Lapses and Breach Reporting Trends
**US healthcare organizations reported unusually low numbers of large HIPAA breaches in late 2025**, with 41 incidents affecting 500+ individuals logged for December 2025 in the HHS OCR breach portal. Reporting volumes for September–December averaged ~40.75 large breaches per month versus ~66.5 in the prior four months, and 2025 totals stood at 697 breaches (a reported ~6% decrease from 2024), though the count was expected to rise as additional incidents are added. A key factor cited for the apparent decline was a **43-day US government shutdown** that furloughed most HHS staff and likely created a backlog in posting breach reports to the OCR portal, potentially suppressing late-2025 totals until processing is completed. Separately, a **VA Office of Inspector General** review found a **privacy and security compliance failure** within the Veterans Health Administration’s national cancer testing program tied to a collaborative research effort. The OIG reported that in 2022 a VHA research director created and shared a file containing electronic health record reports and a “significant amount” of **protected health information (PHI)** with non-VHA investigators **without institutional review board approval or de-identification**, and that required **audit logs** for secure ePHI management were missing. The OIG noted delays in reporting and inadequate early mitigation, and issued six recommendations that the VA agreed to implement, including removing PHI from shared materials, clarifying research processes, and improving training.
Apr 10, 2026