US Healthcare Privacy Lapses and Breach Reporting Trends
US healthcare organizations reported unusually low numbers of large HIPAA breaches in late 2025, with 41 incidents affecting 500+ individuals logged for December 2025 in the HHS OCR breach portal. Reporting volumes for September–December averaged ~40.75 large breaches per month versus ~66.5 in the prior four months, and 2025 totals stood at 697 breaches (a reported ~6% decrease from 2024), though the count was expected to rise as additional incidents are added. A key factor cited for the apparent decline was a 43-day US government shutdown that furloughed most HHS staff and likely created a backlog in posting breach reports to the OCR portal, potentially suppressing late-2025 totals until processing is completed.
Separately, a VA Office of Inspector General review found a privacy and security compliance failure within the Veterans Health Administration’s national cancer testing program tied to a collaborative research effort. The OIG reported that in 2022 a VHA research director created and shared a file containing electronic health record reports and a “significant amount” of protected health information (PHI) with non-VHA investigators without institutional review board approval or de-identification, and that required audit logs for secure ePHI management were missing. The OIG noted delays in reporting and inadequate early mitigation, and issued six recommendations that the VA agreed to implement, including removing PHI from shared materials, clarifying research processes, and improving training.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
February 2026 healthcare breaches reported to HHS OCR totaled 63 incidents
In February 2026, HIPAA-regulated entities reported 63 healthcare data breaches affecting 500 or more individuals to the HHS Office for Civil Rights breach portal, exposing or impermissibly disclosing at least 8,134,378 individuals' protected health information. The month's totals were driven by major hacking incidents at TriZetto Provider Solutions and QualDerm Partners, plus a large ApolloMD Business Services ransomware attack attributed to Qilin.
VA later adopted a mitigation plan and accepted OIG recommendations
At a later stage, the VA's mitigation plan was updated to remove PHI, clarify research processes, and improve staff training. The VA also agreed to implement six recommendations from the Office of Inspector General.
OCR announced HIPAA settlement with Concentra over access violation
In December 2025, the HHS Office for Civil Rights announced a HIPAA enforcement settlement with Concentra, Inc. over an alleged Right of Access violation. The settlement was highlighted alongside monthly healthcare breach reporting.
Fieldtex Products and AllerVie Health were among largest December breaches
Among the largest healthcare breaches reported for December 2025 were a hacking incident at Fieldtex Products in New York and a ransomware attack on AllerVie Health in Texas. The AllerVie attack was claimed by the Anubis ransomware group.
December 2025 healthcare breaches reported to HHS OCR totaled 41 incidents
In December 2025, HIPAA-regulated entities reported 41 healthcare data breaches affecting 500 or more individuals to the HHS Office for Civil Rights breach portal. The listed incidents affected 345,564 people, the lowest monthly total since December 2017.
New York AG reported 2025 settlement with OrthoNY over cybersecurity issues
During 2025, the New York Attorney General reported a settlement with Orthopedics NY LLP (OrthoNY) tied to alleged cybersecurity failures. The action was noted in the context of broader healthcare privacy and security enforcement developments.
VA testing project incident reporting and privacy response were delayed
After the 2022 data-sharing incident, investigators found delays in reporting the issue, failures to consult required experts, and initial mitigation steps that did not address privacy risks. Missing audit logs also meant secure management of electronic PHI could not be fully tracked.
VHA research director shared PHI with outside investigators without approvals
In 2022, a Veterans Health Administration research director created and shared a file containing electronic health record reports and significant protected health information with non-VHA investigators. The sharing occurred without institutional review board approval or de-identification, contrary to HIPAA privacy and security requirements.
Sources
February 2026 Healthcare Data Breach Report (hipaajournal.com)
December 2025 Healthcare Data Breach Report (hipaajournal.com)
Audit: VA testing program failed to follow privacy rules | SC Media (scworld.com)