SOCRadar® Cyber Intelligence Inc. | Biggest Healthcare Cyber Attacks in 2025
Aug 29, 2025
11 Mins Read
Moon

Biggest Healthcare Cyber Attacks in 2025

Hospitals save lives every day – but they’re also fighting battles far from the operating room. Increasingly, cybercriminals see the healthcare industry as a lucrative target. Patient data is rich with personal and financial details, making it more valuable than credit card numbers on the dark web. At the same time, the pressure on hospitals to keep critical systems running leaves them especially vulnerable to ransomware and other disruptive attacks.

So far this year, millions of patients across the world have been affected by breaches that range from stolen medical records to ransomware-driven service shutdowns. The consequences extend beyond privacy concerns: care has been delayed, trust has been shaken, and healthcare organizations have faced mounting financial losses.

In this article, we will break down the scale of breaches in 2025, review the most significant incidents, and finally explore what these patterns mean for the future of healthcare security.

The Scope of 2025 Healthcare Breaches in Numbers

So far in 2025, the U.S. Department of Health and Human Services (HHS) has logged 318 healthcare hacking and IT incidents, impacting more than 29 million individuals. Each breach represents more than just data on a spreadsheet; it means patients facing uncertainty about their privacy and organizations scrambling to restore trust.

Some states have become repeat targets, with California (25 incidents), Florida (21), and Texas (19) topping the list. Georgia and New York follow closely behind. Together, these clusters suggest that large healthcare hubs with dense populations and sprawling networks are especially vulnerable.

The number of incident reports by healthcare organizations in different U.S. states

Looking at entity types, healthcare providers were the primary targets with 241 incidents, while business associates accounted for 63 and health plans for 14. This breakdown shows that while direct providers remain the most exposed, third-party partners also represent a significant point of vulnerability.

Affected Entity Type     Number of Reports (2025)
Healthcare Provider      241
Business Associate       63
Health Plan              14

Rising Dark Web Exposure of Healthcare Data

But official reports capture only what surfaces. Beneath the surface, on the dark web, a parallel market of stolen healthcare data continues to thrive.

SOCRadar, through its Advanced Dark Web Monitoring capabilities, detected nearly 75,000 healthcare-related incidents so far in 2025. Of these, more than 14,000 targeted the U.S., followed by India (4,288), Russia (2,893), and the U.K. (2,693). Another 7,685 incidents involved posts aimed at organizations or individuals worldwide.

Breaking this activity down further:

  • ~33,000 posts involved the sharing of databases or other stolen data.
  • 7,700 posts contained customer data specifically.
  • 7,130 posts advertised access sales, often offering stolen credentials.

Together, these numbers show a two-sided reality: while regulators tally breaches on the surface, an invisible trade in stolen health data continues to expand in underground forums. For healthcare organizations, the challenge is not only preventing intrusions but also stopping their patients’ information from becoming part of this hidden economy.

SOCRadar’s Dark Web News feed tracks hacker forums, exposing data breaches, leaks, and illicit sales as they surface.

Top Healthcare Cyber Incidents This Year

From numbers to names, here are the healthcare industry breaches that shaped 2025. Each year, certain breaches stand out for their scale and for the disruptions they cause across hospitals, patients, and the broader healthcare system.

We previously examined the major healthcare breaches spanning 2023–2024; now, we look at how this year has unfolded so far. In 2025, headlines have been dominated by massive ransomware incidents, sprawling data exposures, and the ripple effects of breaches at third-party service providers.

1. Ascension Cyberattack: 5.6 Million Patients Exposed

Even though the Ascension breach took place in 2024, its consequences echoed well into 2025, making it impossible to leave out of this year’s review.

As one of the nation’s largest nonprofit health systems, Ascension became the victim of a ransomware attack in May 2024 that exposed data from nearly 5.6 million people. The compromised information ranged from demographic details and Social Security numbers to insurance records and medical data.

The impact went beyond privacy violations. Ascension was forced to take critical technology systems offline, including its electronic health records and patient portals. Ambulances had to be diverted, elective procedures were delayed, and hospital staff were left scrambling to maintain continuity of care.

Financially, the organization reported a staggering $1.1 billion net loss for the fiscal year, citing the attack as a major contributing factor.

The breach traced back to something as simple and devastating as an employee downloading a malicious file. While Ascension confirmed that its core EHR systems remained intact, the sheer volume of exposed personal and health data made it one of the largest healthcare breaches ever reported to federal regulators.

Key details: Ascension breach

2. Yale New Haven Health: 5.5 Million Patients Exposed

In March 2025, Yale New Haven Health (YNHHS) – one of Connecticut’s largest healthcare systems – discovered unusual activity on its IT network. What began as a precautionary investigation quickly escalated into one of the largest healthcare breaches of the year, affecting more than 5.5 million people.

The attackers gained access to the network on March 8 and exfiltrated sensitive data, including demographic details, Social Security numbers, patient types, and medical record identifiers. Fortunately, YNHHS confirmed that its electronic medical record system remained untouched, meaning no full clinical files were compromised. Financial accounts, payment data, and employee records were also not involved.

While patient care was never disrupted, the breach forced YNHHS into extensive investigations, law enforcement reporting, and large-scale notifications to millions of affected individuals.

Key details: Yale New Haven Health breach

3. Episource Breach: 5.4 Million Records Across Multiple Providers

Between late January and early February 2025, healthcare services firm Episource suffered a ransomware-driven intrusion that exposed data from more than 5.4 million individuals. As a business associate supporting providers and health plans – including giants like Optum and UnitedHealth Group – the breach rippled across multiple organizations, making it the second largest healthcare data breach of the year after Yale New Haven Health.

The compromised information included contact details, insurance records, and health data such as medical record numbers, diagnoses, test results, and treatment information. In some cases, Social Security numbers and birth dates were also involved. While Episource has stated that no misuse of data has been confirmed to date, the scale of this supply chain exposure has left many partner organizations scrambling to notify patients.

For example, Sharp Healthcare in San Diego confirmed that Episource’s breach extended to its systems, forcing the health system to report separate incidents affecting tens of thousands of its patients.

Key details: Episource breach

4. Ransomware at DaVita: Over 1 Million Impacted, $13.5M in Costs

Dialysis giant DaVita became another major healthcare provider to fall victim to ransomware. The attack, which took place between March and April, ultimately exposed the personal and health information of more than a million individuals.

The stolen data was extensive: names, dates of birth, Social Security numbers, medical and treatment information, insurance details, lab test results, and even financial records like tax IDs and images of personal checks. Notably, some of the exposed individuals were not DaVita patients at all, but had their information stored through DaVita Labs, which processes lab results for outside providers, widening the breach’s scope.

The attack was later claimed by the Interlock ransomware group, which is known for high-volume data theft across critical infrastructure targets. Interlock boasted that it had stolen roughly 1.5 terabytes of DaVita’s data, in line with its pattern of exfiltrating massive datasets.

SOCRadar threat actor card for Interlock Ransomware

Beyond data exposure, the incident carried a steep financial burden. In SEC filings, DaVita disclosed $13.5 million in direct costs, including system restoration and increased patient care expenses, not counting the long-term business interruption.

Key details: DaVita breach

5. Blue Shield of California: 4.7M Members Exposed by Misconfiguration

Not every large-scale healthcare data exposure in 2025 came from hackers. In February, Blue Shield of California disclosed a significant privacy incident affecting roughly 4.7 million members – the result of a misconfigured web analytics tool rather than a malicious attack.

The issue stemmed from Google Analytics, which Blue Shield had used between April 2021 and January 2024 to monitor member interactions on its websites. The configuration inadvertently allowed certain protected health information (PHI) to be shared with Google Ads, potentially enabling targeted advertising campaigns directed at members.

The exposed information may have included insurance plan details, medical claim service dates, provider names, and patient financial responsibility data. While no Social Security numbers, driver’s licenses, or financial accounts were involved (and no evidence has emerged that Google misused the information), the scope and sensitivity of the data made it a material incident.

Blue Shield severed the Google Analytics connection in January 2024 and formally disclosed the exposure in April 2025, while assuring members that additional safeguards were being implemented.

Key details: BlueShield of California data breach
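The misconfiguration pattern described above, as an added example that is not Blue Shield’s or SOCRadar’s code: a browser-side review of the analytics tag configuration, plus an allowlist scrubber that strips claim and provider fields from the page URL before it is reported to any third-party analytics endpoint. The portal URL and field names are constructed; the disclosure does not list the actual parameters involved. The two config keys are real gtag.js settings, used here as the corrected counterpart to a default configuration.

```javascript
// Added example (not Blue Shield's or SOCRadar's code). Field names and the
// portal URL below are constructed for illustration.

// Default-style tag configuration: nothing here turns off data sharing with
// advertising features, so whatever is in the page URL may travel onward.
const WEAK_CONFIG = { send_page_view: true };

// Corrected configuration: both are documented gtag.js keys; setting them
// to false disables Google Signals and ad-personalization sharing.
const HARDENED_CONFIG = {
  send_page_view: true,
  allow_google_signals: false,
  allow_ad_personalization_signals: false,
};

// Returns true when the configuration still permits advertising-side sharing.
function configSharesWithAds(config) {
  return config.allow_google_signals !== false ||
         config.allow_ad_personalization_signals !== false;
}

// Query parameters a member portal may legitimately report: an allowlist, so
// any newly added parameter is dropped until someone reviews it.
const ALLOWED_PARAMS = new Set(["lang", "utm_source", "utm_medium", "utm_campaign"]);

// Second line of defence: names that look like claim/provider/member data are
// dropped even if someone later adds them to the allowlist by mistake.
const PHI_PARAM_PATTERN = /(claim|service_date|provider|plan|member|patient|amount|responsibility)/i;

// Path segments that look like record identifiers (long digit runs or GUIDs).
const ID_SEGMENT_PATTERN = /^(\d{6,}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;

// Produces the URL that is safe to hand to an analytics tag, and lists what was removed
// so the redactions can be logged and reviewed.
function scrubAnalyticsUrl(rawUrl) {
  const url = new URL(rawUrl);
  const dropped = [];
  for (const key of [...url.searchParams.keys()]) {
    if (!ALLOWED_PARAMS.has(key) || PHI_PARAM_PATTERN.test(key)) {
      dropped.push(key);
      url.searchParams.delete(key);
    }
  }
  url.pathname = url.pathname.split("/")
    .map((seg) => (ID_SEGMENT_PATTERN.test(seg) ? "redacted" : seg))
    .join("/");
  url.hash = ""; // fragments can carry view state such as an EOB section
  return { url: url.toString(), dropped };
}
```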

Healthcare Cybersecurity Trends and the Path Forward

The major incidents of 2025 make it clear that healthcare remains one of the most attractive and vulnerable targets for cybercriminals. From ransomware and supply chain compromises to accidental misconfigurations, the healthcare sector faces a mix of persistent threats and systemic weaknesses.

The breaches discussed above each carried a lesson:

  • A single employee mistake, as with Ascension, can trigger cascading crises across an entire health network.
  • Even the most prepared organizations, like Yale New Haven Health, can still be compromised by determined intruders.
  • Vendors such as Episource highlight the supply chain risks that ripple through the industry when business associates are breached.
  • DaVita showed how ransomware remains uniquely disruptive, blending data theft with operational shutdowns and high recovery costs.
  • And Blue Shield of California demonstrated that not all exposures require hackers – misconfigurations alone can compromise healthcare privacy at scale.

Taken together, these cases show that healthcare organizations must go beyond compliance checklists and adopt proactive, intelligence-driven defenses.

Strengthening Healthcare Security with SOCRadar

In an industry where every breach can directly impact patient care, proactive intelligence is the cornerstone of security. Healthcare organizations need intelligence that sees the full picture. SOCRadar provides that visibility in a single platform, helping healthcare organizations stay ahead of adversaries and protect patient trust.

With SOCRadar, healthcare organizations can:

  • Protect PII and PHI: Scan the clear, deep, and dark web to detect leaks of sensitive patient data and ensure compliance with privacy regulations. Track underground forums and marketplaces in real time, exposing database leaks, credential sales, and active hacker chatter against healthcare.
  • Supply Chain Intelligence: Identify exposures in third-party vendors and business associates, preventing ripple-effect breaches across networks.

SOCRadar’s Supply Chain Intelligence module, 3rd Party Companies page

  • Threat Actor Intelligence: Monitor threat actors and groups. Gain insights into their tactics, techniques, and procedures (TTPs) for proactive defense.
  • Attack Surface Management: Continuously map internet-facing assets, reduce blind spots, and maintain an accurate inventory. Combine with SOCRadar’s Vulnerability Intelligence to prioritize critical vulnerabilities most likely to be exploited in healthcare environments, reducing exploitable entry points.

SOCRadar’s Attack Surface Management (ASM) module, Company Vulnerabilities page