The healthcare industry is in the midst of an unprecedented cybersecurity crisis in 2025, with data breaches at record highs. For the 14th straight year, healthcare carries the highest breach cost of any sector, and ransomware and other sophisticated attacks have not slowed down.
Through October 2025, the third quarter alone produced 139 large breaches affecting 9.5 million patients. Ransomware attacks against healthcare organizations are up 30% from the same period last year, and attackers are increasingly homing in on third-party vendors and business associates rather than direct care providers. The average cost of a healthcare data breach is $7.42M, well above the cross-industry global average of $4.44M, and it takes an average of 279 days to identify and contain a breach, roughly five weeks longer than in any other industry.
Major Healthcare Breaches of 2025
Change Healthcare: The Largest Healthcare Breach in History
The Change Healthcare ransomware attack still resonates across the industry as the largest and most impactful U.S. healthcare cyber attack on record. First detected on February 21, 2024, its full impact continued to unfold throughout 2025. As of July 31, 2025, Change Healthcare reported that approximately 192.7 million people had been affected, close to 60% of the U.S. population, making it the largest health data breach documented to date.
The BlackCat (ALPHV) ransomware operation was responsible. The intruders entered through a Citrix remote-access server that was not protected by multi-factor authentication, then remained on the network undetected for nine days, during which they exfiltrated roughly 6TB of data. The lesson for defenders is the familiar one: a single externally reachable login without MFA, plus nine days of unnoticed lateral movement and bulk data transfer, was enough. Change Healthcare paid a $22 million ransom to keep the data from being published, but the BlackCat operators pulled an exit scam, and the stolen data later became the subject of a second extortion attempt by the RansomHub ransomware gang.
Financially, the result has been disastrous. The parent company's earnings reports put the total cost of the attack at $2.457 billion, covering direct response costs, business interruption, legal fees and cleanup. Operations were halted for weeks, leaving providers and insurers unable to use Change Healthcare's systems and crippling revenue cycles across the country while patients endured service disruptions. In one survey of affected practices, 77 percent said they were without access to some patient care services for anywhere from a few hours to several days, 80 percent saw revenue fall because of unpaid claims, and 55 percent used personal funds to cover expenses during the outage.
DaVita: Kidney Care Provider Under Siege
In one of 2025's biggest breaches, kidney dialysis provider DaVita announced in August that some 2.7 million individuals had been affected by a ransomware attack discovered on April 12, 2025. The Interlock ransomware gang took credit, claiming to have stolen over 20 terabytes of sensitive data, including more than 200 million rows of patient information from SQL databases.
The unauthorized access is believed to have begun on March 24, 2025, and continued until April 12, when DaVita removed the attackers from its systems. Stolen data included names, addresses, birth dates, Social Security numbers and health insurance information, as well as clinical details such as treatment specifics and dialysis lab results. Some reports said the attackers also obtained images of checks.
DaVita runs over 2,650 outpatient dialysis clinics in the United States and serves roughly 200,000 patients with kidney disease who require regular dialysis. The ransomware locked parts of DaVita's network and disrupted internal operations, though patient care continued through backup systems and manual workarounds. The company disclosed $13.5 million in incident-related expenses for the latest quarter, including $1 million in increased patient care costs and $12.5 million in general and administrative spending.
Episource: Third-Party Vendor Breach Exposes Millions
Episource LLC, a medical coding and risk adjustment provider owned by UnitedHealth Group, suffered a breach affecting over 5.4 million patients, one of the largest healthcare data breaches of 2025. The organization detected unusual activity on its network on February 6, 2025; the subsequent investigation determined that the unauthorized access had begun around January 27, 2025.
Forensic investigators determined that an unauthorized actor accessed and removed data from Episource's systems during that roughly 10-day window. The exposed data varied by individual and included names; contact information (addresses, phone numbers, email addresses); health information (diagnosis and treatment details, prescription information such as dosages, test results, medical images and reports, medical record numbers and physicians' names); health plan information (policy details, member or representative identification numbers, group and policy numbers, and Medicaid or Medicare payor identifiers); and personal identifiers including dates of birth and Social Security numbers.
Yale New Haven Health: Major Academic Medical Center Compromised
In April 2025, Yale New Haven Health System, Connecticut's largest healthcare provider, disclosed a data security incident that compromised the information of more than 5.5 million individuals, making it one of the top healthcare breaches of 2025. The health system said it first noticed suspicious activity in its IT systems on March 8, 2025.
The health system moved quickly to contain the incident and brought in the cybersecurity firm Mandiant to investigate. The swift response limited the scope of the incident and avoided any disruption to patient care. Yale New Haven Health said an unauthorized individual accessed its network on March 8, 2025, and copied files containing patient data. According to its release, there is no evidence that electronic health record or financial systems were compromised.
Frederick Health: Regional Provider Faces Ransomware Attack
Right in our own backyard of the DC-Maryland-Virginia area, ransomware struck Maryland's Frederick Health Medical Group on January 27, 2025, affecting 934,326 patients. The health system notified law enforcement and hired an outside forensic firm to investigate. Investigators confirmed that an unauthorized actor gained access to the network and extracted files from a shared server.
The compromised data varied from person to person but included patient names, addresses, dates of birth, Social Security numbers, driver's license numbers, medical record numbers, health insurance information and clinical information about patients' care. Notably, the electronic medical records system itself was not compromised. The ransomware group behind the attack has not been publicly identified, and it is unclear whether Frederick Health paid a ransom.
Vulnerabilities and Breach Methods
Third-Party and Supply Chain Risks
Third-party suppliers and business associates, the vendors that handle protected health information on a covered entity's behalf, are a persistent weak point in healthcare security. Business associates were the source of 20% of reported breaches in August 2025 alone. Although these breaches affected fewer patients on average than attacks on providers directly, the trend is clearly moving in the wrong direction.
The many vendors supporting healthcare systems create multiple entry points for attackers. Healthcare organizations depend on medical device manufacturers, cloud providers, billing companies, medical transcription services and healthcare IT firms, and every such relationship extends the attack surface. Smaller vendors that lack the budget for robust security controls are a particular concern, because a compromise of their credentials or systems often carries the same access to PHI as a compromise of the provider itself.
Network and System Vulnerabilities
Network servers remain the most targeted and most vulnerable element of health IT. Network servers were the location of the breached data in 67.3% of Q3 2025 breaches, and those incidents accounted for 99.2% of the patient records exposed. This concentration of risk in core IT infrastructure points to weaknesses in how healthcare organizations architect their defenses: segmentation, authentication and monitoring of the servers that hold the bulk of the data.
Legacy systems and older medical devices in use at healthcare facilities often lack adequate security controls or cannot be patched in a timely way. Misconfigured operating systems and endpoints, together with out-of-date medical devices, leave critical infrastructure exposed to exploitation.
Emerging AI-Powered Threats
In 2025, AI poses a new cybersecurity threat to healthcare. Artificial intelligence is transforming care with innovations such as genome mapping and rapid laboratory test analysis, but it also raises an equally large privacy problem. Integrating AI services often moves sensitive patient data outside hospital-controlled environments and into third-party systems, exposing it to potential unauthorized access.
Adversaries also use AI to make their attacks more effective. AI-generated voice deepfakes have been used to trick clinicians into authorizing fraudulent prescriptions. By the end of the year, AI will be embedded in nearly every step of the medical process, creating new opportunities for spoofing and fraud.
Fundamental Security Measures
Healthcare organizations need a comprehensive security strategy that matches an increasingly hostile threat landscape. Zero Trust architecture has become the foundational framework: nothing is trusted by default, neither devices nor users, whether or not they sit inside the organization's network perimeter. Combined with least privilege, access to sensitive data and services is granted only to the specific users and devices that are explicitly authorized for them, and every request is verified rather than assumed.
Strong encryption of patient data in transit and at rest is equally essential. Organizations must encrypt data at rest on servers and data in motion between devices using current, well-vetted standards (for example AES for stored data and TLS 1.2 or later for network traffic), with keys managed separately from the data they protect so that a copied database or disk image is useless without them. These protections safeguard patient information, billing and insurance records and medical histories even when an attacker reaches the storage layer.
Personnel Training and Awareness
Frontline workers are the first line of defense against cyber-attacks, and they remain the most common entry point through phishing, social engineering and plain human error. Ongoing cybersecurity awareness training is essential so staff can recognize suspicious activity and know how to respond. This training should cover legal obligations such as HIPAA and emphasize protecting patient data at every stage of its lifecycle.
Vendor and Third-Party Risk Management
Given the escalating threat from third-party breaches, organizations must tighten vendor access controls and continuously monitor all external partners. Zero Trust principles should apply to every third-party relationship, especially those involving protected health information: vendor accounts should be scoped to the specific systems they need, required to use MFA, and watched for bulk reads, off-hours activity and access outside their agreed scope.
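The two preceding sections describe the policy; the block below, an added example that is not from the original article, shows what it looks like in code. The first half is a deny-by-default access decision for PHI that requires MFA, a managed device, an explicit role grant and, for vendor accounts, a named resource scope. The second half runs a monitoring pass over third-party access logs and flags the patterns described above (no MFA, out-of-scope resource, bulk reads, off-hours access). The role names, vendor name, resource names and log format are all hypothetical, and the log lines are constructed for the example.

```python
"""Deny-by-default (Zero Trust) access decisions for PHI, plus an audit pass
over third-party access logs. Added example; all names and the log format are
hypothetical and not taken from any real system."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    org: str                # "internal" or a vendor identifier (hypothetical)
    roles: frozenset
    mfa: bool
    managed_device: bool


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str     # "phi" or "non-phi"


# Least privilege expressed as explicit (action, classification) grants per role;
# anything not listed here is denied.
ROLE_GRANTS = {
    "clinician":    {("read", "phi"), ("write", "phi")},
    "billing":      {("read", "phi")},
    "vendor-coder": {("read", "phi")},      # e.g. a coding / risk-adjustment vendor
}

# Vendor accounts are additionally confined to named resources (hypothetical).
VENDOR_SCOPE = {
    "acme-coding": {"claims_extract"},
}


def decide(p: Principal, r: Resource, action: str) -> tuple[str, list[str]]:
    """Return ("allow", []) or ("deny", [reasons]). Every check must pass."""
    reasons = []
    if not p.mfa:
        reasons.append("mfa-missing")
    if r.classification == "phi" and not p.managed_device:
        reasons.append("unmanaged-device")
    if not any((action, r.classification) in ROLE_GRANTS.get(role, set())
               for role in p.roles):
        reasons.append("no-role-grant")
    # Third parties never inherit broad access: the resource must be in scope.
    if p.org != "internal" and r.name not in VENDOR_SCOPE.get(p.org, set()):
        reasons.append("outside-vendor-scope")
    return ("allow", []) if not reasons else ("deny", reasons)


# --- Continuous monitoring of third-party access (constructed log format) ---
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) org=(?P<org>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) rows=(?P<rows>\d+) mfa=(?P<mfa>true|false)$"
)


def audit_vendor_access(lines, bulk_threshold=10_000, business_hours=(7, 19)):
    """Flag non-internal events that resemble scope abuse or bulk exfiltration.
    Returns (user, resource, [flags]) tuples; unparseable lines are reported
    too, since a silently dropped log line is itself a monitoring gap."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            findings.append(("unparseable", line.strip()))
            continue
        ev = m.groupdict()
        if ev["org"] == "internal":
            continue                        # internal users are audited elsewhere
        hour = int(ev["ts"][11:13])         # ISO-8601 UTC timestamp, hour field
        flags = []
        if ev["mfa"] == "false":
            flags.append("no-mfa")
        if ev["resource"] not in VENDOR_SCOPE.get(ev["org"], set()):
            flags.append("out-of-scope")
        if int(ev["rows"]) >= bulk_threshold:
            flags.append("bulk-read")
        if not business_hours[0] <= hour < business_hours[1]:
            flags.append("off-hours")
        if flags:
            findings.append((ev["user"], ev["resource"], flags))
    return findings


# Constructed sample log: one suspicious vendor event, one normal vendor event,
# one internal event (skipped), one malformed line.
SAMPLE_LOG = [
    "2025-03-24T02:13:51Z user=svc_acme org=acme-coding action=read resource=patient_master rows=250000 mfa=false",
    "2025-03-24T10:02:11Z user=svc_acme org=acme-coding action=read resource=claims_extract rows=120 mfa=true",
    "2025-03-24T11:40:00Z user=jdoe org=internal action=read resource=patient_master rows=1 mfa=true",
    "not a log line",
]

if __name__ == "__main__":
    for finding in audit_vendor_access(SAMPLE_LOG):
        print(finding)
```

The decision function collects every failed check rather than stopping at the first, which makes denials auditable: a vendor account that is both missing MFA and reading outside its scope is a different incident from one that merely forgot to enroll a device. The audit thresholds (row count, business hours) are tuning knobs and should be set from each vendor's normal baseline.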
Incident Response and Recovery Planning
No breach is 100% preventable, but a well-defined incident response plan limits the damage. Healthcare organizations must create and regularly exercise plans that cover the full range of likely events, including ransomware, data theft and discovered system weaknesses. The plan should spell out a communications approach, how an incident is contained and managed, and how systems and services are recovered with minimal disruption to care.
The Human Impact and Patient Safety Concerns
Disruption to Patient Care
Beyond the financial and regulatory fallout, healthcare data breaches have direct, sometimes life-threatening effects on patients. 76% of U.S. health organizations have experienced a patient care disruption caused by a cyberattack. The Change Healthcare incident illustrates the point: 74% of affected providers reported negative effects on patient care, such as delays to medically necessary treatments and authorizations. Some providers reported increased mortality following ransomware attacks.
The downtime can be significant and long-lasting. The 2024 ransomware attack on Synnovis, a pathology services provider for London hospitals, led to the cancellation of more than 6,000 appointments and procedures and a shortage of blood. The Frederick Health breach forced the health system to temporarily divert ambulances to other facilities. When DaVita's systems were locked, the company fell back on manual workarounds to ensure that its roughly 200,000 dialysis patients still received treatment.
Long-Term Consequences
Healthcare data breaches have consequences that outlast the initial incident, because healthcare data is unusual in both its value and the harm its exposure can cause. Medical identity theft enables financial fraud, with impostors filing false insurance claims and obtaining unauthorized prescription refills, and it can corrupt medical histories in ways that lead patients to receive the wrong treatment. Unlike a credit card number, which can be cancelled and reissued, a Social Security number, diagnosis or treatment history cannot be changed once stolen.
The loss of trust that follows a breach has broader implications for care delivery. Patients who doubt that their providers will keep information private may withhold parts of their medical history or other details needed for appropriate treatment. The reputational damage can take years to repair, affecting both patient retention and new patient acquisition.
Future Outlook and Emerging Challenges
Projected Trends for Late 2025 and Beyond
Healthcare cybersecurity professionals expect these trends to worsen through the end of 2025 and into 2026. Health-ISAC projects that the total number of breaches in 2025 will exceed 2024's count, with as many as 4,040 incidents tallied in the first half of the year and another 1,930 filed during Q3. Compromises of network servers and business associates will continue to dominate the breach counts, with the industry locked in a rinse-and-repeat cycle of ransomware, vendor risk and cloud security failures.
IoT devices will remain the Achilles' heel of healthcare cybersecurity. Common in hospitals and often used during critical procedures, these devices frequently go unpatched because no rules dictate when manufacturers must make updates available, leaving them ripe for exploitation. With the absence of universal patching practices, IoT
Geopolitical and Nation-State Threats
There is now evidence that ransomware groups are working in concert with nation-state actors to raise the sophistication of their attacks. These alliances bring advanced tactics, techniques and procedures to bear against the conventional defenses of healthcare organizations, which remain prime targets because patient care and its data are so valuable. Cyber activity in the healthcare sector remains geopolitically driven.
Although profit motivates about 90% of attacks on healthcare, espionage is a growing concern as global conflicts drag on. Healthcare data is strategically valuable to nation-state actors because it includes far more than patient records: clinical research, pharmaceutical compounds and details of critical infrastructure.
Call to Action
The healthcare sector is at a cybersecurity crossroads. The 2025 breach data offers a map of where the holes are and what bad actors are doing with them. The question is no longer whether a healthcare organization will be targeted, but whether it will withstand the attack when it comes.
Healthcare executives need to recognize that cybersecurity is not an issue to be left to IT alone; it is a matter of patient safety and organizational survival. Just as hospitals invest in medical equipment to save lives, they must invest in cybersecurity infrastructure to protect the digital lives in their care. Organizations that act quickly to remediate known vulnerabilities protect their patients and strengthen their infrastructure. Those that do not may appear on next month's breach list.
The choice is clear: invest now in comprehensive risk assessments, ongoing vendor management, employee training, well-implemented security technology and incident response planning, or pay a far higher price for a breach later. With average breach costs above $7.42 million, breach lifecycles of nine months or more and the real potential for patient harm or loss of life, the need for action has never been more urgent.