2025 has seen an alarming surge in cyberattacks targeting the healthcare sector in the United States. By October, at least 364 major hacking incidents had been reported to federal regulators, compromising the health records of over 33 million Americans[1]. From hospital networks to insurance providers and third-party vendors, no corner of healthcare was untouched. Below we highlight ten of the most significant healthcare cyber incidents of 2025 – including both publicly disclosed breaches and those revealed in cybersecurity reports – and examine their impact. Each incident’s summary details the scope of data compromised, financial losses or legal fallout, system downtime, and other operational disruptions. We also include expert insights on the nature of these attacks (ransomware, phishing, supply chain vulnerabilities, etc.) and conclude with best practices to help healthcare organizations defend against similar threats.
Yale New Haven Health’s March 2025 breach impacted 5.56 million patients, exposing personal identifiers but no financial data.
What Happened: On March 8, 2025, Yale New Haven Health System – Connecticut’s largest health network – discovered “unusual activity” on its IT systems. Hackers had infiltrated the network and exfiltrated data from a server containing patient records[2]. This ranks as the biggest healthcare data breach reported in 2025 so far[3]. Notably, the attackers did not access the Epic electronic medical record system or any treatment charts, and no ransomware encryption occurred (patient care systems remained intact). However, the breach briefly disrupted the hospital’s phone and internet services[4].
Data Compromised: Approximately 5.5 million individuals had personal data stolen[3]. Exposed information varied by patient, potentially including names, dates of birth, addresses, phone numbers, email addresses, medical record numbers, and even Social Security numbers[5]. Sensitive demographic details (such as race/ethnicity and patient types) were accessed, but no financial account or payment information was involved[5]. This implies attackers targeted identity and medical data rather than billing systems.
Impact and Response: Yale New Haven Health swiftly notified affected patients and offered credit monitoring. Within seven months, the health system agreed to an $18 million class-action settlement to compensate victims[6]. At least two lawsuits have alleged that basic security measures could have prevented such a breach[7]. Experts note that despite the large scale, the incident could have been worse – critical clinical operations were not directly impacted, as the hospital’s core EMR and patient care continued uninterrupted[4]. This case highlights that attackers often aim for data outside primary clinical systems, such as backup servers or ancillary databases, which may be less protected[8].
Attack Nature: Cybersecurity analysts suspect a hacking/IT incident involving unauthorized access to network servers[9][10]. Although Yale New Haven did not publicly confirm the culprit, the tactics align with double-extortion ransomware groups – data theft without encryption, possibly for later extortion or dark web sale. The breach underscores how even well-resourced hospitals remain vulnerable if any part of their IT environment is left undefended. In this case, stolen login credentials or unpatched system vulnerabilities may have enabled the intruders to slip past defenses. The fact that over 90% of hacked health records come from outside core EHR systems[11] is a sobering reminder that hospitals must secure not just clinical systems but all repositories of patient data.
Episource, a healthcare data vendor, suffered a ransomware breach in February 2025 affecting 5.4 million patients.
What Happened: Episource LLC – a California-based medical coding and analytics vendor (owned by UnitedHealth’s Optum) – fell victim to a ransomware attack that went undetected for ten days[12][13]. Between January 27 and February 6, 2025, cybercriminals accessed Episource’s network, stealing sensitive files before the company shut down systems to contain the attack[12][14]. The incident was confirmed in June and is considered the second-largest U.S. healthcare breach of 2025, second only to the Yale New Haven incident[15]. Multiple healthcare organizations nationwide were indirectly affected, since Episource manages data for various providers and health plans.
Data Compromised: Roughly 5.4 million individuals’ records were exposed[15]. Stolen data included an extensive range of protected health information – full names, contact information, dates of birth, and Social Security numbers, as well as health insurance details (policy numbers, Medicaid/Medicare IDs) and clinical data like diagnoses, medications, test results, and treatment histories[16][17]. In essence, the attackers obtained a trove of medical records and personal identifiers. Episource’s forensic review confirmed data exfiltration had occurred, though the company initially stated it was unaware of any misuse of the data as of notification time[18][19].
Impact and Response: The breach had a supply-chain ripple effect. Major clients of Episource – such as Sharp HealthCare in California and Horizon Blue Cross Blue Shield of New Jersey – had to notify their own patients that data held by their vendor was compromised[20]. Episource reported the incident to law enforcement and offered two years of free identity protection services to victims[19]. The company did not disclose which ransomware group was responsible and did not confirm if a ransom was paid[21]. Cybersecurity experts note this attack exemplifies the rising trend of threat actors targeting business associates of healthcare providers. By breaching one vendor like Episource, hackers gain access to records from many hospitals and insurers at once[22]. Mike Hamilton, CISO of cybersecurity firm Lumifi, commented that covered entities “should be holding their business associates to the same [security] requirements as their own organizations” – including regular audits and contractual penalties – to limit liability and downstream risk[23].
Attack Nature: This was a classic ransomware + data theft (double extortion) incident. Partners confirmed Episource had been hit by ransomware, even though the company’s public notice was initially vague[19]. The attackers likely infiltrated via phishing or exploiting a software vulnerability, then moved laterally and exfiltrated databases before deploying the ransomware payload[24][25]. The sheer scale (over 5 million patients) and the fact that multiple clients’ data were commingled in Episource’s systems show the supply chain vulnerability in healthcare. As one industry report noted, this breach “highlights growing threats from attacks on third-party vendors rather than hospitals directly”, thereby increasing risk across the healthcare supply chain[22]. Organizations are urged to map and monitor their data held by vendors, enforce strong access controls, and consider data encryption so that even if a vendor is breached, stolen records would be unusable[19][15].
A data analytics misconfiguration at Blue Shield of California exposed 4.7 million members’ data via Google’s ad network.
What Happened: Not all major breaches in 2025 were due to criminal hacking – in Blue Shield of California’s case, a technology misconfiguration led to a massive privacy violation. In early 2025, the health insurance giant disclosed that for nearly three years (April 2021–Jan 2024) certain member data had been inadvertently shared with Google due to an improperly configured Google Analytics tool on its website[26][27]. Essentially, a tracking code meant to analyze website traffic was also feeding sensitive health-related data to Google’s advertising systems without authorization. Blue Shield discovered the issue on February 11, 2025 and severed the Google Analytics connection immediately[26]. By April, it reported the breach – affecting up to 4.7 million individuals – to regulators, making it one of the largest healthcare breaches of the year[28].
Data Exposed: The information disclosed was “digital exhaust” from members’ interactions on Blue Shield’s sites, which nonetheless qualifies as protected health information (PHI). Depending on what pages a member visited or what tools they used (such as “Find a Doctor”), the leaked data could include names, insurance plan types and group numbers, ZIP codes, cities, gender, family size, and Blue Shield member ID numbers[27]. In some cases, even details like medical claim service dates, provider names, or search queries for doctors were transmitted to Google’s advertising platform[27]. Blue Shield emphasized that no Social Security numbers, financial account info, passwords, or clinical treatment data were involved[29][30]. However, the incident is troubling because it means advertising trackers were potentially profiling users based on their healthcare interactions – a clear HIPAA violation when done without consent.
Impact and Response: Blue Shield’s analysis indicated that Google may have used this data to serve personalized ads to members[26]. While no malicious hacker was behind the leak, the privacy impact is significant – millions of individuals’ health-related actions (like searching for specific doctors or services) were exposed to a third-party advertiser. Upon discovery, Blue Shield promptly fixed the configuration and conducted a full review of all web analytics and tracking tools to ensure no other data leaks existed[29]. The company began notifying all affected members and offered assurances that the problematic data-sharing had been stopped in January 2024[29]. Regulators took note because using PHI for advertising without explicit consent is an impermissible disclosure under HIPAA, making this a reportable breach[31]. This case serves as a cautionary tale: even well-intentioned use of analytics can backfire in healthcare. As one security expert noted, it highlights the privacy risks of using web trackers without strict controls in healthcare settings[32]. Blue Shield’s misstep underscores that cybersecurity isn’t just about keeping hackers out – it’s also about properly configuring technology so sensitive data isn’t accidentally sent out.
Attack Nature: This incident was not a cyberattack by outsiders but rather an internal technical error with serious privacy consequences. In effect, the breach occurred because a snippet of code (integrating Google Analytics and Google Ads) was mis-set to collect PHI, behaving in a way it shouldn’t[26][29]. No unauthorized party “hacked” Blue Shield; however, from members’ perspective, their data was exposed to an entity (Google) that shouldn’t have it. Experts point out that such exposures can be as damaging as a hack, since advertisers or data aggregators might exploit health info for targeting. Blue Shield’s experience is prompting other insurers and hospital systems to re-examine their use of third-party analytics, ensuring compliance with HIPAA’s guidance that tracking tools on healthcare websites must not leak individually identifiable health info without consent. In short, this breach underscores the need for strong data governance: even simple web plugins can become a leak vector if misconfigured.
Lockton Companies’ Southeast division suffered a breach affecting ~1.1 million individuals, caused by a single compromised employee account.
What Happened: In late 2024, the Southeast Series of Lockton Companies – a Missouri-based insurance brokerage firm handling employee benefits across industries, including healthcare – experienced a stealthy cyber intrusion. On November 20, 2024, an attacker gained access to a single Lockton employee’s account and computer and, over the span of just a few hours, siphoned off a cache of sensitive files[33]. Lockton did not detect the breach immediately; it was initially reported to HHS in February 2025 as affecting only 1,706 individuals, but subsequent investigations revealed the true impact exceeded 1 million people[34][35]. By March 2025, Lockton updated the breach report to 1,025,956 victims, making it the second-largest healthcare-related breach in early 2025 (at that time)[35]. The breached data primarily involved individuals covered under various employers’ health and benefit plans serviced by Lockton.
Data Compromised: The attacker accessed files containing a trove of personal and financial details. Compromised information included names, addresses, phone numbers, email addresses, dates of birth, and Social Security numbers of plan members[36]. In addition, some financial information was taken – likely bank account or payment data related to insurance billing – and possibly health insurance details or medical information since Lockton’s services span employee health benefits[37]. Essentially, this one hacked account became a gateway to a vast combined dataset of multiple companies’ employees and dependents. The breach illustrates how an attack on an intermediary can expose data from dozens of client organizations at once[38]. Indeed, Lockton confirmed that victims came from “multiple employee-benefit plans across dozens of employer groups” using its Southeast division[39].
Impact and Response: The fallout was significant. Lockton had to notify over a million individuals and offer 24 months of free identity theft protection (including credit monitoring and $1 million identity insurance) to those affected[40]. At least 11 class-action lawsuits were filed accusing Lockton of inadequate cybersecurity and negligence in protecting data[41]. Plaintiffs pointed out that such a breach – one user account compromising so many – suggested a lack of multi-factor authentication or network segmentation, which could have limited access. Lockton’s breach letters indicated the compromise occurred via an “unauthorized party” accessing an employee’s account[33], implying either phishing or stolen credentials were used. The firm faced harsh scrutiny for initially underestimating the scope (reporting only 1,706 impacted) and then revising the count to over a million, raising questions about its incident response and audit processes[34][35]. Lockton has since enhanced security and cooperated with regulators, but the incident underscores how one weak link (an email or login) can result in a massive breach when aggregated data is at stake.
Attack Nature: This was a targeted unauthorized access incident, likely through business email compromise (BEC) or spear-phishing. The fact that a single employee’s account was the entry point[33] suggests the attacker obtained that user’s credentials (perhaps via a convincing phishing email) and then escalated privileges or navigated the network to copy data. It’s notable that the files stolen dated back to a specific day, implying the attacker had limited time before being noticed or losing access[33]. Experts classify this as a supply-chain attack in effect: a criminal didn’t hack any hospital or insurer directly, but by hacking Lockton (a benefits administrator), they breached data from countless healthcare plans at once. Forensic details remain sparse publicly, but the case shows the importance of multi-factor authentication, vigilant monitoring of employee accounts, and least-privilege access. Lockton’s breach is a textbook example of how phishing and poor access controls can open the floodgates to sensitive data. As one cybersecurity attorney observed, “social engineering is the most significant cybersecurity threat” and even robust technical safeguards fail if employees are tricked[42].
What Happened: On January 2, 2025, Community Health Center, Inc. (CHC) – a nonprofit network of clinics serving Connecticut – detected unauthorized activity in its computer systems[43]. An investigation confirmed that a criminal hacker had infiltrated the network months earlier, in October 2024, and stealthily exfiltrated patient data[44]. Unlike typical ransomware incidents, CHC reported that none of its files were encrypted or deleted, and daily operations were not disrupted[45]. In fact, CHC believes it cut off the hacker’s access “within hours” of discovery, preventing further harm[46]. However, by the time the breach was contained, the damage was done: the attackers had absconded with personal and medical information on over 1 million patients – making it, at that point, the largest healthcare breach reported in 2025[47].
Data Compromised: A painstaking review of CHC’s compromised files revealed a wide array of patient information was stolen. The data included patients’ names, addresses, phone numbers, email addresses, dates of birth, and Social Security numbers, as well as detailed medical information[48]. “Diagnosis information, test results, treatment information” and health insurance details were among the types of PHI that may have been exfiltrated[48]. Notably, both adult and pediatric patients’ records were impacted, and even some data of deceased patients (with notifications sent to next of kin)[49]. In total, up to 1,060,936 individuals were affected[48]. This comprehensive data theft could enable identity theft, medical fraud, or public exposure of sensitive health conditions if misused. However, CHC reported in February that at that time it had “no indications” the stolen data had surfaced or been exploited[50].
Impact and Response: The immediate operational impact was minimal – since the attacker focused on data theft without deploying ransomware, CHC’s clinics continued to function normally. But the privacy impact and potential future harm are significant. CHC moved quickly to notify all patients whose information was compromised and offered 24 months of free identity theft protection services[50]. The breach also drew attention from multiple state attorneys general, as it affected not only Connecticut residents but also patients in other states (e.g. California’s AG was notified, suggesting some patient data across state lines)[47]. CHC bolstered its cybersecurity, adding new monitoring software and reinforcing defenses to spot suspicious activity sooner[50]. The organization did not disclose whether any ransom demand was made – the absence of encryption suggests this may have been a data-theft-only attack, possibly with the intent to sell the data rather than extort CHC. From a legal standpoint, CHC likely faces investigations under HIPAA and state laws for any security shortcomings. The incident underlines that even nonprofits and community clinics are juicy targets for hackers, given the sensitive nature of health data. It also shows that attackers don’t always announce themselves via ransomware; some quietly steal information and try to remain undetected.
Attack Nature: This was a malicious network intrusion by external hackers, classified as a hacking/IT incident in breach reports[51]. The exact entry vector wasn’t disclosed, but common culprits are phishing emails or exploiting an unpatched software vulnerability. CHC’s notification hints that the hacker’s dwell time was long (mid-October to Jan 2) before detection[52][53]. The fact that CHC “stopped the hacker’s access within hours” of noticing suggests an active compromise was ongoing – perhaps an employee noticed something abnormal or a security system triggered an alert. Because no ransomware was used, it’s possible the attacker intended to quietly monetize the stolen data (e.g., sell it on the dark web for identity theft or insurance fraud schemes). In expert commentary, this attack exemplifies the trend of data breaches for profit: attackers may refrain from noisy ransomware if they value the data more than an immediate payout. It reinforces the need for robust network monitoring and early intrusion detection in healthcare networks. Also, given CHC’s quick containment, one silver lining is that having an incident response plan and skilled security team can dramatically limit an intruder’s window – potentially preventing them from escalating to sabotage or widespread encryption.
What Happened: Frederick Health Medical Group, a healthcare provider in Maryland, was struck by a ransomware attack on January 27, 2025[54]. The cyberattack forced Frederick Health to shut down portions of its IT systems and investigate, initially unsure how much patient data was compromised[55]. The incident disrupted the organization’s operations – reports indicate that some appointments and procedures had to be postponed and patients were diverted to other facilities during the outage[56]. Over the following weeks, it became clear the attackers not only encrypted systems but also stole data. By late March 2025, Frederick Health confirmed that the personal and medical information of 934,326 patients had been accessed and taken by the attackers[57][58]. This breach is among the largest ransomware-related healthcare breaches of 2025, affecting nearly the entire patient population of the health system.
Data Compromised: According to Frederick Health’s breach disclosure, the ransomware gang obtained a wide range of patient records[58]. Names, addresses, dates of birth, and Social Security numbers were compromised, along with driver’s license numbers in some cases[58]. Importantly, the attackers also accessed clinical information and health insurance details related to patients’ care[58]. Medical record numbers and possibly treatment or diagnosis information were part of the haul, though Frederick Health noted that its core electronic medical record (EMR) system itself was not breached[59]. This suggests the data might have been exfiltrated from other systems or backups that stored patient information. Still, the leak of such data poses severe risks: criminals could commit identity theft, insurance fraud, or even attempt phishing scams against patients using their health details.
Impact and Response: The immediate impact was a significant IT downtime. Local reports and a cybersecurity briefing indicated the attack caused system outages and some emergency patients had to be diverted during the recovery period[60][61]. Frederick Health engaged cybersecurity experts and law enforcement right away[55]. By the end of March, once data theft was confirmed, the hospital began mailing individual notification letters and offering affected patients free credit monitoring and identity protection services[62]. At least five class-action lawsuits have been filed by patients, accusing Frederick Health of failing to adequately protect their data[63]. These suits claim negligence – citing that the hospital could have prevented the breach with better security practices – and even criticize the breach notification for not fully explaining what happened[64]. The incident has likely cost Frederick Health substantial resources in investigation, bolstering security, legal fees, and potentially a ransom payment (though it was not disclosed whether they paid the attackers). Security analysts observed that no ransomware group publicly claimed responsibility, which is somewhat unusual[65]. This could mean Frederick Health negotiated quietly, or the attackers focused on selling the data rather than public shaming. Frederick Health has since stated it implemented additional cybersecurity safeguards and monitoring to prevent future attacks[62].
Attack Nature: This was a ransomware attack with data exfiltration, part of the double-extortion trend. The attackers likely penetrated the network (possibly via a phishing email or an unsecured remote access point) and deployed malware that encrypted systems to disrupt operations, while simultaneously stealing patient data to use as leverage[66][58]. The strain of ransomware and the hacker group were not named by the hospital[65]. Given the timing (early 2025) and targets, groups like ALPHV (BlackCat) or LockBit – known to target healthcare – are possible culprits, but that remains speculative. Experts underscore a few lessons from Frederick Health’s ordeal: First, backups and downtime procedures are critical so that patient care can continue even if systems are locked (Frederick had to divert patients, indicating some gaps). Second, the fact that data was stolen despite the EMR not being touched shows that attackers often target secondary databases or file shares that contain PHI. Finally, this case reiterates that most healthcare ransomware incidents now involve data theft; in 2025, nearly 97% of people affected by healthcare breaches were victims of hacking incidents like this[51][67]. Robust network defenses, employee training, and segmented network architecture can help blunt the impact of such attacks.
What Happened: Medusind Inc., a Florida-based provider of medical and dental billing services and software, suffered a major hacking incident in late 2023 that came to light in 2025 due to its far-reaching impact. On December 23, 2023, Medusind’s systems were breached by an unauthorized actor, compromising data it handles for numerous healthcare clients[68][69]. Medusind began notifying affected healthcare providers and individuals in January 2025, and by that time it reported the breach to HHS as affecting nearly 701,500 people[70][71]. This places Medusind among the five largest healthcare business-associate breaches reported in 2025[72]. The timing suggests the incident was likely a ransomware attack or similar hack executed in 2023, but full discovery and analysis of affected records took weeks, pushing notifications into the new year.
Data Compromised: Medusind has not publicly enumerated every data element stolen, but as a revenue cycle management vendor, it would hold extensive personal and health information from patients of various medical and dental practices. According to a class action lawsuit, the breach exposed names, Social Security numbers, dates of birth, addresses, and other medical or financial information entrusted to Medusind[73]. Essentially, any data patients provided to their doctors or dentists for billing (insurance details, treatment codes, etc.) could have been in Medusind’s databases. State breach notices and settlement filings indicate hundreds of thousands of individuals had their PHI and personally identifiable information accessed[74]. The scale of 700k+ victims underscores that multiple healthcare entities’ data was pooled on Medusind’s systems – making it a one-stop target for hackers.
Impact and Response: The breach triggered a wave of legal action. In 2025, Medusind agreed to a $5 million settlement to resolve a consolidated class action lawsuit by victims of the incident[70]. Affected patients (spanning many states and provider offices) could claim financial reimbursement for losses and receive credit monitoring as part of the settlement[75]. Operationally, the incident likely disrupted Medusind’s billing services around late December 2023, possibly delaying some healthcare providers’ revenue cycles until systems were secured and restored. Medusind’s reputation took a hit, as healthcare clients and their patients lost trust in the company’s data security. Regulators also probed the case: because Medusind is a HIPAA business associate, it faces potential enforcement for any lapses in safeguards. In terms of remediation, Medusind claims to have bolstered its cybersecurity and cooperated with investigators. One notable aspect is how long it took to identify all affected individuals – initial notices covered around 360,000 people in early January[76], but the tally almost doubled by the time of the HHS report, reflecting the complexity of forensic analysis in such breaches.
Attack Nature: The Medusind hack aligns with the spate of ransomware attacks on healthcare vendors in late 2023 (many tied to gangs exploiting zero-day vulnerabilities in common software). While Medusind did not confirm the culprit, security journalists have noted it occurred around the same time as other healthcare breaches via the MoveIT file transfer software exploit or other similar attacks by groups like Clop or ALPHV. Indeed, 2023 saw record healthcare breaches due to third-party software compromises[77]. Medusind’s case is a reminder that even “small” vendors can pose “significant, well-known” security concerns if they lack the resources to maintain strong defenses[78]. Commenting on breaches like Medusind, regulatory attorney Paul Hales noted that “inadequate health information privacy and security safeguards among small HIPAA-regulated entities” (like many billing firms) are a major issue[79]. He emphasized that not only technical safeguards but also workforce training are essential, since social engineering often opens the door[42]. In summary, the Medusind breach underlines the need for due diligence in vendor selection and continuous monitoring: healthcare providers must ensure their partners protect patient data as diligently as they do themselves.
What Happened: Kelly & Associates Insurance Group – commonly known as Kelly Benefits – is a Maryland-based benefits administration firm that serves as a third-party broker and enrollment platform for numerous employers and insurers. In December 2024, Kelly Benefits fell victim to a targeted cyberattack that allowed intruders to access and steal data from its systems over the course of several days. The breach occurred between December 12 and 17, 2024, when hackers infiltrated Kelly’s network and copied files containing client information[80]. Initially, Kelly Benefits’ disclosure estimated a relatively small number of victims (just over 32,000), but as the forensics continued, the scope expanded dramatically[81]. By April 2025, the company confirmed that 553,660 individuals nationwide were impacted by the breach[82]. This incident highlights how complex and far-reaching breaches can be when a central service provider for many organizations is compromised.
Data Compromised: Because Kelly Benefits handles a broad set of data for employee benefits (from health insurance enrollment to payroll and HR info), the breach exposed a rich collection of personal data. The stolen files likely contained full names, Social Security numbers, dates of birth, and Tax ID numbers of employees and dependents[83]. Additionally, affected individuals’ health insurance information (e.g. plan enrollment details, member IDs) was involved, and in some cases even limited medical information related to their benefits may have been included[83]. Financial account information (such as direct deposit bank details for payroll or benefits contributions) was also part of the compromised data set[83]. Essentially, the attackers grabbed anything Kelly Benefits had on file for the 46 client entities that were impacted[84]. Those clients spanned major health insurers (UnitedHealthcare, Aetna, CareFirst BCBS, Humana, Guardian Life, Mutual of Omaha, etc.) as well as employers using Kelly’s services[85]. This means the breach was effectively a hub-and-spoke: by breaching one hub (Kelly), data from dozens of insurers and employers’ plans leaked out.
Impact and Response: The Kelly Benefits breach illustrates the wide blast radius a vendor incident can have. Over half a million insurance customers and employees across 46 organizations had to be notified that their sensitive data was in criminal hands[84]. Kelly Benefits worked with authorities and began sending out breach notices on April 1, 2025[86]. In response, the firm offered 12 months of free credit monitoring and identity protection via IDX to all impacted individuals[87]. They also urged vigilance against phishing or fraud attempts, knowing the exposed data could be used in social engineering schemes[87]. The breach led to at least one major lawsuit and multiple investigations. For example, Guardian Life Insurance (one of the affected insurers) faced questions from regulators and facilitated notifications to its customers via Kelly’s information[88][89]. Kelly Benefits has not publicly detailed the cause of the attack, but a breach notice filed with states indicated that hackers gained access to the network and stole certain files over that five-day window in December[90]. The incident spotlights how challenging it can be to determine the full scope: it took Kelly Benefits months to “review logs, cross-reference files, and confirm affected individuals” across all its clients[91]. This delay in fully assessing the breach size drew some criticism but also reflects the complexity when so many stakeholders are involved.
Attack Nature: The Kelly Benefits breach was a hacking/IT incident likely involving unauthorized network access, but the precise method remains undisclosed. Security analysts suspect a ransomware group might have been behind it, as several benefit administrators were hit by ransomware around that time. However, interestingly, Kelly did not report any system encryption or outage; the focus was data theft. A clue from a leaked internal memo suggests the compromise may have started with a phishing email to a Kelly Benefits employee, allowing the attackers to infiltrate the network in mid-December[92]. Once inside, they would have navigated file shares or databases and exfiltrated data. The fact that multiple Fortune 500 insurers’ data was stored in one place made Kelly a high-value target. This attack underscores the supply-chain vulnerability in insurance and benefits services: companies outsource data handling to firms like Kelly Benefits for efficiency, but this concentrates risk. Going forward, this breach has been a case study in the importance of timely breach detection and comprehensive incident response. As the Paubox security blog noted, the lag between discovery and full reporting in Kelly’s case shows how hard it can be to track data spread across interconnected systems[93] – a challenge that the entire industry must address with better auditing and data management practices.
What Happened: Numotion (United Seating & Mobility), one of the nation’s largest providers of wheelchairs and mobility equipment, experienced a significant data breach stemming from a sustained email account compromise in late 2024. Attackers conducted a phishing campaign that fooled several Numotion employees into giving up access to their Office 365 email accounts[94][95]. According to Numotion’s investigation, multiple staff email accounts were illicitly accessed between August 23 and November 18, 2024[96]. During this nearly three-month window, the attackers potentially rifled through emails and attachments containing sensitive customer information. Numotion only became aware of the issue on September 6, 2024 (when suspicious activity was detected), but it appears the compromise had already begun in late August[96]. The company took until January 22, 2025 to fully ascertain what data was exposed and who was affected[97]. Ultimately, Numotion confirmed that the breach impacted 494,326 individuals, which it reported in early 2025[98].
Data Compromised: The breached data came from the contents of the compromised email accounts. Numotion’s review found that emails (and likely file attachments) in those accounts contained various types of customers’ personal and health information[99]. Data exposed differed by individual but could have included names, dates of birth, contact information (addresses, phone numbers), health insurance details, product order information, and medical information regarding the mobility equipment or services a person received[99]. In some cases, financial account information and payment details were also present in emails, as well as a minority of individuals’ Social Security numbers or driver’s license numbers[99]. Essentially, anything that might be communicated between a patient, their doctor, and Numotion – such as prescriptions for a wheelchair, medical justification documents, invoices, and insurance claims – could have been caught up in this breach. It’s worth noting that in a separate incident in early 2024, Numotion suffered a ransomware attack affecting 602,000 people[100]. But the email breach is distinct: it was more of a stealthy espionage operation via phishing rather than a system-wide malware attack.
Impact and Response: The direct operational impact on Numotion’s services from the email breach was not widely reported – likely, the company’s product deliveries and customer support continued normally, since email access alone can be restored relatively quickly after password resets. The main impact was the privacy breach of nearly half a million customers, essentially Numotion’s entire client base (reports noted it affected “its entire customer base” across the U.S.)[101][102]. Numotion began notifying individuals and regulators in March 2025, once the analysis was done[98]. They offered complimentary credit monitoring and identity theft protection to everyone whose sensitive information (like SSN) was exposed[103]. The company also had to contend with multiple lawsuits alleging it failed to implement adequate email security (such as multi-factor authentication) and did not act swiftly enough to stop the prolonged breach[96]. Indeed, it appears that despite noticing something by Sept 6, the attackers still had access through November, implying some gaps in containment[96]. Numotion has stated that they “have no reason to believe” the emails were accessed specifically to steal info, and claimed no evidence of misuse of the data has been found[104]. However, experts treat such assurances cautiously – absence of evidence is not evidence of absence. The stolen data (equipment prescriptions, etc.) could potentially be used for fraud (for example, filing false insurance claims for medical equipment or targeting patients with scams related to their condition).
Attack Nature: This incident was essentially a phishing-enabled breach leading to Business Email Compromise (BEC). The attackers likely sent convincing emails to Numotion staff (perhaps posing as IT support or a trusted contact) to harvest their email login credentials. Once in control of those mailboxes, the hackers quietly harvested data over weeks – either manually reading emails or programmatically downloading mailboxes. The fact that multiple accounts were involved suggests either several employees fell for phishing, or the attackers hopped from one account to another using information gleaned internally. The overlap in dates with another smaller Numotion email breach (Aug–Sept 2024 affecting ~2,300 people) suggests this was part of a broader campaign[105]. The lesson here is that even without deploying malware, adversaries can cause a major breach by targeting email, which often contains a wealth of unencrypted sensitive information. Simple best practices like enabling multi-factor authentication (MFA) on email accounts and training employees to spot phishing could have thwarted this attack. Unfortunately, Numotion’s case shows that without those measures, attackers had free reign in the company’s email system for months. As a result, numerous lawsuits argue that Numotion was negligent by not having “reasonable safeguards” like MFA and email encryption in place[106]. This breach reinforces the healthcare industry mantra that email is the No. 1 threat vector – and organizations must treat the protection of email accounts with the same seriousness as securing their core networks.
What Happened: Serviceaide, Inc., a California-based IT service management company providing an AI-powered helpdesk platform, inadvertently exposed nearly half a million patient records through a cloud misconfiguration. Serviceaide was a vendor for Catholic Health – a six-hospital system in Buffalo, New York – handling parts of its IT and support workflows[107][108]. On November 15, 2024, Serviceaide discovered that an Elasticsearch database it used for Catholic Health had been left unsecured on the internet, accessible without any login required[108]. This database contained cached information from IT support tickets and related patient data. It had been openly exposed for about six weeks (from September 19 to November 5, 2024) before Serviceaide found and secured it[109]. In May 2025, after thorough analysis, Serviceaide notified Catholic Health and regulators that 483,126 patients’ data was potentially compromised by this leak[110]. The breach is unusual in that it was not a result of a hacker’s break-in, but rather an internal error – though it’s possible unknown parties may have accessed the data while it was publicly visible.
Data Compromised: The exposed Serviceaide database contained a comprehensive array of personal and medical information on Catholic Health’s patients[110]. The data points included full names, dates of birth, Social Security numbers, medical record numbers, patient account numbers, and details of patients’ medical care (diagnoses, treatment information, prescriptions, clinical notes)[110]. It also listed provider names and locations, and notably, even email addresses/usernames and passwords – likely credentials for Catholic Health’s patient portals or Serviceaide’s support system – were in the database in some form[111]. In short, virtually any data that might have been part of IT support requests or records was present. The inclusion of login credentials is especially worrying; if those passwords were for patient accounts (and if they were reused elsewhere by individuals), the risk extends to unauthorized access of those accounts. Serviceaide emphasized that it found no evidence that any unauthorized person actually downloaded or misused the information during the exposure[112]. However, because the data was exposed to the open web, one cannot rule out that opportunistic attackers or researchers stumbled upon it during that six-week window.
Impact and Response: This breach illustrates how a single configuration mistake can have wide-reaching privacy implications. The patients affected were all those who had some interaction logged in Catholic Health’s IT support system – which turned out to be nearly half a million people, reflecting Catholic Health’s large patient base. Catholic Health posted a notice acknowledging that one of its vendors (Serviceaide) had a data breach but carefully termed the exposed data as “limited patient information”[113]. In reality, the data was quite extensive in scope. Serviceaide took responsibility by sending out notification letters to all 483,000+ patients and offering them credit monitoring and identity protection services[114]. The company also reported the incident to the HHS Office for Civil Rights on May 9, 2025[114]. As a remedy, Serviceaide tightened its cloud security configurations and promised additional measures to prevent such lapses in the future[114]. The breach sparked multiple class-action lawsuits on behalf of patients, alleging Serviceaide was negligent in failing to password-protect the database and thus violating privacy laws[115][116]. From a regulatory standpoint, because Serviceaide is a HIPAA business associate, it could face hefty fines; OCR has penalized companies in the past for exposed servers even absent evidence of malicious access[117]. For Catholic Health, this incident was a stark reminder that its data security is only as strong as the security practices of its vendors. Patients, for their part, were advised to change any accounts whose credentials may have been leaked and to watch out for suspicious emails or scams.
Attack Nature: Uniquely, this was a non-malicious data leak – essentially a cloud configuration error – not an active cyberattack. No sophisticated hacking was needed: anyone with an internet connection could have stumbled onto the Serviceaide database because it lacked authentication. These kinds of leaks are often discovered by security researchers scanning for open ports or by search engine indexing. It’s not clear who, if anyone beyond Serviceaide, accessed the data; however, the danger is that criminal actors run automated scans for exactly such exposures. The Serviceaide case underscores the growing challenge with cloud storage and “shadow data”: a vendor spins up a cloud database for convenience but fails to secure it properly. The lesson for all healthcare entities is to enforce strict cloud security policies and routinely audit cloud resources for misconfigurations[118]. The Department of Health and Human Services even highlighted that exposed databases are a common cause of breaches, urging entities to double-check authentication controls on any cloud-based data stores[118]. In summary, while no mastermind hacker breached Serviceaide, the incident had the same effect as a hack – sensitive data in the open – and thus it’s counted among the top “cyber” incidents. It reminds us that cybersecurity isn’t just about defeating hackers; it’s also about avoiding unforced errors that can leak data just as surely as any malware.
The 2025 healthcare cyberattacks reveal critical patterns and lessons for the entire industry. A striking insight is that an overwhelming majority of compromised health records came not directly from hospitals, but from their vendors and business associates[8]. Attackers have realized that breaching one third-party service provider (like a billing company or IT firm) can yield data from dozens of healthcare organizations at once[22][93]. Additionally, many attacks exploited basic security lapses such as phishing, weak or misconfigured systems, and lack of network segmentation. Below are key takeaways and best practices to help healthcare institutions bolster their cyber defenses:
In conclusion, the top cyberattacks of 2025 underscore that healthcare data – rich with personal, financial, and medical details – remains a prized target for cybercriminals. Attacks ranged from sophisticated ransomware operations to preventable errors like misconfigured databases. The silver lining is that each incident holds lessons. By learning from these breaches and implementing robust cybersecurity and privacy practices, healthcare institutions can better safeguard their systems and, most importantly, protect the patients who entrust them with their most sensitive information. As attackers continue to evolve, so must the defenses – through vigilance, education, and a proactive, layered security approach that treats every link in the chain as mission-critical to protect[123][118].
Sources: The information in this article is sourced from official breach notifications, industry analyses, and cybersecurity news reports, including the U.S. Department of Health and Human Services breach portal and expert commentary from the American Hospital Association and security firms. Notable references include HIPAA Journal reports on each incident[6][15][26][33][48][58][70][82][99][110], as well as summaries by security researchers and organizations like BankInfoSecurity[124][125], Paubox[126][127], and Bright Defense[128][129]. These sources provide a comprehensive view of the attacks’ scope, impact, and the cybersecurity lessons learned.
[1] [8] [11] [77] [119] [120] [121] 2025 Cybersecurity Year in Review, Part One: Breaches and Defensive Measures | AHA News
[2] [3] [5] [6] Yale New Haven Health Will Pay $18M to Settle Hack Lawsuit
https://www.bankinfosecurity.com/yale-new-haven-health-will-pay-18m-to-settle-hack-lawsuit-a-29827
[4] [7] [22] [32] [37] [38] [39] [40] [128] [129] 60+ Healthcare Data Breach Statistics (Oct - 2025)
https://www.brightdefense.com/resources/healthcare-data-breach-statistics/
[9] [10] [20] [23] [51] [67] [124] [125] Hacks Lead Health Data Breach Trends So Far in 2025
https://www.bankinfosecurity.com/hacks-lead-health-data-breach-trends-so-far-in-2025-a-28909
[12] [13] [14] [16] [24] [25] Anatomy of an Attack: Healthcare Data Breach Exposes 5.4 Million Patient Records — ExtraHop
https://www.extrahop.com/blog/healthcare-data-breach-exposes-5.4-million-patient-records
[15] [17] [18] [19] Episource Cyberattack Attack Affects More Than 5.4 Million Individuals
https://www.hipaajournal.com/episource-data-breach/
[21] [54] [55] [57] [58] [59] [62] [63] [64] [65] [66] Ransomware Attack on Frederick Health Medical Group Affects 934,000 Patients
https://www.hipaajournal.com/frederick-health-medical-group-ransomware-attack/
[26] [27] [28] [29] [31] Blue Shield of California Announces Impermissible Disclosure of PHI to Google Ads: 4.7 Million Affected
https://www.hipaajournal.com/blue-shield-of-california-google-ads-data-breach/
[30] [107] [108] [109] [110] [111] [112] [114] [117] [118] Unsecured Serviceaide Database Exposed Data of 483,000 Catholic Health Patients
https://www.hipaajournal.com/serviceaide-data-breach/
[33] [34] [35] [36] [41] Southeast Series of Lockton Companies Facing Multiple Lawsuits over 1M-Record Breach
https://www.hipaajournal.com/southeast-series-of-lockton-companies-data-breach-litigation/
[42] [69] [70] [71] [72] [74] [78] [79] Vendors Veradigm and ApolloMD Report Health Data Hacks
https://www.bankinfosecurity.com/vendors-veradigm-apollomd-report-health-data-hacks-a-29542
[43] [44] [45] [46] [47] [48] [49] [50] [52] [53] Over 1 Million Patients Affected by Community Health Center Data Breach
https://www.hipaajournal.com/community-health-center-data-breach/
[56] [60] One in Three Hospitals Confirm Cyber Incidents Directly Impacted ...
https://censinet.com/perspectives/hospitals-cyber-incidents-impact-patient-care
[61] Frederick Health Data Breach Exposes 934,326 Patient Records
https://ssojet.com/blog/frederick-health-data-breach-exposes-934326-patient-records
[68] [76] Medusind Data Breach Investigation - Strauss Borrelli PLLC
https://straussborrelli.com/2025/01/08/medusind-data-breach-investigation/
[73] Owings v. Medusind Settlement Layout - Home
https://www.medusinddataincidentsettlement.com/
[75] Medusind to Pay $5 Million to Settle Data Breach Litigation
https://www.hipaajournal.com/medusind-5-million-data-breach-settlement/
[80] [81] [82] [83] [84] [85] [87] [89] [91] [93] Kelly Benefits data breach impacts over half a million customers
https://www.paubox.com/blog/kelly-benefits-data-breach-impacts-over-half-a-million-customers
[86] [88] Kelly Benefits Notifies Guardian Life Insurance Customers of Data ...
https://www.jdsupra.com/legalnews/kelly-benefits-notifies-guardian-life-3734938/
[90] [92] [PDF] kelly-and-associates-insurance-group-data-breach-notice.pdf
https://www.classaction.org/media/kelly-and-associates-insurance-group-data-breach-notice.pdf
[94] [95] [96] [97] [98] [99] [100] [103] [104] [105] [106] Numotion Reports Email Data Breach Affecting Almost 500,000 Individuals
https://www.hipaajournal.com/numotion-email-data-breach-494k/
[101] [102] Almost 500K impacted by Numotion breach - SC Media
https://www.scworld.com/brief/almost-500k-impacted-by-numotion-breach
[113] Agentic AI Tech Firm Says Health Data Leak Affects 483,000
https://www.bankinfosecurity.com/agentic-ai-tech-firm-says-health-data-leak-affects-483000-a-28424
[115] Agentic AI data breach exposes 483,000 New York health system ...
[116] Serviceaide Facing Multiple Class Action Lawsuits Over 483K ...
https://www.hipaajournal.com/serviceaide-class-action-data-breach-lawsuits/
[122] Healthcare ransomware attacks surge 30% in 2025, as cybercriminals shift focus to vendors and service partners - Industrial Cyber
[123] [126] [127] Top healthcare data breaches of 2025 affect over 29 million (so far)
https://www.paubox.com/blog/top-healthcare-data-breaches-of-2025-affect-over-29-million-so-far
