
Top Ten Healthcare Data Breaches Reported in 2025

#1
One dangerous aspect of centralized mass data collection is the inevitable fact that it can and will be hacked:

Quote: Healthcare data breaches remain a challenge for healthcare organizations and their business associates, as exemplified by the nearly 30 million records implicated in large data breaches in the first six months of 2025 alone.

The HHS Office for Civil Rights (OCR) displays healthcare data breaches impacting more than 500 individuals on its breach portal, giving covered entities and the public a peek into this pervasive issue.

Notably, all 10 of the largest breaches involved hacking or IT incidents.
techtarget

Quote: While some of the following data breaches occurred in 2024, this list reflects breaches reported to OCR in 2025.

1. Yale New Haven Health System: 5,556,702 individuals affected

Yale New Haven Health System (YNHHS), the largest health system in Connecticut, reported a multimillion-record healthcare data breach in April 2025. YNHHS said that it discovered unusual activity within its IT systems on March 8, 2025, prompting it to launch an investigation.

YNHHS determined that an unauthorized third party had gained access to its network and obtained copies of data, including names, birthdates, phone numbers, race or ethnicity, addresses, email addresses, patient type, medical record numbers and Social Security numbers.

2. Episource: 5,418,866 individuals affected

Episource, an IT vendor that provides risk adjustment and medical coding services to health plans and providers, suffered a ransomware attack in February 2025 that resulted in a data breach.

The company found unusual activity in its computer systems on Feb. 6, 2025. Episource launched an investigation and determined that a cybercriminal had accessed Episource systems between Jan. 27, 2025, and Feb. 6, 2025, and copied some data.

The data involved in the breach varied but included some combination of name, address, phone number, email, health insurance data, medical record numbers, treatment information and other sensitive data, such as Social Security numbers.

3. Blue Shield of California: 4,700,000 individuals affected

Blue Shield of California notified 4.7 million individuals of a breach that stemmed from a configuration of Google Analytics that allowed it to share member data with Google Ads. Blue Shield said that it used Google Analytics to track website usage of its members in order to improve its services.

4. DaVita: 2,689,826 individuals affected

DaVita's official breach notice stated that the incident began on March 24, 2025, and was not contained until April 12, when experts were able to block the cyberthreat actors from DaVita's servers.

DaVita determined that sensitive data from its dialysis labs database was involved in the incident. The impacted patient information included names, addresses, Social Security numbers, health insurance information, dates of birth, health condition and certain dialysis lab test results. For some impacted individuals, pictures of checks written to DaVita and tax identification numbers were involved.

5. Anne Arundel Dermatology: 1,905,000 individuals affected

Anne Arundel Dermatology disclosed a 1.9-million-record data breach to OCR in July. The dermatology practice operates more than 30 locations across Maryland, Florida, Virginia, Georgia, North Carolina, Pennsylvania and Tennessee.

Anne Arundel Dermatology said that an unauthorized party accessed certain files containing health information between Feb. 14, 2025, and May 13, 2025.

The incident involved names, health insurance information, birth dates and addresses.

   

6. Radiology Associates of Richmond: 1,419,091 individuals affected

Virginia-based Radiology Associates of Richmond (RAR) suffered a data breach in 2024 that it reported to OCR on July 1, 2025. The incident impacted 1.4 million individuals and occurred when an unauthorized party accessed RAR's network between April 2, 2024, and April 6, 2024.

7. Southeast Series of Lockton Companies: 1,124,727 individuals affected

According to a filing that Lockton submitted to the Maine Attorney General's Office, Lockton first discovered suspicious activity on a single computer in November 2024. The company immediately engaged law enforcement and third-party cybersecurity experts to investigate.

The investigation revealed that an unauthorized party had breached a single account and obtained certain files containing sensitive information, such as names, addresses and Social Security numbers.

8. Community Health Center: 1,060,936 individuals affected

Community Health Center, a Middletown, Connecticut-based organization that provides primary care services, reported a data breach that occurred in January 2025. Upon noticing unusual activity within its computer systems, Community Health Center found that a "skilled criminal hacker" had entered its systems and taken some data.

"Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal's activity did not affect our daily operations," a notice provided to state attorneys general stated. "We believe we stopped the criminal hacker's access within hours, and that there is no current threat to our systems."

The information included in the breach included names, addresses, phone numbers, emails, diagnoses, dates of birth, treatment details, test results, Social Security numbers and health insurance information.

9. Frederick Health: 934,326 individuals affected

Maryland-based Frederick Health suffered a ransomware attack on Jan. 27, 2025, that disrupted its IT systems and reportedly resulted in an uptick in patient volume at a neighboring hospital.

The healthcare organization, which operates 25 locations and a network of specialty providers, immediately activated its incident response protocols and took steps to secure its systems. Further investigation determined that an unauthorized party had gained access to the network and copied certain files from a file share server.

The impacted documents contained patient names, addresses, Social Security numbers, driver's license numbers, medical record numbers, dates of birth, health insurance information and clinical information.

10. McLaren Health Care: 743,131 individuals affected

Michigan-based healthcare system McLaren Health Care suffered a criminal cyberattack in August 2024 that resulted in disruptions to its information technology and phone systems. The health system is made up of 13 hospitals as well as a physician network and several ambulatory surgery centers.

McLaren had to activate downtime procedures and cancel some non-emergency appointments and tests as it worked to recover from the cyberattack. According to the official breach notice, the unauthorized network access occurred between July 17, 2024, and Aug. 3, 2024.

The information involved in the breach included names, Social Security numbers, billing or claims information, physician information, dates of birth, diagnoses, medical record numbers and prescription information.

All data pulled from this article: techtarget

All these cases share one moral failing:

Data was collected for profit — not protection.
Security was an afterthought.
Transparency was treated like a liability.

The result? The same corporations who claim to “protect your privacy” are the ones handing it away wholesale, either through negligence or quiet consent agreements buried in legalese.

Bomb

#2
I don't think we should have to give our SS# out for anything now. I get two to three letters every year informing me my medical data has been breached.

The supernatural is the natural that's not yet understood.

#3
Here in Australia, we can keep our government Medicare data from being shared. That was years ago when a centralised government health database was created.  We had the little mentioned option of opting out of the data being shared with anybody, including doctors before it began, which I did. Though, this doesn't stop a doctor creating his own records in his own practice.

The downside is the health care professionals (private and government) have grown dependent on this central database of medical history. 

I use home remedies for most things, and only see them when I can't fix the problem myself, such as broken bones or need stitches, which is rare. So they have f'all.

So medical privacy is proving to be a liability, because health care professionals have no access to my medical history. They are lost without it, and get hostile as if I have taken away something they think they are entitled to.
--------------------------------------------

"Being well adjusted to a sick society is not an indication of health." ~ Jiddu Krishnamurti.

#4
(10-15-2025, 12:21 AM)Nugget Wrote: I don't think we should have to give our SS# out for anything now. I get two to three letters every year informing me my medical data has been breached.

There is absolutely zero reason for you to have to give your SS# to anyone nowadays, other than when you are physically at a Government Office, even then, be wary.

(10-15-2025, 02:02 AM)NobodySpecial268 Wrote: I use home remedies for most things, and only see them when I can't fix the problem myself, such as broken bones or need stitches, which is rare. So they have f'all.

So medical privacy is proving to be a liability, because health care professionals have no access to my medical history. They are lost without it, and get hostile as if I have taken away something they think they are entitled to.

I made a stand against mandatory vaccines and lockdowns here, so my reception at the doctor's office has been less than welcoming since then. They are very hostile towards me and consider us 'extreme' for refusing to be experimented on.

I'm just getting started with 'The Panopticon'.

I suspect some will be in the fetal position, sucking their thumb by the time we go through these topics.  

cypher-owl

#5
(10-15-2025, 10:06 AM)Myke Wrote: There is absolutely zero reason for you to have to give your SS# to anyone nowadays, other than when you are physically at a Government Office, even then, be wary.


I made a stand against mandatory vaccines and lockdowns here, so my reception at the doctor's office has been less than welcoming since then. They are very hostile towards me and consider us 'extreme' for refusing to be experimented on.

I'm just getting started with 'The Panopticon'.

I suspect some will be in the fetal position, sucking their thumb by the time we go through these topics.  

cypher-owl

I quite agree, taking a stand and saying "no" is what we have to do sometimes because once we give away our data, it becomes public knowledge sooner or later. Most folk will simply accept what is going on with the big hacks. Hacks, like adverse reactions to medicines, only get reported ten percent of the time.

These posts are quite educational, and I am of the opinion this is a public service we need. I would venture an educated guess and say CypherAge is perhaps the last of the forums where info like this can be freely posted.

Keep up the good work Myke!

You deserve a beer . . .

Beer Beer Beer
--------------------------------------------

"Being well adjusted to a sick society is not an indication of health." ~ Jiddu Krishnamurti.

#6
(10-15-2025, 10:29 AM)NobodySpecial268 Wrote: I quite agree, taking a stand and saying "no" is what we have to do sometimes because once we give away our data, it becomes public knowledge sooner or later. Most folk will simply accept what is going on with the big hacks.  Hacks, like adverse reactions to medicines, only get reported ten percent of the time.

These posts are quite educational, and I am of the opinion this is a public service  we need. I would venture an educated guess and say CypherAge is perhaps the last of the forums where info like this can be freely posted.

Keep up the good work Myke!

You deserve a beer . . .

Beer  Beer  Beer

3 beers in the morning? Well, if I have to ..   Smiling-face

I think being from Commonwealth nations gives us a, let's just say, 'unique' perspective on things, as our governments are ahead of the curve with their 'Panopticon'.

People stand on 'Rights', but they are of no use if you can't or don't exercise them.

Now if we can only stay ahead of THEIR curve ..

Cheers!