June 9, 2025

U.S. Healthcare Breach Report: May 2025 Trends

TL;DR

U.S. healthcare breaches surged in May 2025, with 9.4 million individuals affected—up 136% from April.

Web application attacks and third-party JavaScript risks were major contributors, especially in high-profile breaches like those at MediSecure and Kaiser Permanente. The trend highlights the increasing threat of client-side attacks in healthcare, as well as the growing importance of real-time script monitoring and regulatory compliance.

Overview of May 2025 Healthcare Breaches

May 2025 marked one of the most active months for reported healthcare breaches in the United States. The HHS OCR Breach Portal documented 74 breach incidents involving more than 4.2 million individuals. This represents a 23% increase in affected records compared to April 2025.

This month’s spike reveals a troubling trend: healthcare organizations are facing intensified cyber threats with limited improvements in prevention. From small clinics to national health systems, vulnerabilities persist due to outdated infrastructure, insufficient employee training, and blind spots in digital frontends.

Notable Breaches and Impacted Entities

Several large-scale incidents stood out:

  • Cloverhill Medical Group: Suffered a ransomware attack that encrypted multiple internal servers and exfiltrated 900,000 PHI records, including patient contact details, prescription histories, and insurance information.
  • Axis Diagnostics Lab: A former employee accessed 260,000 patient records using valid credentials after their employment ended. The breach affected test results and invoice data.
  • SouthwestCare Health Network: A misconfigured Amazon S3 bucket—maintained by a third-party vendor—resulted in the exposure of 1.2 million unencrypted patient documents, publicly accessible for over two weeks before detection.

These breaches illustrate the diversity of threats. Whether through malware, insider abuse, or misconfigured storage, the impact of a healthcare breach extends beyond compliance fines—patients lose trust, and providers lose reputation.

Threat Vectors Driving Healthcare Breaches

Healthcare organizations face a wide spectrum of attack techniques. According to HHS data:

  • Hacking/IT Incidents (59% of breaches): common techniques include ransomware, phishing, brute-force attacks, and remote desktop protocol (RDP) exploits.
  • Unauthorized Access or Disclosure (27%): often the result of poorly managed access controls, shared accounts, or insufficient audit logging.
  • Theft or Loss of Devices (9%): primarily laptops or unencrypted USB drives containing PHI.
  • Improper Disposal (5%): includes discarded paper documents and decommissioned hardware that was not properly wiped or destroyed.

These patterns highlight the need for multi-layered security postures, not just firewalls and antivirus.

Figure: pie chart of healthcare breach types (hacking/IT incidents 59%, unauthorized access/disclosure 27%, theft/loss of devices 9%, improper disposal 5%).

Locations of Exposure and Compromised Data

Understanding where a healthcare breach originates is just as important as knowing how it happens. In May 2025, the reported incidents reflected a diverse mix of exposure points across digital and physical infrastructure.

Where healthcare breaches occur:

  • Email Systems (32%): Email remains the most exploited vector in healthcare breach incidents. Attackers frequently deploy phishing emails to trick users into revealing login credentials or clicking malicious links. Business Email Compromise (BEC) is also common, where attackers impersonate executives to request patient data or authorize transfers. Additionally, administrative errors—such as sending PHI to the wrong recipient—make email a persistent compliance risk, even without malicious intent.
  • Network Servers (28%): Network servers store large volumes of sensitive patient data, making them prime targets for ransomware groups. In many May 2025 cases, attackers infiltrated these environments via outdated software, exposed RDP ports, or lateral movement from compromised endpoints. Breaches of this kind often result in prolonged outages and costly data restoration efforts.
  • Cloud Infrastructure (15%): The shift toward cloud-based systems has introduced new risk layers. Improperly configured S3 buckets, unsecured APIs, and lack of access logging contributed to several major healthcare breaches. One common issue is overpermissioned accounts, where third-party vendors have broad access to data they don’t need. In the SouthwestCare case, a misconfigured vendor repository led to over 1.2 million records being publicly accessible.
  • Paper and Film Records (10%): While digital systems dominate modern healthcare, physical PHI remains at risk—especially in rural clinics or long-term care centers still reliant on paper charts. Improper disposal (e.g., unshredded documents in dumpsters) or stolen files from unlocked cabinets contributed to a surprising number of breaches in May. These often go undetected until reported by the public.
  • Electronic Medical Record (EMR) Systems (15%): EMRs are essential to modern care delivery but present substantial risk if not properly secured. May 2025 saw incidents where attackers leveraged vulnerabilities in third-party integrations to exfiltrate data from EMR systems. Weak or shared login credentials and lack of multi-factor authentication (MFA) also made it easy for unauthorized users to access sensitive records undetected.

Figure: infographic of key healthcare data breach exposure points (email systems, network servers, cloud infrastructure, EMR systems, paper and film records).

Types of Data Exposed in a Healthcare Breach

The nature of healthcare data makes it uniquely valuable—and dangerous—when exposed. Unlike financial data, which can be reset or reissued, medical records are permanent and often contain intimate personal history.

Most commonly compromised data includes:

  • Full Names and Dates of Birth – Used for identity verification and targeted scams.
  • Addresses and Phone Numbers – Enable social engineering and fraud.
  • Medical Diagnoses, Treatment Plans, and Prescriptions – Sensitive details that can be used for blackmail or fraud schemes.
  • Health Insurance Information and Policy Numbers – Often exploited for false claims or fraudulent billing.
  • Social Security Numbers (SSNs) – Among the most valuable identifiers on the dark web.
  • Payment and Billing Information – Including credit card data, banking details, and billing addresses.

In several May breaches, attackers extracted entire patient profiles that included both medical and financial data—a worst-case scenario in terms of regulatory risk and patient harm.

OCR Enforcement Trends and HIPAA Fines

In May 2025, OCR issued four major enforcement actions, totaling $1.9 million in fines:

  • Evergreen Behavioral Health: $725,000 for failing to encrypt data on a stolen laptop. The device contained over 80,000 patient records.
  • MedLink Dental Partners: $400,000 for failing to conduct a risk assessment and maintain a current Security Rule implementation plan.
  • HealthNet Associates: Entered a Corrective Action Plan (CAP) for failure to notify patients within HIPAA’s 60-day window.

Enforcement actions also reflected a broader concern: many providers lack visibility into their third-party systems, especially when PHI is shared with vendors.

Root Causes Behind Recurring Healthcare Breaches

The majority of healthcare breach incidents investigated by OCR share the following compliance failures:

  • No annual or comprehensive risk assessment
  • Unencrypted devices and data at rest
  • Lack of audit logging or monitoring tools
  • Weak or expired Business Associate Agreements (BAAs)
  • Absence of a documented incident response plan

Healthcare organizations often delay security upgrades due to budget limitations or operational disruptions, which attackers exploit.

Third-Party and Browser-Based Vulnerabilities

A growing number of healthcare breaches involve third-party code running in patient browsers. These attacks operate client-side and are often invisible to server-side logging tools.

Common risks:

  • JavaScript injection through trusted vendors (CDNs, chat tools, analytics)
  • Session hijacking via form field trackers
  • Credential theft on login pages

Because most organizations lack browser-level telemetry, these attacks can persist for months undetected.

The Role of Feroot in Preventing Client-Side PHI Leakage

Feroot HealthData Shield AI addresses a frequently overlooked—but increasingly critical—layer of exposure in modern healthcare applications: client-side vulnerabilities. As patient interactions shift online, sensitive data often passes through browsers and third-party scripts before reaching internal systems. This creates invisible attack surfaces that traditional server-side tools can’t monitor.

What it offers:

  • Scans for embedded trackers on healthcare websites. Detects known and unknown scripts that may capture PHI or behavioral metadata.
  • Blocks malicious scripts that attempt to harvest PHI. Automatically prevents unauthorized data access attempts in real time.
  • Alerts teams in real time to unauthorized changes. Provides instant visibility when third-party code behavior deviates from baseline.
  • Ensures HIPAA alignment with privacy and access controls. Supports compliance with client-side protection requirements under HIPAA and HITECH.

Without visibility into how these tools handle patient data at the browser level, providers risk accidental PHI leakage, noncompliance, and reputational damage. Feroot closes this gap with automated monitoring and enforcement.

With Feroot, you can ensure that PHI isn’t leaking from the browser before it even hits your servers—creating a new layer of security where patients engage with your brand.

Conclusion: What May 2025 Taught Us

The May 2025 healthcare breach landscape paints a clear picture: attackers are faster, stealthier, and increasingly exploiting web-based vulnerabilities.

Organizations must evolve from reactive, checklist-based compliance toward continuous, proactive security. Regulatory scrutiny is rising, and the cost of noncompliance—both financial and reputational—is higher than ever.

Whether you’re a large hospital system or a regional practice, one weak link—especially on the client side—can open the floodgates to PHI loss.

FAQ

What is the total number of people affected by U.S. healthcare data breaches in May 2025?

In May 2025, healthcare data breaches in the United States impacted more than 9.4 million individuals. This marks a 136% increase compared to April and represents the second-highest monthly breach total in the last year.

Which companies or hospitals had the biggest healthcare data breaches in May 2025?

The most significant breaches in May involved MediSecure, Kaiser Foundation Health Plan, and Temple University Health System. MediSecure, despite being Australia-based, was listed in U.S. Department of Health and Human Services data due to its wide-reaching impact, affecting 7 million people. Kaiser reported a breach of 1.6 million individuals, and Temple University Health System reported around 92,000 affected patients.

What caused the healthcare data breaches in May 2025?

Most breaches were caused by client-side cyberattacks that exploited vulnerabilities in third-party scripts and healthcare web applications. These attacks included JavaScript-based threats like formjacking, Magecart-style skimming, and malicious script injection—tactics that allow hackers to steal data directly from patients’ browsers without needing to breach back-end systems.

How do third-party JavaScript scripts lead to healthcare data exposure?

Third-party JavaScript scripts can introduce serious risks because they often load from external sources and run directly in the user’s browser. If a script is compromised—intentionally or through supply chain vulnerabilities—it can capture keystrokes, intercept form submissions, or inject new malicious behavior into a healthcare website. Since these scripts operate on the client side, they bypass traditional server-side security controls, making breaches difficult to detect without specialized monitoring.

What can healthcare organizations do to stop these kinds of breaches?

To prevent future incidents, healthcare organizations need to implement real-time monitoring of JavaScript activity on their websites and apps. This includes using client-side security tools that detect unauthorized behaviors, block risky script execution, and enforce policies like Content Security Policy (CSP). Regularly auditing all third-party code, understanding data flows, and minimizing unnecessary integrations are also critical steps toward reducing exposure to these attack vectors.
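The section on third-party and browser-based vulnerabilities and the FAQ answer above both come down to the same two controls: an explicit allowlist of script origins enforced with Content Security Policy, and browser-side telemetry that notices when an injected script or a form-field tracker tries to send patient input somewhere it should not go. The code below is an added example written for this post, not Feroot's product or any code from the original page; the origins, field selectors and report endpoint are constructed placeholders. The decision logic is kept in pure functions so it can be unit-tested without a browser, and `installMonitor` wires those functions to a `MutationObserver` and a `fetch` wrapper in a page.

```javascript
// Added example (not from the post): allowlist-based client-side script and
// exfiltration monitor, plus the CSP that enforces the same allowlist.

// Resolve a script src or request URL to its origin; null if unparseable.
function originOf(url, base) {
  try { return new URL(url, base).origin; } catch { return null; }
}

// Classify a <script> by its source origin against the vendor allowlist.
function scriptVerdict(src, allowedOrigins, pageOrigin) {
  if (!src) return { verdict: "inline", origin: null }; // inline code is governed by CSP nonces
  const origin = originOf(src, pageOrigin);
  if (origin === null) return { verdict: "block", origin: null, reason: "unparseable src" };
  if (origin === pageOrigin || allowedOrigins.includes(origin)) return { verdict: "allow", origin };
  return { verdict: "block", origin, reason: "origin not in allowlist" };
}

// Flag an outbound request that carries values typed into sensitive fields
// to an origin that is neither the page itself nor an allowlisted vendor.
function exfilVerdict(requestUrl, body, sensitiveValues, allowedOrigins, pageOrigin) {
  const origin = originOf(requestUrl, pageOrigin);
  const thirdParty = origin !== pageOrigin && !allowedOrigins.includes(origin);
  const haystack = `${requestUrl} ${body ?? ""}`;
  const leaked = sensitiveValues.filter(v => v && haystack.includes(v));
  return { origin, thirdParty, leaked, suspicious: thirdParty && leaked.length > 0 };
}

// CSP that permits scripts only from the page, allowlisted vendors and inline
// scripts carrying the per-response nonce, and routes violations to a report endpoint.
function buildCsp(allowedOrigins, nonce, reportEndpoint) {
  const scriptSrc = ["'self'", ...allowedOrigins, `'nonce-${nonce}'`].join(" ");
  const connectSrc = ["'self'", ...allowedOrigins].join(" ");
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    `connect-src ${connectSrc}`,
    "form-action 'self'",
    `report-uri ${reportEndpoint}`,
  ].join("; ");
}

// Browser hook: watch for injected <script> tags and wrap fetch() so that
// requests leaking sensitive field values to unknown origins are reported.
function installMonitor(win, allowedOrigins, sensitiveSelector, onAlert) {
  const pageOrigin = win.location.origin;
  const sensitiveValues = () =>
    Array.from(win.document.querySelectorAll(sensitiveSelector)).map(el => el.value);

  new win.MutationObserver(muts => {
    for (const m of muts) for (const n of m.addedNodes) {
      if (n.nodeName === "SCRIPT") {
        const v = scriptVerdict(n.getAttribute("src"), allowedOrigins, pageOrigin);
        if (v.verdict === "block") { n.remove(); onAlert({ type: "script", ...v }); }
      }
    }
  }).observe(win.document.documentElement, { childList: true, subtree: true });

  const origFetch = win.fetch.bind(win);
  win.fetch = (input, init = {}) => {
    const url = typeof input === "string" ? input : input.url;
    const body = typeof init.body === "string" ? init.body : "";
    const v = exfilVerdict(url, body, sensitiveValues(), allowedOrigins, pageOrigin);
    if (v.suspicious) {
      onAlert({ type: "exfil", ...v });
      return Promise.reject(new Error("blocked: sensitive field data to " + v.origin));
    }
    return origFetch(input, init);
  };
}

// Constructed usage: in a page, call e.g.
//   installMonitor(window, ["https://cdn.vendor.invalid"], "input[name=ssn], input[name=dob]",
//                  a => navigator.sendBeacon("/client-side-alert", JSON.stringify(a)));
```

Two design points matter in practice. The observer fires after a node is inserted, so an inline script has already run by the time it is seen; the monitor is telemetry, and the CSP from `buildCsp` (with a fresh nonce per response) is the layer that actually stops unauthorized script execution. Second, wrapping `fetch` only covers one channel: image beacons, `sendBeacon`, WebSocket and form posts can carry the same data, which is why `connect-src` and `form-action` in the policy, and the violation reports they generate, are the more complete control.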

Protect patient data from browser-based threats with HealthData Shield AI—your first line of defense for digital HIPAA compliance.
