The Buzz This Week
New data from the US Department of Health and Human Services’ (HHS) Office for Civil Rights found that cyberattacks in 2025 compromised almost 57 million medical records, down from 259 million in 2024 and 138 million in 2023.
While this is a meaningful decrease in the number of records affected, the volume of successful cyberattacks remains elevated. The scale of what is at risk in the event of a breach underscores the need for continued vigilance.
Simultaneously, the rapid adoption of AI may be introducing new vulnerabilities and increasing risk for healthcare organizations.
According to the HHS Office for Civil Rights:
- 15 healthcare data breaches affected more than 500,000 individuals.
- Hackers stole more than 80% of the compromised protected health information (PHI) from third-party vendors, software services, business associates, non-hospital providers, and health plans.
- Hackers stole more than 90% of the PHI outside of an electronic health record system.
Much of the drop in affected patients can be attributed to healthcare organizations’ increased focus on cybersecurity in the wake of the 2024 Change Healthcare attack. But recent surveys and studies suggest the healthcare sector is not confident in its ability to combat cybersecurity risks. The average cost of healthcare data breaches is in the millions, and each one takes the better part of a year to identify and contain.
Why It Matters
Cyberattacks can derail typical healthcare operations, shutting off access to key technology, delaying care, and forcing hospitals to divert emergency cases. They can also lead to compromised patient data and identity theft. The pediatric population is especially vulnerable and a high-value target because children's credit histories typically go unmonitored for years.
Data privacy and cybersecurity remain top of mind for the healthcare sector as technology continues to advance faster than healthcare organizations can write policies.
These increased cyber incidents come as the industry pursues increased technological innovation, including AI tools. Across industries, AI models and applications are an emerging attack surface.
With the proliferation of AI, threats are evolving more quickly and are harder to spot. AI compresses the time to impact, resulting in faster fraud, faster intrusion, and higher-scale targeting. Cyber criminals are using agentic automation that accelerates phishing and intrusion. And deepfakes can convincingly impersonate trusted individuals, driving fraud and credential theft.
From a data privacy perspective, AI models and sensitive datasets have become prime targets. These high-value assets are ideal for theft and tampering—resulting in multiple layers of downstream impact.
In the most recent Verizon Data Breach Investigations Report, threat actors are using AI-written content to scale phishing. Synthetic text in malicious emails doubled over the past 2 years. At the same time, routine employee use of generative AI is creating a data-leak pathway, typically outside established corporate controls and guardrails.
The healthcare industry’s focus on defense and resilience has become essential. In a survey published by law firm Norton Rose Fulbright, litigation over data privacy regulation and legal trouble related to medical data breaches were among the top concerns for healthcare respondents. Settlements frequently make headlines and cost organizations upwards of $1 million.
According to John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, an increasing portion of data theft breaches target third parties, business associates, and non-hospital providers.
This is in part because vendors are handling patient data when provider organizations use software as a service (SaaS) and cloud-based solutions. Consequently, hospital leaders are demanding their vendors, suppliers, and partners have robust cybersecurity controls.
In a sector where downtime directly affects patient care, faster recovery is paramount. But prevention should be the goal—safeguarding care delivery, patient privacy, and even the organization itself. Healthcare organizations need to design durable cybersecurity programs that can withstand the strain of stressful events and operationalize lessons learned to develop more effective and resilient security processes.
Additional contributors: Zahid Rathore, Senior Partner, and John Petersen, Partner.
Related links
- American Hospital Association: 2025 Cybersecurity Year in Review, Part One: Breaches and Defensive Measures | AHA News
- Fierce Healthcare: How healthcare ransomware attacks are shifting in 2025
- Modern Healthcare: Cybersecurity, billing top healthcare legal concerns in 2026