Here’s a number that sounds terrible: at least 642 healthcare data breaches were reported to HHS in 2025, exposing the records of nearly 57 million people.
Here’s a number that sounds almost encouraging by comparison: that’s actually a 78.9% drop in affected people from 2024, when 251 million records were compromised.
Both numbers are real. Both come from the HHS Office for Civil Rights breach portal. And together, they tell a story that every small practice needs to understand — because the threat isn’t getting smaller. It’s getting closer to you.
Strip the Change Healthcare Outlier and the Picture Changes
The 2024 numbers were dominated by one event: the Change Healthcare breach, which exposed data on 192.7 million Americans. That single incident — one company, one set of stolen credentials, no multi-factor authentication — accounted for more than three-quarters of all records compromised that year.
Strip Change Healthcare from the 2024 totals and the year-over-year comparison looks very different. The remaining breaches in 2024 affected roughly 58 million people. In 2025, it was 57 million. Nearly identical.
What did change is the number of organizations getting hit. The breach count in 2025 represents a 13.5% decline from 2024’s 742 reported breaches — but that 2024 figure included late additions from the government shutdown processing backlog. The real story is that hundreds of separate healthcare organizations reported breaches to OCR in a single year. That’s roughly 12 new breaches per week, every week, for the entire year.
And the organizations absorbing those attacks aren’t all hospital systems with 10,000 beds. Increasingly, they’re practices like yours.
Healthcare Breach Trends: The Shift Toward Smaller Targets
The data from 2025 confirms a trend that’s been building for three years: attackers are going wider and smaller.
Minor breaches involving fewer than 5,000 records represented 53% of all incidents in 2025. But they contributed less than 2% of total exposed records. That’s a pattern of widespread, contained attacks — lots of organizations getting hit, each losing a relatively small number of records.
Meanwhile, ransom demands dropped 91%, falling to an average of $343,000 in 2025 from $4 million in 2024. That’s not because attackers got more charitable. It’s because they shifted strategy. Instead of spending months infiltrating a major health system and demanding a multi-million dollar payout, they’re hitting dozens of smaller targets with lower demands that are easier to collect.
The math works for them. Ten practices paying $50,000 each is more reliable income than one hospital that might refuse to pay $4 million.
For a small practice, this is the number that matters: ransomware attacks on healthcare surged 30% in 2025, with attackers increasingly targeting vendors and service partners rather than hospitals directly. Over 80% of stolen protected health information came from third-party vendors, software services, business associates, and non-hospital providers.
You don’t have to be a big target to be a target. You just have to be a connected one.
The 5 Attack Patterns Hitting Small Practices in 2025
Based on the 2025 breach data from the HIPAA Journal’s annual report and OCR’s breach portal, here’s what’s actually happening at the practice level.
1. Phishing and Email Compromise Remain the Top Attack Vector
Hacking and IT incidents accounted for more than 80% of large healthcare data breaches in 2025. Within that category, email-based attacks were a major driver. These aren’t sophisticated zero-day exploits. They’re fake login pages, spoofed vendor emails, and credential-stuffing attacks that work because someone reused a password or clicked a link without checking the sender.
2. Exploited Vulnerabilities Overtook Credential Theft
For the first time in three years, healthcare providers identified exploited vulnerabilities as the most common technical root cause, showing up in 33% of incidents. That means unpatched software, outdated systems, and internet-facing applications with known security holes. If your practice management software or remote access tools haven’t been updated recently, they may already be on an attacker’s list.
3. The Staffing and Capacity Problem Is Real
The most common factor contributing to successful ransomware attacks was lack of people and capacity, cited in 42% of incidents. Right behind it: known security gaps that simply hadn’t been addressed, at 41%. Small practices don’t have dedicated security teams. That’s not a moral failing — it’s a resource reality. But attackers know it, and they exploit it.
4. Business Associates Are a Growing Attack Surface
Healthcare ransomware attacks shifted focus to vendors and service partners in 2025. There were 130 confirmed attacks on healthcare businesses, breaching over 6 million records with an average ransom demand of $532,000. Your billing company, your IT vendor, your EHR provider — if they get compromised, your patients’ data goes with them.
5. The Largest 2025 Breaches Show Nobody Is Immune
The biggest breaches of 2025 included Yale New Haven Health System (5.6 million records), Episource (5.4 million from a ransomware attack), Blue Shield of California (4.7 million from a Google Analytics misconfiguration), and DaVita (2.7 million from encrypted network elements). Even well-resourced groups with dedicated security teams got hit.
What a Healthcare Data Breach Actually Costs in 2025
IBM’s 2025 Cost of a Data Breach report found that healthcare breaches cost an average of $7.42 million. That’s down from $9.77 million in 2024, but healthcare has held the top spot as the most expensive industry for breaches for 14 consecutive years.
A small practice obviously isn’t absorbing a $7.42 million loss — that average includes large health systems with complex IT environments. But the cost categories are instructive regardless of size:
- Detection and escalation: $1.47 million average
- Lost business costs: $1.38 million average
- Post-breach response: $1.2 million average
- Breach lifecycle: 279 days from compromise to containment — five weeks longer than the global average
For a small practice, scale those numbers down and you still get a devastating picture:
- Forensic review: $15,000 to $50,000
- Legal counsel: $10,000 to $100,000
- Patient notification: $5,000 to $25,000
- OCR investigation and possible fines: $50,000 to $2 million
- Lost patients and reputational damage: incalculable
Four times as many healthcare organizations suffered financial losses of at least $200,000 in 2025 compared to 2024. And 12% of healthcare organizations experienced cyberattack-related losses exceeding $500,000, up from just 2% the year before.
The financial impact is spreading down-market along with the attacks themselves.
OCR Enforcement Is Targeting Small Practices
If you think OCR only goes after hospital systems, the 2025 enforcement data says otherwise.
OCR imposed 21 financial penalties in 2025 — the second-highest annual number on record. Many of those came through OCR’s risk analysis enforcement initiative, which specifically targets organizations that failed to conduct or document a proper HIPAA risk analysis.
The total in enforcement collections since 2024: $9.4 million. Organizations that settled paid about 18% less on average than those who received civil monetary penalties — which tells you that cooperation matters, but only if you have something to cooperate with. If OCR comes knocking and you have no risk analysis, no documented policies, and no training records, the conversation starts in a very different place.
The 2026 HIPAA penalty tiers — updated in January 2026 for inflation — start at $145 per violation for violations the entity did not know about and go up to $2,190,294 per year per violation category for willful neglect. Those aren’t theoretical numbers. They’re the enforcement schedule OCR is actively applying.
Risk analysis failures remain the most commonly cited violation in OCR investigations. That’s the single most important document in your compliance program — and the one that’s most often missing.
Cyber Insurance for Healthcare Is No Longer Optional
Cyber insurance for healthcare practices often runs $1,500 to $8,000 per year for $1 million to $5 million in coverage. For a small practice, that’s probably $1,200 to $3,000 annually.
That sounds like an expense until you compare it to what you’d pay without it.
Practices with cyber insurance during the Change Healthcare outage in 2024 had greatly better outcomes. Insurance covered business interruption losses, legal fees, breach response costs, and forensic review. Practices without it absorbed those costs directly — or couldn’t absorb them at all.
Most cyber insurance policies now require baseline security controls to qualify: multi-factor authentication, endpoint detection, backup procedures, and staff training. Those requirements aren’t arbitrary. They’re the same controls that would have prevented a major percentage of the 2025 breaches.
Getting insured forces you to get your house in order. And if something still goes wrong, the policy absorbs the financial shock that would otherwise threaten your practice’s survival.
7 Things Small Practices Should Do Right Now
The 2025 data is clear about who’s getting hit and why. Here’s what actually reduces your risk.
1. Enable Multi-Factor Authentication on Everything
Email, EHR, remote access, cloud storage. MFA stops the majority of credential-based attacks. The Change Healthcare breach — 192.7 million records — happened because MFA wasn’t enabled on a remote access portal. One setting.
2. Train Your Staff This Quarter
Not next year. This quarter. Email-based attacks rely on human error. A 30-minute training session on recognizing phishing emails, verifying sender addresses, and reporting suspicious messages costs nothing and addresses the single largest attack vector in healthcare.
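The phishing section above and this training step both come down to the same habit: checking who an email really came from before acting on it. As an added illustration (not code from the original article), the Python below turns that habit into an automated check a practice could run on suspicious messages: it flags a display name that borrows a vendor’s name while the address domain differs, a Reply-To or Return-Path that points somewhere other than the visible sender’s domain, and a From domain that is a close lookalike of a trusted one. The TRUSTED_DOMAINS list, the 0.85 lookalike threshold, the function names, and both sample messages are constructed for this example.

```python
"""Flag sender-spoofing signals in raw email headers.

Added illustration for this article, not code from the original page.
The trusted-domain list and the sample messages are constructed examples.
"""
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: domains this (hypothetical) practice actually deals with.
TRUSTED_DOMAINS = {"examplebilling.com", "example-ehr.com"}

# Similarity above which an unknown domain is treated as a lookalike of a trusted one.
LOOKALIKE_THRESHOLD = 0.85


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_spoof_findings(raw_message: str) -> list[str]:
    """Return human-readable findings for header patterns typical of spoofed vendor mail."""
    msg = email.message_from_string(raw_message)
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Display name borrows a trusted vendor's name, but the address is not that vendor's domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in from_name.lower() and from_dom != trusted:
            findings.append(f"display name mentions '{brand}' but address domain is {from_dom}")

    # 2. Reply-To sends the reply somewhere other than the apparent sender's domain.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Envelope sender (Return-Path) uses a different domain from the visible From.
    envelope_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"Return-Path domain {envelope_dom} differs from From domain {from_dom}")

    # 4. Lookalike domain: not on the allow-list but very close to something that is.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if SequenceMatcher(None, from_dom, trusted).ratio() >= LOOKALIKE_THRESHOLD:
                findings.append(f"From domain {from_dom} looks like trusted domain {trusted}")

    return findings


# Constructed sample: a spoofed "vendor" message with one letter dropped from the domain.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-delivery.example.net>
From: "ExampleBilling Support" <support@examplebiling.com>
Reply-To: <accounts@examplebiling-secure.net>
To: frontdesk@smallpractice.example
Subject: Action required: updated remittance portal login

Please sign in at the new portal to confirm your credentials.
"""

# Constructed sample: a genuine message from the allow-listed vendor domain.
SAMPLE_LEGIT = """\
Return-Path: <support@examplebilling.com>
From: "ExampleBilling Support" <support@examplebilling.com>
To: frontdesk@smallpractice.example
Subject: Monthly statement

Your statement is attached.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(f"{label}: {sender_spoof_findings(sample) or ['no findings']}")
```

Run stand-alone, the spoofed sample produces four findings (display-name mismatch, Reply-To mismatch, Return-Path mismatch, lookalike domain) and the genuine one produces none. The same four questions are what a 30-minute training session should teach staff to ask by eye; the script is only a backstop for the messages that get forwarded to whoever handles IT.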
3. Patch and Update Your Systems
Exploited vulnerabilities were the top technical root cause of healthcare attacks in 2025. If your practice management software, operating systems, or network equipment have pending updates, they’re pending vulnerabilities.
4. Audit Your Business Associates
Make a list of every vendor that touches patient data. Confirm you have a signed BAA with each one. Ask them about their security practices. If they can’t answer basic questions about MFA, encryption, and incident response, that’s a red flag.
5. Complete Your Risk Assessment
If you don’t have a documented, current risk assessment, you have the single most common compliance gap that OCR investigates. HHS offers a free Security Risk Assessment tool — updated to version 3.6 in September 2025. Use it. Or get help — but do it.
6. Get Cyber Insurance
If you don’t have it, get quotes this month. If you do have it, review your policy. Make sure it covers ransomware, business interruption, regulatory fines, and breach notification costs. The coverage requirements will also tell you exactly which security controls you need in place.
7. Build a Ransomware Response Plan
Know exactly what you’ll do in the first 72 hours after an attack. Who calls whom. How you isolate systems. When you notify OCR. Having a plan before you need one is the difference between a bad week and a practice-ending event.
The Bottom Line on Healthcare Breach Statistics
The 2025 breach data tells a specific story: attackers are targeting more organizations with less effort for smaller payouts, and the organizations absorbing the most new risk are small and mid-sized practices with limited IT resources.
The era of “we’re too small to hack” ended years ago. The 2025 numbers just made it impossible to ignore.
Related Reading
- The Change Healthcare Breach One Year Later — What the largest healthcare breach in history means for your practice
- Ransomware Hit Your Practice — The First 72 Hours — Step-by-step response when an attack happens
- Your Vendor Got Hacked — Now What? — How to respond when a business associate is breached
- $6.6 Million in HIPAA Fines in 2025 — The enforcement actions that hit hardest
- The Affordable HIPAA Compliance Starter Kit — What small practices actually need to get compliant
Getting your practice protected doesn’t require an enterprise budget. It requires knowing what to do first and doing it methodically. One Guy Consulting builds affordable HIPAA compliance programs for independent practices and small clinics. Explore HIPAA compliance services.