Communications Director, Connecticut Hospital Association
110 Barnes Road, Wallingford, CT
rall@chime.org, 203-265-7611
DAILY NEWS CLIP: January 21, 2026
Modern Healthcare – Wednesday, January 21, 2026
By Tim Broderick
After the largest-ever number of Americans had their health data compromised in 2024, the last year saw significant improvement.
Roughly 46 million medical records were breached in 2025, an 84% decrease from the year before, according to the Health and Human Services Department’s Office for Civil Rights.
Security experts attribute the reduction to an increased provider focus on third-party business partners.
Breach incidents in 2025, including those from loss or unauthorized disclosures, were down 10.6% from 2024. The number of individual records affected plummeted, although some people may have had their records involved with multiple breaches. The Change Healthcare data breach, affecting 192.7 million people, accounted for the vast majority of individuals affected by breaches in 2024.
John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, and his colleague, Deputy National Advisor for Cybersecurity and Risk Scott Gee, specifically track healthcare data breaches through hacking or IT intrusions, which accounted for about 80% of all reported breaches last year. Most of those kinds of breaches are due to criminal activity, Riggi said.
“It’s preposterous we’re relieved that it’s only 44.6 million people that had their healthcare records stolen in 2025,” he said.
The federal shutdown delayed the OCR from publishing some breaches to its portal, and some 2025 reports may not have been posted as of Jan. 20.
Still, Riggi and Gee said no massive incidents were reported in 2025.
Much of the drop is due to increased focus from healthcare organizations on cybersecurity, especially after the Change Healthcare incident, Riggi said. With an increasing portion of data theft breaches targeting third parties, business associates and non-hospital providers, hospitals have to do more than look internally, he said.
“We hear the message from leaders in hospitals that they understand, especially after Change Healthcare, that they have to focus more on third-party risk identification and risk mitigation,” Riggi said.
Hospital leaders are demanding their vendors, suppliers and partners have robust cybersecurity controls, shifting the primary responsibility for security to the technology and software developers, Riggi said.
“The field is doing a better job at truly understanding risk and strengthening their defenses,” he said.
In a recent survey by law firm Norton Rose Fulbright, cybersecurity topped the list of healthcare legal teams’ concerns about potential exposure to litigation.
Gee said some of the reduction in 2025 may also have been due to international threat actors being busy elsewhere, such as with Russian groups targeting Ukraine.
“It may have been a matter of bandwidth,” Gee said.
The Health and Human Services Department was unable to confirm whether all breaches affecting more than 500 individuals had been posted for 2025, given the potential for more breaches to be reported.