TL;DR: Healthcare data breaches hit 57 million affected individuals in 2025, and 2026 is already stacking up worse. Major breaches at SimonMed Imaging (1.27M patients), Covenant Health (478K), Anne Arundel Dermatology (1.9M), and Illinois DHS (670K+) have dumped medical records, Social Security numbers, and insurance details onto the dark web. Ransomware gangs are treating hospitals like ATMs. If you've had medical care in the last year, there's a decent chance your data is already compromised.

The Numbers Don't Lie

Between 2024 and 2025, the healthcare sector leaked more than 275 million patient records. That's an 63.5% increase from 2023, the worst data exposure in U.S. healthcare history.[1]

Since 2020, over 590 million medical records have been compromised. The American Hospital Association points out the obvious: that's nearly every American, many of them multiple times.[2]

The HHS Office for Civil Rights logged 642 breaches affecting 500 or more people in 2025 alone. Total damage: 57 million individuals.[3]

And that's just the official count. Plenty of breaches go unreported or underreported for months.

The Major Breaches (January 2025 - February 2026)

Here's a sampling of the carnage:

SimonMed Imaging: 1.27 Million Patients

One of the largest outpatient imaging providers in the country got hit by Medusa ransomware in January 2025. Attackers had access to their systems for 16 days (January 21 to February 5) before anyone noticed.[4]

The Medusa gang demanded $1 million ransom and claimed to have stolen 200 GB of data, including identity documents, payment details, medical reports, and raw imaging scans. The entry point? A trusted vendor with system access. SimonMed operates 170+ imaging centers across 11 states.[5]

At least one class action lawsuit is already filed.

Anne Arundel Dermatology: 1.9 Million Patients

This Maryland dermatology practice had hackers in their systems for three months (February 14 to May 13, 2025) before detecting anything.[6]

Exposed: names, dates of birth, Social Security numbers, claim information, billing data, test results, and diagnoses. The company can't even confirm whether the data was exfiltrated. They just know it was accessed.

No ransomware group has claimed credit. Sometimes attackers are just after the data.

Illinois DHS: 672,000+ People

This wasn't a hack. It was negligence.

The Illinois Department of Human Services accidentally made internal mapping data publicly accessible online. For years. They discovered it in September 2025 and announced it in January 2026.[7]

Exposed: names, addresses, and case numbers for 32,000 rehabilitation services customers and 672,600 Medicaid/Medicare recipients. The maps were supposed to help the agency decide where to open new offices. Instead, they exposed the people they're supposed to serve.[8]

Covenant Health: 478,000 Patients

The Qilin ransomware gang hit this Massachusetts-based healthcare system in May 2025. Covenant initially reported 7,864 people affected. After actually analyzing the data in December, they revised it to 478,188.[9]

The stolen data includes SSNs, medical record numbers, insurance information, diagnoses, and treatment details. Qilin published the stolen files online, meaning a ransom wasn't paid and your data is now searchable on the dark web.

McLaren Health Care: 743,000 Patients (Round Two)

McLaren got hit by Inc Ransom in August 2024. They finally notified 743,131 patients in June 2025, almost a year later.[10]

This was McLaren's second ransomware attack in a year. In 2023, ALPHV/BlackCat compromised 2.1 million patient records. Same organization, different gang, same result: stolen SSNs, billing info, and medical records.

During the 2024 attack, some McLaren hospitals diverted ambulances. Appointments and treatments were delayed. Getting hacked has consequences beyond data theft.

Why Hospitals Make Such Good Targets

Healthcare organizations check every box that ransomware gangs love:

  • Can't shut down: Hospitals can't just take systems offline for a week. Lives depend on uptime.
  • Rich data: Medical records contain SSNs, insurance details, addresses, and health conditions: everything you need for identity theft or extortion.
  • Underfunded IT: Many hospitals run ancient systems with minimal security budgets.
  • Sprawling networks: Dozens of connected vendors, imaging systems, electronic health records, billing platforms, each one a potential entry point.
  • Regulatory pressure to pay: HIPAA fines and lawsuits create pressure to make breaches go away quietly.

Ransomware attacks on healthcare increased 128% between 2022 and 2023, according to the Cyber Threat Intelligence Integration Center. The trend hasn't slowed down.[11]

When Hospitals Get Hacked, Patients Get Hurt

A 2024 JAMA Network Open study found that 36% of healthcare facilities reported increased medical complications after ransomware attacks.[12]

Nearly 70% saw longer hospital stays and delayed procedures. When electronic health records go dark, doctors work from memory. Lab results don't get delivered. Medication histories disappear.

Data theft is one thing. Treatment delays kill people.

2026 Predictions: It Gets Worse

Security experts expect attacks to evolve in 2026. From BankInfoSecurity's annual predictions:[13]

"We will see more disruptive attacks masquerading as traditional ransomware events. Attackers are shifting from simply encrypting data to corrupting backups, damaging infrastructure, or compromising clinical systems in ways that prolong downtime."

AI is also changing the game:

"Adversaries are already using AI to accelerate phishing, discover misconfigurations and generate malware variants. In 2026, this will become more commonplace, and it will challenge healthcare organizations that still rely heavily on manual processes."

Translation: the attackers are getting smarter faster than the hospitals are getting more secure.

What You Can Do

Assume You're Already Compromised

If you've received any medical care in the last few years, act as if your data is already out there. Freeze your credit with all three bureaus (Equifax, Experian, TransUnion). It takes 10 minutes and costs nothing. If someone opens an account in your name using your stolen medical data, they'll hit a wall.

Check the Breach Portal

The HHS Office for Civil Rights maintains a public breach portal listing all healthcare breaches affecting 500+ people. Search for any providers you've used. If they're on the list, you're probably affected, even if you never got a notification letter.

Watch for Fraud Years Later

Medical identity theft often surfaces years after the initial breach. Criminals open insurance accounts, file fraudulent claims, or even receive treatment under your name. Review your Explanation of Benefits statements for services you didn't receive. Check your credit reports quarterly.

Take the Free Monitoring

Breach notifications usually include 12-24 months of free identity monitoring. Sign up. It's not much, but it's something. And if you find fraudulent activity, the documentation from a monitoring service helps when fighting with creditors.

The Uncomfortable Truth

Healthcare data protection in America is fundamentally broken. Hospitals run Windows XP machines connected to networks with admin passwords of "password123." HIPAA violations result in fines that are rounding errors on a health system's annual revenue. And patients have zero visibility into how their data is stored or secured.

Every time you get blood drawn, have an X-ray taken, or fill a prescription, you're trusting an institution that probably got ransomwared last year and hasn't told you about it yet.

The 2024 Change Healthcare attack affected 193 million people, more than half the country. It wasn't an aberration. It was a preview.

Your medical data is already somewhere it shouldn't be. Plan accordingly.

References

  1. BrightDefense - 60+ Healthcare Data Breach Statistics for 2026
  2. Astra Security - 80+ Healthcare Data Breach Statistics 2026
  3. BankInfoSecurity - 2025 in Health Data Breaches and Predictions for 2026
  4. HIPAA Journal - SimonMed Imaging: 1.27M Individuals Affected by January 2025 Cyberattack
  5. SecurityWeek - SimonMed Imaging Data Breach Impacts 1.2 Million
  6. HIPAA Journal - Anne Arundel Dermatology Data Breach Affects 1.9 Million Patients
  7. Chicago Sun-Times - Health care data breach affects 600,000 patients, Illinois agency says
  8. NPR Illinois - Health care data breach affects over 600,000 patients
  9. The Record - Nearly 480,000 impacted by Covenant Health data breach
  10. HIPAA Journal - McLaren Health Care Notifies Almost 750,000 Individuals About August 2024 Ransomware Attack
  11. Centrexit - 2025's Biggest Healthcare Data Breaches: Lessons for 2026
  12. JAMA Network Open - Ransomware Attacks and Data Breaches in US Health Care Systems
  13. BankInfoSecurity - 2026 Healthcare Security Predictions