In 2025, the Data Breach Chronology captured 8,019 data breach notification filings from state and federal agencies that publish breach reports. These represented 4,080 unique breach events impacting at least 375 million individuals.

The year's statistics were dominated by Change Healthcare, whose final notification arrived in October, twenty months after the February 2024 ransomware attack, confirming 192.7 million people were affected. It's the largest healthcare data breach ever recorded, more than double the Anthem breach that held that record for a decade.

This survey analyzes and compares data breach notification laws across all 50 U.S. states and the District of Columbia. Using a standardized framework of 50 questions, we examined each jurisdiction's requirements for breach notification timing, covered data types, notification recipients, enforcement mechanisms, and consumer remedies.

This survey reflects statutes enacted as of January 1, 2026.

Explore the Data

Our May 2025 update—the fifth this year—brings our complete data through May along with this focused analysis of Q1 breach statistics. The first quarter saw 876 new breach notifications representing 658 distinct security incidents that impacted over 32 million people. This release also includes major database enhancements with completely refactored grouping algorithms and improved categorization models, making our breach tracking and analysis more accurate than ever.