2025 Data Breach Report

In 2025, the Data Breach Chronology captured 8,019 data breach notification filings from state and federal agencies that publish breach reports. These represented 4,080 unique breach events impacting at least 375 million individuals.

The year's statistics were dominated by Change Healthcare, whose final notification arrived in October, twenty months after the February 2024 ransomware attack, confirming 192.7 million people were affected. It's the largest healthcare data breach ever recorded, more than double the Anthem breach that held that record for a decade.

This report examines what those 4,080 breaches tell us about the state of data security, and where the gaps in breach reporting leave consumers in the dark.

Key Findings

Healthcare remains a consequential breach target. The sector accounted for 66% of all affected individuals in 2025, driven by Change Healthcare but extending across hospital systems, radiology practices, dialysis providers, and dental groups.

Vendor and supply chain risk dominates. Eight of the twenty largest breaches reported in 2025 occurred at service providers, together accounting for 231 million of the year's 375 million affected individuals. Most of those people likely had no direct relationship with the company that exposed their data.

Notification timelines remain problematic. Of breaches with known dates, the most common notification window is 91 to 180 days, and fewer than 10% would meet California's new 30-day standard under SB 446.

Breach transparency remains inadequate. More than half of 2025 notifications came from state agencies that publish only summary data rather than the underlying notification letters. Where letters were available, only 17% mentioned a specific attack method.

Notable Breaches First Disclosed in 2025

Organization                 Affected  Breach Date              Sector
Prosper Marketplace          13.1M     April to September 2025  Financial
Episource                    6.6M      January 2025             Healthcare
700Credit                    5.8M      October 2025             Financial
Yale New Haven Health        5.6M      2025                     Healthcare
Blue Shield of California    4.7M      2025                     Healthcare
TransUnion                   4.5M      July 2025                Financial
U.S. Department of Treasury  2.4M      January 2025             Government

About the Data

The Data Breach Chronology aggregates notification filings from 14 state attorneys general offices and the U.S. Department of Health and Human Services. When a single breach generates notifications in multiple states, we cluster those filings together and report them as one event. The impact totals in this report sum these event-level figures. This is not a unique headcount, as the same person affected by multiple breaches is counted multiple times.

Download the Full Report

For the complete analysis, including detailed breakdowns of major breaches, the breach method transparency gap, notification timing data, and historical comparisons, download the full 2025 Data Breach Report:

 

Supporting Privacy Research

One of the most rewarding parts of maintaining the Data Breach Chronology is seeing how researchers use it. In 2025, we granted 63 requests for complimentary research access from 56 institutions across 14 countries. The researchers came from economics departments, business schools, law schools, and public policy programs as often as from cybersecurity programs.

The questions they're pursuing reflect how deeply data breaches have become embedded in economic and corporate life. Economists are modeling how breaches propagate through supply chains and affect market concentration. Finance researchers are studying whether ESG scores or CEO characteristics predict breach vulnerability. Legal scholars are examining which breach types lead to class action litigation and how often victims receive compensation.

We're proud the Data Breach Chronology has found its way into research programs around the world. Privacy Rights Clearinghouse has been tracking breaches for twenty years and educating consumers about their rights for more than thirty. The Data Breach Chronology exists because of the researchers, journalists, and organizations who support it.

About the Data Breach Chronology

The Data Breach Chronology is Privacy Rights Clearinghouse's database of publicly reported breaches, aggregating notification filings from state attorneys general and federal agencies. Anyone can explore the Chronology at privacyrights.org/data-breaches, where users can search, filter, and browse breach records going back to 2005.

For researchers, journalists, and organizations that need the complete dataset, the full Chronology is available for download at store.databreachchronology.org. Purchases of the database, grants, cy pres awards, and individual donations directly support continued development, maintenance, and expansion of the Data Breach Chronology.