May 2025 Data Breach Analysis: LexisNexis and Harbin Clinic Lead Month's Impact on Consumers

Data Breaches
Data Brokers

Posted: June 06 2025

Nearly One Million People Affected Across 75 Breach Incidents

Our May 2025 analysis of data breach notifications reveals another active month in the ongoing challenge of protecting consumer data. We documented 75 distinct breach incidents between May 7 and June 6, affecting 992,863 people across various sectors.

June by the Numbers

During the reporting period, we tracked:

  • 75 total breach incidents (61 newly reported, 14 ongoing from previous periods)
  • 992,863 people potentially impacted
  • 101 individual breach notifications processed
  • 46 incidents affecting business organizations
  • 11 incidents in the healthcare sector

Major Breaches Drive Impact Numbers

Two breaches accounted for over 570,000 of June's affected individuals:

  1. LexisNexis Risk Solutions (May 27): 364,333 individuals affected in a cyber attack on the data broker and consumer reporting agency
  2. Harbin Clinic, LLC (May 16): 210,140 people impacted in a healthcare system breach

The LexisNexis breach is particularly concerning given the company's role as both a data broker and consumer reporting agency. These companies aggregate consumer data for identity verification, risk assessment, and marketing purposes. When data brokers experience breaches, the ripple effects can be far-reaching—affecting people who may have never directly provided their information to these companies. We've called for stronger regulations for data brokers for decades, and breaches like this are part of the reason why we cosponsored the California Delete Act, SB 362.

Sector Distribution Shows Broad Vulnerability

June's incidents spread across multiple sectors:

  • Business organizations: 46 total incidents
    • Business-Other: 33 incidents
    • Business-Financial: 10 incidents
    • Business-Retail: 3 incidents
  • Medical/Healthcare: 11 incidents
  • Non-profits: 7 incidents
  • Education: 5 incidents
  • Government: 3 incidents

What June's Breaches Mean for Consumers

The LexisNexis breach really exemplifies a particularly insidious privacy problem. As a data broker and consumer reporting agency, LexisNexis collects information from public records, financial institutions, and any other source of data they can find to create detailed profiles used for background checks, insurance underwriting, and identity verification. The 364,333 people affected may have no idea LexisNexis even had their data—yet now face risks from a breach at a company they never chose to do business with. And as a response, they're advised to then freeze their credit at one of the three other major data brokers (Equifax, Experian and TransUnion).

The Harbin Clinic breach, on the other hand, affected 210,140 people who entrusted their healthcare provider with medical information. Healthcare breaches are particularly damaging because medical records contain information that can't be changed—your health history, genetic information, and treatment records are permanent. This data is valuable to criminals not just for insurance fraud, but because it provides a complete picture of someone's vulnerabilities.

Together, these breaches affected over 570,000 people in June alone. Whether it's a data broker you've never heard of or a healthcare provider you rely on, the reality is that our most sensitive information is stored in more places than most people realize—and June's breaches show that all of these repositories remain vulnerable.

Practical Steps for Protection

If you were among the 992,863 people affected by June's breaches, you should have received a notification letter by now. However, if you see an organization in our database that you've done business with but haven't received notice, don't assume you're safe. Notification letters can be delayed, lost, or sent to old addresses.

We recommend these protective measures:

  1. Monitor all financial and medical accounts for unusual activity
  2. Update passwords for any accounts associated with breached organizations (use a password manager with multi-factor authentication and passkeys where available)
  3. Consider placing a free security freeze with all three major credit reporting agencies (Equifax, Experian, and TransUnion)
  4. Be especially vigilant for phishing attempts that may reference information from the breach

Taking Action and Understanding Your Rights

June's breaches add to the more than 35,000 incidents we've tracked since 2005, creating a cumulative privacy crisis where most American adults have been affected multiple times. 

Given the LexisNexis breach, we encourage you to explore our recently updated Data Broker Database, which tracks over 750 registered data brokers in the US. Understanding which companies may be buying and selling your information is crucial for protecting your privacy in an era where breaches can expose data you never knew was being collected.

Search our Data Breach Chronology at privacyrights.org/data-breaches to check if organizations you do business with have experienced breaches. Knowledge is the first step in protecting your privacy.

The Privacy Rights Clearinghouse has served as a leading nonprofit source of privacy information and consumer advocacy since 1992.