Healthcare Data Breaches Expose Millions Across US

Recent cyberattacks and insider breaches at hospitals and healthcare companies have compromised sensitive patient and employee data, prompting scrutiny of security practices and calls for stronger protections.

In the past year, a wave of healthcare data breaches has upended the lives of patients, employees, and even high-profile visitors across the United States. From sprawling hospital systems to local community providers, no corner of the healthcare industry has been spared, raising urgent questions about privacy, security, and the growing sophistication of cyber threats targeting sensitive medical information.

Perhaps the most far-reaching of these incidents came to light in May 2025, when ApolloMD—a major US-based healthcare services company—disclosed a cyberattack that compromised the personal information of more than 626,000 individuals. According to data published by the US Department of Health and Human Services, the breach affected exactly 626,540 people, including patients of affiliated physicians and medical practices served by ApolloMD. The company, which provides practice management, staffing, and administrative support across specialties like emergency medicine and radiology, detected unusual activity on its IT systems on May 22, 2025. What investigators soon discovered was deeply troubling: an unauthorized party had gained access to ApolloMD’s network between May 22 and May 23, slipping into patient files and stealing a trove of private data.

The compromised information was varied and highly sensitive. As ApolloMD’s official security breach notice explained, “The information involved varied by patient and includes names in combination with one or more of the following: dates of birth, addresses, diagnosis information, provider names, dates of service, treatment information, and/or health insurance information. For some individuals, the incident may have also involved their Social Security numbers.” Notification letters began reaching affected patients on September 17, 2025, months after the initial breach, as the company worked to determine the full scope of the incident and coordinate with law enforcement and forensic experts. Notably, ApolloMD did not disclose technical details about how the breach occurred, but the Qilin ransomware group publicly claimed responsibility in June 2025, adding another layer of complexity and alarm to the unfolding crisis.

While ApolloMD’s breach dwarfed others in sheer numbers, it was far from the only healthcare provider to fall victim to cybercrime. In October 2025, Cottage Hospital, a community provider in Woodsville, New Hampshire, experienced its own data breach. For one week, an “unauthorized party” accessed files on a single server within the hospital’s computer network. The breach, discovered in December, exposed the personal information of more than 1,600 current and former employees—including names, Social Security numbers, driver’s license numbers, and bank account details. Employees who were also patients faced the added risk of having their medical or health insurance information exposed. “We take this matter very seriously,” Cottage Hospital emphasized in its notification letter, adding, “To help prevent a similar incident, we will continue to implement and evaluate enhanced safeguards and security measures to further protect our systems, and continue to provide security training to our employees.” Impacted individuals were offered a one-year subscription to Experian IdentityWorks to help guard against identity theft, a small measure of reassurance in the wake of such a violation.

The fallout from these breaches has been felt at every level of the healthcare system, but perhaps nowhere more dramatically than at Kettering Health, a large hospital network that suffered a devastating ransomware attack in the spring of 2025. According to Kettering Health’s own investigation, hackers gained unauthorized access to the network between April 9 and May 20, viewing and potentially acquiring files containing names, Social Security numbers, financial account numbers, driver’s license numbers, medical and treatment records, health insurance details, billing and claim information, passport numbers, and even usernames with passwords. The May 20 cyberattack triggered a systemwide outage that lasted more than two weeks, leaving patients unable to access MyChart, shutting down phone and internet lines, and forcing staff to revert to paper charts. Ambulances had to be diverted and some treatments were rescheduled as the hospital scrambled to contain the chaos.

During the attack, hackers threatened to destroy or publicly release sensitive data if hospital officials didn’t reach out and negotiate within 72 hours—a chilling ultimatum. Kettering Health administrators confirmed on May 23 that the incident was indeed a ransomware attack, but they maintained that no ransom was paid and that there was no direct contact with the perpetrators. Later, the ransomware group Interlock claimed responsibility, boasting that it had stolen 941 gigabytes of data—more than 730,000 files. By mid-June, Kettering Health announced a return to normal operations, but the scars of the breach lingered. Affected patients were notified and offered free credit monitoring services, with a 90-day window to enroll. The hospital system also pledged to review its policies and procedures to reduce the likelihood of future incidents, stating, “As part of our ongoing commitment to the privacy of information in our care, Kettering is reviewing policies, procedures and processes to reduce the likelihood of a similar future event.”

While the attacks on ApolloMD, Cottage Hospital, and Kettering Health were all perpetrated by external actors seeking to exploit system vulnerabilities, not every data breach in healthcare is the result of shadowy hackers. Sometimes, the threat comes from within. In January 2026, British social media influencer Josh Cauldwell-Clarke found himself at the center of a personal data breach while visiting Michigan. During a hospital stay, employees accessed his electronic health record “without a work-related reason” on January 18 or 19. Cauldwell-Clarke, who had been traveling the state with fellow influencer Jason Riley as the duo “Josh & Jase,” took to social media to clarify that this was not a mass data breach, but a targeted violation of his privacy. The accessed data included his name, date of birth, home address, phone number, account number, reason for admission, and clinical details. “This makes me very uncomfortable knowing there are strangers out there who have my personal and private information,” Cauldwell-Clarke said, adding that he had been in contact with legal counsel. The incident also highlighted the unique risks faced by public figures, as staff reportedly asked for selfies and the hospital attempted to keep his presence “low key” by removing his name from a notice board. Under US law, such unauthorized access is a violation of the Health Insurance Portability and Accountability Act (HIPAA), and hospitals are required to notify victims. As of mid-February, it was unclear if any disciplinary action had been taken at the Michigan hospital involved.

These incidents collectively underscore the daunting challenges facing the healthcare industry in protecting patient data. Whether the threat comes from sophisticated ransomware groups, lone hackers, or even insiders with access privileges, the consequences for patients, employees, and providers can be severe and long-lasting. The breaches have spurred hospitals and healthcare companies to reevaluate their security protocols, invest in staff training, and offer identity protection services to those impacted. Yet, as the digital transformation of healthcare accelerates, so too does the risk of future breaches. For patients and providers alike, vigilance and transparency remain the only real defense in a landscape where privacy can be shattered in an instant.
