Data Breaches in Q3, 2025 Affected 23 Million Individuals

By Daniel Lopez

According to the Identity Theft Resource Center (ITRC), the number of reported system compromises and data breaches remains high, though incidents dropped slightly compared to the previous quarter. The ITRC tracked 913 compromises in Q2 2025 and another 835 in Q3. So far in 2025, the ITRC has tracked 2,563 compromises with about 202 million victim notifications.

Given the high number of data compromises reported each quarter in 2025, only 640 more compromises need to be reported to set a new record. Although compromises are higher, the number of notifications sent to victims is down significantly compared to 2024’s total because there have been fewer mega data breaches. That said, a few data breaches in 2025 have been sizeable.

In H1 of the year, five of the biggest data breaches affected protected health information (PHI). Over 15.6 million patients were affected by the data breaches at Episource, Yale New Haven Health System, and Blue Shield of California. In Q3, the biggest data breach happened at TransUnion, affecting 4.46 million victims, but the next four largest data breaches occurred at these healthcare companies:

  • DaVita, a kidney dialysis provider – 2,689,826 individuals affected
  • Anne Arundel Dermatology – 1,905,000 individuals affected
  • Radiology Associates of Richmond – 1,419,091 individuals affected
  • Absolute Dental Group – 1,223,635 individuals affected

Of the 835 data breaches in Q3, 749 affected 23,053,451 victims.

  • 691 were due to cyberattacks; 22,985,802 individuals were affected
  • 46 were caused by system and human error; 62,297 individuals were affected
  • 33 involved supply chain attacks; 3,793,381 individuals were affected
  • 19 were caused by physical attacks; 5,352 individuals were affected

The number of data breaches by sector is as follows:

  • Financial services sector – 188 data breaches
  • Healthcare sector – 149 data breaches
  • Professional services sector – 114 data breaches
  • Manufacturing sector – 76 data breaches
  • Education sector – 45 data breaches

The trend of withholding the attack vector from breach notices continues to grow: 71% of victim notifications in Q3 lacked that detail, up from 69% in H1 of 2025. Knowing the attack vector enables breach victims to evaluate their level of risk. Not stating the actual cause of the breach can put victims at greater risk of identity theft and fraud. ITRC advises placing a credit freeze at the three primary credit reporting firms (Equifax, Experian, and TransUnion), whether personal data was compromised or not. Additionally, it is necessary to employ good cyber hygiene, use unique passphrases on all accounts, and activate multi-factor authentication wherever possible. Following a HIPAA compliance checklist is also advisable.



Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA