
The Breach Nobody Talked About

Data breaches hit a record high in 2025. Most of them never made the news. Here's what happened, why it matters, and what to actually do about it.

In 2025, the United States recorded 3,322 reported data breaches — a record high, representing a 4% increase over the previous year. That works out to roughly nine breaches every single day.

You probably heard about a handful of them.

The gap between what actually happens and what makes the news is not a minor discrepancy. It is the norm. The breaches that get coverage are the ones with dramatic numbers or recognizable names. The thousands of others — affecting hospitals, local governments, insurance companies, logistics firms, and payroll processors — move through the system quietly, noticed only by the people whose data was taken.

This is a look at what 2025 actually looked like, why most of it stayed invisible, and what the pattern tells us about how data security works in practice.


What Actually Happened in 2025

The scale is difficult to absorb. According to IBM's 2025 Cost of a Data Breach Report, the global average cost of a data breach reached $4.44 million — while US breaches hit a record $10.22 million, a 9% increase year over year, driven by regulatory penalties and slower detection times. That figure covers detection, containment, notification, legal exposure, and reputational damage. It does not cover what happens to the individuals whose data was taken.

The largest single incident of the year involved over 16 billion leaked credentials — usernames and passwords — from platforms including Google, Apple, and Facebook. To put that in context, there are approximately 5.5 billion internet users globally. This was not a breach of one company's systems. It was a compiled leak aggregating credentials from hundreds of previous breaches, surfaced in one massive dataset that circulated among cybercriminals.

Healthcare was the hardest-hit sector. Yale New Haven Health disclosed that 5.56 million patients had been affected by a breach detected on March 8, 2025 — the largest healthcare breach reported to federal regulators that year. Anne Arundel Dermatology saw the personal information of nearly 1.9 million individuals compromised. A ransomware attack on Union County, Ohio, exposed the Social Security numbers, financial information, and medical details of more than 45,000 residents and employees.

Financial services reported the greatest number of individual incidents at 739, followed by healthcare at 534 and professional services at 478.


The Third-Party Problem Nobody Wants to Talk About

The most consistent pattern across 2025's major breaches was not sophisticated hacking. It was third-party access.

Conduent Business Services, a New Jersey-based business services provider, was breached between October 2024 and January 2025. The total number of affected individuals is still under investigation — confirmed figures have grown past 10 million, with Texas alone reporting over 15 million affected — because Conduent processes data on behalf of hundreds of clients. About 462,000 customers of Blue Cross Blue Shield of Montana had their details exposed through Conduent alone. Volvo Group North America disclosed in February 2026 that nearly 17,000 of its employees were also caught in the same breach, notified more than a year after the original intrusion.

Coinbase confirmed an insider breach in February 2026 after a contractor improperly accessed customer data in December 2025. The contractor had visibility into names, email addresses, phone numbers, dates of birth, KYC verification details, wallet balances, and transaction histories of around 30 affected customers. The contractor no longer works with the firm.

The pattern here is consistent with what security researchers have been saying for years: your data is only as safe as the least secure vendor your service provider uses. When you sign up for an insurance plan, a bank account, or a subscription service, you are implicitly trusting their entire supply chain of data processors.


Why Most Breaches Never Make the News

The media coverage of data breaches follows a predictable formula. A breach needs either a large number — tens of millions of affected records — or a recognizable brand name to generate significant coverage. Everything below that threshold passes largely unnoticed outside specialist publications.

This is not purely a media failure. It is partly structural. In the United States, breach notification laws vary by state and sector. Companies are generally required to notify affected individuals and relevant regulators, but the timing, format, and public disclosure requirements differ. Many breaches are disclosed quietly through letters to state attorneys general or filings with the Department of Health and Human Services — technically public, practically invisible.

The result is a population that receives breach notification letters regularly — 80% of surveyed consumers received at least one in the past twelve months according to the Identity Theft Resource Center — but has little broader context for what those letters mean or what to do about them.


What the Numbers Actually Mean for You

The most useful thing to understand about the 2025 breach landscape is what kind of data was taken, and why that matters more than the number of records.

Two-thirds of reported breaches involved Social Security numbers. Unlike a compromised password, a Social Security number cannot be changed. Once exposed, it remains a vector for identity theft, fraudulent tax filings, and new account fraud indefinitely. Credit card numbers, by contrast, can be canceled and reissued — which is why they represent a smaller share of high-value targets.

The practical implication is straightforward. If your data has been in a breach that involved Social Security numbers — and statistically, given the volume of healthcare and financial sector incidents, there is a reasonable chance it has — the relevant risk is not immediate. It is long-term and intermittent. Fraudsters acquire large datasets and use them months or years later, when scrutiny has faded.


What to Do That Actually Helps

Most advice given after data breaches is either too vague to be useful or too late to matter. Here is what is actually worth doing:

Freeze your credit. This is the single most effective action available to individuals following a breach involving personal identifiers. A credit freeze prevents new lines of credit from being opened in your name without your explicit action to unfreeze. It is free at all three major credit bureaus — Equifax, Experian, and TransUnion — and does not affect your existing accounts or credit score. It should be done proactively, not reactively.

Use a password manager. The 16 billion credential leak was not primarily a result of sophisticated attacks. It was a consequence of credential reuse — people using the same password across multiple services, meaning one compromised account cascades into many. A password manager generates and stores unique passwords for every service, eliminating this risk.

Enable two-factor authentication — but not SMS-based. Text message-based two-factor authentication is better than nothing, but it is vulnerable to SIM swapping attacks, where an attacker convinces a carrier to transfer your phone number to a new SIM. App-based authentication using tools like Google Authenticator or Authy is significantly more resistant.

Monitor for breach exposure. Services like Have I Been Pwned allow you to check whether your email address appears in known breach datasets and receive alerts when new breaches are added. It is free and takes less than a minute to set up.

Watch for healthcare fraud specifically. Given the volume of healthcare breaches in 2025, monitoring for fraudulent medical billing is particularly relevant. Unexpected bills for services you did not receive, or letters from insurers for claims you did not make, are indicators worth investigating.


The Bottom Line

Record breach numbers in 2025 did not translate into record public awareness. Most people know, abstractly, that data breaches happen constantly. Far fewer understand the specific patterns — which sectors are hit hardest, which types of data create the most durable risk, and what the realistic consequences look like over time.

The gap between what is disclosed and what is understood is where the real damage happens. Breach notification letters get filed or discarded. The data circulates. The fraud arrives later, when the connection is harder to make.

The record is not a warning about a future threat. It is a description of a system that is already failing, quietly, at scale.