US Data Breach Reporting Transparency and State Notification Enforcement Gaps
The Identity Theft Resource Center (ITRC) reported a record 3,322 data breaches in the US in 2025, and noted that roughly 70% of the breach notices it reviewed lacked key incident details, leaving defenders unable to judge scope, root cause, or what data was affected. The ITRC attributed the gap to inconsistent state breach-notification laws and uneven enforcement: every state and several US territories require some form of consumer notification when certain PII is exposed, but only 34 states also require that breaches be reported to a state agency. The ITRC identified the PowerSchool incident as the largest US cyber incident of the year.
Separately, Blue Cross Blue Shield of Montana (BCBSMT) disclosed that up to 462,000 members may have been affected by a “cyber incident” at third-party vendor Conduent. The disclosure has already produced litigation: BCBSMT has sued in Helena state district court to challenge the Montana State Auditor’s investigation, disputing whether the auditor has authority under a new state breach-reporting law that took effect Oct. 1, 2025. BCBSMT argues that the incident pre-dated the law’s effective date and that its notification to the auditor was made as a courtesy. Reporting also noted that, as of publication, neither BCBSMT nor Conduent appeared to have a corresponding entry on the US HHS public HIPAA breach portal. A separate blog post about a purported “16 billion leaked credentials” compilation describes an aggregated corpus of infostealer-harvested credentials rather than a single breach, and has no material bearing on the US breach-notification transparency and enforcement issues described above.
Timeline
Jan 30, 2026
ITRC says 70% of breach notices lacked key details
The ITRC's 2025 Data Breach Report found that about 70% of breach notices omitted important incident information, attributing the transparency gap to inconsistent state laws and to uneven implementation and enforcement of those laws.
Jan 30, 2026
ITRC reports record 3,322 U.S. data breaches in 2025
The Identity Theft Resource Center's 2025 Data Breach Report found that the United States recorded 3,322 data breaches in 2025, the highest annual total on record.
Jan 30, 2026
BCBSMT sues to challenge auditor's breach investigation
Blue Cross Blue Shield of Montana filed suit in Helena state district court, arguing that the Montana State Auditor lacks authority to investigate the breach and that the inquiry is unlawful.
Jan 30, 2026
Montana State Auditor opens investigation into BCBSMT breach
After the incident was reported to the Montana State Auditor’s office, the office opened an investigation into the Blue Cross Blue Shield of Montana data breach and related reporting obligations.
Jan 30, 2026
Conduent cyber incident exposes BCBSMT member data
A cyber incident affecting third-party vendor Conduent exposed data tied to Blue Cross Blue Shield of Montana members, with BCBSMT later stating that up to 462,000 members may have been affected.
Oct 1, 2025
Montana breach-reporting law takes effect
A new Montana data breach reporting law became effective, changing state notification requirements and becoming central to later questions about whether Blue Cross Blue Shield of Montana had to report the Conduent-related incident to the state auditor.
Related Stories

US Healthcare Privacy Lapses and Breach Reporting Trends
**US healthcare organizations reported unusually low numbers of large HIPAA breaches in late 2025**, with 41 incidents affecting 500+ individuals logged for December 2025 in the HHS OCR breach portal. Reporting volumes for September–December averaged ~40.75 large breaches per month versus ~66.5 in the prior four months, and 2025 totals stood at 697 breaches (a reported ~6% decrease from 2024), though the count was expected to rise as additional incidents are added. A key factor cited for the apparent decline was a **43-day US government shutdown** that furloughed most HHS staff and likely created a backlog in posting breach reports to the OCR portal, potentially suppressing late-2025 totals until processing is completed. Separately, a **VA Office of Inspector General** review found a **privacy and security compliance failure** within the Veterans Health Administration’s national cancer testing program tied to a collaborative research effort. The OIG reported that in 2022 a VHA research director created and shared a file containing electronic health record reports and a “significant amount” of **protected health information (PHI)** with non-VHA investigators **without institutional review board approval or de-identification**, and that required **audit logs** for secure ePHI management were missing. The OIG noted delays in reporting and inadequate early mitigation, and issued six recommendations that the VA agreed to implement, including removing PHI from shared materials, clarifying research processes, and improving training.
3 weeks ago
Healthcare Data Breaches and Patient Data Exposure Reports
Multiple organizations reported or were alleged to have suffered **data breaches involving sensitive personal and health information**. Telehealth provider **Call-On-Doc** was allegedly breached in early December, with a hacking-forum listing claiming exfiltration of **1,144,223 patient records** including contact details and highly sensitive visit metadata (e.g., *medical category/condition*, including STD-related entries), though the company had not publicly commented at the time of reporting. Separately, **Laurel Health Centers** (a Federally Qualified Health Center network in Northern Pennsylvania) reported **unauthorized access to its email environment** from July 11–25, 2025; emails and attachments may have been viewed or copied, potentially exposing a wide range of PHI/PII (including SSNs, insurance/Medicare data, diagnostic/treatment information, and some financial data). Laurel stated it took time to confirm the threat actor was fully removed, completed mailbox review by Dec. 30, 2025, and then began notifying affected individuals and offering credit monitoring. Outside healthcare delivery, the **Civil Service Employees Association (CSEA)** labor union reported a May intrusion (May 3–31) resulting in theft of data for **47,000+ members**, including names and **Social Security numbers**, and said it took systems offline, reset passwords, and implemented additional security controls; it reported no evidence of misuse but advised vigilance for identity theft. A separate HIPAA Journal item summarized academic research on **insider risk**—finding many students would hypothetically sell patient data for money—which is not tied to a specific breach incident but underscores the broader threat environment for healthcare data.
1 month ago
Regulatory Reporting Highlights Rising GDPR Enforcement and U.S. Healthcare Breach Disclosures
European privacy regulators issued roughly **€1.2B in GDPR fines in 2025** and received an average of **443 personal data breach notifications per day** (a reported 22% increase year over year), according to DLA Piper’s GDPR Fines and Data Breach Survey as cited by DataBreaches.net. The reporting indicates sustained enforcement since GDPR’s introduction, with cumulative penalties reaching **€7.1B** since 2018, alongside a continued high volume of breach notifications to data protection authorities. In the U.S. healthcare sector, HIPAA Journal reported that **November 2025** showed unusually low counts of large breaches listed on the HHS OCR breach portal (**32 incidents affecting 500+ individuals**), but attributed the apparent decline to reporting delays during the **U.S. government shutdown (Oct 1–Nov 12, 2025)** and a resulting backlog. Separately, Central Maine Healthcare disclosed a breach affecting **~145,000 individuals**, with unauthorized network access occurring between **Mar 19 and Jun 1, 2025** and exposure of data including **names and Social Security numbers** plus clinical/insurance details; notifications began in late December 2025 and credit monitoring was offered.
1 month ago