11th November 2025
Hilton London Canary Wharf

Here’s how much data breaches cost US businesses in 2025

By Mark Edgeworth, CEO at Hicomply

Data breaches across the US continued at scale throughout 2025, reinforcing cybersecurity as a board-level business risk rather than a purely technical issue. 

While breach volumes remained high, the defining feature of 2025 was the expanding cost, with regulatory exposure, supply-chain disruption and reputational damage compounding direct financial loss.

According to IBM, the average cost of a data breach in 2025 reached $4.45 million globally. However, the U.S. ranked as the most expensive region, driven by higher litigation costs, regulatory enforcement and recovery complexity, with the average breach costing approximately $10.22 million for U.S. businesses.

An annual analysis by the nonprofit Identity Theft Resource Center recorded 3,322 data breaches across the U.S. in 2025, representing a 4 percent increase year-on-year and a 79 percent rise compared with 2020.

Healthcare, financial services, retail and SaaS are among the most exposed sectors, driven by data sensitivity and increasingly strict disclosure expectations.

High-impact U.S. breaches in 2025

Several large-scale incidents in 2025, compiled by Hicomply, a compliance and information security management software provider, highlighted how modern breaches now extend well beyond a single organization.

Third-party and supply-chain breaches

Vulnerabilities in widely used software platforms and managed service providers enabled attackers to compromise thousands of U.S. organizations simultaneously, underscoring the systemic risk created by digital dependencies.

In 2025, a breach affecting technology provider SitusAMC exposed systems connected to multiple U.S. financial institutions, demonstrating how third-party compromises can cascade across regulated sectors.

Healthcare data exposure

U.S. healthcare organizations continued to face ransomware and data-exfiltration attacks in 2025, with millions of patient records exposed and enforcement actions triggered under federal healthcare privacy regulations.

A breach involving TriZetto Provider Solutions was confirmed in 2025 to have impacted more than 700,000 individuals, triggering federal reporting obligations.

Insider and contractor-related breaches

U.S. organizations continued to face elevated risk from insider and contractor-related breaches in 2025, as privileged access, third-party relationships and human error remained key contributors to data exposure.

In 2025, Coinbase disclosed an incident involving unauthorized access by a contractor, resulting in the exposure of customer information including personal and identity verification data. The breach underscored the growing challenge of securing extended workforces and enforcing access controls across outsourced and temporary roles.

Regulatory pressure intensifies

Regulatory scrutiny continued to increase, raising expectations and potential penalties for U.S. businesses.

The Securities and Exchange Commission’s enhanced cybersecurity disclosure rules, requiring public companies to report material cybersecurity incidents promptly and to describe risk management and governance practices, continued to influence how U.S. businesses handled breach reporting and investor communications throughout the year.

At the same time, the Federal Trade Commission continued enforcement actions related to inadequate data protection practices, while state privacy laws, including enhanced enforcement under California’s privacy framework, increased exposure for organizations handling U.S. consumer data.

Failure to demonstrate proactive cybersecurity governance increasingly translated into financial penalties, shareholder scrutiny and reputational risk.

Compliance frameworks shaping breach response

For U.S.-based organizations, experts argue that data breach impact is often driven by compliance readiness rather than incident response alone. Public companies remain subject to U.S. Securities and Exchange Commission cybersecurity disclosure requirements, which continue to shape how material incidents are assessed and reported to investors.

Enforcement risk also remains high under the Federal Trade Commission, particularly where organizations cannot demonstrate reasonable security controls or documented governance following a breach.

In practice, U.S. organizations are increasingly expected to evidence structured security frameworks, which can support their ability to respond. Data breach risk isn’t only about the initial technical exploit. Organizations that can demonstrate robust security frameworks like ISO 27001 or SOC 2 are far better positioned to respond, report and recover with confidence. These frameworks turn compliance from a box-checking exercise into a defensible approach that reduces regulatory exposure and builds trust with customers and partners.

In 2025, data breaches reinforced a clear reality for U.S. businesses: preparedness, governance and compliance maturity increasingly determine the scale and duration of impact following an incident.
