FOR IMMEDIATE RELEASE
Cognetryx, a private AI platform for regulated industries, today published an original analysis of all 710 large healthcare data breaches reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) in 2025. The breaches affected more than 61.5 million people. The analysis surfaces two patterns in the public record that bear directly on a decision many health systems are weighing right now: whether to send patient data to cloud AI services.
Key findings
- More than one in three breaches (35.8%) happened at business associates, the third-party vendors that handle protected health information for providers and health plans. A cloud AI service that processes PHI is a business associate by another name.
- 86% of breaches involved PHI in digital, network-accessible form: 61.5% on network servers and 24.9% in compromised email accounts. That is the same form of data a cloud AI request needs to function.
- The single largest 2025 incident, a 4.7 million-record exposure at Blue Shield of California, involved no hacker at all. It was a configuration mistake that sent member data where it did not belong.
"Cloud AI does not invent this risk. It joins it. The breach record already tells health systems two things: a third of the exposure lives on the third-party side, and the data that leaks is the digital, network-accessible kind. Adding another outside vendor that processes more patient data faster expands the exact surface the public record is warning about."
Keith Kennedy, Founder and CEO of Cognetryx, CISSP
The analysis argues the real question is less about whether a given AI model is trustworthy, and more about whether patient data should be in the form that leaks, sent to a party outside the network. Running AI inside the health system's own environment keeps PHI out of the third-party breach category entirely.
The complete breakdown of the 2025 OCR breach record, with the methodology and the Blue Shield case, is here: What 710 Healthcare Data Breaches Say About Putting Patient Data in Cloud AI.
About Cognetryx
Cognetryx builds private, on-premises AI for regulated industries. The platform deploys inside an organization's own network, indexes its own documents, and serves AI models privately, so sensitive records never leave the environment the organization controls. Cognetryx is led by founder and CEO Keith Kennedy, CISSP, who has spent nearly 20 years building secure infrastructure for regulated industries.
Media contact: [email protected] ยท www.cognetryx.com
Data source: U.S. HHS Office for Civil Rights breach portal, 2025 large-breach reports (500 or more individuals), as compiled in February 2026. Percentages reflect the share of breach incidents.