Several large-scale incidents in 2025, compiled by Hicomply, highlighted how modern breaches now extend well beyond a single organization.
Hicomply stated that data breaches across the US continued at scale throughout 2025, reinforcing cybersecurity as a board-level business risk rather than a purely technical issue.
While breach volumes remained high, the defining feature of 2025 was the expanding cost, with regulatory exposure, supply-chain disruption and reputational damage compounding direct financial loss.
According to IBM, the average cost of a data breach in 2025 reached $4.45 million globally.
However, the US ranked as the most expensive region, driven by higher litigation costs, regulatory enforcement and recovery complexity, with the average breach costing approximately $10.22 million for US businesses.
An annual analysis by the non-profit Identity Theft Resource Center recorded 3,322 data breaches across the US in 2025, representing a 4% increase year-on-year and a 79% rise compared with 2020.
Healthcare, financial services, retail and SaaS are among the most exposed sectors, driven by data sensitivity and increasingly strict disclosure expectations.
Vulnerabilities in widely used software platforms and managed service providers enabled attackers to compromise thousands of US organizations simultaneously, underscoring the systemic risk created by digital dependencies.
The company highlighted that in 2025, a breach affecting technology provider SitusAMC exposed systems connected to multiple US financial institutions, demonstrating how third-party compromises can cascade across regulated sectors.
US healthcare organizations continued to face ransomware and data-exfiltration attacks in 2025 with millions of patient records exposed and enforcement actions triggered under federal healthcare privacy regulations.
A breach involving TriZetto Provider Solutions was confirmed in 2025 to have impacted more than 700,000 individuals, triggering federal reporting obligations.
US organizations continued to face elevated risk from insider and contractor-related breaches in 2025, as privileged access, third-party relationships and human error remained key contributors to data exposure.
In 2025, Coinbase disclosed an incident involving unauthorized access by a contractor, resulting in the exposure of customer information including personal and identity verification data.
The breach underscored the growing challenge of securing extended workforces and enforcing access controls across outsourced and temporary roles, Hicomply added.
Regulatory scrutiny continued to increase, raising expectations and potential penalties for US businesses.
The Securities and Exchange Commission’s enhanced cybersecurity disclosure rules, requiring public companies to report material cybersecurity incidents promptly and to describe risk management and governance practices, continued to influence how US businesses handled breach reporting and investor communications throughout the year.
At the same time, the Federal Trade Commission continued enforcement actions related to inadequate data protection practices, while state privacy laws, including enhanced enforcement under California’s privacy framework, increased exposure for organizations handling US consumer data.
Hicomply emphasised that failure to demonstrate proactive cybersecurity governance increasingly translated into financial penalties, shareholder scrutiny and reputational risk.
The company added that for US-based organizations, experts argue that data breach impact is often driven by compliance readiness rather than incident response alone.
Public companies remain subject to US Securities and Exchange Commission cybersecurity disclosure requirements, which continue to shape how material incidents are assessed and reported to investors.
Enforcement risk also remains high under the Federal Trade Commission, particularly where organizations cannot demonstrate reasonable security controls or documented governance following a breach.
In practice, US organizations are increasingly expected to evidence structured security frameworks, which Mark Edgeworth, CEO at Hicomply, said can support organizations in their responsiveness.
Edgeworth said: “Data breach risk isn’t only about the initial technical exploit.
“Organizations that can demonstrate robust security frameworks like ISO 27001 or SOC 2 are far better positioned to respond, report and recover with confidence.
“These frameworks turn compliance from a box-checking exercise into a defensible approach that reduces regulatory exposure and builds trust with customers and partners,” he concluded.
In 2025, data breaches reinforced a clear reality for US businesses: Preparedness, governance and compliance maturity increasingly determine the scale and duration of impact following an incident.