It is July 31, 2025. A routine compliance filing crosses the US Department of Health and Human Services portal — and in one figure buried in the submission, the full scope of what happened to Change Healthcare becomes undeniable: 192.7 million individuals affected. Not a preliminary estimate. The final count — making it the largest healthcare data breach in recorded history.
That single disclosure capped a month that, as reported through Google News and documented across cybersecurity outlets including CM-Alliance and HIPAA Journal, marked a critical inflection point across every tier of the threat landscape — from opportunistic credential attacks to Chinese nation-state zero-day exploitation running in parallel.
The Threat: Five Attack Vectors in a Single Month
July 2025 did not produce one headline-grabbing incident — it produced five, each representing a distinct failure mode that security teams encounter every week.
Change Healthcare (192.7 million records). As of July 31, 2025, UnitedHealth's Change Healthcare subsidiary formally notified the HHS Office for Civil Rights that the February 2024 ransomware attack — executed by the ALPHV/BlackCat group — ultimately affected 192.7 million people. UnitedHealth paid approximately $22 million in bitcoin (350 BTC) to the attackers. The full blast radius took 17 months to quantify.
McDonald's recruitment system (64 million records). Perhaps the most preventable breach of the month: McDonald's job applicant database was compromised because the system's access credential was the default password 123456. Personally identifiable information belonging to 64 million job applicants was exposed. No sophisticated zero-day required. No nation-state actor involved. One unchanged default credential.
Chinese state-linked APT groups (400-plus organizations). Starting July 7, 2025, threat actors identified by CM-Alliance as Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603 began exploiting CVE-2025-53770 — a zero-day vulnerability (a security flaw with no available patch at time of exploitation) in Microsoft SharePoint. Over 400 organizations were compromised, including the National Nuclear Security Administration. The entry point was a trusted enterprise collaboration platform; the outcome was persistent access across critical infrastructure.
TransUnion Salesforce breach (4.4 million US customers). On July 28, 2025, TransUnion confirmed that a breach linked to its Salesforce environment exposed names, birth dates, phone numbers, and Social Security numbers for 4.4 million US customers. Threat groups have demonstrated increasingly sophisticated automation in targeting cloud CRM platforms — a pattern that, as AI Shield Daily has flagged regarding AI agent authorization gaps, extends to enterprise systems where access boundaries are loosely defined.
Qantas contact center platform (5.7–6 million customers). Between July 2 and 9, 2025, Qantas confirmed that a third-party contact center platform exposed customer data including loyalty program numbers and personal details for between 5.7 and 6 million individuals. The supply chain vector — a vendor with broad access to primary customer data — connects this incident to the TransUnion breach and to the pattern Strobes cybersecurity analysis described: social engineering, supply chain weaknesses, and basic security oversights continuing to enable attackers across industries.
Blast Radius: Who Carries the Real Exposure
According to GRC Solutions' July 2025 tracking, 29 publicly recorded data breaches occurred that month, affecting 14.9 million data records globally. The HIPAA Journal's July 2025 healthcare data breach report noted that 16 HIPAA-regulated entities reported breaches affecting 10,000 or more individuals — the lowest monthly healthcare breach count since September 2024, with Anne Arundel Dermatology and Radiology Associates of Richmond together accounting for 75.6% of affected healthcare individuals that month.
Chart: Records exposed per breach in July 2025. Change Healthcare's 192.7 million count dominates all other incidents combined.
The broader year-level picture from the Identity Theft Resource Center's 2025 Annual Report counted 3,322 data compromises for the full year — a 5% increase over 2024 — with Financial Services (739 breaches) and Healthcare (534 breaches) as the most targeted sectors. Ransomware attacks globally surged 34–50% in 2025 compared to 2024, with 4,701 confirmed incidents between January and September, though ransom payment rates dropped to historic lows of 23–25%, suggesting organizations are increasingly choosing to absorb recovery costs rather than fund the criminal ecosystem.
For organizations assessing their realistic exposure: the worst case from any of these vectors is not only data exfiltration. It is operational suspension during incident response, regulatory notification costs across multiple jurisdictions, and reputational erosion that compounds over months. Change Healthcare's full victim count took 17 months to surface. Organizations that believed they were out of scope learned otherwise near the end of that period.
The Defense Stack: Three Layers That Close These Gaps
Synthesizing across CM-Alliance, HIPAA Journal, GRC Solutions, and PKWARE's 2025 cybersecurity research, three control layers appear consistently in the gaps across every July incident.
Technology layer. CVE-2025-53770 in SharePoint was exploited as a zero-day — no patch was available when Linen Typhoon and its counterparts began their campaign on July 7, 2025. The compensating control when patches are unavailable is network segmentation (dividing your environment so a breach in one segment cannot propagate freely) combined with least-privilege access (granting accounts only the permissions they specifically require). For credential attacks like the McDonald's breach, automated credential scanning that flags default or vendor-issued passwords before they reach production is the fix — it runs in minutes on any modern identity platform and eliminates the exact failure mode that exposed 64 million records.
Process layer. Qantas and TransUnion both suffered through their vendor ecosystems. Third-party risk management (the formal process of assessing a vendor's security posture before granting access to customer data) is established guidance that is persistently under-resourced. The specific gap: vendors handling primary customer records should be contractually required to meet defined security baselines, with audit rights built into agreements at signing — not retrofitted after a breach has already occurred.
People layer. According to the Verizon Data Breach Report cited in PKWARE's 2025 research, 74% of all breaches began with a social engineering attack (manipulating humans rather than exploiting software). Phishing and social engineering accounted for approximately 46–67% of successful breach entry points across 2025. AI-powered phishing campaigns contributed materially to this ratio — threat actors now generate convincing, targeted lures at a scale and speed that security awareness training developed before 2024 was not designed to counter. Updated data protection training content that specifically addresses AI-generated phishing characteristics is a meaningful upgrade, not a cosmetic refresh.
On the defender side, AI-driven threat detection systems are shortening dwell time (the gap between initial compromise and detection) by correlating signals across endpoints, network flows, and identity logs simultaneously. The tools have improved substantially — but they require properly tuned baselines to distinguish an APT's lateral movement from normal administrative activity.
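The baseline point deserves a concrete illustration. What follows is an added example, not code from the article or from any detection vendor it cites: it learns a per-account baseline of normally reached hosts from a constructed identity log, then flags accounts that fan out to several hosts outside that baseline within a short window. The log format, the account names and the thresholds are all assumptions made for the example.

```python
"""Baseline-tuned detection of logon fan-out over identity logs.

Added example, not code from the original article or from any vendor it
cites. It assumes a constructed identity-log format with one logon event per
line:  <ISO timestamp> <user> <source host> -> <target host> <logon type>
A per-account baseline of normally reached hosts is learned from a training
window; the evaluation window is then scanned for accounts that reach several
hosts outside that baseline inside a short interval, the fan-out that lateral
movement produces. The novelty threshold scales with how broad an account's
baseline already is, so an administrator who routinely touches many hosts is
not flagged for ordinary work while a user account that suddenly does is.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    ts: datetime
    user: str
    src: str
    dst: str


def parse_logons(text):
    """Parse the constructed log format into Logon records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, _arrow, dst, _logon_type = line.split()
        events.append(Logon(datetime.fromisoformat(ts), user, src, dst))
    return events


def build_baseline(events):
    """Map each account to the set of target hosts seen in the training window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.user].add(e.dst)
    return baseline


def detect_fanout(events, baseline, window=timedelta(minutes=10), min_new_hosts=3):
    """Return (user, new_hosts, first_ts, last_ts) for every account that reaches
    at least `threshold` hosts absent from its baseline within one sliding window.
    threshold = max(min_new_hosts, a quarter of the account's baseline size)."""
    novel_by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.dst not in baseline.get(e.user, set()):
            novel_by_user[e.user].append(e)
    alerts = []
    for user, novel in novel_by_user.items():
        threshold = max(min_new_hosts, len(baseline.get(user, ())) // 4)
        start = 0
        for end in range(len(novel)):
            while novel[end].ts - novel[start].ts > window:
                start += 1
            hosts = {e.dst for e in novel[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append((user, sorted(hosts),
                               novel[start].ts.isoformat(), novel[end].ts.isoformat()))
                break  # one alert per account is enough for triage
    return alerts


# Constructed training window: alice touches two servers; bob is an admin who
# reaches SRV01..SRV12 from a jump host as part of normal duties.
TRAINING_LOG = "\n".join(
    ["2025-07-06T08:00:00 alice WS-ALICE -> FS01 network",
     "2025-07-06T08:05:00 alice WS-ALICE -> MAIL01 network"]
    + [f"2025-07-06T09:{i:02d}:00 bob JUMP01 -> SRV{i:02d} remote" for i in range(1, 13)]
)

# Constructed evaluation window: alice's workstation hops to two peer
# workstations and a domain controller within four minutes; bob reaches two
# new servers, which stays within his tolerance.
EVAL_LOG = """
2025-07-07T14:00:00 alice WS-ALICE -> FS01 network
2025-07-07T14:02:00 alice WS-ALICE -> WS-07 network
2025-07-07T14:03:30 alice WS-07 -> WS-12 network
2025-07-07T14:06:00 alice WS-12 -> DC01 network
2025-07-07T14:10:00 bob JUMP01 -> SRV13 remote
2025-07-07T14:11:00 bob JUMP01 -> SRV14 remote
"""


def run_example():
    baseline = build_baseline(parse_logons(TRAINING_LOG))
    return detect_fanout(parse_logons(EVAL_LOG), baseline)


if __name__ == "__main__":
    for user, hosts, first, last in run_example():
        print(f"ALERT {user}: {len(hosts)} new hosts {hosts} between {first} and {last}")
```

Only alice is flagged: her baseline is two hosts, so three new hosts in four minutes crosses the threshold, while bob's twelve-host baseline raises his threshold and two new servers pass. Dropping the per-account scaling and using one global threshold is the misconfiguration that either buries the alert under administrator noise or silences it entirely, which is the tuning problem the paragraph above describes.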
Ship This Control Today
One control. The McDonald's incident — 64 million records exposed, zero sophisticated techniques required — is the clearest possible argument for where to begin: run a default credential audit across every production system this week.
Inventory all production systems, cloud consoles, database access accounts, third-party integration service accounts, and network devices. Flag any account using a vendor default password, a shared team credential, or a password that has not been rotated since initial deployment. Rotate those immediately and enroll every privileged account in multi-factor authentication (MFA — requiring a second verification step beyond the password alone). This single pass eliminates the exact failure mode that exposed 64 million job applicants' data without the attackers needing to do anything clever.
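The credential scan described in the technology layer and the audit pass above are the same check. Here it is as an added example, not code from the article or from any identity platform: an audit over a constructed account inventory that emits one finding per gap the pass names. The inventory rows, the default-password list and the one-year rotation ceiling are assumptions made for the example.

```python
"""Default-credential and privileged-account audit over an account inventory.

Added example, not code from the original article or from any platform it
names. It assumes a constructed inventory of the kind an identity platform or
CMDB export would give you (system, account, password hash, creation and
rotation dates, privilege flag, MFA flag) and a short constructed list of
vendor default passwords. It emits one finding per condition the audit
names: a default or vendor-issued password, a credential shared by several
accounts, a password never rotated since deployment (plus a stale-rotation
check), and a privileged account not enrolled in MFA. Comparison is done on
hashes so the default-password list is hashed once and plaintext never has to
be handled by the audit tool.
"""
import hashlib
from collections import defaultdict
from datetime import date

# Constructed, hypothetical list of vendor/default credentials to screen for.
DEFAULT_CREDENTIALS = ["123456", "admin", "password", "changeme", "Welcome1"]


def sha256_hex(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


DEFAULT_HASHES = {sha256_hex(p) for p in DEFAULT_CREDENTIALS}


def account(system, name, password, created, rotated, privileged, mfa):
    """Build one constructed inventory row; a real export would carry the hash only."""
    return {"system": system, "account": name, "pw_hash": sha256_hex(password),
            "created": created, "rotated": rotated, "privileged": privileged, "mfa": mfa}


# Constructed inventory covering each failure mode plus one clean account.
INVENTORY = [
    account("ats-db", "app_reader", "123456", "2023-02-01", "2023-02-01", True, False),
    account("core-switch", "admin", "admin", "2022-06-15", "2024-01-10", True, False),
    account("crm-integration", "svc_vendor", "Tr0ub4dor&3", "2024-03-01", "2025-05-02", False, False),
    account("hr-portal", "svc_vendor", "Tr0ub4dor&3", "2024-03-01", "2025-05-02", False, False),
    account("cloud-console", "root", "k7#Vq!pL2zRw9$eN", "2025-01-15", "2025-06-30", True, True),
]


def audit(inventory, default_hashes, max_age_days=365, today=date(2025, 7, 31)):
    """Return (system/account, finding) pairs for every control gap found."""
    users_by_hash = defaultdict(list)
    for acct in inventory:
        users_by_hash[acct["pw_hash"]].append(f'{acct["system"]}/{acct["account"]}')

    findings = []
    for acct in inventory:
        name = f'{acct["system"]}/{acct["account"]}'
        if acct["pw_hash"] in default_hashes:
            findings.append((name, "DEFAULT_CREDENTIAL"))
        if len(users_by_hash[acct["pw_hash"]]) > 1:
            findings.append((name, "SHARED_CREDENTIAL"))
        if acct["rotated"] == acct["created"]:
            findings.append((name, "NEVER_ROTATED"))
        elif (today - date.fromisoformat(acct["rotated"])).days > max_age_days:
            findings.append((name, "STALE_CREDENTIAL"))
        if acct["privileged"] and not acct["mfa"]:
            findings.append((name, "PRIVILEGED_NO_MFA"))
    return findings


def remediation_order(findings):
    """Accounts to rotate first: most findings first, name as a deterministic tie-break."""
    counts = defaultdict(int)
    for name, _ in findings:
        counts[name] += 1
    return sorted(counts, key=lambda n: (-counts[n], n))


if __name__ == "__main__":
    results = audit(INVENTORY, DEFAULT_HASHES)
    for name, finding in results:
        print(f"{finding:20} {name}")
    print("rotate first:", remediation_order(results))
```

Two caveats for running this against a real store rather than the constructed rows. Production password stores use salted hashes, so a default-password list cannot be hashed once and matched by set membership; the check then has to be done per account against its salt, or, better, at provisioning time before the credential is ever accepted. The shared-credential check has the same dependency and is usually easier to get from the identity platform's own reporting than to reconstruct from hashes.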
If credential hygiene is already solid, the next priority is a vendor access review: map every third party with access to customer records, confirm they meet a written security baseline, and verify you hold contractual audit rights. That is the Qantas and TransUnion lesson in one afternoon's work.
Frequently Asked Questions
What was the biggest data breach in July 2025 and who was affected?
As of July 31, 2025, Change Healthcare's formal HHS notification confirmed 192.7 million individuals were affected by the February 2024 ransomware attack — the largest healthcare data breach in recorded history. Given Change Healthcare's role in US healthcare payment processing, anyone who had insurance claims processed over the prior several years may be in scope. Recommended steps: monitor your credit reports, watch for unusual explanation-of-benefits statements from your insurer, and consider placing a credit freeze with all three major bureaus.
How can I protect my business from supply chain cyberattacks like the Qantas and TransUnion breaches?
Both incidents traced back to third-party platforms with access to primary customer data. Key protective controls: require written security attestations from all vendors handling customer PII before granting access; apply least-privilege principles to vendor integrations so they can only reach the data their function requires; build contractual audit rights into vendor agreements at signing; and maintain an incident response plan that explicitly addresses third-party breach notification, since you may learn of a supply chain breach from your vendor rather than from your own detection systems.
What should my organization do in the first 72 hours after discovering a data breach?
Incident response priorities: (1) Contain — isolate affected systems to prevent lateral movement to additional assets; (2) Preserve — do not wipe or reimage systems before forensic imaging, as this destroys evidence needed for root cause analysis and regulatory review; (3) Notify — consult legal counsel immediately on breach notification obligations under HIPAA, applicable state laws, or GDPR; (4) Communicate internally with clear, factual updates to reduce panic-driven mistakes; (5) Document everything timestamped for regulatory filings. Engage a qualified incident response firm if your team lacks breach-specific experience — mishandling the response phase typically costs more than the firm's engagement fee.
In my analysis, July 2025's breach catalog is less a story about unusually sophisticated adversaries than about the persistent gap between security controls organizations know they should have and the ones they actually deploy. A $22 million bitcoin ransom, 192.7 million exposed healthcare records, and 64 million job applicant records lost to a default password all share the same root: security investment that did not match the actual exposure. Threat actors this month ranged from nation-states running zero-day SharePoint campaigns to opportunists trying 123456. The compensating controls — credential hygiene, network segmentation, vendor risk reviews, updated phishing training — are largely the same regardless of who is on the other side of the keyboard. That is the uncomfortable news and the actionable news simultaneously.
Disclaimer: This article is editorial commentary for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific security needs. Research based on publicly available sources current as of June 20, 2026.