OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2024

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has submitted its annual reports to Congress on compliance with the Health Insurance Portability and Accountability Act (HIPAA) and breaches of unsecured protected health information for calendar year 2024.

The reports are a requirement of the Health Information Technology for Economic and Clinical Health (HITECH) Act and provide a snapshot of the state of compliance in healthcare, the actions taken by OCR in response to potential noncompliance, and the extent to which sensitive health information is being exposed or stolen. The reports to Congress are based on the number of data breaches that occurred in each calendar year, not the year in which the data breach was reported. In calendar year 2024, OCR received 742 reports of data breaches affecting 500 or more individuals; however, only 663 reports related to breaches that occurred in 2024.

2023 was a particularly bad year for large healthcare data breaches. In its previous reports to Congress, OCR reported that 732 large data breaches occurred in 2023, a 17% increase from the previous year, with more than 113 million individuals affected. While there was an improvement in 2024 with 9% fewer large data breaches reported, an unprecedented number of individuals were affected by large data breaches, smashing the previous record. Across the 663 reported data breaches, the protected health information of 242,908,056 individuals was exposed or impermissibly disclosed. The massive total was largely due to a single data breach at Change Healthcare, which affected an estimated 192 million individuals. In 2024, OCR received 74,299 reports of data breaches affecting fewer than 500 individuals, although across those incidents, only 340,618 individuals were affected.

OCR investigates all large data breaches and opened investigations into all 663 breaches, plus two smaller data breaches. The vast majority of data breach investigations are resolved through voluntary corrective actions taken by the affected regulated entity or the provision of technical assistance. OCR resolved 785 data breach investigations in 2024, including 12 with resolution agreements, corrective action plans, and monetary settlements or civil monetary penalties. In 2024, OCR collected $7,813,831 in penalties to resolve alleged HIPAA violations uncovered through its investigations of data breaches, plus a further $950,000 penalty stemming from an investigation in response to media reports of a data breach.

Year Data Breaches (Under 500 individuals) Percentage Change

(Under 500 individuals)

 Data Breaches (500+ individuals) Percentage Change (500+ individuals)
2024 74,299 +9% 663 -9%
2023 68,315 +7% 732 +17%
2022 63,966 +15% 626 +3%
2021 63,571 -4% 609 -7%
2020 66,509 +6% 656 +61%
2020 to 2024 12% increase 1% increase

Source: OCR reports to Congress (breaches each calendar year, irrespective of reporting date)

In the 2024 breaches of unsecured protected health information report, OCR explained that there is a continued need for HIPAA-regulated entities to improve compliance. Noncompliance with the HIPAA Rules is often identified. Many data breaches could have been prevented through proactive compliance, rather than addressing security issues after exploitation. Some of the most common areas of noncompliance were the risk analysis, risk management, information system activity review, audit controls, and person or entity authentication standards and implementation specifications of the HIPAA Security Rule.

If a risk analysis is incomplete or not conducted, risks are likely to persist unaddressed and can be exploited by threat actors. Risks also need to be reduced to a reasonable level to make it harder for threat actors to succeed. Access controls can prevent breaches as well as limit the harm caused if a network is breached. OCR’s investigations of data breaches found many instances of scant internal controls limiting lateral movement and excessive privileges for many user accounts, which allowed threat actors to gain access to multiple systems containing ePHI. OCR also commonly found weak authentication practices, such as default passwords and single-factor remote access, rather than multifactor authentication. Improving compliance across these areas would drastically reduce the number of large healthcare data breaches reported each year.

The most common cause of breaches, as has been the case for several years, was hacking/IT incidents, which accounted for 81% of all data breaches and 241,582,022 of the affected individuals (99.45%). The most common location of breached protected health information was network servers. For smaller breaches, the main cause was unauthorized access/disclosure incidents, most commonly involving paper/films.

Penalties to Resolve Alleged HIPAA Violations in Calendar Year 2024

HIPAA-Regulated Entity Penalty Type Penalty Amount Individuals Affected Areas of Alleged HIPAA Noncompliance
Plastic Surgery Associates of South Dakota Settlement $500,000 10,226 Risk analysis; security measures to reduce risks and vulnerabilities; reviews of records of information systems activity; policies and procedures to address security incidents
Providence Medical Institute Civil Monetary Penalty $240,000 85,000 across three ransomware attacks Business associate agreement; policies and procedures to only allow authorized persons or software to access ePHI
Bryan County Ambulance Authority Settlement $90,000 14,273 Risk analysis
Children’s Hospital Colorado Civil Monetary Penalty $548,265 14,210 across two email-related incidents Risk analysis; workforce HIPAA Privacy Rule training.
Gulf Coast Pain Management Consultants Civil Monetary Penalty $1,190,000 34,310 Risk analysis; review of records of activity in information systems; termination of access rights of terminated employees; procedures for establishing/modifying access rights to information systems.
Elgon Information Systems Settlement $80,000 31,248 Risk analysis
Virtual Private Network Solutions Settlement $90,000 At least 6,400 Risk analysis
Northeast Surgical Group Settlement $10,000 15,298 Risk analysis
Solara Medical Supplies Settlement $3,000,000 115,538 across two incidents Risk analysis; breach notification letters to individuals, HHS, and media.
USR Holding Settlement $337,750 2,903 Risk analysis; review of activity in information systems; procedures for creating and maintaining exact retrievable copies of ePHI; prevention of unauthorized access and deletion of ePHI.
Warby Parker Civil Monetary Penalty $1,500,000 More than 197,986 individuals Risk analysis; security measures to reduce risks and vulnerabilities; review of records of activity in information systems.
Health Fitness Settlement $227,816 4,304 Risk analysis
Heritage Valley Health System Settlement $950,000 Undisclosed Risk analysis; contingency plan for emergencies; policies and procedures restricting access to ePHI

In calendar year 2024, OCR received 30,256 new complaints about potential violations of the HIPAA Rules and carried over 2,955 complaints from previous years. Out of those, OCR resolved 28,228 complaints, 17,466 without opening an investigation, and 9,392 were resolved through the provision of technical assistance.

Out of the 1,370 complaint investigations completed by OCR in 2024, around half (48%) required the regulated entity to take corrective action, and in 51% of the investigations, insufficient evidence was found to indicate violations of the HIPAA Rules. Nine complaint investigations were resolved with financial penalties totaling $1,180,781. The most common issues prompting complaints were impermissible uses and disclosures (660 complaints), Right of Access violations (541 complaints), missing general safeguards (481 complaints), lacking HIPAA Security Rule administrative safeguards (147 complaints), and missing or late individual breach notifications (122 complaints).

OCR initiated 730 compliance reviews and completed 797 compliance reviews in 2024 that did not arise from complaints. While OCR is required by the HITECH Act to conduct audits of HIPAA-regulated entities, no audits were initiated in 2024. OCR is also responsible for outreach activities to improve the education of the public with respect to their HIPAA Rights, and HIPAA-regulated entities about large data breach trends. OCR conducted 89 such outreach activities in calendar year 2024.

The report on compliance with the HIPAA Privacy, Security, and Breach Notification Rules shows there was a slight year-over-year decrease in complaints and a small increase in initiated compliance reviews.

Year Complaints received YoY Percentage Change in Complaints Initiated Compliance Reviews (including complaints and breaches) YoY Percentage Change in Initiated Compliance Reviews
2024 30,256 – 2% 797 -3%
2023 30,968 + 2% 773 +14%
2022 30,435 -11% 676 + <1%
2021 34,077 +25% 674 -10%
2020 27,182 -4% 746 +22%
2020 to 2024 +11% +7%

Penalties Arising from Substantiated HIPAA Compliance Complaints in 2024

In total, OCR imposed 22 financial penalties to resolve HIPAA violations in calendar year 2024, 13 in response to reports of data breaches and 9 in response to complaints. In total, OCR collected $9,944,612 in settlements and penalties. Complaints resolved with financial penalties are detailed in the table below. Further information on each fine can be found on our HIPAA Violation Cases page.

HIPAA-Regulated Entity Penalty Type Penalty Amount Individuals Affected Areas of Alleged HIPAA Noncompliance
Essex Residential Care dba Hackensack Meridian Health, West Caldwell Care Center Civil Monetary Penalty $100,000 1 HIPAA Right of Access
American Medical Response Civil Monetary Penalty $115,200 1 HIPAA Right of Access
Cascade Eye and Skin Centers Settlement $250,000

 

 291,000 Risk analysis; monitoring of information systems
Rio Hondo Community Mental Health Center Civil Monetary Penalty $100,000 1 HIPAA Right of Access
Inmediata Health Group Settlement $250,000 1,565,338 Risk analysis; monitoring of information systems
Holy Redeemer Hospital Settlement $35,581 1 HIPAA Right of Access
Gums Dental Care Civil Monetary Penalty $70,000 1 HIPAA Right of Access
South Broward Memorial Hospital District dba Memorial Healthcare System Settlement $60,000 1 HIPAA Right of Access
Oregon Health and Science University Civil Monetary Penalty $200,000 1 HIPAA Right of Access

 

The post OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2024 appeared first on The HIPAA Journal.

Mission Community Hospital Pays $1.55M to Settle Data Breach Lawsuit

Posted by Steve Alder

Deanco Healthcare, LLC, the operator of Mission Community Hospital, an acute care hospital serving patients in the San Fernando Valley in California, has agreed to a settlement to resolve claims stemming from a cyberattack that was discovered by the hospital on May 1, 2023.

According to the forensic investigation, the unauthorized access started the same day, and while the attack was quickly identified and contained, the threat actor exfiltrated files containing patient data such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and financial account information. The Ransomhouse ransomware group took responsibility for the attack and claimed to have exfiltrated around 2.5 terabytes of data. The data breach was reported to the HHS’ Office for Civil Rights as affecting 269,547 individuals.

Two class action lawsuits were filed in response to the data breach in the Superior Court of California for the County of Los Angeles, which were consolidated into a single action – Concepcion et al. v. Deanco Healthcare – as they had overlapping claims.  The consolidated lawsuit claimed that the defendant was negligent and should have prevented the cyberattack and data breach. The claims were denied by the defendant, which maintains that there was no wrongdoing and that there is no liability. All parties ultimately agreed to a settlement to avoid the costs of continued litigation and the uncertainty of a trial.

Mission Community Hospital in California has agreed to pay $1.546,409.42 to settle the lawsuit. Class members – individuals who were notified by Mission Community Hospital, Deanco Healthcare, or a Deanco affiliate that they had been affected by the incident – may claim one or more benefits, which will be paid after attorneys’ fees and expenses ($541,243.30 + up to $50,000), settlement administration costs (up to $235,400), and service awards for the class representatives ($2,000 each; $4,000 total) have been paid. Should claims exceed the residual funds, they will be paid pro rata.

Class members are entitled to claim a two-year membership to a medical data monitoring service, and California residents at the time of the data breach may claim a $100 statutory payment. In addition, a claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a cash payment, which will be paid pro rata from the residual funds after the above benefits have been paid. The deadline for objection and opting out is July 13, 2026. The deadline for filing a claim is August 12, 2026, and the final approval hearing has been scheduled for September 9, 2026.

The post Mission Community Hospital Pays $1.55M to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.