HIPAA Compliance News

Top of the World Treatment Center Settles Alleged Risk Analysis HIPAA Violation

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve an alleged violation of the HIPAA Rules. Top of the World Treatment Center, a Milan, Illinois-based addiction treatment provider, has agreed to pay a $103,000 financial penalty to settle an allegation that it violated the risk analysis requirement of the HIPAA Security Rule.

The number of data breaches reported to OCR involving hacking increased by 239% between 2018 and 2023, and hacking incidents have continued to be reported in high numbers since. In an effort to improve healthcare cybersecurity and reduce the number of successful hacking incidents, OCR launched an enforcement initiative targeting noncompliance with a specific requirement of the HIPAA Security Rule – the risk analysis. The risk analysis is one of the most important HIPAA requirements for improving security.

The enforcement initiative is intended to make it harder for hackers to succeed by ensuring that the vulnerabilities they exploit to gain access to healthcare networks are identified and addressed in a timely manner. OCR’s HIPAA compliance audits and data breach investigations consistently uncovered risk analysis failures, including failures to conduct a risk analysis and incomplete risk analyses. If healthcare organizations do not conduct a comprehensive, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), risks and vulnerabilities will remain and can potentially be exploited by hackers.

Including the latest penalty, OCR has resolved 11 investigations of ePHI breaches with settlements or civil monetary penalties for alleged violations of the risk analysis provision of the HIPAA Security Rule. “In a time where health care providers and other HIPAA-regulated entities are facing unprecedented cybersecurity threats, compliance with the HIPAA Risk Analysis provision is more essential than ever,” said OCR Director Paula M. Stannard. “Covered entities and business associates cannot protect electronic protected health information if they haven’t identified potential risks and vulnerabilities to that health information.”

OCR’s investigation of Top of the World Treatment Center was prompted by a phishing incident. An employee was tricked by a phishing email into disclosing their credentials, which allowed a hacker to access a single business email account for several hours on November 17, 2022. The email account was reviewed and found to contain the ePHI of 1,980 individuals, including their names, Social Security numbers, diagnosis information, treatment information, and health insurance information.

OCR investigated and was not provided with evidence that a HIPAA-compliant risk analysis had been conducted prior to the data breach, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Under the current enforcement initiative, financial penalties are imposed for risk analysis failures. OCR notified Top of the World Treatment Center of its intention to impose a financial penalty for the alleged violation and offered to settle the matter informally. Settlements involve a reduced financial penalty, but the HIPAA-regulated entity must adopt a corrective action plan.

Top of the World Treatment Center is required to conduct a comprehensive, organization-wide risk analysis to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Based on the risk analysis, a risk management plan must be developed and implemented to reduce all identified risks and vulnerabilities to a low and acceptable level. After the initial risk analysis, Top of the World Treatment Center must conduct an accurate and thorough risk analysis at least annually, and subject risks to a HIPAA-compliant risk management process.

Further, policies and procedures must be developed, implemented, and maintained to comply with the HIPAA Rules, specifically covering risk analyses, risk management, information system activity reviews, and breach notifications. The new policies must be distributed to the workforce, training materials must be developed (and approved by OCR), and HIPAA training must be provided to the workforce.

The post Top of the World Treatment Center Settles Alleged Risk Analysis HIPAA Violation appeared first on The HIPAA Journal.

March 1, 2026: Small Healthcare Data Breach HIPAA Reporting Deadline

Healthcare data breaches discovered in calendar year 2025 that affected fewer than 500 individuals must be reported to the HHS’ Office for Civil Rights by March 1, 2026.

The HIPAA Breach Notification Rule requires data breaches affecting 500 or more individuals to be reported to OCR within 60 days of the discovery of a data breach. Individuals must also be notified within 60 days, and a notice must be submitted to prominent media outlets where the affected individuals are located if 500 or more individuals are affected in a state or jurisdiction.

The breach notification requirements for small breaches are different. The affected individuals must still be notified within 60 days of the discovery of a data breach; however, a media notice is not required. OCR must still be notified about small healthcare data breaches, but HIPAA-regulated entities can delay submitting notifications to OCR. All small healthcare data breaches must be reported to OCR within 60 days of the end of the calendar year when the breach was discovered.

Each small data breach must be reported separately via the OCR data breach portal. HIPAA-regulated entities should not leave uploading data breach reports until the last minute, in case of any technical issues with the data breach portal. Late reporting of breaches puts HIPAA-regulated entities at risk of a financial penalty, and OCR could opt to conduct a compliance investigation to determine if there is broader noncompliance with the HIPAA Rules.

Financial penalties for breach notification failures have been relatively rare since the HIPAA Enforcement Rule was enacted; however, in 2025, noncompliance with the HIPAA Breach Notification Rule was the second most common reason for financial penalty after risk analysis failures. Last year, OCR closed 21 HIPAA cases with settlements or civil monetary penalties, 5 of which included penalties for breach notification failures.


February 16, 2026: Compliance Deadline for Part 2 Final Rule

The deadline for compliance with the 42 CFR Part 2 Confidentiality of Substance Use Disorder (SUD) Patient Records (Part 2) Final Rule was February 16, 2026. Entities subject to the Part 2 regulations must ensure compliance with the new requirements, which are now in effect and being actively enforced. The Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records was announced by the HHS’ Office for Civil Rights (OCR) on February 13, 2026. In that announcement, OCR confirmed that, from February 16, 2026, OCR will accept complaints alleging violations of the regulation that protects the confidentiality of SUD patient records and alleged breach notification violations.

The final rule was issued by OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA) on February 8, 2024, to better align the Part 2 regulations with the Health Insurance Portability and Accountability Act (HIPAA). The final rule took effect on April 16, 2024, and entities covered by the Part 2 regulations were given until February 16, 2026, 22 months after the effective date, to comply with the new requirements.

Aligning the Part 2 regulations more closely with HIPAA removes barriers to information sharing and should improve care coordination, without eliminating important privacy protections. The final rule expanded patient rights regarding uses and disclosures of SUD records and has made compliance less complex for entities subject to both sets of regulations.

Some of the key new requirements are detailed below:

  • A single patient consent for all future uses and disclosures of SUD records for treatment, payment, and healthcare operations is permitted
  • HIPAA-regulated entities may redisclose SUD records received under that consent in accordance with the HIPAA Privacy Rule
  • Part 2 records no longer need to be segregated
  • SUD records may be disclosed to public health authorities if de-identified in accordance with HIPAA standards
  • Patients may obtain an accounting of disclosures of their SUD records
  • Patients may request restrictions on certain disclosures of their SUD records
  • Patients may file complaints with the HHS about potential Part 2 violations
  • Covered entities must establish a complaints program
  • Restrictions on the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order
  • A safe harbor requires investigative agencies to take steps if they discover they have received Part 2 records without having first obtained the required court order
  • The HIPAA Breach Notification Rule requirements apply to Part 2 records. Entities experiencing a breach of Part 2 records must self-report the data breaches to the HHS and issue individual notifications

A final rule issued under the Biden administration in 2024 – the HIPAA Privacy Rule to Support Reproductive Health Care Privacy – which prohibited disclosures of reproductive health information for criminal, civil, or administrative investigations, was vacated by a Texas federal judge last year. That final rule also amended 45 C.F.R. § 164.520 (notice of privacy practices – NPP) with respect to SUD records, and that provision remains in place. The deadline for updating and distributing NPPs to reflect the heightened protections for SUD records is also February 16, 2026.

The requirements under HIPAA for NPPs are detailed in this post – HIPAA Notice of Privacy Practices. Before the February 16, 2026, deadline, entities subject to the Part 2 regulations must update their NPPs. The NPP must notify individuals about the permitted uses and disclosures of Part 2 records, explain the legal rights of individuals with respect to their Part 2 records, explain the more stringent limits on Part 2 records and how they differ from HIPAA, explain how the use of SUD records in civil, criminal, administrative, or legislative proceedings against an individual is limited, and notify individuals that the use or disclosure of Part 2 records for treatment, payment, and health care operations generally requires the individual’s written consent.

If SUD records are created or maintained by the entity, the additional elements that must be included in the NPP are explained below:

  • Notice about rights with respect to SUD records – Individuals must receive “adequate notice of the uses and disclosures of such records, and of the individual’s rights and the covered entity’s legal duties with respect to such records.” While HIPAA permits certain uses and disclosures of protected health information without authorization, the rules are different for SUD records. If the HIPAA NPP and the Part 2 NPP are combined, then the NPP must contain all of the required elements under 42 CFR 2.22.
  • Limits on the Use of SUD Records – Covered entities must state the difference between Part 2 and HIPAA. A statement must be included with respect to SUD treatment records to explain that “[SUD Records] received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.”
  • Notice about other laws that are more restrictive than HIPAA – The permitted uses and disclosures explained in the NPP are limited by laws more restrictive than HIPAA, such as Part 2, and the description of uses and disclosures must reflect the more stringent law. If another law permits or requires disclosures, the description in the NPP about uses and disclosures must include sufficient detail to place the individual on notice of uses and disclosures permitted or required by HIPAA, along with any other applicable law, including Part 2.
  • Notice about redisclosure of Part 2 records – The NPP must contain a statement advising patients about the potential redisclosure of records. If information is disclosed pursuant to the HIPAA Privacy Rule, the records could potentially be redisclosed and will no longer be protected under the HIPAA Privacy Rule.
  • Fundraising – If an entity that creates or maintains Part 2 records intends to use that information for fundraising purposes for the benefit of the covered entity, individuals must be presented with a clear and conspicuous opportunity to choose not to receive fundraising communications.

In August 2025, HHS Secretary Robert F. Kennedy Jr. delegated the authority for enforcing compliance with the Part 2 regulations to OCR. Enforcement of Part 2 compliance follows the same process as HIPAA enforcement: OCR can enter into resolution agreements, monetary settlements, and corrective action plans with entities subject to the Part 2 regulations and can also impose civil monetary penalties for noncompliance. The financial penalties for noncompliance now also align with HIPAA, increasing from $500 for a first offense and $5,000 for subsequent offenses to the current HIPAA penalties, which in 2025 ranged from $141 to $2.1 million, with criminal penalties also possible. The penalty amounts are subject to annual increases in line with inflation.


2025 Healthcare Data Breach Report

More than 700 healthcare data breaches affecting 500 or more individuals are being reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) each year. While that unwelcome trend didn’t change in 2025, there was a year-over-year reduction in healthcare data breaches. Based on the current data downloaded from OCR, data breaches have fallen by 4.3% year-over-year.

While that could signal a turn in the tide, it is perhaps a little early to draw such conclusions, as data breaches from 2025 are still being added to the OCR breach portal. When we compiled our 2024 healthcare data breach report in January 2025, 725 large healthcare data breaches were listed on the OCR breach portal. That total increased to 742 data breaches over the following few months. While a similar number of late additions would still mean an annual decrease in data breaches, there was a 43-day shutdown of the federal government in late 2025 due to the failure of Congress to pass appropriations legislation. During that period, no data breaches were added to the OCR breach portal. The late additions in 2026 could therefore be considerably higher than in previous years.

What is clear is that the large annual increases in data breaches between 2018 and 2021 appear to have come to an end, with data breaches plateauing in the 700 to 750 range, which is around two large healthcare data breaches a day – twice the rate in 2018.

Healthcare data breaches 2021-2025

While data breaches are only down slightly, there has been a massive reduction in the number of individuals affected by healthcare data breaches. In 2024, a new record was set for breached healthcare records, with 289,162,330 individuals having their protected health information exposed or impermissibly disclosed. In 2025, at least 61,556,256 individuals had their protected health information exposed or impermissibly disclosed, a 78.7% decrease from 2024. Even if the 192,700,000 individuals affected by the Change Healthcare ransomware attack in 2024 are discounted entirely, last year’s total would still be significantly down year-over-year, largely due to a fall in the number of mega data breaches affecting more than 1 million individuals. In 2024, there were 18 of these mega breaches, but only 9 mega breaches were reported in 2025. The average data breach size fell from 389,707 individuals (median: 6,702 individuals) in 2024 to 86,699 individuals (median: 4,011 individuals) in 2025.

Individuals affected by healthcare data breaches 2021-2025

The Biggest Healthcare Data Breaches of 2025

The table below shows the top 20 healthcare data breaches of 2025, the biggest of which was a hacking incident at the insurance company Aflac, which affected more than 22.6 million individuals globally and involved unauthorized access to the protected health information of almost 14 million individuals in the United States. While the nature of the attack was not disclosed, the cyberattack is thought to be the work of the Scattered Spider hacking group, a financially-motivated English-speaking hacking group whose members are primarily located in the United States and the United Kingdom.

While most of the top 20 data breaches were hacking incidents, the data breach at Blue Shield of California involved the use of tracking tools on its website, which may have disclosed personal information and, in some cases, protected health information to third parties such as Meta Platforms and Google. The data breach at Serviceaide involved an improperly secured database, which could be freely accessed via the internet without any authentication, and two of the top 20 data breaches of 2025 involved compromised email accounts: Numotion and Onsite Mammography.

The table below could change over the coming few months as many investigations of 2025 healthcare data breaches have not yet concluded. For instance, the data breach at Covenant Health was reported to OCR as affecting just 7,864 individuals, but in January 2026, the Maine Attorney General was informed that 478,188 individuals were affected. The OCR data breach portal has yet to be updated with the new total. Further, the OCR breach portal currently lists 64 data breaches with totals of 500 or 501 affected individuals – placeholder figures commonly used when data reviews have yet to conclude.

Rank | Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach
1 | Aflac Incorporated (“Aflac”) | GA | Health Plan | 13,924,906 | Hacking incident
2 | Yale New Haven Health System | CT | Healthcare Provider | 5,556,702 | Hacking incident
3 | Episource, LLC | CA | Business Associate | 5,418,866 | Hacking incident
4 | Blue Shield of California | CA | Business Associate | 4,700,000 | PHI disclosure due to website tracking tools
5 | DaVita Inc. | CO | Healthcare Provider | 2,689,826 | Ransomware attack
6 | Anne Arundel Dermatology | MD | Healthcare Provider | 1,905,000 | Hacking incident
7 | Radiology Associates of Richmond, Inc. | VA | Healthcare Provider | 1,419,091 | Hacking incident
8 | Southeast Series of Lockton Companies, LLC (Lockton) | GA | Business Associate | 1,124,727 | Hacking incident
9 | Community Health Center, Inc. | CT | Healthcare Provider | 1,060,936 | Hacking incident
10 | Frederick Health | MD | Healthcare Provider | 934,326 | Ransomware attack
11 | McLaren Health Care | MI | Healthcare Provider | 743,131 | Ransomware attack
12 | Medusind Inc. | FL | Business Associate | 701,475 | Hacking incident
13 | Kelly & Associates Insurance Group, Inc. | MD | Business Associate | 553,332 | Hacking incident
14 | Decisely Insurance Services, LLC | GA | Business Associate | 537,603 | Hacking incident
15 | United Seating and Mobility, LLC d/b/a Numotion | TN | Healthcare Provider | 529,004 | Phishing attack
16 | Serviceaide, Inc. | CA | Business Associate | 483,126 | Database exposed on the internet
17 | Goshen Medical Center | NC | Healthcare Provider | 456,385 | Hacking incident
18 | Ascension Health | MO | Healthcare Provider | 437,329 | Hacking incident at a business associate
19 | Northwest Radiologists, Inc./Mount Baker Imaging | WA | Healthcare Provider | 362,713 | Hacking incident
20 | Onsite Mammography | MA | Business Associate | 357,265 | Compromised email account


2025 Healthcare Data Breaches by Size
Data Breach Size (Individuals Affected) | Number of Breaches
10,000,000+ | 1
1,000,000 – 9,999,999 | 8
500,000 – 999,999 | 6
100,000 – 499,999 | 64
10,000 – 99,999 | 176
1,000 – 9,999 | 309
500 – 999 | 146
Total | 710

Average size of healthcare data breaches 2009-2025

Median size of healthcare data breaches 2009-2025

2025 Healthcare Data Breach Causes

Hacking and other IT incidents continue to dominate the breach reports. The majority of these incidents are hacking incidents, as has been the case for many years. There has been a growing trend in recent years of entities suffering data breaches failing to disclose the root cause of the data breach, such as if a hacking incident involved data theft, extortion, malware, or ransomware. The Identity Theft Resource Center reports that this is a problem across all industry sectors, not just healthcare.

Causes of 2025 healthcare data breaches

The problem with the lack of information in breach notices is that individuals are not given sufficient information to make an accurate determination about the level of risk they face. Most ransomware attacks involve data theft and extortion. If the ransom is not paid, the stolen data is leaked on the dark web or sold. According to the cybersecurity firm Black Fog, 96% of ransomware attacks involve data theft, and the ransomware remediation firm Coveware reports that in Q4, 2025, only 20% of ransomware victims paid the ransom. Taken together (96% × 80%), those figures suggest that roughly 76.8% of ransomware attacks result in stolen data being leaked. If breach victims are told that ransomware was involved, they know their data will likely be leaked, and it would be prudent to take steps to prevent data misuse. If they are only told that their data has been exposed, they may incorrectly assume that they do not face a high risk of data misuse and may choose to take no action.

Black Fog reports that ransomware attacks reached record levels in 2025, with 1,174 confirmed attacks across all industry sectors, and healthcare was the worst affected sector, accounting for 22% of attacks. There has also been a growing trend of data theft and extortion, with threat actors skipping file encryption. The PEAR threat group emerged in 2025 and only engages in data theft and extortion. The group claimed many healthcare victims in 2025. Other common IT incidents in 2025 include improperly secured databases, which exposed healthcare data via the internet, and phishing attacks that resulted in unauthorized access to email accounts.

Hacking incidents at HIPAA-regulated entities 2021-2025

Individuals affected by hacking incidents at HIPAA-regulated entities 2021-2025

Hacking and other IT incidents tend to affect more individuals than other types of breaches. In 2025, these incidents affected an average of 105,623 individuals (median: 5,434 individuals), compared to an average of 9,909 individuals (median: 1,662 individuals) for unauthorized access/disclosure incidents, and an average of 4,402 individuals (median: 1,690 individuals) for loss/theft incidents.

While there were small decreases in hacking/IT incidents, loss/theft incidents, and improper disposal incidents year-over-year, there was a 17.4% increase in unauthorized access/disclosure incidents. These incidents include data theft by malicious insiders and inadvertent data exposures due to carelessness by employees. Staff HIPAA training can go a long way toward reducing these types of breaches. Making all staff members aware of their responsibilities under HIPAA and the consequences of HIPAA violations if they are discovered can help to reduce the risk of these types of breaches.

Unauthorized access/disclosure incidents at HIPAA-regulated entities 2021-2025

Individuals affected by Unauthorized access/disclosure incidents at HIPAA-regulated entities 2021-2025

Regular security awareness training can help to stamp out the risky security practices that frequently result in data breaches. It is also important for regulated entities to have the software, policies, and procedures in place to allow them to identify and remediate insider incidents quickly. Loss and theft incidents are becoming far less common due to the shift to cloud storage of PHI and to easier-to-implement, more cost-effective encryption options; a lost or stolen device whose data is encrypted in accordance with HHS guidance does not constitute a reportable breach of unsecured PHI. While these incidents were once a leading cause of healthcare data breaches, they are now relatively rare.

Loss and theft data breaches at HIPAA-regulated entities 2021-2025

Individuals affected by loss and theft data breaches at HIPAA-regulated entities 2021-2025

Improper disposal incidents are also something of a rarity. In 2025, there was only one such incident at a HIPAA-regulated entity, although it was a significant data breach, affecting more than 35,000 individuals.

Improper disposal data breaches at HIPAA-regulated entities 2021-2025

Individuals affected by improper disposal data breaches at HIPAA-regulated entities 2021-2025

Location of Breached Protected Health Information

A majority of the year’s data breaches involved exposed and stolen protected health information stored on network servers (61.5%), with almost a quarter of data breaches (24.9%) involving compromised email accounts. Physical PHI – paper and films – was compromised in 5.6% of the year’s data breaches, and 4.6% of data breaches involved unauthorized access to electronic medical records.

Location of breached protected health information in 2025

Data Breaches at HIPAA-Regulated Entities

The OCR data breach portal currently lists 523 data breaches at healthcare providers, 56 data breaches at health plans, and two data breaches at healthcare clearinghouses. A further 128 data breaches were reported by business associates of HIPAA-covered entities.

When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure compliance with the notification requirements of the HIPAA Breach Notification Rule. The covered entity may delegate the responsibility of issuing notifications to the business associate, or the covered entity may choose to issue notifications, or a combination of the two. Some healthcare data breach reports fail to take this into account, resulting in business associate data breaches being undercounted.

The charts below are based on the entity that experienced the data breach, rather than the entity that reported the breach. In 2025, 57.5% of data breaches occurred at healthcare providers, 35.8% at business associates, 6.5% at health plans, and 0.3% at healthcare clearinghouses.

Data breaches at HIPAA-regulated entities in 2025

Individuals affected by data breaches at HIPAA-regulated entities in 2025

Geographical Distribution of Healthcare Data Breaches

Data breaches affecting 500 or more individuals were reported by HIPAA-regulated entities in 49 U.S. states, the District of Columbia, and Puerto Rico in 2025. The only state to avoid a large healthcare data breach in 2025 was Vermont.

State/Territory | Data Breaches | State/Territory | Data Breaches
California | 69 | Kansas | 8
Florida | 47 | Oklahoma | 8
Texas | 47 | Arkansas | 7
New York | 44 | Iowa | 7
Ohio | 37 | Nebraska | 7
Pennsylvania | 32 | South Carolina | 7
Michigan | 26 | Alaska | 6
Illinois | 25 | Alabama | 6
Georgia | 23 | Colorado | 6
North Carolina | 22 | Maine | 6
Missouri | 20 | Utah | 5
Indiana | 18 | Idaho | 4
Massachusetts | 17 | Mississippi | 4
Maryland | 17 | Montana | 4
Minnesota | 17 | New Mexico | 4
Tennessee | 16 | Nevada | 4
Virginia | 16 | Rhode Island | 4
Washington | 16 | West Virginia | 4
Wisconsin | 16 | New Hampshire | 3
Arizona | 15 | Delaware | 2
Louisiana | 13 | Hawaii | 2
New Jersey | 12 | South Dakota | 2
Connecticut | 11 | Wyoming | 2
Oregon | 10 | District of Columbia | 1
Kentucky | 9 | North Dakota | 1

While California was the worst-affected state in terms of data breaches, Georgia took top spot for affected individuals.

State/Territory | Affected Individuals | State/Territory | Affected Individuals
Georgia | 16,050,351 | Minnesota | 222,210
California | 11,849,467 | Iowa | 218,559
Connecticut | 7,048,122 | Wisconsin | 199,972
Maryland | 3,809,252 | Rhode Island | 176,500
Florida | 3,372,753 | Maine | 158,054
Colorado | 2,708,292 | Idaho | 154,525
Virginia | 1,900,219 | South Dakota | 132,161
Michigan | 1,812,898 | Louisiana | 114,599
North Carolina | 1,484,108 | Nebraska | 114,313
Texas | 1,034,662 | South Carolina | 97,122
New York | 1,032,819 | Nevada | 90,241
Tennessee | 832,230 | Alaska | 90,073
Pennsylvania | 811,816 | Oregon | 86,813
Missouri | 787,413 | New Mexico | 86,235
Washington | 628,651 | West Virginia | 76,191
Indiana | 621,441 | New Hampshire | 73,816
Ohio | 577,751 | Mississippi | 60,205
Illinois | 513,672 | Puerto Rico | 50,000
Massachusetts | 465,095 | Utah | 42,651
New Jersey | 448,143 | Oklahoma | 38,342
Kansas | 438,181 | Montana | 36,485
Arkansas | 261,435 | Wyoming | 15,883
Arizona | 243,894 | Delaware | 14,635
Kentucky | 233,836 | Hawaii | 8,972
Alabama | 228,199 | District of Columbia | 1,847

HIPAA Violation Penalties in 2025

HIPAA penalties 2009-2025

Last year, OCR almost set a new record for HIPAA enforcement actions, with 21 investigations of complaints and data breaches resolved with settlements or civil monetary penalties. While 2025 saw the second-highest-ever number of HIPAA cases resolved with financial penalties, OCR collected only $8,330,066 in fines, as the majority of penalties were imposed for violations of a single HIPAA provision.

HIPAA Penalties 2017-2025

In 2025, a key focus for OCR was compliance with the risk analysis provision of the HIPAA Security Rule. A comprehensive, organization-wide risk analysis is vital for security. If a risk analysis is not conducted or if it is incomplete, risks are likely to remain unaddressed and may be found and exploited by threat actors. OCR’s compliance audits and data breach investigations have frequently identified risk analysis failures, prompting OCR to launch a risk analysis enforcement initiative.

By focusing on this vital aspect of HIPAA compliance, rather than investigating data breaches more broadly for HIPAA noncompliance, OCR has been able to make significant inroads into addressing its backlog of data breach investigations. The consequence of this approach is that by focusing on violations of a single HIPAA provision, financial penalties are lower.

Area of Noncompliance | Number of Enforcement Actions
Risk analysis | 16
Breach notifications | 5
Impermissible disclosure of ePHI | 4
Recording and monitoring activity in information systems | 3
Right of Access | 3
Risk management | 3
Social media | 1
Information access management | 1
Procedures to create and maintain retrievable exact copies of ePHI | 1

In 2025, 76% of all enforcement actions included a penalty for a risk analysis failure. OCR has also started to look closely at compliance with the Breach Notification Rule, which was the second most common reason for a financial penalty. The HIPAA Breach Notification Rule requires individual notifications within 60 days of the discovery of a data breach, with notices to OCR and the media on the same timeline for breaches affecting 500 or more individuals. More than one-fifth of enforcement actions included a penalty for breach notification failures.

OCR has confirmed that its enforcement priorities in 2026 will be largely the same as in 2025. OCR will continue with its HIPAA Right of Access and risk analysis enforcement initiatives, with the latter being expanded to include risk management. In addition to demonstrating that risks have been identified, OCR will want to see evidence that the identified risks have been managed and reduced in a timely manner.

OCR HIPAA Settlements in 2025

HIPAA-Regulated Entity Penalty Amount Reason for Penalty
Elgon Information Systems $80,000 Risk analysis failure
Virtual Private Network Solutions $90,000 Risk analysis failure
USR Holdings $337,750 Risk analysis failure; recording activity in information systems; procedures to create and maintain retrievable exact copies of ePHI; impermissible disclosure of 2,903 individuals’ PHI
Solara Medical Supplies $3,000,000 Risk analysis failure; risk management failure; breach notification failure (individuals, media, HHS); impermissible disclosure of the PHI of 114,007 and 1,531 individuals
South Broward Hospital District (Memorial Health System) $60,000 HIPAA Right of Access failure
Northeast Surgical Group $10,000 Risk analysis failure
Health Fitness Corporation $227,816 Risk analysis failure
Northeast Radiology, P.C. $350,000 Risk analysis failure
Guam Memorial Hospital Authority $25,000 Risk analysis failure
PIH Health $600,000 Risk analysis failure; breach notification failure (media notice, HHS notice); impermissible disclosure of PHI
Comprehensive Neurology, PC $25,000 Risk analysis failure
Vision Upright MRI $5,000 Risk analysis failure; breach notification failure
BayCare Health System $800,000 Information access management failure (minimum necessary standard); risk management failure; lack of information system activity reviews
Comstar, LLC $75,000 Risk analysis failure
Deer Oaks – The Behavioral Health Solution $225,000 Risk analysis failure; impermissible disclosure of ePHI
Syracuse ASC (Specialty Surgery Center of Central New York) $250,000 Risk analysis failure; breach notification failure (OCR, individuals)
BST & Co. CPAs, LLP $175,000 Risk analysis failure
Cadia Healthcare Facilities $182,000 Social media disclosure without authorization; breach notification failure
Concentra Inc. $112,500 HIPAA Right of Access failure

OCR HIPAA Civil Monetary Penalties in 2025

HIPAA-Regulated Entity Penalty Amount Reason for Penalty
Warby Parker $1,500,000 Risk analysis failure; risk management failure; lack of monitoring of activity in information systems containing ePHI.
Oregon Health & Science University $200,000 HIPAA Right of Access failure

State attorneys general also enforce HIPAA compliance and can impose financial penalties, although some state attorneys general impose fines for violations of state data privacy and security rules. In 2025, only one enforcement action was announced by a state attorney general. The New York attorney general imposed a $500,000 financial penalty on Orthopedics NY LLP for cybersecurity failures that led to a data breach affecting 656,086 individuals. The penalty was imposed for violations of New York laws, although the HIPAA Security Rule was undoubtedly also violated.

The post 2025 Healthcare Data Breach Report appeared first on The HIPAA Journal.

December 2025 Healthcare Data Breach Report

In the final month of 2025, a further 41 healthcare data breaches affecting 500 or more individuals were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) by HIPAA-regulated entities. December’s total was the joint second-lowest monthly total of the year and the fourth month in a row where data breaches have been reported in unusually low numbers. Over the past four months, an average of 40.75 large data breaches have been reported per month, compared to an average of 66.5 large data breaches per month for the preceding four months. December 2025’s total is the lowest December total since 2019.

Healthcare data breaches in 2025

One possible explanation for the unusually low total is the 43-day government shutdown, due to the failure of Congress to pass appropriations legislation. All but non-essential staff at the HHS were furloughed, during which time no breach reports were added to the OCR breach portal. While data breach reports have now been added to the breach portal for that period, it is possible that OCR has yet to fully clear the backlog, and the totals for September to December may increase over the coming weeks.

December healthcare data breaches 2021-2025

As it stands, there are currently 697 data breaches listed for 2025, a 6% reduction from the 742 large data breaches reported in 2024. The 697 total will almost certainly increase. When we compiled our December 2024 healthcare data breach report on January 20, 2025, 721 large healthcare data breaches were listed. A further 21 were added to the breach portal for 2024 in the following weeks and months.

Individuals affected by healthcare data breaches in 2025

Across the 41 healthcare data breaches currently listed for December 2025, the protected health information of only 345,564 individuals was exposed or impermissibly disclosed. The number of affected individuals in each of the past four months has also been atypically low, with an average of 1,336,061 individuals affected each month. For the preceding four months (May to August), the average monthly total was 8,181,449 individuals. The totals for the past four months will certainly increase, as many data breach investigations are ongoing, and it has yet to be determined how many individuals have been affected.

Individuals affected by December healthcare data breaches 2021-2025

December 2025’s 346,564 affected individuals is the lowest monthly total since December 2017, when 343,260 individuals were affected. Currently, 60,976,942 individuals are known to have been affected by healthcare data breaches in 2025, a 78.9% reduction from 2024, although 2024’s total includes the gargantuan data breach at Change Healthcare, which affected 192,700,000 individuals.

Largest Healthcare Data Breaches Reported in December 2025

Only five data breaches reported in December affected 10,000 or more individuals, the largest of which was a hacking incident at Fieldtex Products, a Rochester, NY-based medical supply fulfillment organization. While the largest Fieldtex Products breach report covered 104,071 individuals, the company filed a total of four separate breach reports with OCR in December, affecting a total of 139,009 individuals, and a further breach report was filed in November, affecting 35,748 individuals. All five reports are thought to stem from the same hacking incident, which Fieldtex Products detected on August 19, 2025.

AllerVie Health, a Texas-based network of allergy and asthma centers, fell victim to a ransomware attack in November 2025, with the hackers found to have had access to its network from October 24, 2025, to November 3, 2025. The Anubis ransomware group claimed responsibility for the attack. Medical Center LLP, doing business as Dublin Medical Center in Georgia, experienced a hacking incident that affected 20,641 individuals, and Variety Care in Oklahoma was affected by a cyberattack on its business associate TriZetto, a provider of administrative services to HIPAA-regulated entities. Variety Care was one of many covered entities affected by the data breach. While the total number of affected individuals has yet to be confirmed, the TriZetto data breach is now known to have affected more than 700,000 individuals.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Fieldtex Products, Inc. NY Business Associate 104,071 Hacking incident
AllerVie Health TX Healthcare Provider 80,521 Ransomware attack (Anubis)
Medical Center, LLP GA Healthcare Provider 32,090 Hacking incident
Fieldtex Products, Inc. NY Business Associate 20,641 Hacking incident
Variety Care OK Healthcare Provider 17,163 Hacking incident at business associate (TriZetto Provider Solutions)

Six data breaches were reported in December 2025, with totals of 500 or 501 affected individuals. These are commonly used ‘placeholder’ estimates when the investigation is still ongoing as the deadline for reporting the data breach to OCR approaches. These totals will almost certainly increase and will be updated when the data breach investigations are concluded.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Associated Radiologists of the Finger Lakes, P.C. NY Business Associate 501 Hacking Incident
Glendale Obstetrics & Gynecology PCA AZ Healthcare Provider 501 Hacking Incident
Reproductive Medicine Associates of Michigan MI Healthcare Provider 501 Hacking incident – Data theft confirmed
Mitchell County Department of Social Services NC Healthcare Provider 501 Ransomware attack – Data theft confirmed
Greater St. Louis Oral & Maxillofacial Surgery PC MO Healthcare Provider 501 Compromised email account in a phishing attack
Madison Healthcare Services MN Healthcare Provider 500 Hacking incident – Worldleaks threat group claimed responsibility

Causes of December 2025 Healthcare Data Breaches

Hacking and other IT incidents accounted for 80.5% of the month’s data breaches, with 33 such incidents reported, affecting 327,095 individuals – 94.4% of the month’s total. The average breach size was 9,912 individuals, and the median breach size was 2,511 individuals. There were 8 unauthorized access/disclosure incidents in December, affecting 19,469 individuals. The average breach size was 2,434 individuals, and the median breach size was 1,469 individuals. No loss, theft, or improper disposal incidents were reported in December.

Causes of December 2025 healthcare data breaches

The most common location of breached protected health information was network servers, followed by six incidents involving compromised email accounts.

Location of breached PHI in December 2025

Where did the Data Breaches Occur?

Healthcare providers were the worst-affected regulated entities in December, reporting 29 of the month’s 41 data breaches (191,900 individuals). Six data breaches were reported by health plans (12,272 individuals) and six by business associates (142,392 individuals). When a data breach occurs at a business associate, it is ultimately the responsibility of each affected covered entity to ensure that breach notifications are sent and OCR is notified. The covered entities may delegate the notification responsibilities to the business associate, but oftentimes the affected HIPAA-covered entities report the breach themselves. For instance, covered entities affected by the data breach at TriZetto Provider Solutions reported the breach, even though it occurred at their business associate (or at a subcontractor of their business associate). To better reflect breaches at business associates, the charts below show data breach figures based on where the data breach occurred, rather than on the entity reporting the data breach.

Data breaches at HIPAA-regulated entities in December 2025

Data breaches at HIPAA-regulated entities in December 2025 - individuals affected

Geographic Distribution of Healthcare Data Breaches

California was the worst-affected state in December in terms of data breaches, with nine HIPAA-regulated entities known to have been affected. The high total is due to the data breach at TriZetto Provider Solutions, which was either a business associate or a subcontractor of a business associate of six of the nine affected entities. New York ranked second, but four of its five data breaches were reported by the same entity, Fieldtex Products.

State Data Breaches
California 9
New York 5
Texas 4
Maryland, Michigan, Minnesota, Missouri, Oklahoma, Oregon & Tennessee 2
Arizona, Florida, Georgia, Illinois, Louisiana, Maine, Massachusetts, North Carolina & Ohio 1

While California topped the list for data breaches, New York was the worst state in terms of the number of affected individuals, followed by Texas.

State Individuals Affected
New York 140,320
Texas 85,728
Georgia 32,090
California 31,013
Oklahoma 18,275
Missouri 9,343
Oregon 6,473
Louisiana 4,519
Maryland 4,027
Tennessee 3,138
Illinois 2,511
Massachusetts 1,638
Ohio 1,629
Michigan 1,560
Maine 1,259
Florida 1,036
Minnesota 1,003
Arizona 501
North Carolina 501

HIPAA Enforcement Activity in December 2025

In December, OCR announced one HIPAA enforcement action that involved a financial penalty. Texas-based Concentra, Inc., was investigated after OCR received a complaint from an individual who had not been provided with timely access to his medical and billing records. Concentra agreed to settle the alleged HIPAA Right of Access violation and paid a $112,500 penalty. This was the 54th financial penalty under the HIPAA Right of Access enforcement initiative, which commenced in late 2019 and is ongoing. It has been a busy year of HIPAA enforcement, with OCR resolving 21 HIPAA violation cases with regulated entities in 2025 with a financial penalty. OCR collected $8,330,066 in penalties from those enforcement actions.

State attorneys general also enforce the HIPAA Rules, although 2025 was a quiet year, with only one financial penalty imposed to resolve a data breach investigation. Orthopedics NY LLP (OrthoNY) paid $500,000 to settle alleged cybersecurity failures that led to a breach of the protected health information of more than 656,000 individuals. The New York Attorney General cited violations of HIPAA and state cybersecurity laws.

Comstar to Pay State AGs $515,000 to Settle Alleged HIPAA Violations

Comstar, a Massachusetts-based ambulance billing and collections company, has been investigated by the Massachusetts Attorney General and found to have violated the Health Insurance Portability and Accountability Act (HIPAA) and the Massachusetts Data Security Regulations. Comstar will pay a $515,000 penalty to resolve the alleged violations.

Comstar was investigated over a March 2022 cyberattack and data breach. A cyber threat actor breached its network, exfiltrated files, and used ransomware to encrypt data on its network. While the attack was detected on March 26, 2022, the ransomware group gained access to its network on March 19, 2026. The forensic investigation confirmed that protected health information (PHI) had been stolen, including names, Social Security numbers, driver’s license numbers, financial information, and medical assessment information. The PHI of 585,621 individuals was compromised in the ransomware attack, including 326,426 Massachusetts residents and 22,829 Connecticut residents.

The Rowley, Massachusetts-based company faced an investigation by the Department of Health and Human Services Office for Civil Rights (OCR), which determined that Comstar failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) stored within its systems. The alleged HIPAA violation was resolved with a $75,000 financial penalty and a corrective action plan.

An investigation was also launched by the Massachusetts Attorney General to assess whether Comstar had complied with HIPAA, the Massachusetts Consumer Protection Act, the Massachusetts Data Security Regulations, and the Massachusetts Data Security Law. The Connecticut Attorney General partnered with the Massachusetts Attorney General in the investigation. Massachusetts Attorney General Andrea Campbell alleged that Comstar had violated HIPAA and the Massachusetts Data Security Regulations by failing to maintain an adequate Written Information Security Program (WISP), which should have allowed the company to identify and correct vulnerabilities and inadequacies in its data security program.

The consent judgment was filed in Suffolk Superior Court on January 28, 2026, and awaits approval from the court. If approved, Massachusetts will receive $415,000, and Connecticut will receive $100,000. In addition to the financial penalty, Comstar is required to implement additional security measures. An effective WISP must be established and maintained, as well as anti-phishing software, multifactor authentication, an intrusion detection/prevention system, and a security incident and event management platform.

Comstar must also implement and maintain a comprehensive and accurate IT asset inventory, appropriate access controls, password policies requiring strong unique passwords for all accounts, encryption for ePHI at rest and in transit, data loss protection software, a penetration testing program, and security software on all laptop and desktop computers. Comstar must also arrange for third-party annual security assessments to be conducted for the next three years. The Massachusetts and Connecticut Attorneys General require reports to be submitted by the third-party assessor on the findings of each annual security risk assessment.

HHS Applies Inflation Increase to Penalties for HIPAA Violations

The HHS’ Office for Civil Rights has increased the penalties for HIPAA violations with immediate effect. As of January 28, 2026, the penalties have been increased in line with inflation, as mandated by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. Annual adjustments to the penalty amounts are necessary to maintain the deterrent effect of financial penalties.

When the HITECH Act was introduced, the penalties for HIPAA violations were set as follows:

  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation up to $1,500,000

The penalties were capped at $1,500,000 for violations of an identical provision in a calendar year, and all penalties are subject to annual increases in line with inflation. OCR, like all other Executive Departments and Agencies, is required to apply annual increases to its penalty amounts. Each year, the Office of Management and Budget (OMB) issues a Memorandum that includes a multiplier for the annual adjustment.

All Executive Departments and Agencies are required to apply the multiplier by the specified date, which for the 2025 increase was January 17, 2025. The HHS is often late in applying the annual adjustment to its penalties. The previous adjustment to the penalty amounts was applied on August 8, 2024. While the 2025 adjustment was due to be applied by January 17, 2025, it was not applied until January 28, 2026, more than a year late. OMB has yet to announce the inflation multiplier for 2026.

The new penalty amounts are effective from the date of publication in the Federal Register. If the violation occurred before November 2, 2015, or a penalty was assessed before September 6, 2016, the pre-adjustment civil penalty amounts in effect before September 6, 2016, will apply.

2025 Penalties for HIPAA Violations

Penalty Tier Minimum Penalty Maximum Penalty Annual Penalty Cap
Did Not Know $145 $73,011 $2,190,294
Reasonable Cause $1,461 $73,011 $2,190,294
Willful Neglect (Corrected within 30 days) $14,602 $73,011 $2,190,294
Willful Neglect (Not corrected) $73,011 $2,190,294 $2,190,294

While these are the official penalty amounts, OCR has not rescinded its 2019 Notice of Enforcement Discretion. In 2019, OCR reviewed the text of the HITECH Act and determined there had been a misinterpretation. OCR issued a Notice of Enforcement Discretion, lowering the maximum penalties and annual caps in three of the four penalty tiers. The effective penalties for HIPAA violations, per the Notice of Enforcement Discretion, are detailed in the table below. OCR can rescind the Notice of Enforcement Discretion at any point, but cannot change the penalties detailed in the table above without further rulemaking.

Penalty Tier Minimum Penalty Maximum Penalty Annual Penalty Cap
Did Not Know $145 $36,505.50 $36,505.50
Reasonable Cause $1,461 $73,011 $146,053
Willful Neglect (Corrected within 30 days) $14,602 $73,011 $365,052
Willful Neglect (Not corrected) $73,011 $2,190,294 $2,190,294

Penalties for Violations of the Part 2 Regulations

Violations of the Part 2 regulations are now enforced by OCR, following the update to the Part 2 regulations to align them more closely with HIPAA. While violations are penalized with the same penalty structure as HIPAA, the penalties are not the same. OCR has taken the starting point to be the penalty amounts stipulated by the HITECH Act of 2009, rather than the current penalty amounts for HIPAA violations, which have increased annually in line with inflation since 2009. As such, violations of the Part 2 regulations are penalized less severely than violations of the HIPAA Rules, despite Part 2-covered data being considered more sensitive. Per the recent publication in the Federal Register, the penalties for violations of the Part 2 regulations are as follows.

Penalty Tier Minimum Penalty Maximum Penalty Annual Penalty Cap
Did Not Know $103 $51,299 $1,538,970
Reasonable Cause $1,026 $1,538,970 $1,538,970
Willful Neglect (Corrected within 30 days) $10,260 $1,538,970 $1,538,970
Willful Neglect (Not corrected) $51,299 $1,538,970 $1,538,970

58% of College Students Would Violate HIPAA and Sell Patient Data for the Right Price

A recent study exploring insider cybersecurity threats revealed that a majority of college students would be willing to violate the HIPAA Rules and steal and disclose patient data if they were paid to do so, provided the price was right. The amount of money required ranged from less than $10,000 to more than $10 million. The study was conducted by Lawrence Sanders, professor emeritus, University of Buffalo, Department of Management Science and Systems, and colleagues at the School of Management, and builds on a 2020 study that explored the price of healthcare privacy violations.

The 2020 study, published in JMIR Medical Informatics, was conducted on 523 students (average age of 21) who were about to enter the workforce. The respondents were asked to imagine that they had been employed by a hospital, and were given five scenarios in which they were asked if they would illegally obtain and disclose sensitive health information. 46% of respondents admitted that they would violate HIPAA and patient privacy if the price was right. In one of the scenarios, study participants were asked if they would obtain and disclose a politician’s medical records in exchange for $100,000, if the money was needed to pay for an experimental treatment for their mother that insurance wouldn’t cover. 79% of respondents said they would.

The follow-up study, which focused on cybersecurity insiders, was conducted on 500 undergraduate college students in technology-related programs, who represented future IT workers in the healthcare industry. They were asked to imagine they had been employed by a hospital, were being paid between $30,000 and $100,000, were under financial stress, and had been approached and asked to obtain and leak information about a famous patient at the hospital.

They were informed about HIPAA and how the federal law prohibits unauthorized access to and disclosure of protected health information, yet 58% said they would violate HIPAA in exchange for payment. The amount of money required was less than $10,000 in some cases, and whether they would be tempted – and the amount required – varied depending on the employee’s salary level and the perceived probability of being caught. The higher the employee’s salary, the more money was required to violate HIPAA and steal data. Individuals with an interest in ethical hacking generally required less money to violate HIPAA, as did individuals with an interest in unethical hacking, if they were assured that they would not be caught.

The study highlights the risk of insider data breaches and the importance of training on the HIPAA Privacy Rule requirements, making it clear to all workers that the consequences can be severe if violations are discovered.

“As cyberattacks and data breaches continue to rise, particularly in health care and other data-intensive sectors, our findings underscore the need for organizations to address the human and economic dimensions of cybersecurity alongside traditional technical controls,” said Professor Sanders. “Promoting awareness and education can discourage people from engaging in cybercrime by highlighting the negative consequences and risks associated with it. Initiatives that promote economic opportunity, social inclusion, cybersecurity literacy and a more secure digital environment are part of the solution.”

OCR Advises HIPAA-Regulated Entities to Take Steps to Harden System Security

In the first of its 2026 quarterly cybersecurity newsletters, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) urged HIPAA-regulated entities to take steps to harden system security and make it more difficult for hackers to gain access to their networks and sensitive patient and health plan member data.

The HIPAA Security Rule requires HIPAA-regulated entities to ensure the confidentiality, integrity, and availability of electronic protected health information that the regulated entity creates, receives, maintains, or transmits, which must include identifying risks and vulnerabilities to ePHI and taking timely action to reduce those risks and vulnerabilities to a low and acceptable level. OCR Director Paula Stannard has already stated this year that OCR will be looking closely at HIPAA Security Rule compliance. OCR will continue with its risk analysis enforcement initiative, which will evolve to include risk management to ensure that regulated entities are taking prompt action to reduce risks and vulnerabilities to ePHI identified by their risk analyses.

OCR explained in the newsletter that risks can be reduced by creating a set of standardized security controls and settings for different types of electronic information systems, addressing security weaknesses and vulnerabilities, and customizing electronic information systems to reduce the attack surface.

OCR reminded medical device manufacturers that they have an obligation to ensure that their devices include accurate labelling to allow users to take steps to ensure the security of the devices throughout the product lifecycle, and the importance of following Food and Drug Administration (FDA) guidance on security risk management, security architecture, and security testing. Healthcare providers need to read the labelling on their devices carefully and ensure they understand how the devices should be configured to remain safe and effective through the entire product lifecycle.

OCR highlighted three key areas for hardening system security, all of which are vital for HIPAA Security Rule compliance. Threat actors search for known vulnerabilities that can be exploited to gain a foothold in a network, including vulnerabilities in operating systems, software, and device firmware. Whether the device is brand new or has been in use for some time, patches must be applied to fix known vulnerabilities. It may not be possible to patch vulnerabilities as soon as they are discovered; however, other remedial actions should be taken, as recommended by vendors, to reduce the risk of exploitation until patches are released and can be applied. A comprehensive and accurate IT asset inventory should be maintained, and policies and procedures developed and implemented to ensure a good patching cadence for all operating systems, software, and devices.

All organizations should take steps to reduce the attack surface by removing unnecessary software and devices, including software and devices that are no longer used, software features included in operating systems that serve no purpose for the regulated entity, and generic and service accounts created during the installation process. Accounts created during installation may have default passwords, which must be changed. OCR explained that in many of its investigations, accounts have been found for well-known databases, networking software, and anti-malware solutions that still have default passwords that provide privileged access.

Many cyberattacks occur as a result of misconfigurations. HIPAA-regulated entities must ensure security measures are installed, enabled, and properly configured. “Security measures often found in operating systems, as well as some other software, intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as, for example, access controls, encryption, audit controls, and authentication,” explained OCR. “A regulated entity’s risk analysis and risk management plan can inform its decisions regarding the implementation of these and other security measures.”

As OCR will be scrutinizing risk management and has advised regulated entities of their responsibilities to harden system security, all regulated entities should ensure they take the advice on board. “Defining, creating, and applying system hardening techniques is not a one-and-done exercise,” explained OCR. “Evaluating the ongoing effectiveness of implemented security measures is important to ensure such measures remain effective over time,” and is essential for HIPAA Security Rule compliance.
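The three hardening areas OCR describes above (patching cadence, attack surface reduction including default and unused accounts, and correctly configured security measures) are the kind of checks a regulated entity can run repeatedly against its asset inventory rather than treat as a one-time exercise. The following is an added example written for this article, not OCR's code or any tool it recommends: it audits a small inventory and returns findings grouped by those three areas. The inventory records, the cadence and staleness thresholds, the per-asset-class feature allow-lists and the list of required settings are all constructed for illustration; a real deployment would populate them from the organization's own asset inventory and configuration management data, and the thresholds would come from its risk management plan.

```python
"""Hardening audit over a constructed asset inventory (added example, not OCR's tool)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy values are constructed for this example; a real entity sets them in its risk management plan.
PATCH_CADENCE_DAYS = {"server": 30, "workstation": 30, "medical_device": 90}
STALE_ACCOUNT_DAYS = 90
# Features each asset class has an approved business use for; anything else is surface to remove.
ALLOWED_FEATURES = {
    "server": {"ssh", "https"},
    "workstation": {"edr_agent"},
    "medical_device": {"dicom", "https"},
}
# Security measures that map to Security Rule technical safeguards (access control, encryption,
# audit controls, authentication); names are constructed labels, not regulatory citations.
REQUIRED_SETTINGS = ("access_control", "encryption_at_rest", "audit_logging", "authentication_mfa")


@dataclass
class Account:
    name: str
    privileged: bool
    default_password: bool             # True if the install-time credential was never rotated
    last_login: Optional[date] = None  # None means never used since creation


@dataclass
class Asset:
    hostname: str
    kind: str                 # key into PATCH_CADENCE_DAYS / ALLOWED_FEATURES
    last_patched: date
    accounts: list
    enabled_features: set
    security_settings: dict   # setting name -> enabled?


@dataclass
class Finding:
    hostname: str
    area: str      # "patching" | "attack_surface" | "configuration"
    severity: str  # "high" | "medium"
    detail: str


def audit_asset(asset: Asset, today: date) -> list:
    """Return the hardening findings for one asset, in the three areas OCR names."""
    findings = []
    # 1. Patching cadence: flag assets whose last patch is older than policy allows.
    age = (today - asset.last_patched).days
    limit = PATCH_CADENCE_DAYS[asset.kind]
    if age > limit:
        findings.append(Finding(asset.hostname, "patching", "high",
                                f"last patched {age} days ago, cadence is {limit} days"))
    # 2. Attack surface: features with no approved use, default-credential and unused accounts.
    for feature in sorted(asset.enabled_features - ALLOWED_FEATURES[asset.kind]):
        findings.append(Finding(asset.hostname, "attack_surface", "medium",
                                f"feature '{feature}' has no approved use on a {asset.kind}"))
    for acct in asset.accounts:
        if acct.default_password:
            sev = "high" if acct.privileged else "medium"
            findings.append(Finding(asset.hostname, "attack_surface", sev,
                                    f"account '{acct.name}' still uses its default password"))
        if acct.last_login is None or (today - acct.last_login).days > STALE_ACCOUNT_DAYS:
            findings.append(Finding(asset.hostname, "attack_surface", "medium",
                                    f"account '{acct.name}' unused for over {STALE_ACCOUNT_DAYS} days"))
    # 3. Configuration: required security measures must be present and enabled.
    for setting in REQUIRED_SETTINGS:
        if not asset.security_settings.get(setting, False):
            findings.append(Finding(asset.hostname, "configuration", "high",
                                    f"required security measure '{setting}' is missing or disabled"))
    return findings


def audit_inventory(inventory: list, today: date) -> dict:
    """Audit every asset; returns {hostname: [Finding, ...]}."""
    return {asset.hostname: audit_asset(asset, today) for asset in inventory}


def summarize(results: dict) -> dict:
    """Count findings per area across the whole inventory, for trend tracking between runs."""
    counts = {"patching": 0, "attack_surface": 0, "configuration": 0}
    for findings in results.values():
        for finding in findings:
            counts[finding.area] += 1
    return counts


# Constructed sample inventory: one compliant workstation, one server and one device with gaps.
TODAY = date(2026, 2, 1)
SAMPLE_INVENTORY = [
    Asset("db-01", "server", date(2025, 11, 15),
          [Account("postgres", True, True, date(2025, 6, 1)),
           Account("dba_jane", True, False, date(2026, 1, 30))],
          {"ssh", "https", "ftp"},
          {"access_control": True, "encryption_at_rest": True,
           "audit_logging": False, "authentication_mfa": True}),
    Asset("ws-017", "workstation", date(2026, 1, 20),
          [Account("clinic_user", False, False, date(2026, 1, 31))],
          {"edr_agent"},
          {"access_control": True, "encryption_at_rest": True,
           "audit_logging": True, "authentication_mfa": True}),
    Asset("infusion-pump-3", "medical_device", date(2025, 9, 1),
          [Account("service", True, True, None)],
          {"dicom", "https", "telnet"},
          {"access_control": True, "encryption_at_rest": False,
           "audit_logging": True, "authentication_mfa": False}),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY, TODAY)
    for host, findings in results.items():
        for f in findings:
            print(f"{host:18} {f.area:14} {f.severity:6} {f.detail}")
    print(summarize(results))
```

Running the audit on the constructed inventory reports nothing for the workstation, while the server and the infusion pump each produce findings in all three areas (an overdue patch, an unapproved protocol, a privileged account still on its default password, and a disabled required setting). Keeping the per-area counts from each run is one way to evidence the ongoing evaluation OCR describes, since a count that fails to fall between runs shows that identified risks are not being reduced in a timely manner.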
