HIPAA Compliance News

OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2024

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has submitted its annual reports to Congress on compliance with the Health Insurance Portability and Accountability Act (HIPAA) and breaches of unsecured protected health information for calendar year 2024.

The reports are a requirement of the Health Information Technology for Economic and Clinical Health (HITECH) Act and provide a snapshot of the state of compliance in healthcare, the actions taken by OCR in response to potential noncompliance, and the extent to which sensitive health information is being exposed or stolen. The reports to Congress are based on the number of data breaches that occurred in each calendar year, not the year in which the data breach was reported. In calendar year 2024, OCR received 742 reports of data breaches affecting 500 or more individuals; however, only 663 reports related to breaches that occurred in 2024.

2023 was a particularly bad year for large healthcare data breaches. In its previous reports to Congress, OCR reported that 732 large data breaches occurred in 2023, a 17% increase from the previous year, with more than 113 million individuals affected. While there was an improvement in 2024 with 9% fewer large data breaches reported, an unprecedented number of individuals were affected by large data breaches, smashing the previous record. Across the 663 reported data breaches, the protected health information of 242,908,056 individuals was exposed or impermissibly disclosed. The massive total was largely due to a single data breach at Change Healthcare, which affected an estimated 192 million individuals. In 2024, OCR received 74,299 reports of data breaches affecting fewer than 500 individuals, although across those incidents, only 340,618 individuals were affected.

OCR investigates all large data breaches and opened investigations into all 663 breaches, plus two smaller data breaches. The vast majority of data breach investigations are resolved through voluntary corrective actions taken by the affected regulated entity or the provision of technical assistance. OCR resolved 785 data breach investigations in 2024, including 12 with resolution agreements, corrective action plans, and monetary settlements or civil monetary penalties. In 2024, OCR collected $7,813,831 in penalties to resolve alleged HIPAA violations uncovered through its investigations of data breaches, plus a further $950,000 penalty stemming from an investigation in response to media reports of a data breach.

Year Data Breaches (Under 500 individuals) Percentage Change

(Under 500 individuals)

 Data Breaches (500+ individuals) Percentage Change (500+ individuals)
2024 74,299 +9% 663 -9%
2023 68,315 +7% 732 +17%
2022 63,966 +15% 626 +3%
2021 63,571 -4% 609 -7%
2020 66,509 +6% 656 +61%
2020 to 2024 12% increase 1% increase

Source: OCR reports to Congress (breaches each calendar year, irrespective of reporting date)

In the 2024 breaches of unsecured protected health information report, OCR explained that there is a continued need for HIPAA-regulated entities to improve compliance. Noncompliance with the HIPAA Rules is often identified. Many data breaches could have been prevented through proactive compliance, rather than addressing security issues after exploitation. Some of the most common areas of noncompliance were the risk analysis, risk management, information system activity review, audit controls, and person or entity authentication standards and implementation specifications of the HIPAA Security Rule.

If a risk analysis is incomplete or not conducted, risks are likely to persist unaddressed and can be exploited by threat actors. Risks also need to be reduced to a reasonable level to make it harder for threat actors to succeed. Access controls can prevent breaches as well as limit the harm caused if a network is breached. OCR’s investigations of data breaches found many instances of scant internal controls limiting lateral movement and excessive privileges for many user accounts, which allowed threat actors to gain access to multiple systems containing ePHI. OCR also commonly found weak authentication practices, such as default passwords and single-factor remote access, rather than multifactor authentication. Improving compliance across these areas would drastically reduce the number of large healthcare data breaches reported each year.

The most common cause of breaches, as has been the case for several years, was hacking/IT incidents, which accounted for 81% of all data breaches and 241,582,022 of the affected individuals (99.45%). The most common location of breached protected health information was network servers. For smaller breaches, the main cause was unauthorized access/disclosure incidents, most commonly involving paper/films.

Penalties to Resolve Alleged HIPAA Violations in Calendar Year 2024

HIPAA-Regulated Entity Penalty Type Penalty Amount Individuals Affected Areas of Alleged HIPAA Noncompliance
Plastic Surgery Associates of South Dakota Settlement $500,000 10,226 Risk analysis; security measures to reduce risks and vulnerabilities; reviews of records of information systems activity; policies and procedures to address security incidents
Providence Medical Institute Civil Monetary Penalty $240,000 85,000 across three ransomware attacks Business associate agreement; policies and procedures to only allow authorized persons or software to access ePHI
Bryan County Ambulance Authority Settlement $90,000 14,273 Risk analysis
Children’s Hospital Colorado Civil Monetary Penalty $548,265 14,210 across two email-related incidents Risk analysis; workforce HIPAA Privacy Rule training.
Gulf Coast Pain Management Consultants Civil Monetary Penalty $1,190,000 34,310 Risk analysis; review of records of activity in information systems; termination of access rights of terminated employees; procedures for establishing/modifying access rights to information systems.
Elgon Information Systems Settlement $80,000 31,248 Risk analysis
Virtual Private Network Solutions Settlement $90,000 At least 6,400 Risk analysis
Northeast Surgical Group Settlement $10,000 15,298 Risk analysis
Solara Medical Supplies Settlement $3,000,000 115,538 across two incidents Risk analysis; breach notification letters to individuals, HHS, and media.
USR Holding Settlement $337,750 2,903 Risk analysis; review of activity in information systems; procedures for creating and maintaining exact retrievable copies of ePHI; prevention of unauthorized access and deletion of ePHI.
Warby Parker Civil Monetary Penalty $1,500,000 More than 197,986 individuals Risk analysis; security measures to reduce risks and vulnerabilities; review of records of activity in information systems.
Health Fitness Settlement $227,816 4,304 Risk analysis
Heritage Valley Health System Settlement $950,000 Undisclosed Risk analysis; contingency plan for emergencies; policies and procedures restricting access to ePHI

In calendar year 2024, OCR received 30,256 new complaints about potential violations of the HIPAA Rules and carried over 2,955 complaints from previous years. Out of those, OCR resolved 28,228 complaints, 17,466 without opening an investigation, and 9,392 were resolved through the provision of technical assistance.

Out of the 1,370 complaint investigations completed by OCR in 2024, around half (48%) required the regulated entity to take corrective action, and in 51% of the investigations, insufficient evidence was found to indicate violations of the HIPAA Rules. Nine complaint investigations were resolved with financial penalties totaling $1,180,781. The most common issues prompting complaints were impermissible uses and disclosures (660 complaints), Right of Access violations (541 complaints), missing general safeguards (481 complaints), lacking HIPAA Security Rule administrative safeguards (147 complaints), and missing or late individual breach notifications (122 complaints).

OCR initiated 730 compliance reviews and completed 797 compliance reviews in 2024 that did not arise from complaints. While OCR is required by the HITECH Act to conduct audits of HIPAA-regulated entities, no audits were initiated in 2024. OCR is also responsible for outreach activities to improve the education of the public with respect to their HIPAA Rights, and HIPAA-regulated entities about large data breach trends. OCR conducted 89 such outreach activities in calendar year 2024.

The report on compliance with the HIPAA Privacy, Security, and Breach Notification Rules shows there was a slight year-over-year decrease in complaints and a small increase in initiated compliance reviews.

Year Complaints received YoY Percentage Change in Complaints Initiated Compliance Reviews (including complaints and breaches) YoY Percentage Change in Initiated Compliance Reviews
2024 30,256 – 2% 797 -3%
2023 30,968 + 2% 773 +14%
2022 30,435 -11% 676 + <1%
2021 34,077 +25% 674 -10%
2020 27,182 -4% 746 +22%
2020 to 2024 +11% +7%

Penalties Arising from Substantiated HIPAA Compliance Complaints in 2024

In total, OCR imposed 22 financial penalties to resolve HIPAA violations in calendar year 2024, 13 in response to reports of data breaches and 9 in response to complaints. In total, OCR collected $9,944,612 in settlements and penalties. Complaints resolved with financial penalties are detailed in the table below. Further information on each fine can be found on our HIPAA Violation Cases page.

HIPAA-Regulated Entity Penalty Type Penalty Amount Individuals Affected Areas of Alleged HIPAA Noncompliance
Essex Residential Care dba Hackensack Meridian Health, West Caldwell Care Center Civil Monetary Penalty $100,000 1 HIPAA Right of Access
American Medical Response Civil Monetary Penalty $115,200 1 HIPAA Right of Access
Cascade Eye and Skin Centers Settlement $250,000

 

 291,000 Risk analysis; monitoring of information systems
Rio Hondo Community Mental Health Center Civil Monetary Penalty $100,000 1 HIPAA Right of Access
Inmediata Health Group Settlement $250,000 1,565,338 Risk analysis; monitoring of information systems
Holy Redeemer Hospital Settlement $35,581 1 HIPAA Right of Access
Gums Dental Care Civil Monetary Penalty $70,000 1 HIPAA Right of Access
South Broward Memorial Hospital District dba Memorial Healthcare System Settlement $60,000 1 HIPAA Right of Access
Oregon Health and Science University Civil Monetary Penalty $200,000 1 HIPAA Right of Access

 

The post OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2024 appeared first on The HIPAA Journal.

HHS Announces Restructuring of Office for Civil Rights

Posted by Steve Alder

The U.S. Department of Health and Human Services (HHS) has announced it is restructuring its Office for Civil Rights (OCR), which will split into three divisions, each with specific responsibilities. HHS has recreated the Conscience and Religious Freedom Division (CRFD), which was established in January 2018 under the first Trump administration and operated until March 2023, when it was disbanded by the Biden administration. The Civil Rights Division has also been reestablished, following the amalgamation of both into the Policy Division under the Biden administration.

CRFD is tasked with raising awareness of religious freedom laws and ensuring religious liberty, combating antisemitism and anti-Christian bias, and enforcing conscience protections. OCR enforces civil rights laws, including those that prohibit discrimination on the basis of race, color, national origin, sex, disability, age, or membership in patriotic youth organizations. These responsibilities will be handled by the Civil Rights Division, which will focus on addressing race-based discrimination in a color-blind manner and restoring biological truth.

The Trump administration has focused on these areas during the second term, after being deprioritized under the Biden administration. “This reorganization… strengthens the Office for Civil Rights’ ability to defend religious liberty, enforce conscience protections, and combat unlawful discrimination,” said HHS Secretary Robert F. Kennedy, Jr. “Under President Trump’s leadership, HHS will defend these rights with clarity, accountability, and resolve.”

The Health Information Privacy, Data, and Cybersecurity Division makes up the trifecta and is tasked with handling HIPAA enforcement, including investigations of breaches of unsecured protected health information and health information privacy complaints, both of which have soared in recent years. This enforcement division will continue to support centralized intake and field office execution.

Early in the latest term, there was a major reduction in HHS staffing as the Department of Government Efficiency (DOGE) targeted the department. HHS lost around 20,000 staff members through a combination of eliminated positions, early retirements, and voluntary redundancies. Several field offices were also closed. OCR has been struggling to operate with a limited budget, an increasing workload, and a smaller workforce than in previous years. OCR currently has 116 full-time staff, and while the fiscal year budget would see the department’s workforce increased to 144 full-time staff members, that is significantly fewer than in the early 2020s. It is slightly reassuring that the HHS has confirmed that the restructuring will not involve any further reductions in OCR’s workforce.

Where OCR’s resources will be focused remains to be seen. Large healthcare data breaches increased in 2025, and the complaint volume continues to grow, which is stretching OCR’s resources for health information privacy investigations further still. Healthcare data breaches continue to occur in high numbers; however, the speed at which data breach reports are verified and added to its data breach portal has slowed considerably. OCR had to contend with a lengthy government shutdown last year, with all but essential work coming to a grinding halt. Even accounting for this disruption, the pace has slowed, suggesting health information privacy investigations are a lower priority than under the current administration.

OCR is still working on an update to the HIPAA Privacy Rule, a Notice of Proposed Rulemaking (NPRM) for which was issued by OCR during President Trump’s first term, and an update to the HIPAA Security Rule, the NPRM for which was published in the Federal Register in January 2025 by OCR under the Biden administration. OCR set a provisional timetable for a May 2026 release of a final rule for the HIPAA Security Rule update. OCR has remained tight-lipped about when these regulatory changes will be finalized. They may be delayed if resources are diverted to the CRFD and Civil Rights Divisions.

“This reorganization reinstitutes a structure that rightly prioritizes civil rights and conscience and religious freedom alongside health information privacy and security,” said HHS Office for Civil Rights Director Paula M. Stannard. “All three areas are deserving of subject-matter expertise and distinct senior executive leadership for OCR to best serve the American people.” In the announcement about the restructuring, OCR said it will publish further information in the Federal Register later this month.

The post HHS Announces Restructuring of Office for Civil Rights appeared first on The HIPAA Journal.

OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2023

Posted by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has submitted a pair of reports to Congress on the state of compliance with the Health Insurance Portability and Accountability (HIPAA) Privacy, Security, and Breach Notification Rules, and breaches of unsecured protected health information for calendar year 2023, as required by Section 13424(a) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

OCR maintains a data breach portal, through which HIPAA-regulated entities must submit their reports of breaches of unsecured protected health information, and a web page through which individuals may submit a health information privacy complaint. There has been a general trend of increasing data breaches and complaints, which is placing greater pressure on OCR’s limited resources; however, OCR made progress in decreasing the backlog of complaint and data breach investigations in 2023.

The reports show data breaches affecting fewer than 500 individuals increased by 7% year-over-year, data breaches affecting 500 or more individuals increased by 17% year-over-year, complaints were up 2%, and there was a 14% increase in compliance reviews initiated by OCR. In total, OCR resolved 14 investigations in calendar year 2023 with settlements totalling $7,735,000. While that is 4 penalties fewer than in 2022, the total penalty amount increased by $6,932,500 year-over-year. OCR also conducted 182 outreach activities to improve public education about HIPAA rights and to advise regulated entities about compliance and trends in large data breaches reported to OCR.

Healthcare Data Breaches in 2023

In calendar year 2023, OCR received 732 reports of data breaches affecting 500 or more individuals. Across those data breaches, 113,173,613 individuals had their protected health information exposed, stolen, or impermissibly disclosed. The largest healthcare data breach of the year – HCA Healthcare – affected 11,270,000 individuals. The average data breach size in 2023 was 154,609 individuals.

Summary of Data Breaches Affecting 500 or More Individuals

HIPAA breaches affecting 500 or more individuals 2019-2023

OCR has five classifications for healthcare data breaches, and the majority of large healthcare data breaches fell into the hacking/IT incident category. Hacking and IT incidents accounted for 81% of the year’s data breaches and 96% of breached records.

Cause of Breach Number of Incidents Individuals Affected Largest Data Breach
Hacking/IT Incident 590 108,725,761 11,270,000 individuals
Unauthorized Access/Disclosure 120 4,359,037 3,179,835 individuals
Theft 14 69,893 34,016 individuals
Loss 4 16,247 13,184 individuals
Improper Disposal 4 2,675 1,005 individuals

Summary of Data Breaches Affecting Fewer Than 500 Individuals

HIPAA breaches fewer than 500 individuals 2019-2023

OCR received 68,315 reports of data breaches affecting fewer than 500 individuals in calendar year 2023. Smaller HIPAA breaches vastly outnumber large data breaches, but they typically affect only a few individuals. Across those HIPAA breaches, the protected health information of 269,290 individuals was exposed, stolen, or impermissibly disclosed, with an average breach size of fewer than 4 individuals.  The vast majority of smaller breaches were due to human error – employee mistakes and a lack of understanding about HIPAA requirements. The most common causes were misdirected communications (fax, email, mailing) and impermissibly accessing the medical records of co-workers, friends, family members, and other individuals.

Cause of Breach Number of Incidents Individuals Affected Percentage of Breaches
Unauthorized Access/Disclosure 64,231 178,031 66%
Loss 2,414 10,186 4%
Hacking/IT Incident 753 61,021 1%
Theft 714 15,742 1%
Improper Disposal 203 4,310 <1%

2023 Settlements to Resolve Alleged HIPAA Violations

OCR settled 14 investigations with financial penalties and corrective action plans in 2023. No civil monetary penalties were imposed.

HIPAA Regulated Entity Affected Individuals Settlement Amount
Montefiore Medical Center 12,517 $4,750,000
LA Care Health Plan 1,498 $1,300,000
Lafourche Medical Group 34,862 $480,000
MedEvolve Inc. 230,572 $350,000
Yakima Valley Memorial Hospital 415 $240,000
Optum Medical Care 1 $160,000
Doctors’ Management Services 206,695 $100,000
St. Joseph’s Medical Center 3 $80,000
UnitedHealthcare 1 $80,000
iHealth Solutions (Advantum Health) 267 $75,000
Green Ridge Behavioral Health 14,000 $40,000
Phoenix Healthcare (dba Green Country Care Center) 1 $35,000
Manasa Health Center, LLC 4 $30,000
David Mente, MA, LPC 1 $15,000

Keen readers of the HIPAA Journal may notice a discrepancy between these figures and those on pages such as our data breach statistics page, as the HIPAA Journal reports on the year the penalty was announced rather than the year it was agreed.

In 2023, OCR imposed financial penalties to resolve HIPAA failures in 11 areas. The most commonly identified HIPAA failure resulting in a financial penalty was the failure to conduct a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information, and the failure to review records of activity in information systems containing protected health information.

Area of HIPAA Noncompliance Cases
Risk Analysis 7
Review records of information system activity 5
HIPAA Right of Access 4
Impermissible Use or Disclosure of PHI 3
Risk Management 2
HIPAA Security Rule Policies and Procedures 2
Mechanisms for Recording/Examining Activity in Information Systems 2
Business Associate Agreements 1
HIPAA Privacy Rule Policies and Procedures 1
Security Measures to Reduce Risks/Vulnerabilities 1
Periodic Technical and Nontechnical Evaluations 1

HIPAA Complaints and Compliance Reviews in 2023

OCR investigates complaints submitted through the health information privacy complaint web page and initiates compliance reviews if complaints are substantiated. Compliance reviews are also initiated in response to data breaches.

Complaints submitted to OCR about HIPAA violations 2019-2023

Summary of HIPAA Complaints

  • 30,968 new complaints received alleging violations of the HIPAA Rules and the HITECH Act (+553 YOY)
  • 9,680 open complaints carried over from previous years (-10,497 YOY)
  • 38,601 complaints were resolved in calendar year 2023 (+6,351 YOY)
  • 30,464 complaints were resolved before an investigation was initiated (-2,357 YOY)
  • 6,749 complaints were resolved through technical assistance (+3,867 YOY)
  • 691 complaints were resolved through voluntary corrective action (+131 YOY)
  • 695 complaints had insufficient evidence of HIPAA violations (-9 YOY)
  • 2 complaints resulted in OCR providing technical assistance after an investigation (-13 YOY)
  • 5 complaints were resolved through resolution agreements, corrective action plans, and monetary settlements ($320,000), three more than in 2022, when $2,425,640 was collected in settlements/civil monetary penalties.

Summary of Compliance Reviews

  • 773 compliance reviews initiated to investigate allegations of HIPAA violations not stemming from complaints
  • 732 compliance reviews were due to large data breaches (affecting 500 or more individuals), 9 were in response to smaller breaches, and 32 were initiated for other reasons
  • OCR closed 737 of those compliance reviews in 2023 – 580 cases (79%) through voluntary compliance, 60 cases (8%) through technical assistance, 67 cases (9%) where there was insufficient evidence of a HIPAA violation, and 30 cases (4%) were closed due to a lack of jurisdiction to investigate.
  • OCR resolved nine compliance reviews with resolution agreements and corrective action plans, collecting $7,415,000 in financial penalties.

You can view a summary of the HIPAA reports for 2022 in this post. Click the following links to access the full OCR reports on HIPAA compliance in 2023 (PDF) and 2023 healthcare data breaches (PDF)

The post OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2023 appeared first on The HIPAA Journal.

March 2026 Healthcare Data Breach Report

Posted by Steve Alder

In March 2026, 44 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). More than 1.5 million individuals had their personal and protected health information exposed, stolen, or otherwise impermissibly disclosed.

Under the HITECH Act of 2009, OCR is required to publish a summary of large healthcare data breaches – incidents involving the exposure, theft, or impermissible disclosure of the electronic protected health information of 500 or more individuals. OCR checks all breach reports submitted through its data breach portal, then adds the data breaches to the public-facing section of the portal. Typically, there is a delay of up to 2 weeks from the receipt of a breach report to its addition to the breach portal. During the month of March, no data breaches were added to the portal for March. March data breaches started to be added to the portal in mid-April, hence the delay in publication of this breach report. Currently, the OCR breach portal shows 44 reported data breaches affecting 500 or more individuals for March, although there may be further additions over the coming weeks, as OCR finalizes its checks.

Healthcare data breaches in the past 12 months - March 2026

 

Across those 44 incidents, the protected health information of 1,523,376 individuals was exposed, stolen, or otherwise impermissibly disclosed – the lowest monthly total in the past 12 months, and an 81% reduction from February 2026, although those figures may increase as further data breaches are added and data breach investigations are concluded.

Individuals affected by healthcare data breaches in the past 12 months

 

Biggest Healthcare Data Breaches in March 2026

Eleven healthcare data breaches affecting 10,000 or more individuals were reported to OCR in March. The biggest data breach of March 2026 by some distance was reported by the telehealth platform provider OpenLoop Health. OpenLoop Health discovered the hacking incident in January 2026, and the investigation confirmed that a threat actor accessed its systems and exfiltrated patient data. A threat actor – Stuckin2019 – claimed responsibility for the attack and said the records of 1.6 million patients were exfiltrated, although OpenLoop Health reported the incident as affecting 716,000 individuals. While the breach was large and involved personal and health information, Social Security numbers and financial information were not stolen.

North Texas Behavioral Health Authority (NTBHA), a provider of mental health and substance use treatment and services in Texas, experienced a hacking incident that exposed the protected health information of 285,086 individuals. Few details have been published about the nature of the incident, other than hackers breaching its network in October 2025. NTBHA confirmed that protected health information was exposed and may have been stolen.

Saint Anthony Hospital in Chicago reported a breach of its email system. The breach occurred on February 27, 2026, and the threat actor obtained unstructured data from its email system, including names, dates of birth, and Social Security numbers. More than 146,000 individuals had data stolen in the incident. The hacking incident at Defense Health Agency affected almost 100,000 individuals, but the HIPAA Journal has been unable to find any details about the data breach, other than what is shown on the HHS’ Office for Civil Rights breach portal. The portal states that a business associate was involved and that the breach involved unauthorized access to electronic medical records.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Incident
OpenLoop Health, Inc. IA Business Associate 716,000 Hack and extortion incident – data theft confirmed
North Texas Behavioral Health Authority TX Healthcare Provider 285,086 Hacking incident
Saint Anthony Hospital IL Healthcare Provider 146,108 Unauthorized access to the email system
Defense Health Agency VA Health Plan 96,271 Hacking of a third-party electronic medical record system
Exclusive Physicians PLLC MI Healthcare Provider 58,000 Hacking incident
Woodfords Family Services ME Healthcare Provider 38,061 Ransomware attack
MedPeds Associates of Sarasota FL Healthcare Provider 22,017 Ransomware attack
Barrio Comprehensive Family Health Care Center TX Healthcare Provider 19,971 Unauthorized access to the email system
Longevity Health Plan FL Health Plan 15,000 Hacking incident
Cedar Valley Hospice IA Healthcare Provider 10,666 Hacking incident
Good Samaritan Health Center GA Healthcare Provider 10,000 Ransomware attack

Three incidents were reported to OCR using totals of 500 or 501 individuals. These figures are often used as “placeholder” estimates to meet the reporting requirements of the HIPAA Breach Notification Rule when investigations and data reviews are ongoing. These data breaches could turn out to affect substantially more individuals than the breach portal suggests.

Regulated Entity State Covered Entity Type Individuals Affected Type of Breach
Community Health Action of Staten Island NY Healthcare Provider 501 Hacking incident
Securian Financial MN Health Plan 500 Hacking incident at a business associate
Kin Counseling Services PLLC CO Healthcare Provider 500 Hacking incident

Causes of March 2026 Healthcare Data Breaches

As has been the case for many months, the majority of data breaches are hacking/IT incidents, with hacking accounting for most of the reported data breaches. Unauthorized access/disclosure incidents are less common but a regular cause of data breaches, while loss, theft, and improper disposal incidents are now a rarity, typically being reported in extremely low numbers.

Causes of March 2026 healthcare data breaches

In March, 40 of the month’s 44 data breaches were hacking/IT incidents (90.9%), 3 were unauthorized access/disclosure incidents (6.8%), and there was one theft incident (2.3%). Across the 40 hacking incidents, 1,523,376 individuals had their protected health information exposed or stolen – 99.7% of all individuals affected by healthcare data breaches in March. The average breach size was 37,953 individuals (median: 5,080 individuals). The unauthorized access/disclosure incidents affected 4,710 individuals, 0.3% for the month’s affected individuals. The average breach size was 1,570 individuals (Median: 1,283 individuals), and the theft incident affected 538 individuals, 0.04% of the month’s affected individuals.

location of breaches PHI - march 2026

States Affected by March 2026 Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 23 U.S. states in March, with Florida and Texas the worst-affected states with four breaches per state.

State Data Breaches
Florida & Texas 4
California, Massachusetts, Minnesota & Oklahoma 3
Colorado, Iowa, Illinois, Louisiana, Michigan, New York & Washington 2
Arizona, Georgia, Indiana, Maine, North Carolina, Ohio, Pennsylvania, Tennessee, Virginia & Wisconsin 1

In terms of affected individuals, Iowa topped the list with 726,666 affected individuals, followed by Texas and Illinois.

State Individuals Affected
Iowa 726,666
Texas 309,416
Illinois 152,194
Virginia 96,271
Michigan 60,740
Florida 43,811
Maine 38,061
Louisiana 17,755
California 12,700
Minnesota 10,958
Georgia 10,000
Indiana 8,941
Massachusetts 7,925
Oklahoma 5,777
New York 5,587
Ohio 4,234
Tennessee 3,171
Colorado 2,563
Washington 1,821
North Carolina 1,575
Wisconsin 1,574
Arizona 949
Pennsylvania 687

Data Breaches at HIPAA-Regulated Entities

In March, data breaches were reported by 33 healthcare providers (672,387 affected individuals), 6 health plans (121,639 affected individuals), and 5 business associates (729,350 affected individuals). When a data breach occurs at a business associate, the business associate must notify each affected entity, and then a decision must be made by the covered entity about who reports the data breach. The affected covered entity may choose to issue notifications – they are ultimately responsible for ensuring that notifications are issued – but many delegate that responsibility to the business associate. Taking that into account, the following charts show where the breach occurred rather than the reporting entity. All 6 health plan breaches occurred at business associates, as did half of the data breaches reported by healthcare providers.

Data breaches at HIPAA-regulated entities - March 2026

Individuals affected by data breaches at HIPAA-regulated entities - March 2026

HIPAA Enforcement Activity in March 2026

OCR investigates all large healthcare data breaches to determine if they occurred as a result of HIPAA noncompliance. The OCR breach portal shows that the majority of data breach investigations are closed with no further action taken or with OCR providing technical assistance to address HIPAA noncompliance. OCR currently has two main enforcement initiatives in place, one targeting noncompliance with the HIPAA Right of Access, and one targeting noncompliance with the risk analysis/risk management requirements of the HIPAA Security Rule. Violations of these provisions are likely to result in financial penalties.

OCR announced one enforcement action in March involving a financial penalty, after OCR discovered multiple violations of the HIPAA Rules – A risk analysis failure, breach notification failure, and an impermissible disclosure of the electronic protected health information of 15 million individuals. MMG Fusion, a Maryland-based provider of software solutions to oral healthcare providers, settled the case and paid a $10,000 financial penalty – one of the lowest financial penalties ever imposed by OCR. OCR said that when determining the settlement amount, consideration was given to MMG’s financial position.

The post March 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

OCR Fines Four Regulated Entities for HIPAA Violations That Led to Ransomware Attacks

Posted by Steve Alder

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced four financial penalties to resolve potential HIPAA violations discovered during investigations of ransomware-related data breaches. The ransomware attacks resulted in the exposure of the electronic protected health information (ePHI) of 427,000 individuals, and $1,165,000 in financial penalties were imposed to resolve the HIPAA violations. In each case, the HIPAA-regulated entity agreed to pay a lower penalty to settle the alleged violations informally and agreed to adopt a corrective action plan to address the noncompliance issues identified by OCR’s investigators. Including these four settlements, OCR has resolved six investigations with financial penalties in 2026, collecting $1,278,000 in penalties.

Financially motivated cyber actors target the healthcare and public health sector, often using ransomware to encrypt files to prevent access to critical data. Threat actors know that healthcare organizations store large volumes of sensitive data and rely on access to the data to provide healthcare services. Without access to medical records, patient safety is put at risk, so victims are more likely that organziations in other sectors to pay the ransom demands to recover quickly. In addition to encryption, sensitive data is often exfiltrated and used as leverage. If the ransom is not paid, the data is sold or leaked online, putting the affected individuals at risk of identity theft and fraud.

In each of the past five years, more than 700 data breaches affecting 500 or more individuals have been reported to OCR, the majority of which were hacking incidents or ransomware attacks. “Hacking and ransomware are the most frequent type of large breach reported to OCR,” said OCR Director Paula M. Stannard, in an announcement about the HIPAA penalties. “Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”

One of the most important requirements of the HIPAA Security Rule is a risk analysis, the purpose of which is to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Those risks and vulnerabilities must then be subjected to risk management processes to eliminate them or reduce them to a low and acceptable level. If a risk analysis is not conducted, is not conducted regularly, or is incomplete, risks and vulnerabilities are likely to remain unknown and unaddressed and can be exploited to gain access to internal networks and ePHI.

OCR has made the risk analysis provision of the HIPAA Security Rule an enforcement priority due to its importance, and that initiative is being extended to include risk management. If a data breach is reported or if a complaint is submitted about an unreported data breach, OCR will investigate and will require evidence to show that a risk analysis has been completed and risks have been managed in a timely manner. In each of the four latest enforcement actions, OCR identified risk analysis failures.

In order to complete a comprehensive and accurate risk analysis, HIPAA-regulated entities must identify all locations within the organization where ePHI is located, including how ePHI enters, flows through, and leaves the organization’s information systems. It is therefore essential to create and maintain an accurate and up-to-date asset inventory on which the risk analysis can be based.

In addition to identifying and managing risks and vulnerabilities, HIPAA-regulated entities must ensure that appropriate cybersecurity measures are implemented, including access controls and authentication to restrict access to ePHI to authorized users only. Audit controls must be implemented to record and examine activity in information systems, and logs of information systems activity need to be regularly monitored. Encryption should be implemented to protect ePHI at rest and in transit, and an incident response plan must be developed, implemented, and maintained to ensure a fast response in the event of a successful intrusion. OCR also reminds regulated entities to ensure that workforce members are provided with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Assured Imaging Affiliated Covered Entities – $375,000 HIPAA Penalty

The largest financial penalty announced this month resolved potential HIPAA violations identified by OCR during an investigation of a ransomware-related data breach at Assured Imaging Affiliated Covered Entities (Assured Imaging), a medical imaging and screening service provider with corporate headquarters in Arizona and California. The ransomware attack was discovered on May 19, 2020, and involved the theft of ePHI such as names, contact information, dates of birth, diagnosis and conditions, lab results, medications, and treatment information of 244,813 individuals.

Assured Imaging was unable to provide evidence that a risk analysis had ever been completed. OCR determined that there had been an impermissible disclosure of the ePHI of 244,813 individuals, and that Assured Imaging failed to notify the affected individuals within 60 days, as required by the HIPAA Breach Notification Rule. OCR imposed a $375,000 financial penalty to resolve the alleged HIPAA violations, and the settlement agreement includes a comprehensive corrective action plan. Assured Imaging will be monitored for compliance with the corrective action plan for two years.

Regional Women’s Health Group, dba Axia Women’s Health – $320,000 HIPAA Penalty

Regional Women’s Health Group, which does business as Axia Women’s Health and provides women’s healthcare services to patients in New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky, reported a ransomware-related data breach to OCR in December 2020. The ePHI of 37,989 individuals stored in its electronic medical record database was exposed or stolen in the incident, including names, addresses, dates of birth, SSNs, driver’s license numbers, diagnoses or conditions, lab results, and medications.

OCR determined that Axia Women’s Health had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI and imposed a $320,000 financial penalty. Axia Women’s Health opted to settle the alleged violation informally and agreed to implement a comprehensive corrective action plan and will be monitored for compliance with that plan for two years. In addition to conducting a risk analysis, implementing a risk management plan, and providing training to the workforce, Axia Women’s Health is required to implement a process for evaluating environmental and operational changes that affect the security of ePHI, suggesting OCR found potential noncompliance in this area, in addition to the risk analysis failure.

Star Group, L.P. Health Benefits Plan – $245,000 HIPAA Penalty

Star Group, L.P. Health Benefits Plan (SG Health Plan), the self-funded employee benefits plan of a Connecticut-based energy provider, reported a ransomware attack to OCR in October 2021. The forensic investigation determined that the ransomware group exfiltrated files containing the ePHI of 9,316 of its plan members. Data stolen in the attack included names, addresses, dates of birth, SSNs, and health insurance information, such as member identification numbers, claims data, and benefit selection information.

OCR’s investigation determined that SG Health Plan had failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to ePHI, resulting in an impermissible disclosure of the ePHI of 9,316 individuals. OCR resolved the alleged HIPAA violations with a $245,000 financial penalty, and SG Health Plan agreed to adopt a corrective action plan to address the alleged HIPAA violations. SG Health Plan will be monitored for compliance with the plan for 2 years.

Consociate, Inc., dba Consociate Health – $225,000 HIPAA Penalty

Consociate, Inc., doing business as Consociate Health, a third-party administrator of employee-sponsored benefit programs and business associate of health plans, discovered on January 14, 2021, that data in its information systems had been encrypted in a ransomware attack. The forensic investigation determined that its network had first been compromised 6 months previously as a result of a phishing attack.

The threat actor gained access to a server containing the ePHI of 136,539 individuals, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, credit card/bank account numbers, and diagnoses or conditions. OCR determined that Consociate Health failed to conduct an accurate and thorough risk analysis and resolved the alleged HIPAA violation with a $225,000 financial penalty. Consociate Health agreed to adopt a corrective action plan to address the alleged HIPAA violation and will be monitored for compliance with the plan for 2 years.

The post OCR Fines Four Regulated Entities for HIPAA Violations That Led to Ransomware Attacks appeared first on The HIPAA Journal.

OPM’s Plan to Collect Federal Employees’ Health Insurance Data Attracts Strong Criticism

Posted by Steve Alder

A proposal to allow the Office of Personnel Management (OPM) to collect the personally identifiable health information of federal employees and their family members has attracted strong criticism due to privacy and security risks, and the potential for HIPAA violations and data misuse.

Per the December 12, 2025, notice about the information collection request (ICR) – Federal Employees Health Benefits (FEHB) and Postal Service Health Benefits (PSHB) Programs Service Use and Cost Data – OPM requires insurance carriers to submit FEHB and PSHB program claims data to OPM. Under the proposal, insurance carriers are required to make monthly submissions of claims-level data, including the protected health information of current and former federal workers and their family members, including personal identifiers. According to OPM, the data will “enable OPM to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans.”  While there are clear benefits to be gained from collecting and analyzing the data, such as lowering costs and improving care quality, the proposal has raised significant privacy and security concerns.

The Trump administration is seeking unprecedented access to workers’ medical information– information protected under the Health Insurance Portability and Accountability Act (HIPAA). The data being sought is not government data; it is protected health information maintained by HIPAA-regulated entities. Information submitted to OPM under the proposal would populate a government database, but OPM has failed to fully explain exactly how that information will be used, maintained, and protected. As such, there are legitimate concerns that the requested data may be used for reasons other than the stated purpose, especially given the Trump administration’s attempts over the past 12 months to obtain personal information from the Social Security Administration and the Internal Revenue Service.

“OPM is collecting service use and cost data from FEHB and PSHB Carriers, including medical claims, pharmacy claims, encounter data, and provider data. This data will enable OPM to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans,” explained OPM in the notice. “OPM requires Carriers to report necessary information and permit audits and examinations to manage the FEHB Program effectively.”

In the notice, OPM explains that under HIPAA, covered entities such as health plans are permitted to disclose protected health information – including service use and cost data – to health oversight agencies, including OPM, for oversight activities authorized under 45 CFR 165.512(d)(1). The notice calls for 65 carriers to make ongoing, monthly submissions of claims-level data and quarterly manufacturer rebate data for federal employees and retirees. The carriers hold data for more than 8 million Americans, including federal workers, mail carriers, retired members of Congress, and their immediate family members.

The use of such broad terms for data categories has set alarm bells ringing. OPM will potentially be provided with a huge volume of sensitive, personally identifiable information, including information about treatments sought and received. Encounter data, for instance, could potentially encompass full medical records and doctors’ notes, information over and above what is necessary for the stated health oversight activities.

De-identified data could potentially be used to achieve the stated purpose, but OPM makes no mention of stripping out personal identifiers. As such, there are legitimate concerns from privacy groups that OPM could create a huge database of highly sensitive information that could easily be misused. For instance, for targeting specific employees based on the healthcare services they sought and received, or assisting the administration with its DEI, gender-affirming care, and reproductive health care initiatives, or any other healthcare services being targeted.

Aside from the potential for data misuse, the proposal will create significant compliance and legal risks for the carriers. OPM states in the notice that the HIPAA Privacy Rule permits disclosures of protected health information for health oversight activities, but requests a broad swathe of protected health information, the provision of which will likely violate the minimum necessary standard.  The minimum necessary standard – 45 CFR 164.502(b), 164.514(d) – applies to data disclosed for health oversight activities. “When using or disclosing protected health information or when requesting protected health information… a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

In its current form, the proposal lacks detailed information about the purpose for the disclosure, and the broad categories of data requested will require carriers to walk a HIPAA compliance tightrope. While the Trump administration may have no intention of enforcing HIPAA compliance regarding the OPM data disclosures, future administrations may take an entirely different view, and the data disclosures will expose carriers to significant legal risk. It is currently unclear how carriers intend to comply with the proposal.

While HIPAA permits disclosures of protected health information for health oversight activities, they are not required disclosures under HIPAA. Carriers may choose to only disclose information that they deem appropriate and necessary, although, without further detail about the exact purposes for the disclosures, it will be difficult to determine what information is appropriate and necessary, and the compliance and administrative burden would be significant.

In addition to concerns about protected health information being provided to the government and how that information will be used, concerns have been raised about OPM’s ability to protect a database of highly sensitive protected health information, given the extent to which government entities are targeted by threat actors, and OPM’s and the Trump administration’s history of safeguarding sensitive data. OPM experienced two massive data breaches in 2015, one involving the personal information of 4.2 million current and former federal employees and another involving the theft of the personal records of more than 22 million Americans. The Chinese government is alleged to have been behind the attacks.

The proposal has attracted significant criticism. The Association of Federal Health Organizations (AFHO) points out that this is not the first time that OPM has sought to establish a healthcare claims data warehouse, having made a similar proposal in 2010. The same HIPAA compliance concerns that were voiced 16 years ago still apply to the latest proposal. AFHO had argued that only de-identified data should be shared; however, today, the sharing of de-identified data with OPM carries significant compliance risks. AFHO is concerned that, given the detailed information OPM already has on enrolees and their family members, there is a risk that de-identified data could be re-identified, and the HIPAA Privacy Rule does not permit the sharing of de-identified data when there is a risk of reidentification. AFHO suggests an agreement between OPM and the CMS to use the CMS edge server system to query data, thereby eliminating the risk of re-identification, or to enter into a contract with the Health Care Cost Institute, which could translate raw data into actionable insights.

Robert H. Shriver, III, Managing Director of Civil Service Strong, a project of Democracy Forward Foundation, voiced strong opposition to ICR. Specifically, due to the failure of OPM to justify the proposed data collection and clearly state exactly how the data will be used, the failure to explain how data will be safeguarded, and the risk of data abuse. “OPM’s ICR is especially concerning given the Trump-Vance Administration’s explicit contempt for federal workers and its pattern of recklessness with highly sensitive data,” wrote Shriver in comments in response to the ICR notice. He said the Trump administration has demonstrated that it cannot be trusted with sensitive data, citing the recent admission by the Trump administration that sensitive Social Security Administration data was sent to unauthorized individuals, shared on nongovernmental servers, and, through DOGE activities in particular, it is “playing fast and loose with government data.”

Jonathan Foley, a former OPM employee who advised on the FEHB program under the Obama and Biden administrations, believes there are valuable benefits to be gained from collecting and analysing personally identifiable data, but warned of the considerable potential for data misuse and the privacy risks. In his comments in response to the notice, Foley said the Trump administration has a poor record of properly handling sensitive information and has attempted to link identifiable data across federal programs and use it for reasons unrelated to the original purpose for which the data was collected. Foley suggests that de-identified data could be collected and maintained by a trusted entity other than OPM, with guardrails preventing federal authorities from demanding direct access to the data from that trusted entity. CVS Health suggests that OPM should convene a stakeholder working group to determine the specific data elements required to support the requested goals and to establish a consistent reporting framework.

Most recently, on April 17, 2026, a group of 16 Democratic members of the House Oversight Committee wrote to OPM Director Scott Kupor and Office of Management and Budget Director Russell Vought, calling for the withdrawal of the proposed plan due to the potential for data misuse, HIPAA violations, and concern that OPM lacks the necessary safeguards to responsibly protect sensitive data. “More than 8 million Americans receive health insurance under the FEHB and PSHB programs, including federal workers, mail carriers, and their immediate family members. They should be able to make medical decisions in consultation with their doctors—not the federal government,” wrote the senators. “We therefore demand that OPM halt all plans to collect private health insurance data and provide a briefing on the decision to enact this policy.” The senators have asked the Directors to explain the decision to obtain such an expansive dataset without any guardrails or protections for employee privacy.

The post OPM’s Plan to Collect Federal Employees’ Health Insurance Data Attracts Strong Criticism appeared first on The HIPAA Journal.

Lawsuit Alleges AI Platform Illegally Recorded Patient-Clinician Conversations

Posted by Steve Alder

A lawsuit has been filed in the U.S. District Court for the Northern District of California against two healthcare organizations over their use of an AI-based tool that records conversations between patients and clinicians and transmits the audio files externally for processing and transcription. The lawsuit names the California nonprofit public benefit corporations Sutter Health and Memorial Healthcare Services as defendants, and alleges that their use of the tool violates the California Invasion of Privacy Act (CIPA), California Confidentiality of Medical Information Act (CMIA), California Unfair Competition Law, Federal Wiretap Act, and constitutes invasion of privacy – intrusion upon seclusion.

The AI-based platform was developed by Abridge AI, Inc., and is described as an “ambient clinical documentation system” which is marketed to health systems as an “enterprise-grade AI” that generates “contextually aware, clinically useful, and billable AI-generated notes, integrated directly into EHR workflows.” When activated on microphone-enabled devices in examination rooms, the tool captures conversations between clinicians and patients and transmits the recorded audio files to an external server, where they are processed and transcribed. AI models are used to generate structured draft clinical notes that can be checked by the clinician and incorporated directly into the electronic medical record system.

Abridge AI’s platform is used by many large health systems and providers, including Johns Hopkins, Mayo Clinic, Mount Sinai Medical Center, UC Health, MemorialCare, Christus Health, Corewell Health, and Reid Health, to name but a few.  The platform is praised by users who report that it significantly decreases clinicians’ cognitive load, allows clinicians to give patients their undivided attention, and increases clinician satisfaction.

The lawsuit – Washington et al v. Sutter Health – was filed by plaintiffs Christina Washington, Dennis Gueretta, and Rebecca Matulic, who visited the defendants in the past six months and disclosed sensitive medical information in their visits. The plaintiffs allege that they had a reasonable expectation that their conversations with the clinicians would remain private and confidential. The plaintiffs allege that at the time of their visits, they were unaware that their conversations with clinicians were being recorded by an artificial intelligence platform and transmitted externally outside the clinical setting and processed by a third-party system.

Information recorded and transmitted by the system included personally identifiable information and health information, including symptoms, diagnoses, prescription information, treatment plans, family medical histories, and mental health information – information classed as protected health information under HIPAA. Under HIPAA, Abridge AI is classed as a business associate, as the company receives protected health information, and HIPAA requires each healthcare provider client to sign a business associate agreement with Abridge AI. As a HIPAA business associate, Abridge AI is bound by the HIPAA Rules, and any protected health information collected, stored, or transmitted by the company must be protected in accordance with the HIPAA Security Rule. There are also strict rules regarding the use and disclosure of protected health information and breach reporting obligations.

Abridge AI is aware of its responsibilities under HIPAA as a business associate and signs business associate agreements with its HIPAA-covered entity clients. Since the information collected, transmitted, and processed by the platform at the direction of its clients is related to healthcare operations, patient consent is not required by HIPAA, provided the healthcare organization has a HIPAA-compliant business associate agreement with Abridge AI. The lawsuit does not allege that HIPAA has been violated but does assert that the interception, recording, and transmission of sensitive communications and health information without patients’ express consent violates the federal Wiretap Act and state consumer privacy laws.

The lawsuit alleges that the defendants used the platform to obtain operational and financial benefits, such as reducing clinicians’ documentation burdens and improving efficiency, but despite obtaining those advantages, they used the platform without first establishing legally compliant consent procedures, authorization protocols, or establishing appropriate safeguards to protect the confidentiality of patients’ confidential medical communications and medical information.

The lawsuit seeks class action certification, a jury trial, and damages for each violation of state law and the Wiretap Act, as well as injunctive relief, including an order from the court for the defendants to implement safeguards, policies, and technical controls to ensure that no medical information is intercepted or processed without first receiving prior consent from patients, and order for the defendant to pay the plaintiffs’ attorneys’ fees, expenses and suit costs.

“We take patient privacy seriously and are committed to protecting the security of our patients’ information. Technology used in our clinical settings is carefully evaluated and implemented in accordance with applicable laws and regulations,” said a spokesperson for Sutter Health.

The post Lawsuit Alleges AI Platform Illegally Recorded Patient-Clinician Conversations appeared first on The HIPAA Journal.

February 2026 Healthcare Data Breach Report

Posted by Steve Alder

In February 2026, 63 data breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that affected 500 or more individuals, a 14.5% increase from January 2026, and 12.5% more than the average number of February data breaches over the past 5 years.

Healthcare data breaches in the past 12 months - February 2026

Between January 1 and February 28, 2026, 118 data breaches affecting 500 or more individuals have been reported to OCR, involving the protected health information of 9,651,076 individuals. While healthcare data breaches have declined 10.6% year-over-year, the number of individuals affected has increased 44.7%.

February Healthcare data breaches - 2022-2026

Individuals affected by healthcare data breaches in the past 12 months - Feb 2026

Across the 63 data breaches reported in February, the protected health information of at least 8,134,378 individuals was exposed or impermissibly disclosed, a 436% month-over-month increase and 38.9% more than the average number of affected individuals over the past 12 months.

Individuals affected by February healthcare data breaches 2022-2026

Biggest Healthcare Data Breaches in February 2026

The high total in February is due to massive data breaches at two HIPAA-regulated entities in February – TriZetto Provider Solutions, a provider of administrative services to healthcare providers and health plans, and QualDerm Partners, a healthcare management services provider to 158 healthcare practices in 17 states. Both incidents potentially involved unauthorized access to the protected health information of more than 3 million individuals.

TriZetto is a business associate of many HIPAA-covered entities and was a subcontractor used by the healthcare technology and data analytics company OCHIN, a provider of specialized electronic health record software to healthcare providers. OCHIN said the breach impacted around 9% of the patient population of its member network – around 700,000 patients. It is unclear how many healthcare organizations were affected in total by the TRiZetto data breach. The HIPAA Journal has tracked 44 HIPAA-covered entities that have announced that they were affected, although the total is undoubtedly higher. Hackers gained access to the web portal that TriZetto’s clients used to access TriZetto’s systems. The intrusion was detected in October 2025; however, the threat actor had access to its systems for almost a year. It is unclear which threat group was behind the breach, as it was not disclosed by TriZetto, and no group appears to have claimed responsibility for the breach.

The data breach at QualDerm Partners was of a similar scale, affecting more than 3.1 million individuals. The intrusion was detected in December 2025, and the investigation confirmed that hackers had access to its systems between December 23 and December 24, 2025, and exfiltrated protected health information. As with the data breach at TriZetto, the threat actor behind the incident is unknown. While on a much smaller scale, the data breach at ApolloMD Business Services affected many healthcare provider clients. The ransomware group Qilin claimed responsibility for the attack and claimed to have exfiltrated patient data. While the data breach was reported in February, it was detected in May 2025. More individuals were affected by those three data breaches alone than in all data breaches reported to OCR since mid September 2025.

HIPAA-Regulated Entity State Entity Type Individuals Affected Cause of Breach
TriZetto Provider Solutions MO Business Associate 3,433,965 Hacking incident
QualDerm Partners, LLC TN Healthcare Provider 3,117,874 Hacking incident – data theft confirmed
ApolloMD Business Services, LLC GA Business Associate 626,540 Ransomware attack (Qilin)
Vikor Scientific, LLC. SC Healthcare Provider 139,964 Network server hacking incident – OCR provided technical assistance on HIPAA compliance
IPPC Inc., IPPC of New York LLC, and Innovative Pharmacy LLC NJ Healthcare Provider 133,862 Hacking incident – data theft confirmed
Oscar Health NY Health Plan 91,350 Employee emailed ePHI to incorrect recipients – OCR provided technical assistance on HIPAA compliance
National Association on Drug Abuse Problems NY Healthcare Provider 90,000 Hacking incident
Counseling Center of Wayne & Holmes Counties OH Healthcare Provider 83,354 Hacking incident – data theft confirmed
Academic Urology & Urogynecology of Arizona AZ Healthcare Provider 73,281 Hacking incident
Lakeside Pediatrics & Adolescent Medicine, PLLC ID Healthcare Provider 34,154 Hacking incident
Emanuel Medical Center GA Healthcare Provider 28,963 Hacking incident
Advanced Homecare Management, LLC DBA Enhabit Home Health & Hospice TX Healthcare Provider 23,154 Hacking incident at a business associate
Cedar Point Health, LLC CO Healthcare Provider 23,114 Hacking incident
WIRX Pharmacy PA Healthcare Provider 20,047 Hacking incident
Wendy Foster OD KS Healthcare Provider 20,000 Hacking incident
AccentCare TX Healthcare Provider 19,772 Hacking incident at a business associate (Doctor Alliance) involving a web application
Communications Workers of America Local 1180 Security Benefits Fund NY Health Plan 18,550 Unauthorized access to electronic medical records at a business associate
EyeCare Partners, LLC, including The Ophthalmology Group, Ophthalmology Consultants, and Ophthalmology Associates. MO Healthcare Provider 17,110 Unauthorized access to employee email accounts
Manhattan Retirement Foundation d/b/a Meadowlark Hills KS Healthcare Provider 14,442 Ransomware attack (Beast) – data theft confirmed
Jackson Hospital and Clinic AL Healthcare Provider 13,910 Hacking incident at a business associate
Couve Healthcare Consulting, LLC DBA Evergreen Healthcare Group WA Business Associate 11,795 Hacking incident involving its cloud-based electronic medical records
Triad Radiology Associates NC Healthcare Provider 11,011 Unauthorized access to an employee’s email account

Under the HIPAA Breach Notification Rule, data breaches must be reported to OCR within 60 days of the discovery of a data breach. When the number of affected individuals is not known, an estimate should be provided to OCR. Many regulated entities choose to report a breach using a placeholder figure of 500 or 501 individuals in such cases. The breach data for February 2026 includes 7 such data breaches. These figures are usually, but not always, updated when data breach investigations/data reviews are completed.

HIPAA-Regulated Entity State Entity Type Individuals Affected Cause of Breach
AltaMed Health Services Corporation CA Healthcare Provider 501 Ransomware attack
Cedar Valley Services MN Healthcare Provider 501 Hacking incident
Resource Corporation of America TX Business Associate 501 Hacking incident
Carolina Foot & Ankle Associates NC Healthcare Provider 501 Hacking/IT Incident
Marin Cancer Care CA Healthcare Provider 501 Hacking/IT Incident
Issaqueena Pediatric Dentistry PA SC Healthcare Provider 501 Ransomware attack
Alexes Hazen MD, PLLC NY Healthcare Provider 500 Hacking incident

Causes of February 2026 Healthcare Data Breaches

Hacking and other IT incidents continue to be the leading cause of healthcare data breaches, as has been the case for many years. All but 6 of the data breaches in February were hacking/IT incidents, which accounted for 98.6% of all individuals affected in the February 2026 data set. Across the 57 hacking-related data breaches, 8,020,208 individuals were affected. The average breach size was 140,705 individuals, and the median breach size was 2,908 individuals.

Causes of February 2026 healthcare data breaches

The remaining 6 data breaches were unauthorized access/disclosure incidents, which affected 114,170 individuals. The average breach size was 19,028 individuals, and the median breach size was 1,560 individuals. The largest of these incidents affected more than 91,000 individuals and was the result of an employee emailing ePHI to an incorrect recipient. Loss and theft incidents were once one of the biggest causes of healthcare data breaches, but they are now rarely reported. There were no loss or theft incidents in February, nor any improper disposal incidents. The most common location of breached protected health information in February was network servers, followed by email accounts/disclosures.

Locvation of breached protected health information in February 2026

February 2026 Data Breaches at HIPAA Regulated Entities

In February, data breaches involving the protected health information of 500 or more individuals were reported by 49 healthcare providers (3,940,433 individuals), 7 health plans (116,690 individuals), and 7 business associates (4,077,255 individuals). The raw data from the OCR breach portal shows the reporting entity rather than the entity that experienced the breach, as when a data breach occurs at a business associate, it is often the covered entity that reports the breach.

February serves as a good example of how business associate data breaches are often underrepresented in data breach reports.  Recalculating the data based on the entity that experienced the data breach, 25 data breaches occurred at business associates. The data breach at Trizetto Provider Solutions was reported to OCR by Trizetto as affecting more than 3.4 million individuals; however, many of the affected entities reported the breach to OCR themselves. The charts below are based on the entity that experienced the data breach, rather than the entity that reported the data breach, to better reflect data breaches at business associates.

February 20-26 data breaches at HIPAA-regulated entities

Individuals affected by data breaches at HIPAA-regulated entities in February 2026

Geographical Distribution of February 2026 Healthcare Data Breaches

The data breaches reported to OCR in February were quite widely distributed, affecting entities in 32 U.S. states. New York and Texas topped the list with 6 data breaches in each state, with four data breaches reported by entities based in California.

State Breaches
New York & Texas 6
California 4
Georgia, Kansas & Oregon 3
Arkansas, Illinois, Kentucky, Michigan, Missouri, North Carolina, New Jersey, Oklahoma, Pennsylvania, South Carolina, Tennessee & Utah 2
Alabama, Arizona, Colorado, Florida, Idaho, Indiana, Massachusetts, Maryland, Maine, Minnesota, New Hampshire, Ohio, Virginia & Washington 1

In terms of breach severity, Missouri and Tennessee topped the list for affected individuals.

State Individuals Affected State Individuals Affected
Missouri 3,451,075 North Carolina 11,512
Tennessee 3,119,544 Maine 9,300
Georgia 658,003 Kentucky 8,972
New York 210,655 California 6,283
South Carolina 140,465 Arkansas 5,800
New Jersey 134,444 Oregon 4,641
Ohio 83,354 Michigan 4,473
Arizona 73,281 Indiana 3,158
Texas 52,361 Illinois 2,891
Kansas 35,769 Oklahoma 2,275
Idaho 34,154 Virginia 1,544
Pennsylvania 24,647 Florida 1,107
Colorado 23,114 New Hampshire 1,005
Alabama 13,910 Massachusetts 634
Utah 12,085 Maryland 626
Washington 11,795 Minnesota 501

HIPAA Enforcement Activity in February 2026

There were no announcements about HIPAA enforcement actions by the HHS Office for Civil Rights or state attorneys general in February. OCR has confirmed, however, that its risk analysis enforcement initiative has been expanded to cover risk management. When investigating a data breach, OCR will request documentation demonstrating that a comprehensive, organization-wide risk analysis has been conducted and that risks identified by the risk analysis have been managed and reduced to a reasonable and acceptable level in a timely manner.

To help HIPAA-regulated entities manage risks and comply with the requirements of the HIPAA Security Rule, OCR released a video presentation this month. In the video, Nicholas Heesters, OCR’s Senior Advisor for Cybersecurity, explains the HIPAA requirements for risk management, provides examples of violations of the risk management implementation specification of the security management process standard that OCR discovered during its data breach investigations.

About this Report

The HIPAA Journal healthcare data breach reports are based on data breaches reported to the HHS’ Office for Civil Rights, as HIPAA-regulated entities rarely publicly disclose the number of individuals affected by a data breach, and in the case of hacking incidents, attackers’ claims are unreliable. Typically, the data breach reports are published around the 20th of each month for the preceding month; however, OCR has been slow to add data breaches to its data breach portal, hence the delay in publication.

OCR is delaying adding breach reports to the “under investigation” section of its data breach portal. For instance, no data breach reports submitted to OCR in March 2026 were added to the under investigation section of the breach portal in March 2026. As of April 10, 2026, there are only two data breaches listed for March. While the delay could indicate resource pressure at OCR, data breaches have been added to the “Archive” section of the OCR breach portal at a much-accelerated pace, indicating a change of priorities at OCR. OCR appears to be concentrating on investigating data breaches and closing investigations more quickly.

The post February 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

OCR Releases Video on HIPAA Security Rule Risk Management Requirements

Posted by Steve Alder

Earlier this year, Paula M. Stannard, Director of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), provided an update on OCR’s enforcement priorities in 2026 and confirmed that OCR’s risk analysis enforcement initiative will continue, and that it will evolve to also target noncompliance with the risk management requirement of the HIPAA Security Rule.

The risk analysis provision – § 164.308(a)(1)(ii)(A) – requires HIPAA-regulated entities to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate.” OCR has previously issued guidance on the risk analysis requirement, and has issued a risk assessment tool for small- and medium-sized entities to guide them through the process of comprehensively assessing risks to ePHI.

A risk analysis is one of four required implementation specifications under the security management process of the administrative safeguards, the others being risk management, sanction policy, and information system activity review. The risk management implementation specification requires HIPAA-regulated entities to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Standards: General Rules] § 164.306(a).”

Risk management is an essential component of HIPAA Security Rule compliance and cybersecurity preparedness in general. Risk management is a critical step toward defending against cyberattacks, which is why OCR has expanded its enforcement initiative to cover risk management. When OCR investigates a data breach or complaint, the regulated entity will need to demonstrate that it has conducted a comprehensive and accurate risk analysis and has acted on the findings of that analysis to reduce risks and vulnerabilities to a reasonable and appropriate level.

To help HIPAA-regulated entities manage risks and vulnerabilities, OCR has recorded a risk management video. In the video, Nicholas Heesters, OCR’s Senior Advisor for Cybersecurity, explains the HIPAA risk management requirements and provides examples of potential risk management violations identified during OCR’s investigations of data breaches. In December 2025, OCR requested questions from HIPAA-regulated entities on risk management, and has provided answers to a selection of those questions in the video. The video also shares important resources to help HIPAA-regulated entities comply with this important HIPAA Security Rule requirement. You can view the video on OCR’s YouTube channel.

The post OCR Releases Video on HIPAA Security Rule Risk Management Requirements appeared first on The HIPAA Journal.