HIPAA Compliance News

OCR Fines Four Regulated Entities for HIPAA Violations That Led to Ransomware Attacks

Posted April 24, 2026 by Steve Alder

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced four financial penalties to resolve potential HIPAA violations discovered during investigations of ransomware-related data breaches. The ransomware attacks resulted in the exposure of the electronic protected health information (ePHI) of 427,000 individuals, and $1,165,000 in financial penalties were imposed to resolve the HIPAA violations. In each case, the HIPAA-regulated entity agreed to pay a lower penalty to settle the alleged violations informally and agreed to adopt a corrective action plan to address the noncompliance issues identified by OCR’s investigators. Including these four settlements, OCR has resolved six investigations with financial penalties in 2026, collecting $1,278,000 in penalties.

Financially motivated cyber actors target the healthcare and public health sector, often using ransomware to encrypt files to prevent access to critical data. Threat actors know that healthcare organizations store large volumes of sensitive data and rely on access to the data to provide healthcare services. Without access to medical records, patient safety is put at risk, so victims are more likely that organziations in other sectors to pay the ransom demands to recover quickly. In addition to encryption, sensitive data is often exfiltrated and used as leverage. If the ransom is not paid, the data is sold or leaked online, putting the affected individuals at risk of identity theft and fraud.

In each of the past five years, more than 700 data breaches affecting 500 or more individuals have been reported to OCR, the majority of which were hacking incidents or ransomware attacks. “Hacking and ransomware are the most frequent type of large breach reported to OCR,” said OCR Director Paula M. Stannard, in an announcement about the HIPAA penalties. “Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”

One of the most important requirements of the HIPAA Security Rule is a risk analysis, the purpose of which is to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Those risks and vulnerabilities must then be subjected to risk management processes to eliminate them or reduce them to a low and acceptable level. If a risk analysis is not conducted, is not conducted regularly, or is incomplete, risks and vulnerabilities are likely to remain unknown and unaddressed and can be exploited to gain access to internal networks and ePHI.

OCR has made the risk analysis provision of the HIPAA Security Rule an enforcement priority due to its importance, and that initiative is being extended to include risk management. If a data breach is reported or if a complaint is submitted about an unreported data breach, OCR will investigate and will require evidence to show that a risk analysis has been completed and risks have been managed in a timely manner. In each of the four latest enforcement actions, OCR identified risk analysis failures.

In order to complete a comprehensive and accurate risk analysis, HIPAA-regulated entities must identify all locations within the organization where ePHI is located, including how ePHI enters, flows through, and leaves the organization’s information systems. It is therefore essential to create and maintain an accurate and up-to-date asset inventory on which the risk analysis can be based.

In addition to identifying and managing risks and vulnerabilities, HIPAA-regulated entities must ensure that appropriate cybersecurity measures are implemented, including access controls and authentication to restrict access to ePHI to authorized users only. Audit controls must be implemented to record and examine activity in information systems, and logs of information systems activity need to be regularly monitored. Encryption should be implemented to protect ePHI at rest and in transit, and an incident response plan must be developed, implemented, and maintained to ensure a fast response in the event of a successful intrusion. OCR also reminds regulated entities to ensure that workforce members are provided with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

Assured Imaging Affiliated Covered Entities – $375,000 HIPAA Penalty

The largest financial penalty announced this month resolved potential HIPAA violations identified by OCR during an investigation of a ransomware-related data breach at Assured Imaging Affiliated Covered Entities (Assured Imaging), a medical imaging and screening service provider with corporate headquarters in Arizona and California. The ransomware attack was discovered on May 19, 2020, and involved the theft of ePHI such as names, contact information, dates of birth, diagnosis and conditions, lab results, medications, and treatment information of 244,813 individuals.

Assured Imaging was unable to provide evidence that a risk analysis had ever been completed. OCR determined that there had been an impermissible disclosure of the ePHI of 244,813 individuals, and that Assured Imaging failed to notify the affected individuals within 60 days, as required by the HIPAA Breach Notification Rule. OCR imposed a $375,000 financial penalty to resolve the alleged HIPAA violations, and the settlement agreement includes a comprehensive corrective action plan. Assured Imaging will be monitored for compliance with the corrective action plan for two years.

Regional Women’s Health Group, dba Axia Women’s Health – $320,000 HIPAA Penalty

Regional Women’s Health Group, which does business as Axia Women’s Health and provides women’s healthcare services to patients in New Jersey, Pennsylvania, Ohio, Indiana, and Kentucky, reported a ransomware-related data breach to OCR in December 2020. The ePHI of 37,989 individuals stored in its electronic medical record database was exposed or stolen in the incident, including names, addresses, dates of birth, SSNs, driver’s license numbers, diagnoses or conditions, lab results, and medications.

OCR determined that Axia Women’s Health had failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI and imposed a $320,000 financial penalty. Axia Women’s Health opted to settle the alleged violation informally and agreed to implement a comprehensive corrective action plan and will be monitored for compliance with that plan for two years. In addition to conducting a risk analysis, implementing a risk management plan, and providing training to the workforce, Axia Women’s Health is required to implement a process for evaluating environmental and operational changes that affect the security of ePHI, suggesting OCR found potential noncompliance in this area, in addition to the risk analysis failure.

Star Group, L.P. Health Benefits Plan – $245,000 HIPAA Penalty

Star Group, L.P. Health Benefits Plan (SG Health Plan), the self-funded employee benefits plan of a Connecticut-based energy provider, reported a ransomware attack to OCR in October 2021. The forensic investigation determined that the ransomware group exfiltrated files containing the ePHI of 9,316 of its plan members. Data stolen in the attack included names, addresses, dates of birth, SSNs, and health insurance information, such as member identification numbers, claims data, and benefit selection information.

OCR’s investigation determined that SG Health Plan had failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to ePHI, resulting in an impermissible disclosure of the ePHI of 9,316 individuals. OCR resolved the alleged HIPAA violations with a $245,000 financial penalty, and SG Health Plan agreed to adopt a corrective action plan to address the alleged HIPAA violations. SG Health Plan will be monitored for compliance with the plan for 2 years.

Consociate, Inc., dba Consociate Health – $225,000 HIPAA Penalty

Consociate, Inc., doing business as Consociate Health, a third-party administrator of employee-sponsored benefit programs and business associate of health plans, discovered on January 14, 2021, that data in its information systems had been encrypted in a ransomware attack. The forensic investigation determined that its network had first been compromised 6 months previously as a result of a phishing attack.

The threat actor gained access to a server containing the ePHI of 136,539 individuals, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, credit card/bank account numbers, and diagnoses or conditions. OCR determined that Consociate Health failed to conduct an accurate and thorough risk analysis and resolved the alleged HIPAA violation with a $225,000 financial penalty. Consociate Health agreed to adopt a corrective action plan to address the alleged HIPAA violation and will be monitored for compliance with the plan for 2 years.

The post OCR Fines Four Regulated Entities for HIPAA Violations That Led to Ransomware Attacks appeared first on The HIPAA Journal.

OPM’s Plan to Collect Federal Employees’ Health Insurance Data Attracts Strong Criticism

Posted April 22, 2026 by Steve Alder

A proposal to allow the Office of Personnel Management (OPM) to collect the personally identifiable health information of federal employees and their family members has attracted strong criticism due to privacy and security risks, and the potential for HIPAA violations and data misuse.

Per the December 12, 2025, notice about the information collection request (ICR) – Federal Employees Health Benefits (FEHB) and Postal Service Health Benefits (PSHB) Programs Service Use and Cost Data – OPM requires insurance carriers to submit FEHB and PSHB program claims data to OPM. Under the proposal, insurance carriers are required to make monthly submissions of claims-level data, including the protected health information of current and former federal workers and their family members, including personal identifiers. According to OPM, the data will “enable OPM to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans.” While there are clear benefits to be gained from collecting and analyzing the data, such as lowering costs and improving care quality, the proposal has raised significant privacy and security concerns.

The Trump administration is seeking unprecedented access to workers’ medical information– information protected under the Health Insurance Portability and Accountability Act (HIPAA). The data being sought is not government data; it is protected health information maintained by HIPAA-regulated entities. Information submitted to OPM under the proposal would populate a government database, but OPM has failed to fully explain exactly how that information will be used, maintained, and protected. As such, there are legitimate concerns that the requested data may be used for reasons other than the stated purpose, especially given the Trump administration’s attempts over the past 12 months to obtain personal information from the Social Security Administration and the Internal Revenue Service.

“OPM is collecting service use and cost data from FEHB and PSHB Carriers, including medical claims, pharmacy claims, encounter data, and provider data. This data will enable OPM to oversee health benefits programs and ensure they provide competitive, quality, and affordable plans,” explained OPM in the notice. “OPM requires Carriers to report necessary information and permit audits and examinations to manage the FEHB Program effectively.”

In the notice, OPM explains that under HIPAA, covered entities such as health plans are permitted to disclose protected health information – including service use and cost data – to health oversight agencies, including OPM, for oversight activities authorized under 45 CFR 165.512(d)(1). The notice calls for 65 carriers to make ongoing, monthly submissions of claims-level data and quarterly manufacturer rebate data for federal employees and retirees. The carriers hold data for more than 8 million Americans, including federal workers, mail carriers, retired members of Congress, and their immediate family members.

The use of such broad terms for data categories has set alarm bells ringing. OPM will potentially be provided with a huge volume of sensitive, personally identifiable information, including information about treatments sought and received. Encounter data, for instance, could potentially encompass full medical records and doctors’ notes, information over and above what is necessary for the stated health oversight activities.

De-identified data could potentially be used to achieve the stated purpose, but OPM makes no mention of stripping out personal identifiers. As such, there are legitimate concerns from privacy groups that OPM could create a huge database of highly sensitive information that could easily be misused. For instance, for targeting specific employees based on the healthcare services they sought and received, or assisting the administration with its DEI, gender-affirming care, and reproductive health care initiatives, or any other healthcare services being targeted.

Aside from the potential for data misuse, the proposal will create significant compliance and legal risks for the carriers. OPM states in the notice that the HIPAA Privacy Rule permits disclosures of protected health information for health oversight activities, but requests a broad swathe of protected health information, the provision of which will likely violate the minimum necessary standard. The minimum necessary standard – 45 CFR 164.502(b), 164.514(d) – applies to data disclosed for health oversight activities. “When using or disclosing protected health information or when requesting protected health information… a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.”

In its current form, the proposal lacks detailed information about the purpose for the disclosure, and the broad categories of data requested will require carriers to walk a HIPAA compliance tightrope. While the Trump administration may have no intention of enforcing HIPAA compliance regarding the OPM data disclosures, future administrations may take an entirely different view, and the data disclosures will expose carriers to significant legal risk. It is currently unclear how carriers intend to comply with the proposal.

While HIPAA permits disclosures of protected health information for health oversight activities, they are not required disclosures under HIPAA. Carriers may choose to only disclose information that they deem appropriate and necessary, although, without further detail about the exact purposes for the disclosures, it will be difficult to determine what information is appropriate and necessary, and the compliance and administrative burden would be significant.

In addition to concerns about protected health information being provided to the government and how that information will be used, concerns have been raised about OPM’s ability to protect a database of highly sensitive protected health information, given the extent to which government entities are targeted by threat actors, and OPM’s and the Trump administration’s history of safeguarding sensitive data. OPM experienced two massive data breaches in 2015, one involving the personal information of 4.2 million current and former federal employees and another involving the theft of the personal records of more than 22 million Americans. The Chinese government is alleged to have been behind the attacks.

The proposal has attracted significant criticism. The Association of Federal Health Organizations (AFHO) points out that this is not the first time that OPM has sought to establish a healthcare claims data warehouse, having made a similar proposal in 2010. The same HIPAA compliance concerns that were voiced 16 years ago still apply to the latest proposal. AFHO had argued that only de-identified data should be shared; however, today, the sharing of de-identified data with OPM carries significant compliance risks. AFHO is concerned that, given the detailed information OPM already has on enrolees and their family members, there is a risk that de-identified data could be re-identified, and the HIPAA Privacy Rule does not permit the sharing of de-identified data when there is a risk of reidentification. AFHO suggests an agreement between OPM and the CMS to use the CMS edge server system to query data, thereby eliminating the risk of re-identification, or to enter into a contract with the Health Care Cost Institute, which could translate raw data into actionable insights.

Robert H. Shriver, III, Managing Director of Civil Service Strong, a project of Democracy Forward Foundation, voiced strong opposition to ICR. Specifically, due to the failure of OPM to justify the proposed data collection and clearly state exactly how the data will be used, the failure to explain how data will be safeguarded, and the risk of data abuse. “OPM’s ICR is especially concerning given the Trump-Vance Administration’s explicit contempt for federal workers and its pattern of recklessness with highly sensitive data,” wrote Shriver in comments in response to the ICR notice. He said the Trump administration has demonstrated that it cannot be trusted with sensitive data, citing the recent admission by the Trump administration that sensitive Social Security Administration data was sent to unauthorized individuals, shared on nongovernmental servers, and, through DOGE activities in particular, it is “playing fast and loose with government data.”

Jonathan Foley, a former OPM employee who advised on the FEHB program under the Obama and Biden administrations, believes there are valuable benefits to be gained from collecting and analysing personally identifiable data, but warned of the considerable potential for data misuse and the privacy risks. In his comments in response to the notice, Foley said the Trump administration has a poor record of properly handling sensitive information and has attempted to link identifiable data across federal programs and use it for reasons unrelated to the original purpose for which the data was collected. Foley suggests that de-identified data could be collected and maintained by a trusted entity other than OPM, with guardrails preventing federal authorities from demanding direct access to the data from that trusted entity. CVS Health suggests that OPM should convene a stakeholder working group to determine the specific data elements required to support the requested goals and to establish a consistent reporting framework.

Most recently, on April 17, 2026, a group of 16 Democratic members of the House Oversight Committee wrote to OPM Director Scott Kupor and Office of Management and Budget Director Russell Vought, calling for the withdrawal of the proposed plan due to the potential for data misuse, HIPAA violations, and concern that OPM lacks the necessary safeguards to responsibly protect sensitive data. “More than 8 million Americans receive health insurance under the FEHB and PSHB programs, including federal workers, mail carriers, and their immediate family members. They should be able to make medical decisions in consultation with their doctors—not the federal government,” wrote the senators. “We therefore demand that OPM halt all plans to collect private health insurance data and provide a briefing on the decision to enact this policy.” The senators have asked the Directors to explain the decision to obtain such an expansive dataset without any guardrails or protections for employee privacy.

The post OPM’s Plan to Collect Federal Employees’ Health Insurance Data Attracts Strong Criticism appeared first on The HIPAA Journal.

Lawsuit Alleges AI Platform Illegally Recorded Patient-Clinician Conversations

Posted April 14, 2026 by Steve Alder

A lawsuit has been filed in the U.S. District Court for the Northern District of California against two healthcare organizations over their use of an AI-based tool that records conversations between patients and clinicians and transmits the audio files externally for processing and transcription. The lawsuit names the California nonprofit public benefit corporations Sutter Health and Memorial Healthcare Services as defendants, and alleges that their use of the tool violates the California Invasion of Privacy Act (CIPA), California Confidentiality of Medical Information Act (CMIA), California Unfair Competition Law, Federal Wiretap Act, and constitutes invasion of privacy – intrusion upon seclusion.

The AI-based platform was developed by Abridge AI, Inc., and is described as an “ambient clinical documentation system” which is marketed to health systems as an “enterprise-grade AI” that generates “contextually aware, clinically useful, and billable AI-generated notes, integrated directly into EHR workflows.” When activated on microphone-enabled devices in examination rooms, the tool captures conversations between clinicians and patients and transmits the recorded audio files to an external server, where they are processed and transcribed. AI models are used to generate structured draft clinical notes that can be checked by the clinician and incorporated directly into the electronic medical record system.

Abridge AI’s platform is used by many large health systems and providers, including Johns Hopkins, Mayo Clinic, Mount Sinai Medical Center, UC Health, MemorialCare, Christus Health, Corewell Health, and Reid Health, to name but a few. The platform is praised by users who report that it significantly decreases clinicians’ cognitive load, allows clinicians to give patients their undivided attention, and increases clinician satisfaction.

The lawsuit – Washington et al v. Sutter Health – was filed by plaintiffs Christina Washington, Dennis Gueretta, and Rebecca Matulic, who visited the defendants in the past six months and disclosed sensitive medical information in their visits. The plaintiffs allege that they had a reasonable expectation that their conversations with the clinicians would remain private and confidential. The plaintiffs allege that at the time of their visits, they were unaware that their conversations with clinicians were being recorded by an artificial intelligence platform and transmitted externally outside the clinical setting and processed by a third-party system.

Information recorded and transmitted by the system included personally identifiable information and health information, including symptoms, diagnoses, prescription information, treatment plans, family medical histories, and mental health information – information classed as protected health information under HIPAA. Under HIPAA, Abridge AI is classed as a business associate, as the company receives protected health information, and HIPAA requires each healthcare provider client to sign a business associate agreement with Abridge AI. As a HIPAA business associate, Abridge AI is bound by the HIPAA Rules, and any protected health information collected, stored, or transmitted by the company must be protected in accordance with the HIPAA Security Rule. There are also strict rules regarding the use and disclosure of protected health information and breach reporting obligations.

Abridge AI is aware of its responsibilities under HIPAA as a business associate and signs business associate agreements with its HIPAA-covered entity clients. Since the information collected, transmitted, and processed by the platform at the direction of its clients is related to healthcare operations, patient consent is not required by HIPAA, provided the healthcare organization has a HIPAA-compliant business associate agreement with Abridge AI. The lawsuit does not allege that HIPAA has been violated but does assert that the interception, recording, and transmission of sensitive communications and health information without patients’ express consent violates the federal Wiretap Act and state consumer privacy laws.

The lawsuit alleges that the defendants used the platform to obtain operational and financial benefits, such as reducing clinicians’ documentation burdens and improving efficiency, but despite obtaining those advantages, they used the platform without first establishing legally compliant consent procedures, authorization protocols, or establishing appropriate safeguards to protect the confidentiality of patients’ confidential medical communications and medical information.

The lawsuit seeks class action certification, a jury trial, and damages for each violation of state law and the Wiretap Act, as well as injunctive relief, including an order from the court for the defendants to implement safeguards, policies, and technical controls to ensure that no medical information is intercepted or processed without first receiving prior consent from patients, and order for the defendant to pay the plaintiffs’ attorneys’ fees, expenses and suit costs.

“We take patient privacy seriously and are committed to protecting the security of our patients’ information. Technology used in our clinical settings is carefully evaluated and implemented in accordance with applicable laws and regulations,” said a spokesperson for Sutter Health.

The post Lawsuit Alleges AI Platform Illegally Recorded Patient-Clinician Conversations appeared first on The HIPAA Journal.

February 2026 Healthcare Data Breach Report

Posted April 10, 2026 by Steve Alder

In February 2026, 63 data breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that affected 500 or more individuals, a 14.5% increase from January 2026, and 12.5% more than the average number of February data breaches over the past 5 years.

Healthcare data breaches in the past 12 months - February 2026

Between January 1 and February 28, 2026, 118 data breaches affecting 500 or more individuals have been reported to OCR, involving the protected health information of 9,651,076 individuals. While healthcare data breaches have declined 10.6% year-over-year, the number of individuals affected has increased 44.7%.

February Healthcare data breaches - 2022-2026

Individuals affected by healthcare data breaches in the past 12 months - Feb 2026

Across the 63 data breaches reported in February, the protected health information of at least 8,134,378 individuals was exposed or impermissibly disclosed, a 436% month-over-month increase and 38.9% more than the average number of affected individuals over the past 12 months.

Individuals affected by February healthcare data breaches 2022-2026

Biggest Healthcare Data Breaches in February 2026

The high total in February is due to massive data breaches at two HIPAA-regulated entities in February – TriZetto Provider Solutions, a provider of administrative services to healthcare providers and health plans, and QualDerm Partners, a healthcare management services provider to 158 healthcare practices in 17 states. Both incidents potentially involved unauthorized access to the protected health information of more than 3 million individuals.

TriZetto is a business associate of many HIPAA-covered entities and was a subcontractor used by the healthcare technology and data analytics company OCHIN, a provider of specialized electronic health record software to healthcare providers. OCHIN said the breach impacted around 9% of the patient population of its member network – around 700,000 patients. It is unclear how many healthcare organizations were affected in total by the TRiZetto data breach. The HIPAA Journal has tracked 44 HIPAA-covered entities that have announced that they were affected, although the total is undoubtedly higher. Hackers gained access to the web portal that TriZetto’s clients used to access TriZetto’s systems. The intrusion was detected in October 2025; however, the threat actor had access to its systems for almost a year. It is unclear which threat group was behind the breach, as it was not disclosed by TriZetto, and no group appears to have claimed responsibility for the breach.

The data breach at QualDerm Partners was of a similar scale, affecting more than 3.1 million individuals. The intrusion was detected in December 2025, and the investigation confirmed that hackers had access to its systems between December 23 and December 24, 2025, and exfiltrated protected health information. As with the data breach at TriZetto, the threat actor behind the incident is unknown. While on a much smaller scale, the data breach at ApolloMD Business Services affected many healthcare provider clients. The ransomware group Qilin claimed responsibility for the attack and claimed to have exfiltrated patient data. While the data breach was reported in February, it was detected in May 2025. More individuals were affected by those three data breaches alone than in all data breaches reported to OCR since mid September 2025.

HIPAA-Regulated Entity	State	Entity Type	Individuals Affected	Cause of Breach
TriZetto Provider Solutions	MO	Business Associate	3,433,965	Hacking incident
QualDerm Partners, LLC	TN	Healthcare Provider	3,117,874	Hacking incident – data theft confirmed
ApolloMD Business Services, LLC	GA	Business Associate	626,540	Ransomware attack (Qilin)
Vikor Scientific, LLC.	SC	Healthcare Provider	139,964	Network server hacking incident – OCR provided technical assistance on HIPAA compliance
IPPC Inc., IPPC of New York LLC, and Innovative Pharmacy LLC	NJ	Healthcare Provider	133,862	Hacking incident – data theft confirmed
Oscar Health	NY	Health Plan	91,350	Employee emailed ePHI to incorrect recipients – OCR provided technical assistance on HIPAA compliance
National Association on Drug Abuse Problems	NY	Healthcare Provider	90,000	Hacking incident
Counseling Center of Wayne & Holmes Counties	OH	Healthcare Provider	83,354	Hacking incident – data theft confirmed
Academic Urology & Urogynecology of Arizona	AZ	Healthcare Provider	73,281	Hacking incident
Lakeside Pediatrics & Adolescent Medicine, PLLC	ID	Healthcare Provider	34,154	Hacking incident
Emanuel Medical Center	GA	Healthcare Provider	28,963	Hacking incident
Advanced Homecare Management, LLC DBA Enhabit Home Health & Hospice	TX	Healthcare Provider	23,154	Hacking incident at a business associate
Cedar Point Health, LLC	CO	Healthcare Provider	23,114	Hacking incident
WIRX Pharmacy	PA	Healthcare Provider	20,047	Hacking incident
Wendy Foster OD	KS	Healthcare Provider	20,000	Hacking incident
AccentCare	TX	Healthcare Provider	19,772	Hacking incident at a business associate (Doctor Alliance) involving a web application
Communications Workers of America Local 1180 Security Benefits Fund	NY	Health Plan	18,550	Unauthorized access to electronic medical records at a business associate
EyeCare Partners, LLC, including The Ophthalmology Group, Ophthalmology Consultants, and Ophthalmology Associates.	MO	Healthcare Provider	17,110	Unauthorized access to employee email accounts
Manhattan Retirement Foundation d/b/a Meadowlark Hills	KS	Healthcare Provider	14,442	Ransomware attack (Beast) – data theft confirmed
Jackson Hospital and Clinic	AL	Healthcare Provider	13,910	Hacking incident at a business associate
Couve Healthcare Consulting, LLC DBA Evergreen Healthcare Group	WA	Business Associate	11,795	Hacking incident involving its cloud-based electronic medical records
Triad Radiology Associates	NC	Healthcare Provider	11,011	Unauthorized access to an employee’s email account

Under the HIPAA Breach Notification Rule, data breaches must be reported to OCR within 60 days of the discovery of a data breach. When the number of affected individuals is not known, an estimate should be provided to OCR. Many regulated entities choose to report a breach using a placeholder figure of 500 or 501 individuals in such cases. The breach data for February 2026 includes 7 such data breaches. These figures are usually, but not always, updated when data breach investigations/data reviews are completed.

HIPAA-Regulated Entity	State	Entity Type	Individuals Affected	Cause of Breach
AltaMed Health Services Corporation	CA	Healthcare Provider	501	Ransomware attack
Cedar Valley Services	MN	Healthcare Provider	501	Hacking incident
Resource Corporation of America	TX	Business Associate	501	Hacking incident
Carolina Foot & Ankle Associates	NC	Healthcare Provider	501	Hacking/IT Incident
Marin Cancer Care	CA	Healthcare Provider	501	Hacking/IT Incident
Issaqueena Pediatric Dentistry PA	SC	Healthcare Provider	501	Ransomware attack
Alexes Hazen MD, PLLC	NY	Healthcare Provider	500	Hacking incident

Causes of February 2026 Healthcare Data Breaches

Hacking and other IT incidents continue to be the leading cause of healthcare data breaches, as has been the case for many years. All but 6 of the data breaches in February were hacking/IT incidents, which accounted for 98.6% of all individuals affected in the February 2026 data set. Across the 57 hacking-related data breaches, 8,020,208 individuals were affected. The average breach size was 140,705 individuals, and the median breach size was 2,908 individuals.

Causes of February 2026 healthcare data breaches

The remaining 6 data breaches were unauthorized access/disclosure incidents, which affected 114,170 individuals. The average breach size was 19,028 individuals, and the median breach size was 1,560 individuals. The largest of these incidents affected more than 91,000 individuals and was the result of an employee emailing ePHI to an incorrect recipient. Loss and theft incidents were once one of the biggest causes of healthcare data breaches, but they are now rarely reported. There were no loss or theft incidents in February, nor any improper disposal incidents. The most common location of breached protected health information in February was network servers, followed by email accounts/disclosures.

Locvation of breached protected health information in February 2026

February 2026 Data Breaches at HIPAA Regulated Entities

In February, data breaches involving the protected health information of 500 or more individuals were reported by 49 healthcare providers (3,940,433 individuals), 7 health plans (116,690 individuals), and 7 business associates (4,077,255 individuals). The raw data from the OCR breach portal shows the reporting entity rather than the entity that experienced the breach, as when a data breach occurs at a business associate, it is often the covered entity that reports the breach.

February serves as a good example of how business associate data breaches are often underrepresented in data breach reports. Recalculating the data based on the entity that experienced the data breach, 25 data breaches occurred at business associates. The data breach at Trizetto Provider Solutions was reported to OCR by Trizetto as affecting more than 3.4 million individuals; however, many of the affected entities reported the breach to OCR themselves. The charts below are based on the entity that experienced the data breach, rather than the entity that reported the data breach, to better reflect data breaches at business associates.

February 20-26 data breaches at HIPAA-regulated entities

Individuals affected by data breaches at HIPAA-regulated entities in February 2026

Geographical Distribution of February 2026 Healthcare Data Breaches

The data breaches reported to OCR in February were quite widely distributed, affecting entities in 32 U.S. states. New York and Texas topped the list with 6 data breaches in each state, with four data breaches reported by entities based in California.

State	Breaches
New York & Texas	6
California	4
Georgia, Kansas & Oregon	3
Arkansas, Illinois, Kentucky, Michigan, Missouri, North Carolina, New Jersey, Oklahoma, Pennsylvania, South Carolina, Tennessee & Utah	2
Alabama, Arizona, Colorado, Florida, Idaho, Indiana, Massachusetts, Maryland, Maine, Minnesota, New Hampshire, Ohio, Virginia & Washington	1

In terms of breach severity, Missouri and Tennessee topped the list for affected individuals.

State	Individuals Affected	State	Individuals Affected
Missouri	3,451,075	North Carolina	11,512
Tennessee	3,119,544	Maine	9,300
Georgia	658,003	Kentucky	8,972
New York	210,655	California	6,283
South Carolina	140,465	Arkansas	5,800
New Jersey	134,444	Oregon	4,641
Ohio	83,354	Michigan	4,473
Arizona	73,281	Indiana	3,158
Texas	52,361	Illinois	2,891
Kansas	35,769	Oklahoma	2,275
Idaho	34,154	Virginia	1,544
Pennsylvania	24,647	Florida	1,107
Colorado	23,114	New Hampshire	1,005
Alabama	13,910	Massachusetts	634
Utah	12,085	Maryland	626
Washington	11,795	Minnesota	501

HIPAA Enforcement Activity in February 2026

There were no announcements about HIPAA enforcement actions by the HHS Office for Civil Rights or state attorneys general in February. OCR has confirmed, however, that its risk analysis enforcement initiative has been expanded to cover risk management. When investigating a data breach, OCR will request documentation demonstrating that a comprehensive, organization-wide risk analysis has been conducted and that risks identified by the risk analysis have been managed and reduced to a reasonable and acceptable level in a timely manner.

To help HIPAA-regulated entities manage risks and comply with the requirements of the HIPAA Security Rule, OCR released a video presentation this month. In the video, Nicholas Heesters, OCR’s Senior Advisor for Cybersecurity, explains the HIPAA requirements for risk management, provides examples of violations of the risk management implementation specification of the security management process standard that OCR discovered during its data breach investigations.

About this Report

The HIPAA Journal healthcare data breach reports are based on data breaches reported to the HHS’ Office for Civil Rights, as HIPAA-regulated entities rarely publicly disclose the number of individuals affected by a data breach, and in the case of hacking incidents, attackers’ claims are unreliable. Typically, the data breach reports are published around the 20^th of each month for the preceding month; however, OCR has been slow to add data breaches to its data breach portal, hence the delay in publication.

OCR is delaying adding breach reports to the “under investigation” section of its data breach portal. For instance, no data breach reports submitted to OCR in March 2026 were added to the under investigation section of the breach portal in March 2026. As of April 10, 2026, there are only two data breaches listed for March. While the delay could indicate resource pressure at OCR, data breaches have been added to the “Archive” section of the OCR breach portal at a much-accelerated pace, indicating a change of priorities at OCR. OCR appears to be concentrating on investigating data breaches and closing investigations more quickly.

The post February 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

OCR Releases Video on HIPAA Security Rule Risk Management Requirements

Posted April 9, 2026 by Steve Alder

Earlier this year, Paula M. Stannard, Director of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), provided an update on OCR’s enforcement priorities in 2026 and confirmed that OCR’s risk analysis enforcement initiative will continue, and that it will evolve to also target noncompliance with the risk management requirement of the HIPAA Security Rule.

The risk analysis provision – § 164.308(a)(1)(ii)(A) – requires HIPAA-regulated entities to “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate.” OCR has previously issued guidance on the risk analysis requirement, and has issued a risk assessment tool for small- and medium-sized entities to guide them through the process of comprehensively assessing risks to ePHI.

A risk analysis is one of four required implementation specifications under the security management process of the administrative safeguards, the others being risk management, sanction policy, and information system activity review. The risk management implementation specification requires HIPAA-regulated entities to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the Security Standards: General Rules] § 164.306(a).”

Risk management is an essential component of HIPAA Security Rule compliance and cybersecurity preparedness in general. Risk management is a critical step toward defending against cyberattacks, which is why OCR has expanded its enforcement initiative to cover risk management. When OCR investigates a data breach or complaint, the regulated entity will need to demonstrate that it has conducted a comprehensive and accurate risk analysis and has acted on the findings of that analysis to reduce risks and vulnerabilities to a reasonable and appropriate level.

To help HIPAA-regulated entities manage risks and vulnerabilities, OCR has recorded a risk management video. In the video, Nicholas Heesters, OCR’s Senior Advisor for Cybersecurity, explains the HIPAA risk management requirements and provides examples of potential risk management violations identified during OCR’s investigations of data breaches. In December 2025, OCR requested questions from HIPAA-regulated entities on risk management, and has provided answers to a selection of those questions in the video. The video also shares important resources to help HIPAA-regulated entities comply with this important HIPAA Security Rule requirement. You can view the video on OCR’s YouTube channel.

The post OCR Releases Video on HIPAA Security Rule Risk Management Requirements appeared first on The HIPAA Journal.

Trump Administration Proposes 12.5% Cut to HHS Budget for FY 2027

Posted April 7, 2026 by Steve Alder

The HHS’ Office for Civil Rights (OCR) has long been seeking an increase to its budget to support its HIPAA enforcement activities; however, that is looking unlikely as the Trump Administration is seeking to cut funding for the Department of Health and Human Services (HHS) in 2027.

The Trump Administration has proposed $111.1 billion in discretionary funding for fiscal year 2027, a $15.8 billion (12.5%) cut in funding compared to FY 2026. One of the main casualties is the National Institutes of Health (NIH), which faces a $5 billion cut to its budget, plus $5 billion in cuts through consolidations and eliminations of programs across several sub agencies, including the Health Resources and Services Administration (HRSA), Substance Abuse and Mental Health Services Administration (SAMHSA), Centers for Disease Control and Prevention (CDC), and the Office of the Assistant Secretary for Health (OASH).

The Trump Administration is seeking to establish the Administration for a Healthy America (AHA), which, in part, will involve the elimination of programs that the Trump Administration says promote “radicalized DEI ideologies”, including programs that provide funding for youth LGBTQ services. The AHA was proposed last year, although Congress did not include funding to establish the new department in the budget.

While OCR does not appear to be facing any budget cuts, any increase to its budget to support its enforcement of HIPAA and the Part 2 regulations looks increasingly unlikely. OCR is already having to find funds from its existing budget to pay for an expanded workload, as OCR has been given the responsibility of enforcing the Part 2 regulations.

In a press call following the announcement of the Part 2 enforcement program, the OCR Director said the agency has sufficient resources to manage the additional Part 2 enforcement workload in fiscal year 2026, based on the expected volume of complaints and data breaches.

Since OCR started enforcing compliance with the Part 2 regulations in February and updated its data breach portal, there has been a major slowing of the publication of breach summaries on its “HIPAA Wall of Shame,” which had no breach reports added to the “under investigation” section after February 26, 2026, during the whole of March. Whether this is due to a lack of resources or a change in policy is unclear. OCR does appear to be working on closing investigations faster, as data breaches have been added to the archive section at an increased pace.

While the Trump Administration has proposed its budget with extensive funding cuts, it will be down to Congress to pass that budget, and there is likely to be some resistance to the proposed budgetary cuts at HHS, as was the case with the proposed budget for FY 2026. The Trump Administration sought to cut HHS funding last year; however, Congress actually increased the budget for the HHS in 2026.

The post Trump Administration Proposes 12.5% Cut to HHS Budget for FY 2027 appeared first on The HIPAA Journal.

CMS Releases Final Rule Implementing HIPAA Standards for Health Care Claims Attachments

Posted March 24, 2026 by Steve Alder

The U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) released a final rule on Friday establishing new standards for the electronic transfer of claims documentation, including a new standard for electronic signatures to ensure that claims attachment transactions are secure, authenticated, and compliant with federal regulations.

While electronic health records have been widely adopted by healthcare providers, the healthcare industry is still reliant on outdated methods for transferring attachments to support electronic health care claims. The exchange of health care claims remains a manual process, with the necessary documentation transferred by fax or physical mail. These outdated methods of data transfer result in delays to patient care, increased health care costs, and place a considerable administrative burden on clinicians. The final rule modernizes health care administration, resulting in cost savings, time savings, enhanced security, improved efficiency, and faster care delivery.

“The 1980s called, and they want their fax machines back,” CMS Administrator Dr. Mehmet Oz said. “The futuristic medical breakthroughs we’ve achieved, like augmented reality glasses that give surgeons X-ray vision, shouldn’t have to coexist with administrative systems that often lag decades behind. This new rule will modernize American healthcare by standardizing electronic claims attachments and enabling secure electronic signatures. Because every minute providers save on paperwork is another minute they can spend caring for patients.”

The CMS collaborated with industry stakeholders when developing its proposed rule and received considerable feedback from health plans, healthcare providers, healthcare clearinghouses, technology vendors, patients, and consumers, which shaped the final rule. The final rule was published in the Federal Register on March 24, 2026, and takes effect on May 26, 2026. The new standards apply to all HIPAA-covered entities – health plans, healthcare providers, and healthcare clearinghouses – and compliance with the new standards is required by May 26, 2028. While HIPAA-covered entities have two years to ensure compliance, they are encouraged to read and review the final rule and start implementing the new standards promptly.

The final rule – Administrative Simplification; Adoption of Standards for Health Care Claims Attachments Transactions and Electronic Signatures Final Rule – implements the requirements of the administrative simplification subtitle of HIPAA and the Patient Protection and Affordable Care Act, and establishes the first-ever standards for healthcare claims attachments under HIPAA. The final rule will enable the secure electronic exchange of healthcare claims-related supporting documentation, including medical records, medical images, clinical notes, telemedicine visit documentation, and laboratory results. The new standards are anticipated to save the healthcare sector up to $782 million each year, according to the CMS, and will allow clinicians to spend more time providing care for patients.

The final rule adopts definitions of “attachment information,” “electronic signature,” and “health care claims attachments transaction,” and adopts standards for health care claims transactions and digital signatures used in conjunction with health care claims attachments transactions. The final rule also adopts X12N standards for data exchange and Health Level 7 (HL7) standards for sharing clinical data.

While the proposed rule included electronic transfer standards for prior authorizations, after considering the comments received, the CMS omitted the proposed electronic transfer standards for prior authorizations from the final rule due to conflicts with currently mandated standards for prior authorization. The CMS will continue evaluating other standards for prior authorizations.

The post CMS Releases Final Rule Implementing HIPAA Standards for Health Care Claims Attachments appeared first on The HIPAA Journal.

Final Rule Implementing HIPAA Security Rule Updates Edges Closer

Posted March 20, 2026 by Steve Alder

The HIPAA Security Rule update proposed by OCR in the final days of the Biden administration is only two months away from a final rule, should OCR stick to the proposed timescale for release. OCR has yet to confirm when a final rule will be released or if the proposed rule will actually progress to a final rule.

OCR issued its Notice of Proposed Rulemaking (NPRM) on December 27, 2024, to strengthen cybersecurity protections for electronic protected health information (ePHI). The proposed update, the first significant update to the HIPAA Security Rule in more than two decades, introduced significant new security requirements to ensure the confidentiality, integrity, and availability of ePHI, taking into account changes to business practices and technology since the original rule was enacted.

Several months earlier, in January 2024, OCR published its voluntary Health Care and Public Health Cybersecurity Performance Goals (HPH CPGs) – two sets of voluntary goals (essential and enhanced) that HPH sector organizations were encouraged to adopt to improve resilience to cyber threats, and ensure the fastest possible recovery in the event of a successful cyber incident. Both sets of goals consisted of high impact measures for quickly improving resilience.

The HPH CPGs were the first step in the HHS’s Healthcare Sector Cybersecurity strategy concept paper, published in December 2023. The second step was the provision of incentives to encourage adoption of the HPH CPGs. HHS said at the time that it would work with Congress to establish an upfront investment program to help low-resource healthcare providers adopt the essential goals and an incentives program to encourage the adoption of the enhanced goals. Those programs are key to improving adoption of the HPH CPGs, especially at low-resource hospitals that simply do not have the necessary funds to make significant improvements to cybersecurity.

The voluntary goals were welcomed by HIPAA-regulated entities and industry groups, but they were only a starting point, and OCR explained that the goals would advise future rulemaking. Initially, the measures would be voluntary, but further rulemaking would make some of the cybersecurity requirements mandatory, which was what we saw with the proposed HIPAA Security Rule update.

The HIPAA Security Rule update was poorly received by HIPAA-regulated entities and industry groups and attracted considerable criticism. A coalition of more than 100 hospital systems and provider associations called for the HHS to withdraw the proposed updates to the HIPAA Security Rule, which they said “runs counter to President Trump’s robust deregulatory agenda.”

In its proposed form, the Security Rule update was criticized for placing substantial new financial burdens on HIPAA-regulated entities, and there was an unreasonable timeline for implementation. Instead, the authoring healthcare providers and industry groups called for “a collaborative outreach initiative with our organizations and other regulated entities that are impacted to develop practical and actionable cybersecurity standards for more robust protections of individuals’ health information, without the extreme and unnecessary regulatory burden that health care providers and other stakeholders would face under the crushing and unprecedented provisions of this Proposed Rule.”

During a session at the recent HIMSS conference in Las Vegas, OCR Director Paula M. Stannard said OCR had received more than 4,700 comments in response to the NPRM and is still parsing those comments. Stannard did not confirm whether the proposed Security Rule update will progress to a final rule per OCR’s schedule, nor did she confirm whether the proposed rule will actually progress to a final rule. “After we review the comments, the Trump administration may have a different view on the burdens and benefits of some of the proposed changes,” Stannard said.

Stannard did state that the core requirements of the proposed rule are sound cybersecurity best practices for healthcare organizations. She also acknowledged the criticisms of the proposed rule. Rather than view the requirements of the proposed rule as inflexible and costly to implement, Stannard suggested that viewing things differently, as “there is a high cost of doing nothing.” The proposed changes, if implemented correctly, will improve resilience to cyber threats and reduce the likelihood of costly breaches.

“A successful cyberattack can cost far more in terms of reputation, potentially paying a ransom, remediation of information systems, protection for those whose PHI was accessed, potential civil lawsuits from harm to individuals, and not to mention my investigators coming and knocking on your door and asking for information and talking about penalties,” Stannard said.

It remains to be seen whether the Trump administration will view the benefits of the proposed rule as worth the short term financial and administrative pain of implementation. Based on the feedback received, the proposed rule could be slimmed down to reduce the compliance burden, although doing that would water down the protections. If the final rule is released, OCR could extend the timeframe for compliance to ease the burden on HIPAA-regulated entities, extending the compliance deadline from the standard 180 days following publication in the Federal Register.

Even if the proposed rule does not make it to a final rule, Stannard said there have already been benefits from the proposed rule. “The proposal to modify the Security Rule, I think, helped put a spotlight on information security in the healthcare system and drew attention to the need for better compliance and to take cybersecurity seriously. And that alone is an advantage.”

The post Final Rule Implementing HIPAA Security Rule Updates Edges Closer appeared first on The HIPAA Journal.

Business Associate Settles HIPAA Violations Related to Unreported Breach Affecting 15 Million Individuals

Posted March 5, 2026 by Steve Alder

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its second enforcement action of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). MMG Fusion LLC, a Maryland-based company that provides software solutions to oral healthcare providers, has agreed to settle the alleged violations and pay a financial penalty. The case is significant, as it involves an unreported data breach that affected 15 million individuals.

An unauthorized actor gained access to MMG’s internal network on December 21, 2020, and accessed patients’ protected health information, including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments. The threat actor exfiltrated data from MMG’s network and subsequently posted that information on the dark web.

A data breach of that magnitude would have attracted considerable media attention; however, it slipped under the radar as the breach was not reported to OCR, and the affected covered entities were not notified about the data breach. OCR’s investigation was launched not in response to a breach report, but a complaint about an unreported data breach. OCR received the complaint on January 6, 2023, and initiated an investigation in March 2023.

OCR determined that MMG had failed to comply with multiple provisions of the HIPAA Rules. Prior to the data breach, MMG had not conducted a comprehensive and accurate risk assessment to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by the HIPAA Security Rule.

OCR determined that MMG failed to ensure that ePHI was not used or disclosed for reasons not expressly permitted by the HIPAA Privacy Rule, and MMG failed to issue notifications to the affected covered entity clients that there had been a breach of unsecured protected health information, in violation of the HIPAA Breach Notification Rule. Rather than pursue a civil monetary penalty to resolve the alleged HIPAA violations, OCR agreed to a settlement. MMG has agreed to pay a financial penalty of $10,000 to resolve the alleged HIPAA violations and will adopt a comprehensive corrective action plan.

The corrective action plan requires MMG to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to ePHI. An enterprise-wide risk management plan must be developed and implemented to address and mitigate any risks and vulnerabilities identified by the risk analysis. Policies and procedures must be developed to ensure compliance with the HIPAA Rules, and those policies and procedures must be distributed to members of the workforce. MMG must provide training to its workforce and provide OCR with a copy of the training materials used to train its workforce for them to be assessed.

OCR will provide MMG with feedback on the thoroughness and accuracy of its risk assessment, and MMG must incorporate that feedback into its risk assessment and resubmit it to HHS for additional feedback. That process will continue until HHS is satisfied that the risk assessment is comprehensive and accurate. OCR must also be provided with a comprehensive list of all clients affected by the data breach, and once the risk assessment has been approved by OCR, MMG must notify all affected covered entity clients about the data breach, along with the identities of all patients whose ePHI is reasonably believed to have been impacted.

While not stated in the corrective action plan, the requirements of the HIPAA Breach Notification Rule are that each covered entity must determine if breach notifications are required and must ensure that those notifications are issued within 60 days after receiving a breach notice from a business associate. They are permitted to delegate the notification responsibilities to MMG, per the terms of their business associate agreements. The cost of notification for such a colossal data breach would be high, and if that cost is to be borne by MMG, that could explain why the penalty imposed to resolve multiple violations of the HIPAA Rules is so low.

OCR currently has an enforcement initiative targeting noncompliance with the risk analysis provision of the HIPAA Security Rule and the HIPAA Right of Access of the HIPAA Privacy Rule; however, in 2025, the second-most common reason for a financial penalty behind risk analysis failures was breach notification failures. HIPAA covered entities and their business associates must ensure that timely breach notifications are issued to OCR, the affected individuals, and the media, and in the event of a breach at a business associate, that all affected covered entity clients are notified within 60 days of the discovery of a data breach.

“When a breach occurs, business associates must notify affected covered entities without unreasonable delay and within 60 calendar days of discovery,” said OCR Director Paula M. Stannard. “This timeliness is crucial for a covered entity to meet its own breach notification obligations, such as timely notification to HHS and to individuals. As hacking becomes more ubiquitous, HIPAA Security Rule requirements, such as the need to have an accurate and thorough HIPAA risk analysis, are imperative for strengthening cybersecurity before a breach occurs.”

The post Business Associate Settles HIPAA Violations Related to Unreported Breach Affecting 15 Million Individuals appeared first on The HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information