The healthcare industry is the most breached and most expensive sector in the United States. As of January 31, 2026, 7,419 large healthcare data breaches have been reported to the HHS Office for Civil Rights since mandatory reporting began in October 2009, affecting more than 935 million individuals, per the HHS OCR Breach Portal. The average incident now costs $7.42 million and takes 279 days to identify and contain, per the IBM Cost of a Data Breach Report 2025. Sensitive data — patient records, billing files, insurance data — sits at the center of every one of those incidents.
The numbers below describing healthcare data breaches pull from the HHS OCR breach portal, the IBM Cost of a Data Breach Report 2025, and the Verizon Data Breach Investigations Report 2025. The reporting window covers October 21, 2009 through February 28, 2026.
At a Glance:
7,419 large healthcare breaches reported to OCR between October 21, 2009 and January 31, 2026 (HHS OCR Breach Portal)
More than 935 million individuals have had their PHI exposed or impermissibly disclosed (2026 healthcare data breach statistics tracking)
118 breaches of 500 or more individuals reported in the first two months of 2026
9,651,076 individuals already affected in 2026 YTD through February 28 (February 2026 OCR breach data)
$7.42 million average breach cost in 2025 (IBM Cost of a Data Breach Report 2025)
279 days average time to identify and contain a breach (IBM)
14 consecutive years as the costliest industry for data breaches, with healthcare ahead of every other sector (IBM)
$398 per record average cost of an exposed record across the healthcare sector (2026 healthcare data breach statistics citing Veriti)
80%+ of large breaches now caused by hacking/IT incidents (2026 OCR portal analysis)
44% of all breaches involve ransomware across industries in 2025, up from 32% the year prior (Verizon DBIR 2025)
978 breaches under investigation or awaiting investigation by OCR as of January 31, 2026 (OCR portal analysis)
2026 Year-to-Date: Where the Numbers Stand

Through February 28, 2026, healthcare organizations have reported 118 healthcare breaches affecting 500 or more individuals to OCR, exposing the PHI of 9,651,076 individuals, per the February 2026 healthcare data breach report. The YTD figure includes late-added January filings, which is why it runs ahead of the simple sum of the two published monthly totals.
The monthly breakdown:
January 2026: 46 OCR breach filings of 500+ affected individuals
February 2026: 63 OCR filings, 8,134,378 individuals exposed
The early-2026 pace of new data breaches roughly matches the late-2025 rate of about 47 OCR filings per month between September 2025 and January 2026, per industry analysis of the OCR breach portal. That's a slowdown from the 2023–2024 pace of 60 or more filings per month.
One reason the portal feels light is a reporting backlog. As of January 31, 2026, 978 data breaches are under investigation or awaiting investigation by OCR. A 43-day U.S. federal government shutdown in late 2025 slowed intake at the breach portal and pushed some early-2026 filings behind the scheduled publication date, per 2025 healthcare data breach trends coverage.
Cumulative Healthcare Data Breaches Since 2009
HHS OCR has published every reported breach by healthcare organizations affecting 500 or more individuals on the so-called Wall of Shame since October 21, 2009. In the 16 years and 3 months since then:
7,419 large breaches have been reported
More than 935 million individuals have had PHI exposed or impermissibly disclosed, roughly 2.6 times the U.S. population
The records curve has steepened. Through the end of 2022, the cumulative total sat below 500 million. Two years later, the cumulative total had nearly doubled, driven by the 2024 Change Healthcare ransomware incident.
Table: Healthcare Data Breaches Reported to OCR, 2018–2026 YTD
| Year | Reported Breaches (500+) | Individuals Affected |
|---|---|---|
| 2018 | 365 | 13,947,909 |
| 2019 | 512 | 41,335,889 |
| 2020 | 663 | 34,121,376 |
| 2021 | 714 | 59,156,585 |
| 2022 | 741 | 62,270,065 |
| 2023 | 746 | 168,181,938 |
| 2024 | 742 | 289,000,000+ |
| 2025 | 710 | ~62,000,000 |
| 2026 YTD (Jan–Feb) | 118 | 9,651,076 |
Sources: HHS OCR Breach Portal; HIPAA Journal; February 2026 breach data.
Two patterns stand out. The breach count leveled off at around 710 to 746 per year between 2022 and 2025. Records affected did not level off. A single 2024 incident (Change Healthcare, 192.7 million records) flipped the decade-long trend and pushed the 2009–2024 cumulative figure past 846 million individuals, per aggregated OCR portal data. By early 2026, the cumulative total crossed 935 million.
Causes of Healthcare Data Breaches
Hacking incidents now dominate the breach landscape. In 2019, hacking accounted for 49% of reported large healthcare breaches across U.S. healthcare organizations. By 2023, the share had risen to 79.7%. Through 2025, hacking sat above 80% of all large data breaches, per healthcare data breach statistics tracking. Healthcare providers, health plans, and their business associates all face the same external attack pattern.
Between January 2018 and September 2023, OCR recorded:
+239% increase in reported hacking incidents — the dominant breach driver
+278% increase in reported ransomware-related data breaches
The access vector breakdown for 2025 large breaches:
Phishing: 16% of breaches by access vector
Stolen credentials and user account compromise: consistently top three
Exploitation of third-party file-transfer vulnerabilities (MOVEit, GoAnywhere) remains active since 2023
Healthcare workers are the most phishing-susceptible workforce in the U.S. A 2024 KnowBe4 benchmark put healthcare phishing susceptibility at 41.9%, ahead of insurance (39.2%) and retail (36.5%), per Bright Defense. Internal click-through tests consistently show high single-attempt click rates across hospital staff and security teams alike.
The other reportable cause categories:
Unauthorized access or disclosure. Website tracking pixels, misdirected email, misdirected fax, and paper misrouting. Blue Shield of California's April 2025 breach (4.7 million individuals) came from a Google Analytics misconfiguration that ran for almost three years, per the 2025 largest breaches roundup.
Insider breaches and access violations. A clinician or administrative user accessing records outside a treatment relationship. These typically affect smaller record counts but trigger Privacy Rule scrutiny and often surface in audit log reviews months after the breach occurred.
Loss or theft of PHI. Now a small share. Pre-2015, loss and theft of unencrypted devices and paper records drove roughly half of large data breaches. Widespread data encryption and cloud adoption brought that number under 10% by 2022, per longitudinal OCR analysis. Stolen data on lost laptops and USB drives drove the original Wall of Shame era.
Improper disposal. Paper records, legacy fax logs, and end-of-life storage. The cause category continues to involve paper records sent to a landfill instead of secure shredding. A small but persistent share of annual breach filings, mostly from healthcare organizations cleaning out aged document archives.
What Gets Compromised in a Healthcare Breach
The compromised data in a typical large breach now spans medical data, financial fields, and identity fields together. Most 2025 breach notifications named some combination of: name, address, date of birth, Social Security number, medical record numbers, hospital account numbers, admission diagnoses, dates of service, lab results, prescription records, insurance details, and health insurance information. When ransomware groups exfiltrate the underlying database, financial account information is often pulled in alongside sensitive patient information.
Patient data exposed in this way is sensitive data of the worst kind to lose: it cannot be reissued the way a credit card number can. Once electronic protected health information leaves a covered entity's network, it sits permanently on the criminal market. That permanence is why personal and health information from breaches as old as 2015 still surfaces in identity-theft cases today.
Healthcare Data Breaches by Reporting Entity Type

OCR groups breach reports into four reporting categories. Healthcare providers file the most data breaches by count, while business associates expose the most records per breach — the average business associate breach exceeds the average provider breach by an order of magnitude. In 2023, business associate breaches affected 93 million individuals, compared to 34.9 million for providers, per Sprinto's breakdown of OCR data.
The four categories of healthcare entities each carry different risk profiles. Healthcare providers — hospitals, clinics, physician groups — generate the largest count of filings. Business associates — claims processors, transcription services, IT vendors, third-party administrators — generate the largest individual incidents because one business associate often serves dozens of downstream healthcare organizations. Health plans — insurers, third-party payers — sit in the middle. Healthcare clearinghouses are rare reporters, but the underlying scale, when they breach, is national.
Table: 2024 Healthcare Data Breaches by Reporting Entity Type
| Entity Type | Breaches Reported | Blast Radius |
|---|---|---|
| Healthcare Provider | 538 | Most breaches by count |
| Business Associate | 118 | Largest records per breach (Change Healthcare = 192.7M) |
| Health Plan | 77 | Included Kaiser Permanente, 13.4M (tracking-pixel disclosure) |
| Healthcare Clearinghouse | 3 | Small count, national blast radius |
Source: Sprinto aggregating HHS OCR Breach Portal filings.
Change Healthcare illustrates why the clearinghouse line matters. Change operated as the clearinghouse behind roughly a third of all U.S. medical claims, and as a business associate of nearly every major payer and provider. One breach at one of the largest U.S. business associates touched almost every downstream entity, including hundreds of healthcare organizations across providers and health plans. That's why a single 2024 incident pushed the decade-to-date records total past 846 million.
The 10 Largest Healthcare Data Breaches of 2025
Table: Top 10 Breaches of 2025 by Individuals Affected
| Rank | Entity | Individuals | Cause |
|---|---|---|---|
| 1 | Conduent Business Services | 25,000,000+ | Ransomware (Safepay) |
| 2 | Aflac | 13,924,906 | Hacking (Scattered Spider attribution per SEC filing) |
| 3 | Yale New Haven Health System | 5,556,702 | Hacking (March 2025) |
| 4 | Episource (Optum subsidiary) | 5,418,866 | Ransomware on AWS environment (Jan 27 – Feb 6, 2025) |
| 5 | Blue Shield of California | 4,700,000 | Tracking-pixel misconfiguration (Google Analytics) |
| 6 | DaVita | 2,689,826 | Interlock ransomware (2,600+ dialysis centers) |
| 7 | Anne Arundel Dermatology | 1,905,000 | Hacking (30+ locations across 7 states) |
| 8 | Radiology Associates of Richmond | 1,419,091 | Hacking (breach April 2024, reported July 2025) |
| 9 | Southeast Series of Lockton Companies | 1,124,727 | Single compromised account |
| 10 | Community Health Center, CT | 1,060,936 | Undetected 80 days |
Source: Largest healthcare data breaches of 2025.
Three patterns show up across 2025's largest incidents:
Class action settlements are getting faster and bigger. Yale New Haven Health reached an $18 million class action settlement about seven months after its breach. Additional multimillion-dollar proposed settlements were reported in 2025 at Medusind and other breached entities. The 2024 Change Healthcare ransomware attack alone has spawned multiple class action lawsuits still working through consolidation in federal court, on top of the underlying OCR investigation.
Ransomware group attributions are becoming public. Safepay (Conduent), Interlock (DaVita), Inc Ransom (McLaren Health Care), BlackCat/ALPHV (Change Healthcare 2024), and Scattered Spider (Aflac, per SEC filing) were all named in 2025 disclosures. Episource, an Optum subsidiary that provides risk adjustment services to health plans, sat at #4 on the list and is one example of how a single business associate breach cascades to multiple downstream healthcare networks.
Detection lag is still measured in months. The Connecticut FQHC at row 10 of the table above was undetected from October 14, 2024 through January 2, 2025, about 80 days. Anne Arundel Dermatology's window ran from February 14 to May 13, 2025, or 88 days.
The pattern is older than 2025. The December 2022 ransomware attack on Heritage Provider Network and affiliated medical groups — including Regal Medical Group and Lakeside Medical Organization — exposed the records of more than 3.3 million Californians and produced its own multistate class action settlement reported at almost $50 million.
The Largest Healthcare Data Breaches of All Time
Table: Largest Healthcare Data Breaches on the HHS OCR Wall of Shame
| Rank | Entity | Year Reported | Individuals | Cause |
|---|---|---|---|---|
| 1 | Change Healthcare | 2024 | 192,700,000 | Ransomware (BlackCat/ALPHV) |
| 2 | Anthem | 2015 | 78,800,000 | Suspected nation-state hacking ($16M OCR settlement) |
| 3 | Conduent Business Services | 2025 | 25,000,000+ | Ransomware |
| 4 | Welltok | 2023 | 14,762,475 | MOVEit zero-day |
| 5 | Aflac | 2025 | 13,924,906 | Hacking |
| 6 | Kaiser Foundation Health Plan | 2024 | 13,400,000 | Unauthorized disclosure (tracking pixels) |
| 7 | Optum360 | 2019 | 11,500,000 | Business associate hacking (AMCA) |
| 8 | HCA Healthcare | 2023 | 11,270,000 | External storage exposure |
| 9 | Premera Blue Cross | 2015 | 10,400,000 | Suspected nation-state hacking ($6.85M settlement) |
| 10 | LabCorp | 2019 | 10,251,784 | Business associate (AMCA) |
| 11 | Excellus Health Plan | 2015 | 9,358,891 | Suspected nation-state hacking ($5.1M settlement) |
| 12 | Perry Johnson & Associates (PJ&A) | 2023 | 9,302,588 | Ransomware |
Source: 2026 OCR breach portal analysis.
Three of the top 10 data breaches at U.S. healthcare organizations (Anthem, Premera, Excellus) trace back to a single 2015 window of hacking widely linked to a suspected nation-state actor, and together they produced the first wave of HIPAA settlements in the $5M to $16M range. Three more entries trace back to a single 2023 third-party file-transfer zero-day (MOVEit) affecting Welltok and downstream health plans.
Cost of a Healthcare Data Breach
Among data breaches across all industries, the average healthcare incident costs $7.42 million in 2025, per the IBM Cost of a Data Breach Report 2025. That's down $2.35 million from the 2024 figure of $9.77 million, largely because the Change Healthcare skew is no longer inside the 2025 sample window. Even after that drop, healthcare breach costs sit well above every other vertical.
Healthcare still holds the top slot. It has been the costliest industry for a data breach for 14 consecutive years (IBM). Healthcare breach costs run roughly $1.3 million higher than financial services and almost $2 million higher than the manufacturing sector. Financial services and manufacturing, the next two costliest verticals, trail healthcare by a wide margin year after year.
Table: Average Data Breach Cost by Industry, 2025
| Industry | Avg Cost per Incident |
|---|---|
| Healthcare | $7.42 million |
| Financial services | $6.08 million |
| Industrial / manufacturing | $5.56 million |
| Global cross-industry average | $4.44 million |
Source: IBM Cost of a Data Breach Report 2025.
Per-record cost in healthcare averages $398 in 2025, per Veriti via 2026 OCR data. That's more than 2.5 times the global cross-industry average. Per-record costs are highest where compromised records contain sensitive patient data combined with insurance fields and identity fields together.
The cost breakdown reported by IBM across the global sample splits roughly as follows: about $1.47 million for detection and escalation, $1.38 million for lost business (downtime, churn, reputational drag), $1.25 million for post-breach response (legal, credit monitoring, remediation), and the remainder split across breach notification, system rebuild, and regulatory fines, per IBM's cost-component analysis. For healthcare environments specifically, the lost-business and detection components run higher than industry baselines because clinical workflows shut down during the response window.
Healthcare breaches take an average of 279 days to identify and contain, according to IBM. That's about five weeks longer than the worldwide 241-day mean (itself a 9-year low). Ransomware-specific incidents run longer still, with some case studies topping 320 days. Detection time is partly a security team capacity issue (healthcare IT runs leaner than financial services per dollar of revenue) and partly an architectural issue — patient information is spread across electronic medical records, billing systems, lab systems, imaging archives, and a long tail of cloud environments where misconfigurations go unnoticed for months.
Price pass-through is real. Close to half of breached organizations raise prices after a major incident, and roughly one-third raise them by 15% or more, per IBM via 2026 OCR data analysis. Higher breach costs in healthcare ultimately get distributed across patients, plan members, and downstream payers.
As the largest healthcare data breach on record, the 2024 Change Healthcare incident alone triggered $9 billion in no-interest advance funding from UnitedHealth to providers whose billing and prescription workflows stalled, per Sprinto's coverage citing Reuters.
Ransomware in Healthcare

Ransomware is the single largest breach driver across U.S. healthcare organizations today.
44% of all data breaches across industries involved ransomware in 2025, up from 32% the prior year (Verizon DBIR 2025)
Healthcare faced 1,710 security incidents and 1,542 confirmed breaches in the 2025 DBIR dataset, per DBIR 2025 healthcare coverage citing the Verizon DBIR 2025 Healthcare Snapshot
90% of healthcare attacks were financially motivated in 2025 (Verizon DBIR)
264% increase in large breaches involving ransomware attacks reported to OCR since 2018, per OCR's own Risk Analysis Initiative announcement
Hundreds of healthcare ransomware events were tracked by Health-ISAC in 2024, with the figure cited at 458 events in industry aggregations (Cobalt.io's 2025 healthcare roundup)
3 of the 4 largest August 2025 breaches were ransomware, per the 2025 largest breaches list
Average ransom demand in healthcare: around $7 million, with a peak recorded demand in the nine-figure range (Cobalt.io citing Veriti's State of Healthcare Cybersecurity 2025)
47% of healthcare ransomware victims paid in 2023 (Bright Defense)
Named ransomware groups behind 2024 and 2025 healthcare incidents include BlackCat/ALPHV (Change Healthcare), Safepay (Conduent), Interlock (DaVita), Inc Ransom (McLaren Health Care), LockBit, BianLian, and Scattered Spider. Several operate under a ransomware-as-a-service model, which means one attack infrastructure can fuel many unrelated breaches.
Care Disruption and Patient Safety
Ransomware-driven data breaches at healthcare organizations don't just expose data. They disrupt care.
44% of healthcare ransomware attacks disrupt patient care (Bright Defense)
Hospital admissions fall 17–25% in the weeks after a ransomware event
In the three years after a hospital breach, door-to-ECG time rises by about 2.7 minutes on average, and 30-day mortality for acute myocardial infarction rises 0.23 to 0.36 percentage points, per Chen et al., published in Health Services Research (Wiley, 2025) and cited by Sprinto
42 to 67 estimated additional Medicare patient deaths are attributable to ransomware-delayed care between 2016 and 2021, per a University of Minnesota School of Public Health analysis (McGlave, Neprash, Nikpay) cited by Bright Defense
Three case studies anchor the care-disruption pattern:
Germany 2020. The first documented patient death linked directly to a hospital ransomware attack. University Hospital Düsseldorf diverted an emergency patient to another facility while systems were offline.
WannaCry / NHS 2017. £92 million total cost, 19,000 canceled appointments across the UK National Health Service (NAO via Bright Defense).
Ireland HSE 2021. The Irish public health service was effectively offline for close to four months after a Conti ransomware attack.
What a Breach Costs the Patient
~$13,500. Average out-of-pocket cost for a medical identity theft victim to resolve the fraud, per the Ponemon Institute and Medical Identity Fraud Alliance (study data is now about a decade old, but remains the most frequently cited figure)
Up to 10x credit card value. Underground market price for a complete medical record versus a single credit card number (multiple Verizon and industry references)
Permanent exposure. PHI (name, date of birth, Social Security number, medical history, diagnoses, prescriptions) cannot be reissued the way a card number can be reissued
45% of notification recipients accept credit monitoring after a breach, up 85% year-over-year in 2024 (Bright Defense)
Class action settlements push per-patient compensation into the headlines: a five-million-record provider reached an $18 million settlement in 2025, with additional multimillion-dollar proposed settlements at Medusind and other breached entities
Regulatory Response: OCR, FTC, and State Attorneys General
The regulatory surface for a healthcare breach covers three layers. The HIPAA Breach Notification Rule requires covered entities and business associates to report a breach of unsecured protected health information affecting 500 or more individuals to the Department of Health and Human Services and the media within 60 calendar days of discovery, per 45 CFR 164.400–414. Covered entities must also notify affected individuals within the same window. Smaller data breaches are reported annually by March 1 of the following year.
OCR (the HHS Office for Civil Rights) is the federal regulator. State attorneys general can pursue parallel HIPAA actions, and the FTC enforces the parallel Health Breach Notification Rule for health apps and wearables. Penalties range from corrective action plans through six- and seven-figure financial penalties up to civil monetary penalties in the eight-figure range for the largest enforcement actions against major healthcare entities.
Top historical HIPAA settlements remain the benchmarks for tier-scaling. Anthem paid a $16 million OCR settlement in 2018 after the 2015 breach of 78.8 million members, the largest HIPAA settlement on record. Premera Blue Cross paid $6.85 million in 2020. Excellus Health Plan paid $5.1 million in 2021.
HIPAA Right of Access Initiative
Separate from the data breach enforcement track, OCR has been running a HIPAA Right of Access Initiative since 2019 against healthcare providers that fail to give patients timely copies of their medical records. By the end of 2025, the initiative had produced 54 enforcement actions, including settlements with Sharp HealthCare ($70,000 in 2023) and Concentra Health Services ($112,500 in 2025). The Right of Access track typically resolves with smaller financial penalties than data breach cases, but it captures the same population of healthcare orgs — large health systems, mid-size groups, and small medical practices alike — that fall short on basic HIPAA workflows.
OCR Risk Analysis Initiative
In fall 2024, HHS OCR launched the Risk Analysis Initiative, focused specifically on enforcement under the HIPAA Security Rule's risk analysis provision at 45 CFR §164.308(a)(1)(ii)(A). Seven enforcement actions were announced in the initiative's first six months, per Feldesman LLP's tracking.
In the first five months of 2025, OCR entered 10 HIPAA resolution agreements with penalties ranging from $25,000 to $3 million, per NatLawReview's coverage. Each resolution flagged potential HIPAA violations of the Health Insurance Portability and Accountability Act Security Rule — chiefly the absence of a documented risk analysis at the time the breach occurred. Representative 2025 settlements:
Solara Medical Supplies: $3 million
BayCare Health System: $800,000
PIH Health: $600,000
BST & Co. CPAs: resolution agreement
Comstar, LLC: resolution agreement
OCR has the authority to escalate to civil monetary penalties when healthcare entities decline to settle. Most resolution agreements end before that point — the regulated entity agrees to a corrective action plan and a financial penalty in lieu of contested civil monetary penalties through an Administrative Law Judge proceeding. Every case in the initiative cites the same root cause: the regulated entity failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI.
FTC Health Breach Notification Rule
For health apps and wearables outside HIPAA's covered-entity perimeter, the Federal Trade Commission enforces its own Health Breach Notification Rule. Recent settlements:
BetterHelp: $7.8 million
Cerebral: $7.1 million
GoodRx: $1.5 million
Easy Healthcare (Premom): undisclosed
Monument: undisclosed
State Attorneys General
State AGs now pursue HIPAA violations directly under HITECH Section 13410(e)(1). State-level enforcement on HIPAA violations has accelerated since 2020. Two benchmark 2023 settlements:
Blackbaud: $49.5 million multistate settlement across 49 states plus DC (2023)
Separately, California's Attorney General and county district attorneys settled a $49 million case with Kaiser Permanente in 2023 for the improper disposal of paper medical records and related hazardous waste. That action is not a HITECH 13410(e)(1) enforcement but sits within the broader regulatory pressure on improper disposal of PHI, per reporting on the California AG settlement.
Healthcare vs Other Industries
The U.S. healthcare industry is both the most targeted and the most expensive sector for a data breach. Healthcare organizations face higher attack frequency and higher per-incident cost than every other vertical. During 2015–2022, industry aggregations placed healthcare near a third of all U.S. data breaches, per Sprinto citing OCR and industry sources. Healthcare accounts for 17% of all ransomware attacks across industries (Veriti) and 15% of all business email compromise incidents (Palo Alto Networks Unit 42), per Cobalt's 2025 roundup.
Cost: $7.42M healthcare vs $6.08M financial services vs $5.56M manufacturing (IBM)
Detection: 279 days healthcare vs 241 days global average (IBM)
Attacker motive: 90% financially motivated in healthcare (Verizon DBIR 2025)
Top access vector: phishing and stolen credentials, consistent across industries but more effective against healthcare staff at a 41.9% click rate
Frequently Asked Questions
How many healthcare data breaches are there per year?
In 2024, healthcare organizations and their business associates collectively triggered 742 reported breaches affecting 500 or more individuals to OCR. In 2025, the number was 710. Cumulative filings since October 2009 total 7,419, per industry tracking of the HHS OCR breach portal.
How much does a healthcare data breach cost?
$7.42 million on average per incident in 2025, per the IBM Cost of a Data Breach Report 2025. Per the exposed record, the average cost is about $398 (Veriti).
What is the largest healthcare data breach in history?
Change Healthcare in 2024, with 192.7 million affected individuals on record. The attack was a BlackCat/ALPHV ransomware incident against a clearinghouse that processed roughly a third of U.S. medical claims.
What is the most common cause of healthcare data breaches?
Hacking and IT incidents account for more than 80% of reported large healthcare breaches in 2025. Phishing is the top access vector at roughly 16% of breaches, per breach data tracking.
How long does it take to detect a healthcare data breach?
279 days on average to identify and contain, per the IBM Cost of a Data Breach Report 2025. That's about five weeks longer than the 241-day global average.
Are healthcare data breaches getting worse?
Breach count has plateaued in the 710 to 746 per year range since 2022. The breach scale has worsened. 2024 saw more than 289 million individuals affected, a level driven largely by Change Healthcare. 2025 breach count fell 4.3% year-over-year, per the 2025 largest breaches page.
What's the biggest healthcare data breach of 2025?
Conduent Business Services, more than 25 million affected individuals — making it one of the largest single-vendor data breaches in U.S. history. Texas and Oregon Attorney General filings added state-level counts (15.49 million Texas residents and 10.52 million Oregon residents) on top of the underlying OCR filing. Conduent serves hundreds of healthcare organizations as a third-party administrator; data breaches at large business associates like Conduent typically cascade to dozens of downstream healthcare providers and health plans.
What industries have higher breach costs than healthcare?
None. Healthcare has been the costliest industry for a data breach for 14 consecutive years, per IBM. Financial services come second at $6.08 million per incident; manufacturing is third at $5.56 million.
What does a breach cost a patient?
Medical identity theft costs victims about $13,500 on average to resolve, including paying off fraudulent medical bills, restoring credit, and correcting inaccuracies in health records. Unlike credit card numbers, stolen health records cannot be reissued.
Is fax a breach risk in healthcare?
Yes, when fax is analog or legacy T.38 without encryption. Misdirected fax is a recurring cause category for unauthorized disclosure in the OCR breach portal. Unencrypted fax leaves no audit trail and does not satisfy the HIPAA Transmission Security standard at 45 CFR 164.312(e)(1). TLS-encrypted cloud fax with delivery receipts and a signed Business Associate Agreement brings fax transmission within the HIPAA Security Rule envelope.
Conclusion
Three patterns hold across 16 years of healthcare data breach reporting. First, the breach count plateau: reported large breaches have settled around 710 to 746 per year since 2022. Second, the records curve is vertical: business associate incidents and clearinghouse-scale attacks, led by Change Healthcare, pushed the 2009–2026 cumulative past 935 million individuals. Third, hacking and ransomware own the cause column: 80%+ of large data breaches now trace back to external hacking, and ransomware sits inside nearly half of all breaches in 2025, per the Verizon DBIR.
For healthcare organizations still sending protected health information over fax, the transmission channel itself is a compliance line item. Unencrypted fax misroutes show up every year in the OCR portal. Encrypted transport, audit-ready delivery records, and a signed Business Associate Agreement with the fax vendor move fax into compliance with the HIPAA Security Rule.
FaxSIPit runs a HIPAA-compliant cloud fax network purpose-built for healthcare, legal, insurance, finance, and government. FaxSIPit co-created HTTPS faxing in 2008 and shipped the first HTTPS ATA device in 2009. The network runs on a high-capacity, geo-redundant architecture purpose-built for fax transmission, with dedicated infrastructure for reliability and scalable throughput, AES 256-bit encryption at rest with TLS 1.3 in transit, intelligent multi-carrier retry, a signed Business Associate Agreement on every plan from Starter to Enterprise, and delivery records retained up to seven years. For a written read on how an existing fax environment compares against OCR expectations, the fax security posture assessment is free.
For a broader view on why fax reliability matters in regulated industries, the architecture details are in the sibling post.
Sources
https://www.hipaajournal.com/healthcare-data-breach-statistics/
https://www.hipaajournal.com/february-2026-healthcare-data-breach-report/
https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2025/
https://www.hipaajournal.com/average-cost-of-a-healthcare-data-breach-2025/
https://www.verizon.com/business/resources/infographics/2025-dbir-healthcare-snapshot.pdf
https://www.hhs.gov/press-room/hhs-ocr-bst-hipaa-settlement.html
https://www.hhs.gov/press-room/hhs-hipaa-comstar-agreement.html
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule
https://www.brightdefense.com/resources/healthcare-data-breach-statistics/
https://www.cobalt.io/blog/healthcare-data-breach-statistics
https://www.nao.org.uk/reports/investigation-wannacry-cyber-attack-and-the-nhs/
https://www.hipaajournal.com/january-2026-healthcare-data-breach-report/
https://www.hhs.gov/press-room/ocr-settles-with-concentra.html
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sharp/index.html
https://www.hipaajournal.com/multiple-lawsuits-regal-medical-group-ransomware/