HIPAA Violation Statistics: 2026 Enforcement, Fines & Breach Data

Shamai Cohen

CEO of FaxSIPit Services Inc.

This analysis was prepared by the FaxSIPit compliance team. FaxSIPit provides HIPAA-compliant cloud fax services. Data sourced from HHS OCR, IBM, and Verizon — all citations linked below.

These HIPAA violation statistics for 2026 are defined by three numbers: 374,322 complaints the HHS Office for Civil Rights has logged since 2003, 7,419 healthcare data breaches reported since 2009, and $2,190,294, the current annual cap on a single-tier civil monetary penalty. Hacking and IT incidents drive nearly every large HIPAA breach in healthcare organizations; ransomware is now a fixture in HIPAA enforcement, and most reported data breaches involve some form of hacking. Healthcare data breaches affect more than 2.5x the US population cumulatively, and HIPAA-covered entities across the healthcare sector face stricter breach notification requirements and more aggressive scrutiny of business associates than at any point in the law's history. Data breaches in healthcare now define the baseline OCR risk picture.

HIPAA breach data and HIPAA violation statistics at a glance:

  • 374,322 HIPAA violations and complaints filed with the Department of Health and Human Services since April 2003, 99% resolved

  • 7,419 large healthcare data breaches (500+ records) reported to the Office for Civil Rights, 2009 through January 2026

  • 935.5 million individuals affected by healthcare data breaches, 2.6x the US population

  • 21 OCR settlements in 2025, second-highest annual total of HIPAA penalties on record

  • $7.42 million average data breach costs in healthcare (IBM Cost of a Data Breach Report)

  • 80%+ of reported 2025 breaches were hacking or IT incidents driven by cyber attacks

  • $16 million Anthem data breach settlement remains the largest healthcare data breach fine

OCR Complaint Volume and Enforcement Activity

The HHS Office for Civil Rights has received 374,322 HIPAA complaints since April 2003. 370,578 are resolved, 3,744 remain open, and 46,752 were formally investigated for HIPAA violations. OCR's Numbers at a Glance shows 31,191 closures with required corrective action (67%), 15,561 with no violation (33%), 67,873 resolved through technical assistance, 255,953 not eligible for enforcement, and 1,193+ compliance reviews opened independently. The Office for Civil Rights has made 2,419 criminal referrals to the DOJ, per OCR Enforcement Highlights.

The most common HIPAA violations: impermissible uses and disclosures of protected health information, lack of safeguards for individually identifiable health information, lack of patient access to medical records, lack of administrative safeguards of electronic protected health information, and unauthorized disclosure of more than the minimum necessary patient information. The most commonly cited HIPAA covered entities by type are general hospitals, private practices and physicians, pharmacies, group health plans, and outpatient facilities.

Healthcare Data Breaches by Year (2009 to 2026)

Large healthcare data breaches, those affecting 500 or more individuals, have been reported to OCR since 2009. The cumulative total stands at 7,419 healthcare data breaches through January 31, 2026, with 935,521,931 individuals affected, according to the HIPAA Journal analysis of OCR breach portal data. These data breach statistics make healthcare the most breached vertical in US history.

| Year | Reported Breaches (500+ records) | Individuals Affected | Individuals Affected per Day |
|------|----------------------------------|----------------------|------------------------------|
| 2021 | 713                              | 45,000,000+          | 123,287                      |
| 2022 | 720                              | 51,900,000           | 142,192                      |
| 2023 | 725+                             | 168,000,000+         | 460,273                      |
| 2024 | 725*                             | 289,162,330          | 792,226                      |
| 2025 | ~697                             | 61,556,256+          | 168,647                      |

2024 was the worst year on record for exposed medical records, driven largely by the Change Healthcare ransomware breach affecting 192.7 million individuals, one of the largest healthcare data breach events ever recorded. The 2025 Healthcare Data Breach Report shows large healthcare data breaches dropped 4.3% year over year, and individuals affected fell 78.7%, because no 2025 event approached Change Healthcare's scale. Even so, exposed medical records continue to dominate every other category of breached personal data and account for the bulk of healthcare breaches reported each year. Mega healthcare breaches (1 million+ individuals) totaled 18 in 2024 and 9 in 2025. Healthcare data breaches still under OCR investigation as of January 31, 2026: 978. The OCR breach portal is public and gives security teams across healthcare organizations a live view of healthcare data breach statistics.

Top Causes of HIPAA Breaches and Healthcare Data Breaches

Hacking and IT incidents — broadly, cyberattacks against healthcare systems — now account for the vast majority of reported HIPAA and healthcare data breaches. In 2023, 79.7% of large breaches in the healthcare sector were classified by OCR as hacking or IT incidents. By 2025, that share passed 80%, up from just 49% in 2019. The category grew by 239% between January 2018 and September 2023, and ransomware incidents within it grew by 278% over the same period.

Cyber threats targeting protected health information have become the defining risk for healthcare organizations. Phishing, credential stuffing, and ransomware account for the bulk of reported breaches, and security breaches at hospitals and clinics outpace those in every other industry. HIPAA regulations force every healthcare provider to issue breach notifications to affected individuals within 60 days under the HIPAA Breach Notification Rule. Healthcare providers across hospitals, physician practices, and behavioral health clinics face the same baseline data security obligations under HIPAA regulations; healthcare providers in radiology, pathology, and laboratory testing must protect health data and medical data with the same controls as any other healthcare provider handling PHI. The HIPAA Privacy Rule and HIPAA Breach Notification Rule both apply to every healthcare provider, and most data breaches at smaller healthcare organizations stem from preventable failures.

Other categories have collapsed. Improper disposal incidents are nearly gone — one in all of 2025. Loss and theft of healthcare records run at under one per month. Employee negligence still appears in roughly one in six investigated cases.

Business Associate Agreement failures sit underneath a growing share of OCR's financial penalties. When a vendor mishandles PHI and the covered entity has no signed BAA, OCR treats the gap as a separate violation. Business associates have become the single fastest-growing source of healthcare data breaches: third-party involvement in data breaches doubled from 15% to 30% year over year in 2025. Business associates are now named in roughly one in three reported healthcare data breaches, and many lack the controls healthcare providers require under their own HIPAA compliance standards.

The Verizon 2025 Data Breach Investigations Report analyzed 1,710 healthcare incidents with 1,542 confirmed data breaches: 67% of data breaches involve external threat actors, 30% insiders, 4% partners; 90% are financially motivated, often tied to healthcare fraud; espionage motivation jumped to 16% (up from 1%); third-party involvement in data breaches doubled from 15% to 30% year over year.

The Largest HIPAA Fines and Healthcare Data Breach Settlements

The largest healthcare data breach settlement remains the $16 million OCR resolution with Anthem Inc. in 2018, following the 2015 Anthem data breach that exposed PHI of 78.8 million members. Memorial Hermann Health System and other large systems have faced six- and seven-figure settlements; Anthem still tops the list.

| Rank | Entity                             | Amount      | Year | Violation Type                                             |
|------|------------------------------------|-------------|------|------------------------------------------------------------|
| 1    | Anthem Inc. (Anthem data breach)   | $16,000,000 | 2018 | Multiple HIPAA Privacy Rule and Security Rule failures     |
| 2    | Premera Blue Cross                 | $6,850,000  | 2020 | Risk analysis and §164.312 safeguard failures              |
| 3    | Advocate Health Care Network       | $5,550,000  | 2016 | Multiple HIPAA violations                                  |
| 4    | Memorial Healthcare System         | $5,500,000  | 2017 | Insufficient ePHI access controls                          |
| 5    | Excellus Health Plan               | $5,100,000  | 2021 | Multi-year risk analysis failures                          |
| 6    | NY-Presbyterian / Columbia         | $4,800,000  | 2014 | Failure to conduct risk analysis                           |
| 7    | MD Anderson Cancer Center*         | $4,348,000  | 2018 | Impermissible disclosure of medical records (CMP)          |
| 8    | Cignet Health (PG County)          | $4,300,000  | 2011 | Right of access, noncompliance (CMP)                       |
| 9    | Fresenius Medical Care NA          | $3,500,000  | 2018 | Multiple compliance failures                               |
| 10   | Triple S Management                | $3,500,000  | 2015 | Multiple HIPAA violations                                  |

Source: HIPAA Journal, HHS.

*The MD Anderson CMP was later vacated by the Fifth Circuit Court of Appeals.

OCR Financial Penalties by Year

OCR's enforcement tempo against HIPAA-covered entities ticked up in 2025. Annual totals: 21 OCR settlements in 2025 (second-highest on record), 16 in 2024, 13 in 2023, 22 in 2022 (all-time record), 14 in 2021, 19 in 2020, and $28,683,400 collected in 2018 (record dollar year).

The Right of Access Initiative, launched in September 2019, drove a 450% increase between 2019 and 2022 and now accounts for over 50 enforcement actions targeting HIPAA-covered entities that delay patient requests for medical records or laboratory test results. In 2022, 55% of OCR settlements were imposed on small practices. Smaller healthcare providers are most often cited for missing risk assessment documentation, weak HIPAA compliance standards, and gaps in security awareness training, and many report data breaches tied to phishing that bypass minimal staff training. Healthcare providers face the same baseline obligation to issue breach notifications under the HIPAA Breach Notification Rule, and those that miss the 60-day window face additional penalties.

Notable 2025 HIPAA Settlements

OCR published 21 resolution agreements in 2025. The most cited: Solara Medical Supplies ($3,000,000, phishing breach plus HIPAA Breach Notification Rule failures); Warby Parker ($1,500,000 CMP, credential stuffing); BayCare Health System ($800,000); Northeast Radiology ($350,000, 298,532 patients); USR Holdings ($337,750); Health Fitness Corporation ($227,816); Oregon Health & Science University ($200,000 CMP, one of several enforcement actions involving university health sciences programs); BST & Co. CPAs ($175,000, ransomware); and Concentra Inc. ($112,500, OCR's 54th Right of Access action). A separate Oklahoma State University Center for Health Sciences breach in 2022, affecting nearly 280,000 patients, drew an $875,000 settlement. Through April 2026, OCR has also published MMG Fusion, LLC ($10,000, impermissible disclosure of medical records affecting ~15 million individuals) and Top of the World Ranch Treatment Center ($103,000, §164.308 administrative safeguards).

Current HIPAA Civil Monetary Penalty Tiers

Civil monetary penalties for HIPAA violations are set in statute and adjusted annually for inflation under 45 CFR Part 102. Effective January 28, 2026, these tiers govern HIPAA penalties for both privacy and security failures under the HIPAA rules.

| Tier | Culpability                    | Min per Violation | Max per Violation | Annual Cap  |
|------|--------------------------------|-------------------|-------------------|-------------|
| 1    | Lack of knowledge              | $145              | $73,011           | $2,190,294  |
| 2    | Reasonable cause               | $1,461            | $73,011           | $2,190,294  |
| 3    | Willful neglect; rectified     | $14,602           | $73,011           | $2,190,294  |
| 4    | Willful neglect; not rectified | $73,011           | $2,190,294        | $2,190,294  |

Source: Federal Register Civil Monetary Penalties Adjustment and 45 CFR Part 102.

OCR's 2019 Notice of Enforcement Discretion applies lower annual caps in practice: $36,505.50 for Tier 1, $146,053 for Tier 2, $365,052 for Tier 3, and the full $2,190,294 for Tier 4. Most OCR settlements fall well below the statutory ceilings.

Criminal HIPAA violations are prosecuted by the DOJ separately and carry prison exposure: up to 1 year for Tier 1, 5 years for Tier 2 (PHI under false pretenses), and 10 years for Tier 3 (intent to sell, transfer, or use for personal gain — often tied to healthcare fraud or stolen healthcare records on dark markets).

State Attorneys General can impose fines up to $25,000 per violation category per calendar year under HITECH Section 13410(e)(1), often pursuing healthcare providers that miss required breach notifications.

The Rising Cost of a Healthcare Data Breach

The IBM Cost of a Data Breach Report puts the healthcare industry's average cost of a data breach at $7.42 million in 2025, down $2.35 million year over year but still above every other industry. Healthcare has held the most expensive sector position for 14 consecutive years, and data breach costs in the sector keep climbing in real terms.

Healthcare's disadvantage is time. Mean time to identify and contain a healthcare breach: 279 days vs 241 days globally. That 38-day gap is five extra weeks of exposure, during which a single medical file often contains enough PHI to enable insurance fraud or identity theft using stolen data.

The Verizon 2025 DBIR healthcare snapshot reports ransomware was present in 44% of confirmed data breaches across industries, up 37% year over year. Median ransom demand dropped to $115,000 (from $150,000); only 36% of victims paid (down from 50%). Stolen healthcare records still command higher prices on illicit markets than nearly any other category, and these data breaches drive most of the costs at affected healthcare organizations.

The Risk Analysis Initiative: OCR's New Enforcement Focus

OCR launched the Risk Analysis Initiative in October 2024. The premise: inadequate risk analysis is involved in roughly 90% of OCR HIPAA Security Rule enforcement actions. OCR now opens standalone investigations into §164.308(a)(1)(ii)(A) compliance — the requirement that every HIPAA covered entity perform an enterprise-wide risk analysis.

The first actions: Oklahoma EMS ($90,000); Elgon Information Systems ($80,000); Virtual Private Network Solutions ($90,000); Northeast Surgical Group ($10,000); USR Holdings ($337,750); Northeast Radiology ($350,000); Guam Memorial Hospital Authority ($25,000). The pattern: small and mid-size covered entities, ransomware trigger, no documented enterprise-wide risk analysis. Every action cites §164.308(a)(1)(ii)(A).

The Risk Analysis Initiative reflects how OCR reads HIPAA violations across the healthcare sector under current HIPAA rules. Cyber threats from ransomware, unauthorized disclosure through misconfigured systems, and unauthorized disclosure due to weak vendor controls all stem from the same root cause. Healthcare breaches in 2025 across hospitals, clinics, and business associates show this pattern.

Healthcare organizations across the healthcare sector face the same enforcement bar regardless of size; those handling large volumes of medical records or patient data must extend the same data security controls and security measures to business associates. More healthcare organizations now publish data breach information and statistics in annual reports, and those that delay required breach notifications face additional enforcement actions under HITECH.

Healthcare data breach statistics show the same root causes — weak vendor oversight, missing risk analysis, underinvested security teams — and the steps to prevent data breaches start there. Most healthcare data breaches trace back to third-party vendors, accounting for a growing share of total breaches across the industry every year.

What This Means for Healthcare Organizations

To prevent data breaches, healthcare organizations need documented controls: encryption of electronic protected health information both in transit (TLS 1.3) and at rest (AES 256-bit), configurable retention, full audit trails, a signed Business Associate Agreement with every vendor that touches health data, and regular security awareness training for healthcare staff and employees.

Healthcare organizations that document risk assessments, train staff on the HIPAA Privacy Rule, enforce the HIPAA Breach Notification Rule, and maintain signed agreements with business associates report fewer data and security breaches and lower data breach costs.

Employee negligence still accounts for a share of common HIPAA violations year over year, and OCR refers HIPAA violations involving willful neglect to the DOJ for criminal prosecution when warranted. Healthcare organizations and other covered entities are investing in data analytics on access logs, multifactor authentication, electronic health records access reviews, and business associate oversight to protect patient information.

FaxSIPit is a HIPAA-compliant cloud fax service built for the healthcare industry. Every fax is encrypted with TLS 1.3 in transit and AES 256-bit at rest; retention is configurable for up to 7 years; audit trails are available through the web portal; and we sign a BAA on Starter and Enterprise plans. Our HIPAA compliance page has the architecture detail, and our fax security posture assessment gives a written read on the gaps OCR would look at first.

Frequently Asked Questions

How common are HIPAA violations?

OCR investigates more than 1,000 cases per year. The agency has received 374,322 complaints since 2003 and required corrective action in 31,191 cases.

What is the largest HIPAA fine ever?

The $16 million OCR resolution agreement with Anthem Inc. in 2018, following the 2015 Anthem data breach that exposed PHI of 78.8 million members.

What is the maximum annual HIPAA fine?

$2,190,294 per violation category for Tier 4. Lower-tier caps range from $36,505.50 to $365,052 under OCR's 2019 Notice of Enforcement Discretion.

Is HIPAA changing in 2026?

Yes. HHS has proposed an update to the HIPAA Security Rule addressing risk analysis, encryption, multifactor authentication, and incident response. Finalization is expected in 2026.

Who investigates HIPAA violations?

The HHS Office for Civil Rights, the enforcement arm of the Department of Health and Human Services Office of the Secretary, leads HIPAA investigations of healthcare organizations. State Attorneys General can pursue HIPAA violations under HITECH Section 13410(e)(1). The DOJ prosecutes criminal cases. OCR has made 2,419 DOJ referrals since 2003.

Conclusion

These HIPAA statistics show enforcement in 2026 is concentrated, not broad. OCR files 15 to 22 settlements a year, mostly mid-six-figure resolutions tied to a ransomware event, a missing risk analysis, or a delayed records request.

Hacking accounts for over 80% of healthcare data breaches across healthcare organizations; third-party involvement has doubled; and the Risk Analysis Initiative is the single most active vector for OCR's review of data breaches. IBM puts the average healthcare breach at $7.42 million; healthcare data breaches take 279 days to contain. For healthcare organizations that depend on fax for medical records, claims, or privileged documents, a HIPAA-compliant cloud fax service like FaxSIPit removes one source of exposure.

Our HIPAA-compliant cloud fax runs on a dedicated fax network and powers fax for 300+ channel partners across 40+ countries. The fax security posture assessment is free.

Sources

  1. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/numbers-glance/index.html

  2. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

  3. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

  4. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

  5. https://www.federalregister.gov/documents/2026/01/28/2026-01688/annual-civil-monetary-penalties-inflation-adjustment

  6. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-A/part-102

  7. https://www.hipaajournal.com/healthcare-data-breach-statistics/

  8. https://www.hipaajournal.com/2025-healthcare-data-breach-report/

  9. https://www.hipaajournal.com/hipaa-violation-cases/

  10. https://www.ibm.com/reports/data-breach

  11. https://www.verizon.com/business/resources/reports/dbir/

  12. https://www.verizon.com/business/resources/infographics/2025-dbir-healthcare-snapshot.pdf

Follow FaxSIPit on LinkedIn for more fax insights and news

Shamai Cohen

Shamai Cohen is the CEO of FaxSIPit Services Inc., a cloud fax infrastructure company headquartered in Vancouver, Canada. With a background in economics and over a decade at FaxSIPit — from project coordinator to chief executive — Shamai leads the company's mission to deliver compliance, continuity, and confidence in fax solutions for regulated industries. Under his leadership, FaxSIPit serves 300+ channel partners across 40+ countries and continues to expand its direct enterprise offering for healthcare, legal, and financial organizations.

Stay informed on fax trends, compliance updates, and smart solutions for modern workflows—follow us on LinkedIn.
