HIPAA Breach and Enforcement Statistics Through Mid-2026

2025 was the worst year on record for large healthcare data breaches — 772 breaches of 500+ records reported to HHS, affecting roughly 139.7 million people. The HHS Office for Civil Rights closed 21 enforcement actions in 2025 for about $8.3 million, and its Risk Analysis Initiative is aimed squarely at the failure small practices most often have: never completing a compliant security risk analysis. There is no small-practice exemption; Right of Access penalties have started as low as $3,500 for a solo dental office.

Large breaches reported to HHS (500+ individuals)

Covered entities must report breaches affecting 500 or more individuals to the HHS Office for Civil Rights, which publishes them on its public breach portal. 2025 set a new record by count, though 2024 remains the worst year by individuals affected because the Change Healthcare ransomware breach alone exposed data on roughly 190 million people.

Year    Large breaches reported              Individuals affected
2024    742                                  ≈ 289.2 million (Change Healthcare ≈ 190M of these)
2025    772 (worst year on record by count)  ≈ 139.7 million

Source: HIPAA Journal tabulations of the HHS OCR breach portal (hipaajournal.com/healthcare-data-breach-statistics), portal data through May 2026. In 2025, breaches were reported from 49 states plus DC and Puerto Rico.

How healthcare breaches happen

Per the same OCR-portal tabulations for 2025: more than 80% of large breaches were hacking or other IT incidents; network servers were the location of the breached records in 61.5% of breaches and email in 24.9%; and by entity type, healthcare providers accounted for 57.5% of reported breaches, business associates 35.8%, and health plans 6.5%. The average hacking incident affected 105,623 individuals, but the median was 5,434 — most incidents hit small and mid-size organizations, not national systems.

OCR enforcement: 2025–2026

The Office for Civil Rights closed 21 HIPAA enforcement actions (settlements and civil money penalties) in 2025 — its second-highest annual count — collecting about $8.3 million.

Two active enforcement programs matter most for small organizations:

  • The Right of Access initiative (launched September 2019) had produced 54 enforcement actions by May 2025, penalizing providers that failed to give patients timely copies of their records. Penalties have ranged from $3,500 (a solo dental practice) to $240,000 (a hospital system).
  • The Risk Analysis Initiative (launched October 2024) targets entities that never performed the security risk analysis the Security Rule requires — historically the most-cited failure in OCR investigations. By April 2026 OCR had completed 13 Risk Analysis Initiative investigations plus 19 ransomware-breach investigations, with settlements frequently in the $10,000–$375,000 range: amounts calibrated to small and mid-size providers and business associates, not just health systems.

2026 civil penalty tiers

HIPAA civil money penalties are inflation-adjusted annually (45 CFR 102.3). The tiers below are effective January 28, 2026.

Culpability tier                                   Per violation            Annual cap (identical provision)
1 — No knowledge                                   $145 – $73,011           $2,190,294
2 — Reasonable cause                               $1,461 – $73,011         $2,190,294
3 — Willful neglect, corrected within 30 days      $14,602 – $73,011        $2,190,294
4 — Willful neglect, not corrected                 $73,011 – $2,190,294     $2,190,294

Source: HHS annual civil monetary penalty inflation adjustment, Federal Register, January 28, 2026 (federalregister.gov, doc. 2026-01688). OCR’s 2019 notice of enforcement discretion applies lower annual caps in practice for tiers 1–3 ($36,505 / $146,053 / $365,052 as adjusted).

The Security Rule update is still pending

HHS published a proposed overhaul of the HIPAA Security Rule on January 6, 2025 — the first major update since 2013, proposing among other things mandatory multi-factor authentication, encryption and asset inventories. The comment period closed in March 2025 with thousands of comments, and as of July 2026 no final rule has been published. Practices should not wait for it: OCR’s current enforcement initiatives apply the existing Security Rule, and the most-cited failure remains the missing or inadequate risk analysis.

What the numbers mean for a small practice

OCR’s two active initiatives both punish documentation-and-process failures: not doing a compliant risk analysis, and not operating a records-release process. A documented HIPAA program — security and privacy policies, a completed Security Risk Assessment, breach-notification procedures and business-associate agreements — is the baseline OCR asks for first in any investigation. Templates do not make a practice HIPAA compliant (compliance comes from operating the safeguards), but they remove the drafting work for precisely the artifacts these enforcement programs check.

Frequently asked questions

How many HIPAA breaches were reported in 2025?
772 large breaches (500+ individuals) were reported to the HHS Office for Civil Rights in 2025 — the most ever recorded in a single year — affecting roughly 139.7 million people, per HIPAA Journal’s tabulation of the OCR breach portal. More than 80% were hacking or IT incidents.
What are the HIPAA fines in 2026?
Civil penalties effective January 28, 2026 range from $145 to $73,011 per violation for the lowest culpability tier, up to $73,011 to $2,190,294 per violation for uncorrected willful neglect, with a $2,190,294 annual cap per identical provision (45 CFR 102.3).
Does OCR fine small medical and dental practices?
Yes. There is no small-practice exemption. Right of Access penalties have gone as low as $3,500 against a solo dental practice, and the Risk Analysis Initiative launched in October 2024 has produced settlements in the $10,000–$375,000 range against small and mid-size providers and business associates.
What is the OCR Risk Analysis Initiative?
An enforcement program HHS OCR launched in October 2024 targeting HIPAA-regulated entities that never performed the security risk analysis required by 45 CFR §164.308(a)(1)(ii)(A) — historically the most-cited failure in OCR investigations. By April 2026 OCR had completed 13 initiative investigations plus 19 ransomware-breach investigations.
Has the new HIPAA Security Rule been finalized?
No. The proposed rule was published January 6, 2025, its comment period closed in March 2025, and as of July 2026 no final rule has been issued. The existing Security Rule — including the risk-analysis requirement OCR actively enforces — remains fully in force.

Toolkits that help (HIPAA Security & Privacy Rules)

  • HIPAA Compliance Toolkit — Medical Practices: 18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics. $79 (30% off, auto-applied).
  • HIPAA Compliance Toolkit — Dental Practices: 18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written specifically for dental offices. $79 (30% off, auto-applied).
  • HIPAA Compliance Toolkit — Mental Health Practices: 18 editable HIPAA policies written for therapists and behavioral-health practices — teletherapy security, psychotherapy-notes handling — plus the Security Risk Assessment workbook and audit evidence checklist. $79 (30% off, auto-applied).

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.