HIPAA Breach Notification Trends
Last reviewed · By Chad Griffith
The HHS Office for Civil Rights publishes a public 'Breach Reporting Tool' (commonly called the 'Wall of Shame') at ocrportal.hhs.gov listing every reported breach affecting 500 or more individuals. The Wall of Shame is the primary public source of HIPAA breach data and reveals important patterns about which incidents have driven major breaches, which entities are most affected, and what root causes recur most frequently. This analysis aggregates publicly available OCR data through May 2026 to surface trends in breach volume, causes, affected entity types, and resolution patterns.
Breach Volume Trends (2014-2025)
The HHS OCR Breach Portal began in 2009 and has accumulated over 7,000 reported breaches affecting 500+ individuals as of 2026. Annual breach reporting has trended substantially upward: approximately 270 breaches per year reported in 2014, rising to 700+ per year by 2024-2025. The increase is partially driven by genuinely higher breach incident frequency (especially ransomware) and partially by improved reporting infrastructure under HITECH and Omnibus Rule enforcement.
Cumulative individuals affected by reported breaches: more than 500 million unique individuals through May 2026 (with significant double-counting since one individual may be affected by multiple breaches over time).
Top Breach Causes (Categorized by OCR)
OCR categorizes breaches into five primary types:
- Hacking/IT Incident — approximately 80% of breaches and the vast majority of individuals affected in 2024-2025. Subcategories include ransomware, business email compromise, phishing-driven credential theft, and unauthorized network access. The dominance of this category reflects the sustained transition of healthcare entities to electronic health records and the corresponding cybersecurity threat surface.
- Unauthorized Access/Disclosure — approximately 12-15% of breaches. Subcategories include workforce member misuse (snooping, identity theft), inadvertent disclosure (mailing PHI to wrong recipient, misdirected fax), and disclosure to unauthorized third parties.
- Theft — approximately 3-5% of breaches. Subcategories include stolen laptops, stolen mobile devices, stolen paper records, stolen physical media. Theft has trended downward as encryption adoption has spread (encrypted devices avoid breach notification under 45 CFR 164.404 safe harbor).
- Loss — approximately 1-2% of breaches. Lost devices, lost paper records, lost physical media. Like theft, loss has trended downward with encryption.
- Improper Disposal — under 1% of breaches but recurring. Improper disposal of paper records, hard drives, electronic media. OCR has issued multiple Resolution Agreements specifically targeting improper disposal practices.
Affected Entity Types
OCR categorizes affected entities into three primary types, and separately records whether a business associate was involved:
- Healthcare Provider — approximately 70% of reported breaches. Includes hospitals, physician practices, dental practices, behavioral health, ambulatory surgery centers, etc.
- Health Plan — approximately 15-20% of reported breaches. Includes Medicare Advantage, commercial health insurance, dental insurance, etc.
- Healthcare Clearinghouse — under 5% of reported breaches by entity count, though clearinghouse breaches typically affect very large numbers of individuals because clearinghouses aggregate data from many providers.
- Business Associate — approximately 25% of breaches involve a business associate (often the breach itself occurred at the BA and is attributed to both the BA and the covered entity).
Largest Reported Breaches (Historical)
The largest reported HIPAA breaches by individuals affected:
- Anthem Inc. (2015) — 78.8 million individuals. Hacking/IT incident. Resulted in $16M HHS settlement plus state AG settlements totaling tens of millions.
- Premera Blue Cross (2015) — 11 million individuals. Hacking/IT incident. Resulted in $74M class-action settlement.
- Excellus BlueCross BlueShield (2015) — 10 million individuals. Hacking/IT incident.
- Banner Health (2016) — 3.7 million individuals. Hacking/IT incident.
- Newkirk Products (2016) — 3.5 million individuals. Hacking/IT incident affecting healthcare clearinghouse customers.
- Numerous large ransomware-related breaches (2020-2024) ranging from 1-5 million individuals each, including major hospital systems and physician practice networks.
Source: HHS OCR Breach Reporting Tool. Settlement amounts from publicly-released OCR Resolution Agreements.
Average Time to OCR Resolution
OCR investigations of breaches affecting 500+ individuals follow a defined process: initial complaint receipt, preliminary review, investigation, resolution agreement or finding of no violation. Typical timelines: smaller breaches (<5,000 individuals affected, no finding of significant deficiencies) often close within 6-12 months. Mid-size breaches (5,000-50,000 individuals) typically take 12-24 months. Large breaches involving systemic deficiencies (Anthem, Premera, Excellus, Banner, etc.) have taken 3-7 years to resolve through OCR settlements.
OCR's published Resolution Agreements (publicly available at hhs.gov) provide significant procedural detail about the entity's deficiencies. Common findings: inadequate Security Risk Analysis, insufficient access controls, lack of encryption, insufficient training, failure to maintain BAAs, and delayed breach notification.
FileFlo Analysis: What This Means for Healthcare Organizations
The breach data shows clear operational patterns that healthcare organizations can address:
- Hacking/IT incident dominance: investment in security controls (multi-factor authentication, endpoint protection, network segmentation, security awareness training) directly reduces the largest source of breaches. Risk analysis findings around technical controls correlate with breach incidence.
- Encryption safe harbor: per 45 CFR 164.402 and 164.404, encrypted PHI lost or stolen is not a breach if encryption met HHS-specified standards. Encryption of laptops, mobile devices, backup media, and certain transmissions is the highest-leverage control for preventing theft/loss breaches from ever entering breach notification scope.
- Business associate exposure: 25% of breaches involve BAs. Comprehensive BAA inventory, periodic BA risk assessment, and BA security questionnaires reduce CE exposure to BA-driven breaches.
- Inadequate Security Risk Analysis is the most-cited finding: regular risk analysis updates (at least annually plus event-driven), substantial documentation, threat-vulnerability mapping, and risk management plan updates demonstrate compliance with the foundational HIPAA Security Rule requirement.
- Notification timing matters: the 60-day individual notification deadline (45 CFR 164.404), the 60-day HHS Secretary notification (164.408), and the concurrent media notification for 500+ breaches (164.406) are separate obligations; missing any of them is a violation independent of the underlying breach. Late notification has been a separate basis for additional penalties.
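As an added example (not code from the original article), the following Python models the notification clocks listed above, together with the encryption safe harbor and the under-500 annual log rule described elsewhere on this page. The class and function names are assumptions, and the date of discovery is taken as an input that has already been determined.

```python
"""Notification obligations for a reported breach of unsecured PHI.

Constructed example modelling the rules as this page states them:
  - 45 CFR 164.404: notify affected individuals within 60 days of discovery
  - 45 CFR 164.406: media notice for breaches of 500+ individuals, same window
  - 45 CFR 164.408: HHS Secretary notice within 60 days for 500+ breaches;
    breaches under 500 go in an annual log due 60 days after year end
  - 45 CFR 164.402 safe harbor: PHI encrypted to HHS standards is not
    "unsecured", so no notification is triggered
"""
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)
LARGE_BREACH_THRESHOLD = 500


@dataclass(frozen=True)
class Breach:
    discovered: date          # date the breach is treated as discovered
    individuals_affected: int
    encrypted_per_hhs: bool   # True only if encryption met HHS guidance


def notification_deadlines(b: Breach) -> dict[str, date]:
    """Return the outer deadline for each notice the breach triggers.

    An empty dict means the encryption safe harbor applies and the event
    is not a reportable breach of unsecured PHI.
    """
    if b.encrypted_per_hhs:
        return {}
    due = b.discovered + NOTICE_WINDOW
    deadlines = {"individuals": due}
    if b.individuals_affected >= LARGE_BREACH_THRESHOLD:
        # 500+: media and HHS notices run on the same 60-day clock
        deadlines["media"] = due
        deadlines["hhs"] = due
    else:
        # Under 500: logged and submitted to HHS within 60 days after the
        # end of the calendar year in which the breach was discovered
        year_end = date(b.discovered.year, 12, 31)
        deadlines["hhs_annual_log"] = year_end + NOTICE_WINDOW
    return deadlines


def days_late(b: Breach, notice: str, sent_on: date) -> int:
    """Days past the deadline for one notice (0 if sent on time)."""
    deadline = notification_deadlines(b)[notice]
    return max(0, (sent_on - deadline).days)
```

Each late notice is tracked separately because, as noted above, each missed deadline is its own violation.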
Frequently Asked Questions
Is the 'Wall of Shame' a complete list of HIPAA breaches?
No — only breaches affecting 500 or more individuals are listed publicly. Breaches affecting fewer than 500 individuals are reported to the HHS Secretary annually (within 60 days after the end of the calendar year) but are not publicly listed. The full breach picture would include: (1) reported 500+ breaches on the public Wall of Shame; (2) reported smaller breaches in the annual aggregate (not publicly itemized); (3) breaches that should have been reported but weren't (an enforcement target for OCR).
How does OCR investigate breaches?
OCR conducts compliance reviews following large breach reports. Investigations typically include: document requests covering the entity's HIPAA program (risk analysis, policies, training, BAAs, breach response procedures); on-site or virtual interviews with key personnel; technical review of the systems and controls involved; review of breach notification documentation. Investigations can take months to years and culminate in either a Resolution Agreement (settlement with corrective action plan and monetary settlement), a corrective action plan only, or a closure with no findings.
What are the largest HIPAA settlements?
Major HHS settlements include Anthem ($16M, 2018), Premera ($6.85M HHS portion, 2020), 23andMe-related cases involving healthcare BAs, and numerous mid-size hospital and health system settlements ranging from $500K to $3M. Class-action settlements arising from breaches typically far exceed HHS settlement amounts — Premera's class-action settlement was $74M, Anthem's was $115M.
Where can I research specific HIPAA breaches?
Three primary sources: (1) HHS OCR Breach Portal at ocrportal.hhs.gov/ocr/breach lists all reported 500+ breaches with entity name, breach date, breach type, and individuals affected; (2) HHS OCR News Releases at hhs.gov publish details of significant Resolution Agreements; (3) state attorneys general often investigate breaches affecting their state's residents and publish their own settlement details. Many breaches are covered in trade press (Bleeping Computer, HIPAA Journal, Becker's Hospital Review).
Authoritative sources