Skip to main content

Healthcare Data Breach and HIPAA Enforcement Statistics for 2026

By Joseph Abear ·
Healthcare Data Breach Statistics

Last updated: July 5, 2026

Healthcare data breach statistics show 2024 was the worst year on record: 725 large breaches were reported to the HHS Office for Civil Rights (OCR), exposing the records of about 289 million people, and a single attack on Change Healthcare accounted for roughly 192.7 million of them. 2025 improved sharply, with reported exposures falling about 79 percent to roughly 61.6 million individuals. Healthcare remains the most expensive industry for breaches for the 14th straight year, at an average of $7.42 million per incident. This page compiles the key healthcare data breach statistics and HIPAA enforcement numbers for 2026, with primary sources listed at the end. You are welcome to cite any figure here with a link to this page.

TL;DR: Quick answer

  • 2024: 725 breaches of 500 or more records reported to OCR, about 289 million individuals affected, the worst year ever recorded.

  • The Change Healthcare ransomware attack (February 2024) is the largest health data breach in history at about 192.7 million people, roughly two thirds of all 2024 exposures.

  • 2025: exposures fell about 79 percent to at least 61.6 million individuals, though 16 breaches still topped one million records each.

  • Healthcare breaches cost an average of $7.42 million in 2025 (IBM), the highest of any industry for 14 consecutive years, and take an average of 279 days to identify and contain.

  • OCR closed 21 enforcement actions in 2025, its second highest annual total. 2026 penalties run from $145 to $73,011 per violation in the lowest tier, with an annual cap of $2,190,294 per provision.

How many healthcare data breaches happen each year?

How Many Breaches Happen Yearly

OCR publishes every reported breach affecting 500 or more people on its public breach portal. The recent totals:

Year

Large breaches reported

Individuals affected

Note

2024

725

~289 million

Record year; third straight year above 700 breaches

2025

700+ (per OCR portal)

~61.6 million

About a 79 percent drop in exposures from 2024

The 2025 decline is less reassuring than it looks. It reflects the absence of another Change Healthcare, not a quiet year: 16 separate 2025 breaches each affected more than one million people. The volume of incidents stayed above 700 for the fourth consecutive year. Attackers have not slowed down. The single points of failure just got smaller.

What are the largest healthcare data breaches of all time?

The Largest Breaches of all time

Organization

Year

Individuals

Cause

Change Healthcare

2024

~192.7 million

Ransomware (BlackCat) at a claims clearinghouse

Anthem

2015

78.8 million

Cyberattack on a health plan

Conduent Business Services

2025

62+ million

Cyberattack at a business services vendor

Kaiser Foundation Health Plan

2024

~13.4 million

Tracking technologies sharing data with advertisers

Ascension Health

2024

~5.6 million

Ransomware (Black Basta) across 142 hospitals

Two patterns stand out. First, the biggest breaches hit Business Associates and intermediaries, not hospitals. Change Healthcare processed claims for a huge share of the country, so one compromise became a national event; we cover that concentration risk in HIPAA compliant hosting for medical billing. Second, not every mega-breach is a hack. Kaiser's 13.4 million came from advertising pixels on its own websites, the exact exposure we map in HIPAA tracking technologies.

What does a healthcare data breach cost?

What A Breach Cost

IBM's Cost of a Data Breach Report puts the average healthcare breach at $7.42 million in 2025, down $2.35 million from the prior year but still the highest of any industry, a position healthcare has held for 14 consecutive years. Healthcare breaches also take the longest to find and fix: an average of 279 days to identify and contain, about five weeks longer than the global average. Those two numbers are related. The longer ePHI sits exposed, the more records leak and the more the cleanup costs. Encryption also changes the math after a loss: properly encrypted data can qualify for the breach notification safe harbor, which is one reason the safeguards in our HIPAA hosting security measures checklist treat it as non-negotiable.

HIPAA enforcement statistics: what OCR actually does

  • 21 enforcement actions in 2025, counting settlements and civil monetary penalties. That is OCR's second highest annual total, up from 16 in 2024.

  • More than 50 cases have been resolved under the Right of Access initiative as of January 2026.

  • The risk analysis enforcement initiative continues in 2026, expanding to cover risk management. The missing or inadequate risk analysis under 45 CFR § 164.308(a)(1)(ii)(A) remains the most commonly cited failure.

The 2026 civil penalty amounts, effective January 28, 2026:

Tier

Culpability

Per violation

Annual cap per provision

1

Unknowing

$145 to $73,011

$2,190,294

2

Reasonable cause

$1,461 to $73,011

$2,190,294

3

Willful neglect, corrected

$14,602 to $73,011

$2,190,294

4

Willful neglect, uncorrected

$73,011 to $2,190,294

$2,190,294

How those tiers get applied, and what recent cases settled for, is covered in our guide to HIPAA violation fines and penalties.

What the numbers mean for infrastructure

Read together, the statistics point at the server room. The record breaches happened where patient data concentrates: clearinghouses, health plans, and vendors running large systems. The costliest failures took the better part of a year to detect, which is an audit logging and monitoring problem. And a 13 million record breach happened through website tracking scripts, not a break-in. That is why HIPAA compliant hosting is less about any single product and more about the basics done consistently: encryption, isolation, logging that someone reads, and a BAA chain with no missing links. We sell managed hosting, so weigh that as a disclosure. The numbers on this page are sourced independently of us either way.

Citing this page

These figures are compiled from the HHS OCR breach portal, HHS enforcement records, the Federal Register, and IBM's annual report, and this page is updated as new totals publish. Journalists, researchers, and bloggers are welcome to cite any statistic here with attribution and a link.

Frequently asked questions

How many healthcare data breaches were there in 2024?

725 breaches of 500 or more records were reported to OCR in 2024, affecting about 289 million people. It was the worst year on record for exposed healthcare records and the third straight year above 700 large breaches.

What is the largest healthcare data breach in history?

The February 2024 ransomware attack on Change Healthcare, which exposed the protected health information of about 192.7 million people. It surpassed the 2015 Anthem breach of 78.8 million, which had held the record for nine years.

How much does a healthcare data breach cost?

An average of $7.42 million per incident in 2025, per IBM's Cost of a Data Breach Report. Healthcare has been the most expensive industry for breaches for 14 consecutive years, and its breaches take an average of 279 days to identify and contain.

How many HIPAA fines were issued in 2025?

OCR closed 21 enforcement actions in 2025 through settlements and civil monetary penalties, its second highest annual total. The Right of Access and risk analysis initiatives continue into 2026.

Did healthcare breaches get better in 2025?

Exposures fell about 79 percent, to at least 61.6 million individuals, mostly because nothing matched Change Healthcare's scale. The number of incidents stayed above 700 for a fourth straight year, and 16 breaches each topped one million records.

Recap: healthcare data breach statistics

To recap, the healthcare data breach statistics for 2026 tell a consistent story. 2024 set the all-time record at 725 large breaches and 289 million exposed records, driven by Change Healthcare's 192.7 million. 2025 fell to about 61.6 million exposures across 700 plus incidents. Breaches cost healthcare more than any other industry, $7.42 million on average, and take 279 days to contain. OCR enforcement is rising, with 21 actions in 2025 and penalties reaching $2,190,294 per provision per year. The exposure lives where data concentrates, which makes infrastructure the first line of defense.

Figures are compiled from the sources below as reported through July 2026 and rounded where noted; totals on the OCR portal change as breaches are reported and updated. This page is general information, not legal advice.

Sources

  • HHS OCR breach portal (all reported breaches of 500+ records): ocrportal.hhs.gov

  • HHS OCR resolution agreements and enforcement: hhs.gov

  • IBM Cost of a Data Breach Report, healthcare industry: ibm.com

  • HIPAA Journal, healthcare data breach statistics (compiled OCR data): hipaajournal.com

  • 45 CFR § 102.3 civil penalty amounts (Federal Register, January 28, 2026): ecfr.gov