Healthcare Data Breach and HIPAA Enforcement Statistics for 2026
Last updated: July 5, 2026
Healthcare data breach statistics show 2024 was the worst year on record: 725 large breaches were reported to the HHS Office for Civil Rights (OCR), exposing the records of about 289 million people, and a single attack on Change Healthcare accounted for roughly 192.7 million of them. 2025 improved sharply, with reported exposures falling about 79 percent to roughly 61.6 million individuals. Healthcare remains the most expensive industry for breaches for the 14th straight year, at an average of $7.42 million per incident. This page compiles the key healthcare data breach statistics and HIPAA enforcement numbers for 2026, with primary sources listed at the end. You are welcome to cite any figure here with a link to this page.
TL;DR: Quick answer
2024: 725 breaches of 500 or more records reported to OCR, about 289 million individuals affected, the worst year ever recorded.
The Change Healthcare ransomware attack (February 2024) is the largest health data breach in history at about 192.7 million people, roughly two thirds of all 2024 exposures.
2025: exposures fell about 79 percent to at least 61.6 million individuals, though 16 breaches still topped one million records each.
Healthcare breaches cost an average of $7.42 million in 2025 (IBM), the highest of any industry for 14 consecutive years, and take an average of 279 days to identify and contain.
OCR closed 21 enforcement actions in 2025, its second highest annual total. 2026 penalties run from $145 to $73,011 per violation in the lowest tier, with an annual cap of $2,190,294 per provision.
How many healthcare data breaches happen each year?

OCR publishes every reported breach affecting 500 or more people on its public breach portal. The recent totals:
Year | Large breaches reported | Individuals affected | Note |
|---|---|---|---|
2024 | 725 | ~289 million | Record year; third straight year above 700 breaches |
2025 | 700+ (per OCR portal) | ~61.6 million | About a 79 percent drop in exposures from 2024 |
The 2025 decline is less reassuring than it looks. It reflects the absence of another Change Healthcare, not a quiet year: 16 separate 2025 breaches each affected more than one million people. The volume of incidents stayed above 700 for the fourth consecutive year. Attackers have not slowed down. The single points of failure just got smaller.
What are the largest healthcare data breaches of all time?

Organization | Year | Individuals | Cause |
|---|---|---|---|
Change Healthcare | 2024 | ~192.7 million | Ransomware (BlackCat) at a claims clearinghouse |
Anthem | 2015 | 78.8 million | Cyberattack on a health plan |
Conduent Business Services | 2025 | 62+ million | Cyberattack at a business services vendor |
Kaiser Foundation Health Plan | 2024 | ~13.4 million | Tracking technologies sharing data with advertisers |
Ascension Health | 2024 | ~5.6 million | Ransomware (Black Basta) across 142 hospitals |
Two patterns stand out. First, the biggest breaches hit Business Associates and intermediaries, not hospitals. Change Healthcare processed claims for a huge share of the country, so one compromise became a national event; we cover that concentration risk in HIPAA compliant hosting for medical billing. Second, not every mega-breach is a hack. Kaiser's 13.4 million came from advertising pixels on its own websites, the exact exposure we map in HIPAA tracking technologies.
What does a healthcare data breach cost?

IBM's Cost of a Data Breach Report puts the average healthcare breach at $7.42 million in 2025, down $2.35 million from the prior year but still the highest of any industry, a position healthcare has held for 14 consecutive years. Healthcare breaches also take the longest to find and fix: an average of 279 days to identify and contain, about five weeks longer than the global average. Those two numbers are related. The longer ePHI sits exposed, the more records leak and the more the cleanup costs. Encryption also changes the math after a loss: properly encrypted data can qualify for the breach notification safe harbor, which is one reason the safeguards in our HIPAA hosting security measures checklist treat it as non-negotiable.
HIPAA enforcement statistics: what OCR actually does
21 enforcement actions in 2025, counting settlements and civil monetary penalties. That is OCR's second highest annual total, up from 16 in 2024.
More than 50 cases have been resolved under the Right of Access initiative as of January 2026.
The risk analysis enforcement initiative continues in 2026, expanding to cover risk management. The missing or inadequate risk analysis under 45 CFR § 164.308(a)(1)(ii)(A) remains the most commonly cited failure.
The 2026 civil penalty amounts, effective January 28, 2026:
Tier | Culpability | Per violation | Annual cap per provision |
|---|---|---|---|
1 | Unknowing | $145 to $73,011 | $2,190,294 |
2 | Reasonable cause | $1,461 to $73,011 | $2,190,294 |
3 | Willful neglect, corrected | $14,602 to $73,011 | $2,190,294 |
4 | Willful neglect, uncorrected | $73,011 to $2,190,294 | $2,190,294 |
How those tiers get applied, and what recent cases settled for, is covered in our guide to HIPAA violation fines and penalties.
What the numbers mean for infrastructure
Read together, the statistics point at the server room. The record breaches happened where patient data concentrates: clearinghouses, health plans, and vendors running large systems. The costliest failures took the better part of a year to detect, which is an audit logging and monitoring problem. And a 13 million record breach happened through website tracking scripts, not a break-in. That is why HIPAA compliant hosting is less about any single product and more about the basics done consistently: encryption, isolation, logging that someone reads, and a BAA chain with no missing links. We sell managed hosting, so weigh that as a disclosure. The numbers on this page are sourced independently of us either way.
Citing this page
These figures are compiled from the HHS OCR breach portal, HHS enforcement records, the Federal Register, and IBM's annual report, and this page is updated as new totals publish. Journalists, researchers, and bloggers are welcome to cite any statistic here with attribution and a link.
Frequently asked questions
How many healthcare data breaches were there in 2024?
725 breaches of 500 or more records were reported to OCR in 2024, affecting about 289 million people. It was the worst year on record for exposed healthcare records and the third straight year above 700 large breaches.
What is the largest healthcare data breach in history?
The February 2024 ransomware attack on Change Healthcare, which exposed the protected health information of about 192.7 million people. It surpassed the 2015 Anthem breach of 78.8 million, which had held the record for nine years.
How much does a healthcare data breach cost?
An average of $7.42 million per incident in 2025, per IBM's Cost of a Data Breach Report. Healthcare has been the most expensive industry for breaches for 14 consecutive years, and its breaches take an average of 279 days to identify and contain.
How many HIPAA fines were issued in 2025?
OCR closed 21 enforcement actions in 2025 through settlements and civil monetary penalties, its second highest annual total. The Right of Access and risk analysis initiatives continue into 2026.
Did healthcare breaches get better in 2025?
Exposures fell about 79 percent, to at least 61.6 million individuals, mostly because nothing matched Change Healthcare's scale. The number of incidents stayed above 700 for a fourth straight year, and 16 breaches each topped one million records.
Recap: healthcare data breach statistics
To recap, the healthcare data breach statistics for 2026 tell a consistent story. 2024 set the all-time record at 725 large breaches and 289 million exposed records, driven by Change Healthcare's 192.7 million. 2025 fell to about 61.6 million exposures across 700 plus incidents. Breaches cost healthcare more than any other industry, $7.42 million on average, and take 279 days to contain. OCR enforcement is rising, with 21 actions in 2025 and penalties reaching $2,190,294 per provision per year. The exposure lives where data concentrates, which makes infrastructure the first line of defense.
Figures are compiled from the sources below as reported through July 2026 and rounded where noted; totals on the OCR portal change as breaches are reported and updated. This page is general information, not legal advice.
Sources
HHS OCR breach portal (all reported breaches of 500+ records): ocrportal.hhs.gov
HHS OCR resolution agreements and enforcement: hhs.gov
IBM Cost of a Data Breach Report, healthcare industry: ibm.com
HIPAA Journal, healthcare data breach statistics (compiled OCR data): hipaajournal.com
45 CFR § 102.3 civil penalty amounts (Federal Register, January 28, 2026): ecfr.gov