HIPAA Breach Report 2026: OCR Data, Ransomware Trends, and What Mid-Market Healthcare Must Do Next
The most recent full year of HIPAA breach data on record is the worst ever. According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) Breach Portal, more than 275 million individuals had their protected health information (PHI) exposed in reportable breaches in 2024 — roughly the equivalent of every adult in the United States. It is the largest annual exposure figure OCR has ever logged, more than double the previous record set in 2023.
This report analyzes that dataset — the breaches, the attack patterns, the regulator response, and the cost — and translates it into what mid-market healthcare organizations actually need to do in 2026. At BlueRadius, we built our virtual CISO practice around this exact segment: healthcare providers, medical device makers, digital health startups, and the business associates that serve them. The data in this report is what we use to prioritize their programs.
Key Findings: HIPAA Breaches in 2024
- 725 large breaches (500 or more individuals) reported to OCR, level with 2023's count. The count did not grow; the size of the largest incidents did.
- 275+ million individuals affected — more than double 2023's figure of ~133 million, itself a record at the time.
- Hacking and IT incidents account for approximately 80% of breaches and more than 95% of records exposed, per OCR's incident categorization.
- Ransomware drove the largest breaches of the year, including the Change Healthcare incident (reported to OCR at roughly 100 million individuals during 2024; UnitedHealth Group revised that figure to approximately 190 million in January 2025, and the 2024 totals in this report do not include the revision) and the Ascension attack (~5.6 million).
- Business associates, not covered entities, were the origin point for a disproportionate share of records exposed — the third-party risk problem has become the dominant risk.
- Healthcare remains the most expensive industry to suffer a breach: $9.77 million average per incident, per the IBM Cost of a Data Breach Report 2024 — the 14th consecutive year healthcare has held the top spot.
The takeaway is unambiguous: if you handle PHI and operate in the mid-market, you are now inside a regulatory and threat environment that looks nothing like the one that shaped your original HIPAA program. What follows is what the data actually shows — and what to do about it.
The 2024 Numbers: A Record-Breaking Year
OCR's Breach Portal — colloquially known as the "Wall of Shame" — publishes every breach affecting 500 or more individuals, as required under the HITECH Act. The 2024 data tells a clear story: the industry did not just have a bad year. It shifted into a structurally higher-risk regime.
Between January 1 and December 31, 2024, OCR logged 725 large breaches. Volume alone is only part of the picture — what changed was the shape of the breaches. A handful of mega-incidents, each exposing tens of millions of records, accounted for the majority of the 275M+ total. This is a meaningful departure from prior years, when exposure was more evenly distributed across many mid-sized incidents.
Year-over-year comparison:
- 2022: 720 breaches, ~55M individuals affected
- 2023: 725 breaches, ~133M individuals affected (record at the time)
- 2024: 725 breaches, ~275M+ individuals affected (new record)
The breach count is flat. The exposure is vertical. One mega-breach can now rival an entire year of smaller incidents combined — a pattern that fundamentally changes how mid-market healthcare organizations should think about supply chain risk, cyber insurance, and incident response.
Change Healthcare and the New Era of Mega-Breaches
The single event that reshaped the 2024 dataset was the Change Healthcare ransomware attack. UnitedHealth Group disclosed in SEC filings and congressional testimony that the ALPHV/BlackCat ransomware operation compromised Change Healthcare in February 2024. The initial OCR filing put the number affected at about 100 million individuals, roughly one in three Americans; in January 2025 UnitedHealth Group revised that to approximately 190 million, more than half the U.S. population and the largest healthcare breach ever reported. CEO Andrew Witty's May 2024 testimony also identified the initial access vector: compromised credentials used against a Citrix remote-access portal that did not have multi-factor authentication enabled.
The attack was notable not only for its scale but for what it revealed about healthcare's operational interdependence. Change Healthcare processes around 15 billion healthcare transactions annually and sits in the clearinghouse position between providers, payers, and pharmacies. When it went down, pharmacies could not process claims, providers could not bill, and small practices across the country saw their cash flow seize up within weeks. We analyzed the broader lessons in our post on what the Change Healthcare breach tells us about healthcare cybersecurity.
Other notable 2024 healthcare breaches included:
- Kaiser Permanente — 13.4 million individuals, related to improperly configured tracking technologies transmitting PHI to third-party advertisers.
- Ascension Health — 5.6 million individuals, Black Basta ransomware affecting clinical operations across multiple states.
- Medusind — 360,000+ individuals, a medical and dental billing vendor whose breach highlighted the business associate risk vector.
- Concentra Health Services — 3.9 million individuals, via Perry Johnson & Associates, a business associate handling medical transcription.
The pattern: ransomware, business associates, and healthcare's deep vendor interdependence are combining to produce breaches at a scale the industry has never had to absorb.
Ransomware is Driving Healthcare's Breach Crisis
OCR's portal classifies breaches by type: hacking/IT incident, unauthorized access/disclosure, theft, loss, improper disposal, and other/unknown. Over the past three years, "hacking/IT incident" has grown from a plurality to a dominant majority, accounting for roughly 80% of breach count and over 95% of records exposed in 2024.
The driver is ransomware, and not just any ransomware. Healthcare has become a preferred target for specific ransomware-as-a-service operations, among them ALPHV/BlackCat, Black Basta, Rhysida, and LockBit (disrupted by law enforcement in February 2024 but not eliminated), because the combination of high data sensitivity, operational urgency, and cyber insurance coverage produces high payout rates. Most of these affiliates exfiltrate data before they encrypt, so restoring from backup does not make the incident go away: OCR treats ransomware encryption of ePHI as a presumed breach unless the organization can demonstrate a low probability that the data was compromised. When a hospital cannot operate, the calculation on paying a ransom is very different from a manufacturer's calculation.
This is why healthcare organizations need active threat operations — not passive monitoring dashboards. Detecting ransomware staging activity in the hours before encryption is the difference between a contained incident and a Wall of Shame entry. For a deeper framework on post-breach response, our executive guide to digital forensics walks through what the first 72 hours actually look like.
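As an added example (not code from the original post), here is a minimal Python detector for the pre-encryption "staging" behaviour referred to above, run over constructed Windows process-creation log lines. The hostnames, usernames and the pipe-delimited log format are hypothetical; the commands are the shadow-copy deletion, boot-recovery tampering, event-log clearing and service-stop patterns that ransomware affiliates routinely run before encrypting. The detector alerts only when several distinct behaviours fire on one host inside a short window, which is what separates a real staging cluster from an administrator running a single vssadmin command.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: process-creation events (Sysmon EID 1 / Security 4688) flattened to
# "timestamp|host|user|parent_image|command_line". Hosts and users are hypothetical.
SAMPLE_LOG = """\
2024-05-08T02:11:04|WS-NUR-07|NURSE_SHARED|explorer.exe|C:\\Windows\\System32\\notepad.exe C:\\Users\\nurse\\notes.txt
2024-05-08T02:14:31|SRV-FILE-01|svc_backup|cmd.exe|vssadmin.exe delete shadows /all /quiet
2024-05-08T02:14:33|SRV-FILE-01|svc_backup|cmd.exe|wmic.exe shadowcopy delete
2024-05-08T02:14:40|SRV-FILE-01|svc_backup|cmd.exe|bcdedit.exe /set {default} recoveryenabled no
2024-05-08T02:14:41|SRV-FILE-01|svc_backup|cmd.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2024-05-08T02:15:02|SRV-FILE-01|svc_backup|cmd.exe|wevtutil.exe cl Security
2024-05-08T02:15:05|SRV-FILE-01|svc_backup|cmd.exe|net.exe stop "SQL Server (MSSQLSERVER)" /y
2024-05-08T03:40:12|SRV-PACS-02|pacsadmin|powershell.exe|vssadmin.exe list shadows
2024-05-09T09:00:00|SRV-PACS-02|pacsadmin|mmc.exe|wevtutil.exe cl Application
"""

# (rule name, command-line regex, MITRE ATT&CK technique). Listing shadows is benign
# admin activity and deliberately does not match; deleting them does.
STAGING_RULES = [
    ("shadow_copy_delete",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "T1490"),
    ("boot_recovery_disable",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I), "T1490"),
    ("event_log_clear", re.compile(r"wevtutil(\.exe)?\s+cl\s+\w+", re.I), "T1070.001"),
    ("service_stop", re.compile(r"net(1)?(\.exe)?\s+stop\s+", re.I), "T1489"),
]


def parse_line(line):
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "parent": parent, "cmd": cmd}


def match_rules(event):
    """Return the (rule name, technique) pairs whose regex matches the command line."""
    return [(name, ttp) for name, rx, ttp in STAGING_RULES if rx.search(event["cmd"])]


def detect_staging(log_text, window=timedelta(minutes=15), min_distinct=2):
    """Alert on any host where at least `min_distinct` different staging behaviours
    occur within `window`. One alert per host, keyed on the earliest qualifying event."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for name, ttp in match_rules(ev):
            hits[ev["host"]].append((ev["ts"], name, ttp, ev["user"], ev["cmd"]))

    alerts = []
    for host, events in hits.items():
        events.sort()
        for i, (t0, *_) in enumerate(events):
            cluster = [e for e in events[i:] if e[0] - t0 <= window]
            names = {e[1] for e in cluster}
            if len(names) >= min_distinct:
                alerts.append({
                    "host": host,
                    "first_seen": t0,
                    "behaviours": sorted(names),
                    "techniques": sorted({e[2] for e in cluster}),
                    "users": sorted({e[3] for e in cluster}),
                    "commands": [e[4] for e in cluster],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_staging(SAMPLE_LOG):
        print(alert)
```

Against the constructed log, SRV-FILE-01 produces one alert covering four behaviours inside 34 seconds, while SRV-PACS-02 (a shadow-copy listing and a single log clear a day later) produces none. In a real deployment the same rules live in the SIEM, the 4688/Sysmon feed has to be actually enabled on the servers that hold ePHI, and the alert has to reach a human at 2 a.m., which is the point the paragraph above makes.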
Business Associate Breaches: The Third-Party Problem
One of the most consequential shifts in the 2024 dataset is the rise of breaches originating at business associates (BAs) rather than covered entities (CEs). HIPAA defines a business associate as any vendor handling PHI on behalf of a covered entity — cloud hosting providers, billing companies, transcription services, analytics firms, benefits administrators, and increasingly, AI and automation vendors.
When a BA is breached, every CE that used that BA is affected. A single incident at a transcription vendor can expose PHI from hundreds of provider clients. Change Healthcare, which operates as a business associate to an enormous number of covered entities, is the extreme version of this — but the pattern plays out at smaller scales constantly.
For mid-market healthcare organizations, this means two things:
- Your third-party risk program is now your breach risk program. You will almost certainly be notified of a breach in the next 24 months not because of something you did, but because of something one of your BAs did. If you do not have a current inventory of every BA, signed Business Associate Agreements (BAAs) on file, and a tracked risk assessment for each, you are exposed by default.
- Breach notification obligations travel downstream. A BA must notify the CE without unreasonable delay and no later than 60 days after it discovers the breach; the CE then owes notification to affected individuals (and to prominent media outlets in any state where more than 500 residents are affected) within 60 days of its own discovery. If the BA is acting as your agent, its discovery date is your discovery date and your clock started before you heard about it. The BA did the breaching; you do the notifying.
A formalized BA management process is table stakes in 2026. Our HIPAA compliance checklist details what that program looks like. For mid-market organizations without a dedicated GRC platform, Radius360's guide to automating evidence collection shows how to track BA risk at scale without building a team around it.
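To make the downstream-clock point above concrete, here is an added Python example (not code from the original post or any BlueRadius product) that works out the notification deadlines for a business associate incident under the Breach Notification Rule. The vendors, dates and counts are constructed; the 60-day outer limits, the agent-versus-contractor discovery rule, the 500-residents media threshold and the 500-individual HHS reporting split are the regulatory values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Outer limit in the HIPAA Breach Notification Rule: notification "without unreasonable
# delay and in no case later than 60 calendar days" after discovery (45 CFR 164.404, 164.410).
OUTER_LIMIT = timedelta(days=60)
MEDIA_THRESHOLD = 500          # more than 500 residents of one state or jurisdiction (164.406)
HHS_IMMEDIATE_THRESHOLD = 500  # 500+ individuals: HHS is told with the individual notices (164.408)


@dataclass
class BusinessAssociate:
    name: str
    baa_on_file: bool
    is_agent: bool                   # agent under the federal common law of agency, vs. independent contractor
    baa_notice_days: Optional[int]   # contractual BA-to-CE notice window written into the BAA, if any


@dataclass
class BaIncident:
    ba: BusinessAssociate
    ba_discovered: date
    ce_notified: Optional[date]
    individuals: int
    residents_by_state: Dict[str, int] = field(default_factory=dict)


def ce_discovery_date(inc: BaIncident) -> Optional[date]:
    """An agent's knowledge is imputed to the covered entity (164.404(a)(2)); for a
    non-agent BA the CE 'discovers' the breach when the BA tells it."""
    return inc.ba_discovered if inc.ba.is_agent else inc.ce_notified


def notification_plan(inc: BaIncident) -> dict:
    ba_deadline = inc.ba_discovered + OUTER_LIMIT
    disc = ce_discovery_date(inc)
    flags: List[str] = []
    if not inc.ba.baa_on_file:
        flags.append("no BAA on file")
    if inc.ba.baa_notice_days is None:
        flags.append("BAA has no breach-notice clause; only the 60-day regulatory limit binds the BA")
    elif inc.ce_notified and (inc.ce_notified - inc.ba_discovered).days > inc.ba.baa_notice_days:
        flags.append(f"BA missed the contractual {inc.ba.baa_notice_days}-day notice window")
    if inc.ce_notified and inc.ce_notified > ba_deadline:
        flags.append("BA breached the 60-day regulatory notice limit")
    return {
        "ba_to_ce_deadline": ba_deadline,
        "ce_discovery": disc,
        "individual_notice_deadline": disc + OUTER_LIMIT if disc else None,
        "media_notice_states": sorted(s for s, n in inc.residents_by_state.items() if n > MEDIA_THRESHOLD),
        "hhs_notice": ("with individual notices, no later than 60 days after discovery"
                       if inc.individuals >= HHS_IMMEDIATE_THRESHOLD
                       else "annual log, within 60 days after the end of the calendar year"),
        "flags": flags,
    }


# Constructed scenarios (hypothetical vendors), loosely modelled on the transcription-vendor pattern.
TRANSCRIPTION_VENDOR = BusinessAssociate("Acme Transcription (hypothetical)", True, False, 10)
HOSTING_VENDOR = BusinessAssociate("Acme Hosting (hypothetical)", True, True, None)

SCENARIOS = {
    "non_agent_late": BaIncident(TRANSCRIPTION_VENDOR, date(2024, 1, 10), date(2024, 3, 15), 3900,
                                 {"TX": 3000, "OK": 600, "NM": 300}),
    "agent_small": BaIncident(HOSTING_VENDOR, date(2024, 2, 1), date(2024, 2, 5), 300, {"TX": 300}),
}


def plans():
    return {name: notification_plan(inc) for name, inc in SCENARIOS.items()}


if __name__ == "__main__":
    for name, plan in plans().items():
        print(name, plan)
```

The two scenarios show the asymmetry: the independent-contractor vendor that sat on a January discovery until mid-March is itself out of compliance, but the covered entity's own 60-day clock only starts on March 15; the agent vendor's February 1 discovery is the covered entity's discovery, so the covered entity's deadline is April 1 whether or not it was told promptly. Whether a given BA is an agent is a facts-and-circumstances question about how much control you exercise over its work, which is why the inventory needs to record it.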
The Cost of a Healthcare Breach: $9.77 Million
IBM's annual Cost of a Data Breach Report has placed healthcare as the most expensive industry to suffer a breach for 14 consecutive years. The 2024 figure — $9.77 million average per breach — is more than double the cross-industry average of $4.88 million.
Why is healthcare so expensive?
- Regulatory cost: OCR investigations, state AG involvement, and potential Corrective Action Plans (CAPs) each carry years of compliance overhead.
- Notification cost: Individual notification, credit monitoring (typically 12–24 months), and call-center operations for patient inquiries.
- Litigation cost: Healthcare breach class actions have become an established plaintiff bar. Settlements are in the tens of millions for large breaches; defense costs are material even for small ones.
- Clinical disruption: When operations are affected, every delayed procedure and diverted ambulance has a quantifiable cost.
- Detection and containment time: IBM's 2024 report put the global mean time to identify and contain a breach at 258 days, and healthcare has consistently run above the cross-industry figure. Longer attacker dwell time means more data exfiltrated and more systems to rebuild.
The cost curve means a single breach can be existential for a mid-market provider. A 200-bed hospital with $300M in revenue does not absorb a $10M breach as a line-item. It absorbs it as a strategic event — often one that delays capital projects, triggers layoffs, or forces consolidation.
OCR Enforcement: Where Regulators Are Focused
OCR has also shifted enforcement posture. Settlements in 2023 and 2024 demonstrate the regulator's priorities:
- Risk analysis failures. OCR has stated publicly that the HIPAA Security Rule requirement for an accurate, thorough, enterprise-wide risk analysis is "the most consistent deficiency" observed in investigations. Multiple 2024 settlements cited this failure as the primary enforcement basis.
- Ransomware-related settlements. In October 2024 OCR launched its "Risk Analysis Initiative," aimed squarely at organizations whose ransomware breaches traced back to a missing or inadequate Security Rule risk analysis. The first settlement under the initiative was announced the same month, with more following.
- Right of Access violations. OCR's "Right of Access Initiative" continues to produce small-dollar settlements (typically $15K–$100K) for failure to provide patients timely access to their records. These are volume enforcement: the agency has closed more than 50 such cases.
- Business associate accountability. OCR takes direct enforcement action against BAs as well as CEs; the HITECH Act made BAs directly liable for Security Rule compliance, and these cases are becoming more frequent. That changes vendor liability calculations across the industry.
For mid-market organizations, the practical implication is that OCR will ask for your risk analysis documentation first. If it is missing, out of date, or was clearly copy-pasted from a template, the investigation escalates. A current, defensible risk analysis — refreshed at least annually and after every material system change — is the single most important HIPAA compliance artifact. Our regulatory compliance team conducts these regularly as part of program buildouts.
Where Mid-Market Healthcare Organizations Are Most Exposed
The headline breaches grab attention, but the mid-market risk profile is specific. From our work with healthcare clients — hospitals, specialty practices, digital health platforms, medical device companies, and biotech — five exposure patterns dominate:
- Unpatched legacy systems in clinical environments. Medical devices, EHR modules, and imaging systems often run operating systems that cannot be patched on a standard IT cycle. These are the easiest targets for ransomware staging, and where patching is impossible, compensating controls (network segmentation, no inbound access from the general user network, no domain-admin logons) have to do the work the patch would have done.
- Shared administrative credentials. Nursing stations, shared workstations, and shift-based access patterns frequently default to shared accounts, which defeats both accountability and anomaly detection. OCR investigations consistently cite inadequate access controls.
- Unmanaged business associates. The average mid-market provider has 100–300+ BAAs on file. How many are tracked, current, and matched to an actual risk assessment? For most organizations, the answer is: far fewer than exist.
- Tracking pixels and third-party scripts. Kaiser's 13.4M-individual breach was caused by exactly this. OCR's tracking-technology guidance (issued December 2022, updated March 2024) states that tracking technologies transmitting PHI to third parties without authorization are impermissible disclosures. A federal court vacated the portion of that guidance covering unauthenticated pages in June 2024, but authenticated pages such as patient portals and scheduling tools remain squarely in scope, and state privacy and wiretap class actions continue regardless. Most health system websites still have these tags.
- Security program ownership gaps. Many mid-market healthcare organizations lack a dedicated CISO. IT manages HIPAA compliance alongside every other operational demand. Without senior security leadership, the program exists on paper but not in practice. This is precisely what a virtual CISO engagement is designed to fix.
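For the tracking-pixel exposure above (and the "audit your patient-facing websites" step later in this post), here is an added Python example, not code from the original post, that performs the static part of that audit: parse a page, list every third-party host the page will contact, detect common inline tracker bootstraps, and decide whether the page is one where the visitor's identity or health context is in play. The hostnames, path list and sample HTML are constructed for a hypothetical health system; the third-party tag patterns are the standard Google Tag Manager and Meta Pixel snippets.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Hypothetical health-system hostnames; everything else is treated as third party.
FIRST_PARTY_HOSTS = {"www.example-health.org", "portal.example-health.org"}
# Paths and query keys that, on this hypothetical site, mean the visitor is a patient or is
# disclosing something about their health (portal, scheduling, symptom/specialty search).
PHI_PATH_PREFIXES = ("/portal/", "/mychart/", "/appointments/", "/find-a-doctor/results")
PHI_QUERY_KEYS = {"condition", "specialty", "provider", "symptom", "q"}
# Fingerprints of common inline tracker bootstraps (Meta Pixel, Google tag, LinkedIn, TikTok).
INLINE_TRACKER_MARKERS = ("fbq(", "gtag(", "_linkedin_partner_id", "ttq.")


class RequestCollector(HTMLParser):
    """Collect every tag whose source attribute triggers a request, plus inline script text."""
    LOADERS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.requests = []            # (tag, url)
        self.inline_script = ""
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = self.LOADERS.get(tag)
        if attr and a.get(attr):
            self.requests.append((tag, a[attr]))
        elif tag == "script":          # <script> with no src: inline code follows
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_script += data


def page_bears_phi(page_url):
    """True when the URL itself puts the visitor in a patient or health-disclosure context."""
    u = urlsplit(page_url)
    return u.path.startswith(PHI_PATH_PREFIXES) or bool(PHI_QUERY_KEYS & set(parse_qs(u.query)))


def audit_page(page_url, html):
    p = RequestCollector()
    p.feed(html)
    third_party = []
    for tag, url in p.requests:
        host = urlsplit(url).hostname   # relative URLs have no host and are first party
        if host and host not in FIRST_PARTY_HOSTS:
            third_party.append((tag, host))
    inline = [m for m in INLINE_TRACKER_MARKERS if m in p.inline_script]
    phi = page_bears_phi(page_url)
    return {
        "url": page_url,
        "phi_context": phi,
        "third_party_requests": third_party,
        "inline_trackers": inline,
        # A finding is a PHI-context page that talks to anyone but us.
        "finding": phi and bool(third_party or inline),
    }


# Constructed sample pages: a provider search carrying a specialty in the query string
# and loading Google Tag Manager plus a Meta Pixel, and a plain marketing page.
SAMPLE_PAGES = {
    "https://www.example-health.org/find-a-doctor/results?specialty=oncology&zip=75201": """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-XXXX');</script>
<link rel="stylesheet" href="https://www.example-health.org/static/site.css">
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/>
</body></html>""",
    "https://www.example-health.org/about-us": """
<html><head><script src="/static/app.js"></script></head><body><p>About us</p></body></html>""",
}


def audit_all(pages=SAMPLE_PAGES):
    return [audit_page(url, html) for url, html in pages.items()]


if __name__ == "__main__":
    for result in audit_all():
        print(result)
```

On the constructed pages the provider search is flagged (the specialty the visitor typed rides in the page URL that the Google tag and the Meta Pixel both report) while the About page is clean. This is static analysis only: tags injected at runtime by a tag manager are invisible to it, so the full audit also needs a crawl through a browser or an intercepting proxy that records the actual outbound requests, and the remediation is to remove the tags from PHI-context pages or gate them behind a consent and scrubbing layer that strips paths, query strings and form data before anything leaves the page.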
What Mid-Market Healthcare Must Do in 2026
The data points to a clear action list. None of these are new concepts — HIPAA has required most of them for over a decade — but the enforcement environment and breach scale have made each one materially more urgent.
- Refresh your enterprise risk analysis. Not a gap assessment. Not a checklist. A documented, HIPAA Security Rule-compliant risk analysis covering every system that creates, receives, maintains, or transmits ePHI. Update it annually.
- Build a real business associate inventory. Every BA. Every BAA. Every risk assessment. Every breach notification clause. A living document, owned by one person, with a review cadence.
- Deploy 24/7 detection and response. Ransomware operations stage for hours to days before encryption. Without eyes on the environment during nights and weekends — when most attacks execute — your detection window is exactly zero. This is what managed security services exist to solve.
- Test your incident response plan. Not tabletop — live drill. Simulate a ransomware scenario with your clinical operations team in the room. Discover the gaps before the real event. Our framework is in our post on effective data breach incident response planning.
- Eliminate tracking pixel PHI transmission. Audit your patient-facing websites. Any tracking technology transmitting URLs, form data, or authenticated session data to third parties while PHI is in scope is a breach in waiting. Remove or gate it.
- Establish senior security leadership. Whether through a full-time CISO, a vCISO arrangement, or an advisory model — someone at the executive level needs decision authority, budget, and accountability for the security program. OCR asks about this in investigations. Boards ask about it in risk reviews. Cyber insurers ask about it in renewals.
- Formalize board-level security reporting. Quarterly at minimum. Include breach data, BA risk status, IR test outcomes, and program metrics. For a mid-market approach, Radius360's guide to scaling compliance programs covers the reporting cadence.
- Align to a defined framework. HIPAA is a floor, not a program. NIST Cybersecurity Framework 2.0, HITRUST CSF, or the HHS Cybersecurity Performance Goals (CPGs) give your program the structure HIPAA alone does not. See Radius360's NIST CSF 2.0 implementation guide for a practical starting point.
How to Build HIPAA Resilience Without Enterprise Budgets
None of the 2024 mega-breaches happened because the affected organizations couldn't afford security. They happened because the complexity outran the program. Mid-market healthcare organizations have the opposite problem: limited budget, leaner teams, the same threat environment.
Three moves consistently close that gap:
- Virtual CISO leadership. A senior security practitioner working on your program part-time is more effective than an in-house IT manager trying to cover security alongside everything else. The vCISO model gives you enterprise-grade judgment at mid-market cost.
- A compliance platform that handles the evidence layer. Manual evidence collection — screenshots, spreadsheets, email chains — is where programs fail audits and miss breach indicators. Radius360 is purpose-built for this: automated evidence collection, cross-framework mapping (HIPAA + NIST + SOC 2 + HITRUST), board-ready reporting, and integration with the security tools you already run.
- Managed threat operations. 24/7 detection, response, and remediation without hiring a 24/7 team. This is the single biggest operational shift a mid-market healthcare organization can make — and the one with the most direct impact on breach risk.
If you're not sure where your HIPAA program stands today, we offer a free cybersecurity assessment that benchmarks your current state against the OCR risk analysis standard and the 2024 breach patterns described above. It takes 30 minutes, and you walk away with a specific gap list.
Conclusion: The 2026 HIPAA Environment
The 2024 data is not an anomaly. It is the new baseline. Breach scale is structurally higher, ransomware is structurally more targeted at healthcare, business associate risk is structurally larger, and OCR enforcement is structurally more active. A program designed for the 2020 environment will not hold in the 2026 environment.
The good news: the playbook is not mysterious. The data tells you exactly where to focus — risk analysis, BA management, 24/7 detection, board reporting, senior leadership. Organizations that execute on those fundamentals, with the discipline to keep them current, are the ones that stay off next year's Wall of Shame.
If you want to discuss what the data means specifically for your organization — your vendor stack, your clinical operations, your compliance posture — schedule a conversation with our team. We do this work every day with healthcare organizations your size.
Sources and Further Reading
- HHS OCR Breach Portal — official breach notifications, 500+ records
- IBM Cost of a Data Breach Report 2024 — industry breach cost benchmarks
- HHS Cybersecurity Performance Goals — voluntary healthcare cybersecurity baseline
- BlueRadius: HIPAA Compliance Services
- BlueRadius: HIPAA Compliance Checklist for Healthcare Practices
- BlueRadius: Lessons From the Change Healthcare Breach
- BlueRadius: Cybersecurity for Healthcare Providers
- BlueRadius: Healthcare Cybersecurity Implementation (Dallas)
- BlueRadius: Biotech vCISO Services (Boston)