HIPAA OCR: 725 Breaches, 275M Records
Updated for 2026
HHS Office for Civil Rights (OCR) counted 725 healthcare data breaches in 2024. Those breaches hit 275 million patient records. That total is the highest ever logged in a single year.
The average cost per healthcare breach reached $10.22 million in 2025, according to IBM's Cost of a Data Breach Report. That figure covers civil fines, legal fees, patient notices, credit monitoring, and lost trust.
2025 and 2026 are key years for covered entities and their business associates. A proposed HIPAA Security Rule update from March 2025 would add the biggest set of technical rules since 2003.
What Caused 725 Breaches in 2024
The OCR portal groups 2024 failures into four types.
Hacking and IT incidents caused 74% of reported breaches. Ransomware, server attacks, and email fraud are the top types. Attackers now aim at whole networks. One attack can pull records from an entire EHR system at once.
Unauthorized access and disclosure caused 18% of breaches. Bad access controls, insider misuse, and wrong-recipient errors all count here.
Third-party incidents made up 35% of 2024 breaches. The failure started at a business associate — not the covered entity. Change Healthcare (a UnitedHealth Group unit) alone exposed over 190 million patient records. That is the largest US health data breach on record.
Theft or loss of portable media caused 8% of breaches. Laptops, USB drives, and paper records were lost or stolen without encryption or other protection.
The 18 PHI Types Under Safe Harbor
HIPAA's Safe Harbor method (45 CFR §164.514(b)) requires removal of all 18 types of patient data. Most teams know the list. The hard part is detection at scale.
- Names — patients, family members, employers
- Geographic data — any area smaller than a state
- Dates — admission, discharge, birth, death (year may stay)
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers (format varies by EHR system)
- Health plan member numbers
- Account numbers
- Certificate and license numbers — medical, DEA, state
- Vehicle IDs — VINs and plate numbers
- Device IDs — serial numbers and unique device codes
- Web URLs
- IP addresses
- Biometric data — fingerprints and voice prints
- Full-face photos and similar images
- Any other unique ID, code, or trait
Type 18 is the hardest to catch. Any code that ties a record to a specific patient must go — even without a set pattern.
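The list above is the easy part; the detection-at-scale problem is catching the pattern-shaped types reliably and proving afterwards that nothing slipped through. The following is an added example, not code from the page or from OCR: a regular-expression pass that scrubs the pattern-shaped Safe Harbor types (dates, phone, email, SSN, MRN, URL, IP), keeps the year on dates as the rule allows, and returns a per-type count plus a residual rescan that can serve as the validation record. Every pattern, the MRN format (a hypothetical "MRN-" prefix; real formats vary by EHR) and the sample note are assumptions. Names (type 1) and type 18, the catch-all for any other unique code, have no fixed shape and need a dictionary or NER layer on top of this.

```python
"""Safe Harbor identifier scan. Added example, not code from the page.

Scrubs the pattern-shaped Safe Harbor types from free text with typed
placeholders, keeps the year on dates, and returns counts plus a residual
rescan for the validation record. Names and type 18 are out of scope:
they need a dictionary or NER layer. All patterns are assumptions.
"""
import re
from collections import Counter

# Dates run first and keep the year: MM/DD/YYYY or ISO YYYY-MM-DD.
DATE_RE = re.compile(
    r"\b(?:\d{1,2}/\d{1,2}/(?P<y>\d{4})|(?P<y2>\d{4})-\d{2}-\d{2})\b"
)

# Pattern-shaped identifier types. Order matters: the more specific shapes
# (SSN 3-2-4, MRN with its prefix) run before the looser phone pattern.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL", re.compile(r"\bhttps?://\S+?(?=[.,;:]?(?:\s|$))")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("MRN", re.compile(r"\bMRN[-:]?\s?\d{6,10}\b")),  # hypothetical EHR format
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
]


def deidentify(text: str):
    """Return (scrubbed_text, counts_per_type)."""
    counts = Counter()

    def keep_year(m):
        # Safe Harbor allows the year to stay; the day and month go.
        counts["DATE"] += 1
        return f"[DATE:{m.group('y') or m.group('y2')}]"

    text = DATE_RE.sub(keep_year, text)
    for name, rx in PATTERNS:
        text, n = rx.subn(f"[{name}]", text)
        if n:
            counts[name] += n
    return text, dict(counts)


def residual_hits(text: str) -> int:
    """Rescan the output; a nonzero result means the scrub is incomplete."""
    hits = len(DATE_RE.findall(text))
    return hits + sum(len(rx.findall(text)) for _, rx in PATTERNS)


# Constructed clinical note, not real patient data.
SAMPLE_NOTE = (
    "Pt Jane Doe, MRN-00482913, DOB 03/14/1958, seen 2024-02-21. "
    "Contact: jane.doe@example.com, (555) 867-5309. "
    "Portal login from 203.0.113.7, see https://portal.example.org/visit/9981. "
    "SSN on file 123-45-6789."
)

if __name__ == "__main__":
    clean, counts = deidentify(SAMPLE_NOTE)
    print(clean)
    print(counts, "residual:", residual_hits(clean))
```

The residual rescan is the piece most teams skip: it turns "we ran the scrubber" into evidence that the output contains no hit for any pattern the scrubber knows about, which is the kind of technical record the proposed rule asks for. Note that "Jane Doe" survives this pass, which is exactly why a regex layer alone does not satisfy Safe Harbor.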
For a step-by-step guide on scrubbing all 18 types from clinical records, see HIPAA Safe Harbor de-identification for healthcare research.
Five New Rules in the Proposed Security Update
The proposed HIPAA Security Rule update (March 2025) adds five duties.
Annual encryption audits. Covered entities must confirm that all patient data at rest is protected with AES-256 or an equivalent algorithm. Key management must meet written standards.
Written de-identification procedures. Any patient data used in research, AI training, or analytics needs written steps. A policy note is not enough. Technical records with proof of validation are required.
Business associate security checks. Business associates must pass specific technical checks before they go live. Until now, contracts covered this with no technical detail.
Multi-factor authentication (MFA). All staff with access to electronic patient data must use MFA. Legacy systems are not exempt.
Incident response testing. Annual drills and technical tests are required. Teams must keep records of the results.
Lessons from Change Healthcare
The Change Healthcare breach (February 2024) showed what systemic risk looks like. Change Healthcare handled 15 billion transactions per year. It linked providers, payers, and pharmacies as a clearinghouse.
The breach started with one remote access account. That account had no MFA. Attackers moved through the network for nine days. Then they launched ransomware.
The lesson is clear. A business associate with wide access to health transactions is a risk to every partner it touches. The old framework was not built for providers handling a third of all US health transactions.
The proposed rule's MFA, network segmentation, and business associate checks all trace back to this event.
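The MFA duty is the one most directly tied to this event, and it is also the easiest to verify from data an organization already has. The following is an added example, not code from the page, from OCR or from any IdP vendor: an audit over an account inventory (field names are assumptions, as is the constructed inventory) that flags every account able to reach ePHI or log in remotely without MFA. Severity rises for remote access and again for accounts owned by a business associate, because one such account was the entry point described above. A local "legacy exemption" does not suppress a finding; it is reported as its own reason, matching the rule's position that legacy systems are not exempt.

```python
"""MFA coverage audit over an account inventory. Added example, not code
from the page, from OCR or from any IdP vendor. Field names and the
inventory are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user: str
    mfa: bool
    remote_access: bool   # VPN, RDP gateway, virtual desktop or similar
    ephi_access: bool     # can read electronic PHI
    legacy_exempt: bool   # exemption granted locally by a system owner
    third_party: bool     # owned by a business associate, not the entity


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def in_scope(a: Account) -> bool:
    """Accounts with a path to ePHI or a remote entry point are in scope."""
    return a.remote_access or a.ephi_access


def audit_mfa(accounts):
    """Return (severity, user, reasons) for each in-scope account without
    MFA, most severe first."""
    findings = []
    for a in accounts:
        if a.mfa or not in_scope(a):
            continue
        reasons = []
        if a.remote_access:
            reasons.append("remote access without MFA")
        if a.ephi_access:
            reasons.append("ePHI access without MFA")
        if a.legacy_exempt:
            # The proposed rule gives legacy systems no exemption.
            reasons.append("legacy exemption is not recognised by the proposed rule")
        if a.remote_access and a.third_party:
            severity = "critical"
        elif a.remote_access:
            severity = "high"
        else:
            severity = "medium"
        findings.append((severity, a.user, "; ".join(reasons)))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    return findings


def mfa_coverage(accounts):
    """Return (in-scope accounts with MFA, in-scope accounts) for the record."""
    scoped = [a for a in accounts if in_scope(a)]
    return sum(1 for a in scoped if a.mfa), len(scoped)


# Constructed inventory; every user and flag is hypothetical.
INVENTORY = [
    Account("svc-clearinghouse-vpn", mfa=False, remote_access=True,
            ephi_access=True, legacy_exempt=False, third_party=True),
    Account("rn.smith", mfa=True, remote_access=True,
            ephi_access=True, legacy_exempt=False, third_party=False),
    Account("lab-legacy-app", mfa=False, remote_access=False,
            ephi_access=True, legacy_exempt=True, third_party=False),
    Account("helpdesk.contractor", mfa=False, remote_access=True,
            ephi_access=False, legacy_exempt=False, third_party=False),
    Account("kiosk-lobby", mfa=False, remote_access=False,
            ephi_access=False, legacy_exempt=False, third_party=False),
]

if __name__ == "__main__":
    covered, total = mfa_coverage(INVENTORY)
    print(f"MFA coverage: {covered}/{total} in-scope accounts")
    for severity, user, reasons in audit_mfa(INVENTORY):
        print(f"[{severity}] {user}: {reasons}")
```

Run against a real export, the coverage pair is the number to put in the annual record, and the critical findings are the remote, third-party accounts to close first; the kiosk account with no path to ePHI is deliberately left out of scope so the report stays focused on the accounts the rule actually covers.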
For PHI removal from hospital-specific record formats, see HIPAA MRN detection and hospital-specific patterns. For zero-knowledge design that keeps patient data off the network, see HIPAA-compliant cloud PHI and zero-knowledge design.