HIPAA Enforcement & Breach Trends Through Mid-2026: A Medcurity Analysis of HHS OCR Public Data

Every HIPAA vendor on the market recycles the same enforcement statistics. For this report, Medcurity went directly to the primary sources: every resolution agreement HHS Office for Civil Rights (OCR) has published on its enforcement page through June 5, 2026, and the most-recently-reported breaches from the HHS OCR Breach Portal — the public “Wall of Shame” required by the HITECH Breach Notification Rule. This report is written for healthcare compliance officers, small and mid-sized practice administrators, CISOs, and any covered entity or business associate trying to understand where HIPAA risk actually sits halfway through 2026. Three findings stand out: hacking now drives roughly nine out of ten reported breaches, the median breach is getting smaller (not larger), and one root cause shows up in nearly every recent Security Rule settlement.

Headline findings

How we analyzed the data

We pulled two HHS OCR data sets on June 5, 2026: the public Resolution Agreements index (153 enforcement actions from 2008 through March 2026) and the HHS OCR Breach Notification Portal (the “Wall of Shame” of breaches affecting 500 or more individuals). We categorized each resolution agreement by sector, penalty amount where stated in the OCR press-release title, and violation type. We cross-referenced enforcement activity with the Breach Portal’s submission data to identify breach causes, covered-entity types, and concentration patterns. Two limitations are worth naming up front. First, the Breach Portal lags real-time activity by roughly four to five months — breaches submitted between mid-January and June 2026 had not yet appeared on the public view at the time of pull. Second, OCR includes penalty amounts in press-release titles for only about 60% of agreements; the remainder require per-agreement document review to surface the dollar figure. All directional findings in this report are computed from the visible data; we have flagged stats that are not computable from public sources as omitted.

Resolution agreement trends — what HHS has been settling

OCR’s enforcement docket in 2025 leaned heavily on cybersecurity. Of the eighteen 2025 resolution agreements posted on the HHS index, at least nine specifically cite ransomware in the press-release title — and OCR numbered them publicly. The January 7, 2025 VPN Solutions and Elgon Information Systems settlements are labeled by HHS as its 9th and 8th ransomware investigations, respectively. The April 23, 2025 PIH Health Care Network settlement ($600,000) called out a phishing-attack breach. The January 14, 2025 Solara Medical Supplies settlement ($3,000,000) was the largest stated 2025 figure and likewise involved phishing. The February 20, 2025 Warby Parker action ($1,500,000) was notable for two reasons: it was a Civil Money Penalty rather than a voluntary settlement, and the covered entity is a consumer-recognizable retail eyewear brand — confirming OCR will litigate to CMP rather than negotiate when it believes the evidence is strong.

The sector mix tells the small-and-mid-sized story plainly. Across the full 153-agreement Resolution Agreements page, hospitals and health systems account for roughly 31 actions; specialty practices and clinics for roughly 25; business associates for at least nine; dental practices for seven; behavioral or mental health providers for six; and health plans, pharmacies, ambulance services, nursing facilities, and government entities for the balance. The 2024 docket reinforces the small-practice exposure. Gulf Coast Pain Consultants was hit with a $1.19 million CMP on December 3, 2024 for Security Rule violations. Gums Dental Care paid $70,000 on October 17, 2024 for failing to provide timely access to records. Providence Medical Institute settled for $240,000 on October 3, 2024 for ransomware. Several 2024 ransomware settlements (October 31, 2024 actions for $90,000 and $500,000; September 26, 2024 for $250,000) were posted without entity names — a pattern that has continued into 2025.

The Right of Access Initiative has not slowed. The March 6, 2025 OHSU CMP ($200,000) and the January 15, 2025 Memorial Healthcare System settlement both addressed timely-access failures. OCR has now publicly counted more than twenty Right of Access enforcement actions across the lifetime of the initiative.

One pattern is consistent across nearly every recent Security Rule action: OCR cites “failure to conduct an accurate and thorough risk analysis” as a root finding. This appears in the Gulf Coast Pain CMP, in Solara, in Warby Parker, in the 2024 ransomware-series settlements, and in older marquee actions including Anthem ($16M, 2018), Athens Orthopedic ($1.5M, 2020), and Fresenius Medical Care (2018). It is the single most repeated root-cause finding in the OCR enforcement record.

Breach Portal trends — what is actually causing healthcare breaches in 2026

The H1 comparison from the HHS Breach Portal makes the cause story unambiguous. H1 2025 saw approximately 419 reports of breaches affecting 500 or more individuals, with 43.1 million individuals affected and a 79% hacking/IT-incident share. H1 2026, through June 5, was tracking at 283 reports, 20.5 million individuals affected, and an 87% hacking/IT-incident share. Pro-rated for the missing 25 days of June, the H1 2026 report volume is running roughly 22% below H1 2025 — but the cause concentration tightened: physical-world breaches (theft, loss, improper disposal) effectively vanished, accounting for two of 283 reports. The Security Rule, and the risk-analysis mandate that sits at its core, is now where roughly nine of ten reported breaches are decided.

The location-of-information data narrows it further. In the trailing-quarter snapshot of 100 most-recent reports, network servers were the breach site in 69 of 100 incidents and accounted for approximately 2.43 million of 2.70 million individuals affected — close to 90% of all victims. Email was the breach site in 15 of 100 reports and accounted for roughly 8% of individuals affected. The takeaway: while phishing dominates the press cycle, server-side compromise is where the volume lives.

The mega-breach board for H1 2026 is led by business associates and large providers: TriZetto Provider Solutions (3,433,965 individuals, MO, hacking, 02/06/2026), QualDerm Partners (3,117,874, TN, hacking, 02/22/2026), Nacogdoches Memorial Hospital (2,507,073, TX, hacking, 03/30/2026), Navia Benefit Solutions (2,151,330, WA, hacking, 03/18/2026), and NYC Health and Hospitals Corporation (1,800,000, NY, hacking, 03/24/2026). Notably, Erie Family Health Centers — a federally qualified health center in Illinois — reported a 570,000-individual breach during the window, putting community health centers on the 2026 mega-breach board for the first time in recent memory.

The size-distribution story is the one most reports overlook. The median 2026 breach affected 2,451 individuals, down from 4,078 in H1 2025 — a roughly 40% decline. That places the typical breached organization in the range of a three-to-five-provider specialty practice, a dental group, a behavioral health clinic, or a county-level public health department. The “we are too small to be a target” theory is no longer statistically supported by HHS’s own data.

The pattern small healthcare practices should watch for

Three patterns that are directly relevant to small and mid-sized covered entities repeat across the 2025-2026 data.

Ransomware-by-way-of-vendor is the dominant vector. In a single 24-hour window on October 24, 2025, five separate U.S. urology and oncology practices in different states reported HIPAA breaches to HHS OCR — all Hacking/IT Incidents, all on network servers. That cluster pattern is consistent with a shared electronic-health-record or billing-vendor compromise rippling through a sub-specialty. One business associate, Fieldtex Products in New York, appears five times in the most-recent 100 breach reports, for a cumulative 378,434 individuals affected across separate covered-entity clients. The supply-chain risk is concrete.

Business associate exposure is the most consistent systemic gap. Business associates are 22% of recent incidents but 33% of individuals affected — meaning the average BA breach affects roughly twice as many individuals as the average healthcare-provider breach. The covered entity remains responsible for patient notification and reputational fallout regardless of which party suffered the underlying incident. OCR has now publicly settled with multiple business associates (Comstar in May 2025, BST & Co. CPAs in August 2025, MMG Fusion in March 2026), confirming that BAs are no longer a regulatory blind spot.
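As an added illustration (not part of the Medcurity analysis or its tooling), the two concentration checks described above can be run over Breach Portal rows: the same-day cluster test behind the October 24 urology/oncology observation, and the business-associate share of reports versus individuals. The rows, entity names and counts below are constructed sample data, not portal entries.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample rows (not real portal entries), in the Breach Portal's column
# order: name, state, entity type, individuals, submitted, type, location, BA present.
PORTAL_ROWS = [
    ("Urology Group A", "TX", "Healthcare Provider", 41200, "10/24/2025",
     "Hacking/IT Incident", "Network Server", "Yes"),
    ("Oncology Partners B", "GA", "Healthcare Provider", 18750, "10/24/2025",
     "Hacking/IT Incident", "Network Server", "Yes"),
    ("Urology Clinic C", "FL", "Healthcare Provider", 9300, "10/24/2025",
     "Hacking/IT Incident", "Network Server", "Yes"),
    ("Dental Office D", "OH", "Healthcare Provider", 2451, "10/24/2025",
     "Unauthorized Access/Disclosure", "Email", "No"),
    ("Billing Vendor E", "NY", "Business Associate", 120000, "10/28/2025",
     "Hacking/IT Incident", "Network Server", "Yes"),
]
KEYS = ("name", "state", "entity_type", "individuals", "submitted",
        "breach_type", "location", "ba_present")

def parse_rows(rows):
    """Turn portal tuples into dicts, parsing the MM/DD/YYYY submission date."""
    reports = [dict(zip(KEYS, row)) for row in rows]
    for rec in reports:
        rec["submitted"] = datetime.strptime(rec["submitted"], "%m/%d/%Y")
    return reports

def report_clusters(reports, min_size=3, window=timedelta(hours=24)):
    """Runs of min_size+ reports sharing type and location, submitted within one
    window anchored on the run's earliest report: the same-day shared-vendor signal."""
    by_key = defaultdict(list)
    for r in reports:
        by_key[(r["breach_type"], r["location"])].append(r)
    clusters = []
    for key, group in by_key.items():
        group.sort(key=lambda r: r["submitted"])
        i = 0
        while i < len(group):
            j = i
            while j + 1 < len(group) and group[j + 1]["submitted"] - group[i]["submitted"] <= window:
                j += 1
            if j - i + 1 >= min_size:
                clusters.append((key, [r["name"] for r in group[i:j + 1]]))
            i = j + 1
    return clusters

def share_by(reports, pred):
    """(share of reports, share of individuals) for reports matching pred."""
    hits = [r for r in reports if pred(r)]
    total = sum(r["individuals"] for r in reports)
    return len(hits) / len(reports), sum(r["individuals"] for r in hits) / total
```

A cluster returned by `report_clusters` is a prompt to ask your own business associates whether they were affected, not proof of a shared vendor; the portal does not name the upstream source.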

The Risk Analysis Initiative is serialized, not ad hoc. Every Security Rule resolution agreement in the recent record cites the same root deficiency: failure to conduct an accurate and thorough risk analysis covering all locations of electronic protected health information. This is the most repeated phrase in the OCR enforcement vocabulary, and it is the deficiency small healthcare practices most often under-resource. A documented annual security risk analysis that follows OCR’s stated methodology — identifying threats, vulnerabilities, likelihood, and impact, with controls mapped to findings — is the single piece of evidence that most reliably distinguishes settled cases from closed-without-action cases.

What this means for 2026 compliance budgets

The math for a small practice is simple but underdiscussed. The IBM Cost of a Data Breach Report 2024 placed the global average cost of a healthcare-sector data breach at $9.77 million, with healthcare the most expensive industry for the fourteenth consecutive year (Source: IBM Security, Cost of a Data Breach Report 2024). For a small or mid-sized practice that figure scales down but does not disappear: breach notification costs, forensic investigation, legal counsel, OCR cooperation, and lost patient trust are fixed costs that hit any covered entity regardless of size. The MMG Fusion settlement is instructive — $10,000 in monetary penalties, but a three-year corrective action plan with HHS monitoring of successor entities, plus the original covered entities still owing patient notification.

Proactive risk-analysis investment is measured in single-digit thousands of dollars per year for a small practice using a healthcare-specialized platform. The asymmetry is stark and well-documented. A documented annual security risk analysis is the single piece of evidence OCR asks for first in an investigation. The recent OCR statement attached to the Risk Analysis Initiative — that “proactively implementing the HIPAA Security Rule before a breach occurs is a regulated entity’s best opportunity” to limit liability — is not vendor marketing; it is the regulator’s own framing. The honest read of the 2026 enforcement record is that the cost of being unprepared has not changed, while the cost of preparation continues to drop as healthcare-native tooling matures.

Methodology and source data

Source data: HHS OCR Resolution Agreements index at hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements (page last reviewed March 5, 2026; pulled June 5, 2026) and HHS OCR Breach Notification Portal at ocrportal.hhs.gov/ocr/breach/breach_report.jsf (pulled June 5, 2026). Resolution agreement counts include all entries on the HHS index page. Breach Portal counts cover the 100 most-recently-posted reports for trailing-quarter analysis; H1 2025 versus H1 2026 figures are derived from full-portal pulls of the “Under Investigation” and “Archive” tabs. Counts exclude breaches affecting fewer than 500 individuals (not published by HHS). The next quarterly update to this analysis will pull post-October 2026 to capture the next OCR posting cycle. This report is published by Medcurity and is free to cite with attribution to “Medcurity analysis of HHS OCR public data, June 2026.”

Frequently asked questions

Where does this enforcement data come from?
The data in this report is pulled directly from two public HHS Office for Civil Rights sources: the Resolution Agreements page at hhs.gov, which lists every HIPAA enforcement settlement and Civil Money Penalty, and the HHS Breach Notification Portal, which lists every reported breach affecting 500 or more individuals as required by the HITECH Breach Notification Rule. Both are public-domain sources.

How often does HHS publish new resolution agreements?
OCR publishes resolution agreements on a rolling basis throughout the year as cases are settled or adjudicated. Looking at 2024 and 2025, OCR averaged roughly fifteen to twenty announced actions per year, with clusters around quarterly enforcement initiatives such as the Risk Analysis Initiative and the Right of Access Initiative.

What is the largest stated HHS HIPAA penalty in 2025 so far?
The largest stated 2025 resolution agreement is the Solara Medical Supplies settlement at $3,000,000 (phishing attack, January 14, 2025). The largest 2025 Civil Money Penalty stated in a press-release title is Warby Parker at $1,500,000 (cybersecurity hacking, February 20, 2025).

Which sector is most exposed to HIPAA enforcement in 2026?
OCR’s 2025 and 2026 enforcement docket disproportionately affects small to mid-sized specialty practices, business associates, behavioral health providers, and dental practices. Hospitals and large health systems still appear, but the volume of small-organization actions reflects OCR’s stated emphasis on ransomware investigations and Risk Analysis findings.

How can a small healthcare practice prepare for an HHS investigation?
The most consistent finding in recent Security Rule settlements is failure to conduct an accurate and thorough risk analysis. Small practices should maintain a documented annual security risk analysis covering all locations of electronic protected health information, retain corrective-action evidence for identified vulnerabilities, maintain a current business associate agreement inventory, and document workforce training. To start a 2026 risk analysis, schedule a conversation with Medcurity.

This analysis is published by Medcurity, a healthcare-specialized HIPAA risk analysis and compliance platform. All data is drawn from public HHS OCR sources and is free to cite with attribution.

For switching guidance from a competing platform, read our Compliancy Group to Medcurity migration guide.

For a vertical-specific application of these enforcement themes, see our HIPAA SRA guide for Illinois Community Health Centers.

For the 2026 vendor comparison, see our 2026 HIPAA SRA Software Landscape, and for budgeting, our 2026 HIPAA SRA cost analysis.