Healthcare breach trends and HIPAA enforcement priorities amid rising ransomware and third‑party risk
Reporting on healthcare security trends indicates breach incidents increased sharply between 2024 and 2025, even as the total number of compromised patient records declined, suggesting attackers are increasingly prioritizing operational disruption over mass data theft. Drivers cited include ransomware, third‑party/vendor exposure, and expanding “shadow AI” usage; the same reporting highlights low confidence in vendor risk assessments and in rapid detection/containment/recovery capabilities, reinforcing the need for improved visibility across overlapping technology stacks and more resilient security programs.
Separately, the U.S. HHS Office for Civil Rights (OCR) stated it will continue HIPAA privacy/security enforcement despite federal office closures, and outlined 2026 priorities that include: continuing the HIPAA Right of Access initiative, expanding Security Rule risk analysis work into risk management, and emphasizing enforcement actions tied to hacking and ransomware (described as the leading driver of large breaches reported to OCR). OCR also noted preparation for a new enforcement program related to confidentiality of substance use disorder treatment records under 42 C.F.R. Part 2, with breach reports and complaints expected to begin in February 2026.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
OCR prepares February 2026 launch of Part 2 enforcement intake
OCR said it is preparing to receive reports and complaints starting in February 2026 for a new enforcement program covering confidentiality of substance use disorder treatment records under 42 C.F.R. Part 2. This marks the upcoming operational start of intake for that enforcement area.
OCR identifies four enforcement priorities for 2026
HHS OCR highlighted four current priorities for 2026: continuing the HIPAA Right of Access Enforcement Initiative, expanding the Security Rule Risk Analysis Initiative into risk management, emphasizing hacking and ransomware enforcement actions, and preparing a new enforcement program for 42 C.F.R. Part 2 confidentiality requirements. The priorities were described publicly in comments reported on January 15, 2026.
OCR says it continues HIPAA enforcement amid office closure concerns
In response to questions about how the closure of six HHS regional offices might affect HIPAA breach investigations, the HHS Office for Civil Rights said it continues its enforcement mission and investigations under its statutory and regulatory authorities. OCR did not directly answer whether staffing changes would reduce the number of breaches investigated.
Healthcare breaches doubled between 2024 and 2025
A Fortified Health Security report cited by Cybersecurity Dive found that the number of healthcare-sector data breaches doubled from 2024 to 2025, although the total number of compromised patient records declined significantly. The report attributed the rise to ransomware, third-party/vendor risk, and growing shadow AI use.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Regulatory Reporting and Healthcare Data Breaches Highlight Rising Compliance Pressure
European regulators issued about **€1.2B in GDPR fines in 2025** and received an average of **443 personal data breach notifications per day**, according to DLA Piper’s GDPR Fines and Data Breach Survey. The report attributes the sustained reporting surge to multiple factors—geopolitical instability, repeated cyber incidents, and commoditized attack tooling—while warning that organizations are also contending with overlapping and faster disclosure expectations under newer regimes such as **NIS2** and **DORA**, increasing operational and management-level accountability pressure. In the US healthcare sector, HHS **OCR** used its 2026 quarterly cybersecurity newsletter to urge **HIPAA-regulated entities** to harden systems, standardize security controls, reduce attack surface, and strengthen **risk analysis and risk management**, signaling continued enforcement focus on Security Rule compliance. Separately, OCR breach-portal reporting showed **unusually low counts** of large healthcare breaches in October–November 2025 that likely reflect a **government shutdown backlog** rather than a true decline, while individual incidents continued to surface—**Central Maine Healthcare** reported unauthorized network access from **March–June 2025** affecting up to **145,000** individuals, with exposed data including **names and Social Security numbers** plus treatment/insurance-related information and credit monitoring offered to impacted patients.
Mar 21, 2026
US Healthcare Privacy Lapses and Breach Reporting Trends
**US healthcare organizations reported unusually low numbers of large HIPAA breaches in late 2025**, with 41 incidents affecting 500+ individuals logged for December 2025 in the HHS OCR breach portal. Reporting volumes for September–December averaged ~40.75 large breaches per month versus ~66.5 in the prior four months, and 2025 totals stood at 697 breaches (a reported ~6% decrease from 2024), though the count was expected to rise as additional incidents are added. A key factor cited for the apparent decline was a **43-day US government shutdown** that furloughed most HHS staff and likely created a backlog in posting breach reports to the OCR portal, potentially suppressing late-2025 totals until processing is completed. Separately, a **VA Office of Inspector General** review found a **privacy and security compliance failure** within the Veterans Health Administration’s national cancer testing program tied to a collaborative research effort. The OIG reported that in 2022 a VHA research director created and shared a file containing electronic health record reports and a “significant amount” of **protected health information (PHI)** with non-VHA investigators **without institutional review board approval or de-identification**, and that required **audit logs** for secure ePHI management were missing. The OIG noted delays in reporting and inadequate early mitigation, and issued six recommendations that the VA agreed to implement, including removing PHI from shared materials, clarifying research processes, and improving training.
Apr 10, 2026
2025 Data Breach Trends in Healthcare and Education Sectors
Reporting on 2025 breach activity indicates **incident volumes largely plateaued** while impact varied by sector. In U.S. healthcare, HHS OCR portal data shows large breaches (affecting 500+ individuals) remained in the **~700–750 per year** range, with an apparent **4.3% year-over-year decline** in 2025 that may change as late reports are added; a late-2025 **federal government shutdown** is cited as a factor that could delay postings and inflate later totals. Despite relatively stable breach counts, the number of affected individuals dropped sharply year over year, from a record **289,162,330** in 2024 to at least **61,556,256** in 2025 (a reported **78% reduction**). In education, a Comparitech roundup cited in sector reporting attributes **251 claimed ransomware attacks** against schools and universities globally in 2025 (vs. 247 in 2024), with **94 confirmed** by victim organizations; while attack counts were steady, known exposed records across confirmed incidents rose to **3.9 million** (up **27%** from 3.1 million). Drivers highlighted include **third-party software vulnerabilities** and a small number of large higher-education breaches. Separately, general guidance for healthcare organizations reiterates **HIPAA Breach Notification Rule** obligations (45 CFR §§ 164.400–414), including notification timelines (no later than **60 days** after discovery) and escalation requirements for larger incidents (e.g., **500+** affected individuals).
Apr 30, 2026