Regulatory Reporting and Healthcare Data Breaches Highlight Rising Compliance Pressure
European regulators issued about €1.2B in GDPR fines in 2025 and received an average of 443 personal data breach notifications per day, according to DLA Piper’s GDPR Fines and Data Breach Survey. The report attributes the sustained reporting surge to multiple factors—geopolitical instability, repeated cyber incidents, and commoditized attack tooling—while warning that organizations are also contending with overlapping and faster disclosure expectations under newer regimes such as NIS2 and DORA, increasing operational and management-level accountability pressure.
In the US healthcare sector, HHS OCR used its 2026 quarterly cybersecurity newsletter to urge HIPAA-regulated entities to harden systems, standardize security controls, reduce attack surface, and strengthen risk analysis and risk management, signaling continued enforcement focus on Security Rule compliance. Separately, OCR breach-portal reporting showed unusually low counts of large healthcare breaches in October–November 2025 that likely reflect a government shutdown backlog rather than a true decline, while individual incidents continued to surface—Central Maine Healthcare reported unauthorized network access from March–June 2025 affecting up to 145,000 individuals, with exposed data including names and Social Security numbers plus treatment/insurance-related information and credit monitoring offered to impacted patients.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
HHS OCR urges HIPAA entities to harden system security
In its first quarterly cybersecurity newsletter of 2026, the HHS Office for Civil Rights advised HIPAA-regulated entities to strengthen system hardening to protect ePHI. OCR said it would continue its risk analysis enforcement initiative, expand scrutiny to risk management, and emphasized patching, attack-surface reduction, and correcting misconfigurations.
European GDPR fines reach €1.2 billion in 2025
A DLA Piper survey found that total GDPR fines across Europe in 2025 rose to about €1.2 billion. The report also noted enforcement remained heavily concentrated, with Ireland's regulator responsible for more than half of all fines since 2018.
European breach notifications exceed 400 per day
From 28 January 2025 onward, European data protection authorities received an average of 443 personal data breach notifications per day. The DLA Piper survey says this was a 22 percent year-over-year increase and the first time daily reports exceeded 400 since GDPR began.
TikTok fined €530 million for unlawful data transfers
Ireland's Data Protection Commission issued TikTok a €530 million GDPR fine for unlawful international data transfers. The survey identifies it as the largest single GDPR fine issued in 2025.
Meta receives record €1.2 billion GDPR fine
Meta was hit with a €1.2 billion GDPR sanction, which the report says remains the largest single GDPR fine on record. The article describes this as having occurred two years before 2025.
GDPR takes effect across Europe
The EU General Data Protection Regulation began applying in May 2018, establishing the breach-notification and enforcement regime referenced in the reports. Since then, cumulative GDPR fines have grown to €7.1 billion.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Regulatory Reporting Highlights Rising GDPR Enforcement and U.S. Healthcare Breach Disclosures
European privacy regulators issued roughly **€1.2B in GDPR fines in 2025** and received an average of **443 personal data breach notifications per day** (a reported 22% increase year over year), according to DLA Piper’s GDPR Fines and Data Breach Survey as cited by DataBreaches.net. The reporting indicates sustained enforcement since GDPR’s introduction, with cumulative penalties reaching **€7.1B** since 2018, alongside a continued high volume of breach notifications to data protection authorities. In the U.S. healthcare sector, HIPAA Journal reported that **November 2025** showed unusually low counts of large breaches listed on the HHS OCR breach portal (**32 incidents affecting 500+ individuals**), but attributed the apparent decline to reporting delays during the **U.S. government shutdown (Oct 1–Nov 12, 2025)** and a resulting backlog. Separately, Central Maine Healthcare disclosed a breach affecting **~145,000 individuals**, with unauthorized network access occurring between **Mar 19 and Jun 1, 2025** and exposure of data including **names and Social Security numbers** plus clinical/insurance details; notifications began in late December 2025 and credit monitoring was offered.
Mar 21, 2026
Rising Regulatory and Governance Pressure on Data Protection and Cybersecurity
European regulators issued roughly **€1.2B** in **GDPR** fines in 2025 and received an average of **443 personal data breach notifications per day**, signaling increased enforcement and reporting volume alongside overlapping disclosure regimes such as **NIS2** and **DORA**. Ireland remained a leading enforcement authority, including a **€530M** fine against **TikTok**, while large technology firms continued to account for most of the largest penalties; cumulative GDPR penalties since 2018 were reported at **€7.1B**. In the U.S., an **HHS Office of Inspector General** management challenges report highlighted persistent federal healthcare cybersecurity gaps, including inconsistent governance and controls across HHS divisions and heavy dependence on contractors and grantees to implement security measures—conditions that complicate prevention and response as ransomware and other attacks continue to target healthcare. Separately, an academic study on insider risk reported that **58%** of surveyed college students in technology-related programs said they would violate **HIPAA** and disclose patient data for sufficient payment, underscoring the human/insider threat dimension that can drive breach risk and downstream regulatory exposure.
Mar 21, 2026
Healthcare breach trends and HIPAA enforcement priorities amid rising ransomware and third‑party risk
Reporting on healthcare security trends indicates **breach incidents increased sharply between 2024 and 2025**, even as the total number of compromised patient records declined, suggesting attackers are increasingly prioritizing **operational disruption** over mass data theft. Drivers cited include **ransomware**, **third‑party/vendor exposure**, and expanding “shadow AI” usage; the same reporting highlights low confidence in vendor risk assessments and in rapid detection/containment/recovery capabilities, reinforcing the need for improved visibility across overlapping technology stacks and more resilient security programs. Separately, the U.S. **HHS Office for Civil Rights (OCR)** stated it will continue HIPAA privacy/security enforcement despite federal office closures, and outlined 2026 priorities that include: continuing the **HIPAA Right of Access** initiative, expanding **Security Rule risk analysis** work into risk management, and emphasizing enforcement actions tied to **hacking and ransomware** (described as the leading driver of large breaches reported to OCR). OCR also noted preparation for a new enforcement program related to confidentiality of substance use disorder treatment records under **42 C.F.R. Part 2**, with breach reports and complaints expected to begin in February 2026.
Mar 21, 2026