If you handle patient data, these numbers should keep you up at night — or motivate you to get your compliance program in order. Every statistic below is sourced from the U.S. Department of Health & Human Services (HHS), the Office for Civil Rights (OCR), or OCR’s official breach portal.
We update this page as new data becomes available. Bookmark it.
The Big Picture: OCR Enforcement Since 2003
Since the HIPAA Privacy Rule took effect in April 2003, OCR has received over 374,000 complaints and resolved more than 370,000 of them — a 99% resolution rate. More than 1,193 compliance reviews have been initiated, and 2,419 cases have been referred to the Department of Justice for potential criminal prosecution.
The cumulative total of HIPAA enforcement settlements and civil money penalties through 2024: $144,878,972 across 152 cases.
That is nearly $145 million in penalties — and that only counts federal OCR enforcement, not state attorney general actions.
Source: HHS OCR Numbers at a Glance, HHS OCR Enforcement Highlights
OCR Enforcement Actions & Fines by Year
| Year | Enforcement Actions | Total Fines & Settlements |
|---|---|---|
| 2018 | 11 | $28.7 million |
| 2019 | — | $12.3 million |
| 2020 | 19 | $13.6 million |
| 2021 | 14 | $6.0 million |
| 2024 | 22 | $9.9 million |
| 2025 (through May) | 16 | $8.3 million |
2018 was a record-setting year — $28.7 million in a single year, driven by the Anthem settlement alone ($16 million). Enforcement dipped in 2021-2022 as OCR shifted focus to Right of Access cases with smaller individual penalties, but 2024-2025 show a clear return to aggressive enforcement.
The maximum penalty per violation category was raised to $2,190,294 as of January 2026 (annual inflation adjustment).
Source: HHS OCR Enforcement Results by Year, HHS OCR Enforcement Highlights
Largest HIPAA Fines in History
| Rank | Organization | Fine | Year |
|---|---|---|---|
| 1 | Anthem Inc. | $16,000,000 | 2018 |
| 2 | Premera Blue Cross | $6,850,000 | 2020 |
| 3 | Advocate Health Care Network | $5,550,000 | 2016 |
| 4 | Excellus Health Plan | $5,100,000 | 2021 |
| 5 | New York-Presbyterian / Columbia University | $4,800,000 | 2014 |
| 6 | Montefiore Medical Center | $4,750,000 | 2024 |
| 7 | Cottage Health | $3,000,000 | 2018 |
| 8 | Memorial Hermann Health System | $2,400,000 | 2017 |
| 9 | CHSPSC (Community Health Systems) | $2,300,000 | 2020 |
Notice a pattern: most of these are large health systems and insurers. But that does not mean small practices are safe — OCR’s Right of Access Initiative targets organizations of every size, with penalties starting as low as $3,500.
Source: HHS OCR Resolution Agreements
Healthcare Data Breaches: The Trend Is Getting Worse
Large breaches (affecting 500+ individuals) reported to HHS:
| Year | Large Breaches Reported | Individuals Affected |
|---|---|---|
| 2018 | 371 | — |
| 2019 | 505 | — |
| 2022 | 626 | ~57 million |
| 2023 | 747 | ~168 million |
| 2024 | 721 | ~276 million |
2024 set the record for individuals affected — 276 million breached records in a single year, a 64% increase over 2023. The Change Healthcare breach alone accounted for approximately 190 million individuals, making it the largest healthcare data breach in history.
The number of large breaches has roughly doubled since 2018 (371 to 721), and the number of individuals affected has grown far faster than the breach count, because single breaches now expose tens of millions of records at once.
Source: HHS OCR Breach Portal, HIPAA Journal Healthcare Data Breach Statistics
How Breaches Happen: Hacking Now Dominates
The cause of healthcare data breaches has shifted dramatically:
- 2019: Hacking/IT incidents accounted for 49% of all large breaches
- 2023: That number jumped to ~80%
- 2024: Hacking accounted for 80% of breaches and 93% of all breached records
Ransomware is the primary driver. From 2018 to 2023, hacking-related breaches increased by 239%, and ransomware attacks specifically increased by 278%.
The remaining breach causes in 2024:
- Unauthorized access/disclosure: 114 incidents (16 million records)
- Loss/theft of devices: 18 incidents (continuing a long-term decline as encryption becomes standard)
- Improper disposal: ~10,300 individuals affected
The takeaway: if your practice is not treating cybersecurity as a compliance priority, you are ignoring the source of 80% of breaches.
Source: HIPAA Journal 2024 Healthcare Data Breach Report, HHS Breach Report to Congress 2022
Most Common HIPAA Violations
OCR’s cumulative enforcement data shows these as the most frequently reported violation categories:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards to protect PHI
- Lack of patient access to their own health records
- Lack of administrative safeguards for electronic PHI
- Use or disclosure of more than the minimum necessary PHI
In terms of what actually triggers financial penalties, failure to conduct a comprehensive risk analysis has been the single most common violation in 2023-2025 enforcement actions. OCR launched a dedicated Risk Analysis Enforcement Initiative in 2024 to specifically target this requirement.
Source: HHS OCR Enforcement Highlights
The Right of Access Initiative: Small Practices Are Not Exempt
OCR’s Right of Access Initiative, launched in 2019, specifically targets organizations that fail to provide patients timely access to their medical records.
Key numbers:
- 54 financial penalties imposed through December 2025
- Fine range: $3,500 to $200,000 per case
- Targets organizations of all sizes, including solo practitioners and small practices
This initiative has produced more individual enforcement actions than any other OCR program. The message is clear: denying, delaying, or overcharging for patient record access is one of the fastest ways to draw OCR’s attention.
Source: HHS OCR Right of Access Enforcement
OCR Complaints: Volume Keeps Rising
OCR complaint volume has been climbing steadily:
- 2022: 30,435 new complaints received
- 2018-2022 trend: 17% increase in complaints over the five-year period
- Cumulative since 2003: Over 374,000 complaints received
- Cases resolved with corrective action or technical assistance: Over 31,000
OCR investigates every complaint that meets jurisdictional requirements. Even if a complaint does not result in a financial penalty, it can trigger a corrective action plan that requires your practice to implement specific compliance measures under OCR oversight — often for 2-3 years.
Source: HHS OCR Numbers at a Glance, HHS Annual Report to Congress on HIPAA Compliance 2022
2024-2026 Enforcement Trends
What is changing right now:
- Risk Analysis Enforcement Initiative launched in 2024 — 9 penalties in its first year, with the OCR Director confirming expansion into risk management enforcement in 2026
- Right of Access Initiative continues with 54 total penalties and no signs of slowing
- Penalty cap raised to $2,190,294 per violation category (January 2026 inflation adjustment)
- Proposed 2026 Security Rule would make encryption mandatory, require 72-hour breach notification to HHS, mandate annual compliance audits, and require written technology asset inventories
- Change Healthcare aftermath: The 190-million-record breach is accelerating regulatory urgency around vendor risk management and business associate oversight
What this means for your practice:
The era of “we’re too small to be noticed” is over. OCR is running two dedicated enforcement initiatives, complaint volumes are rising, and the proposed 2026 rules will significantly expand what’s required. Every practice — regardless of size — needs a documented, maintained compliance program.
Source: HHS OCR Enforcement Highlights
How to Use These Statistics
If you are a healthcare practice owner, compliance officer, or IT provider serving healthcare, here is what this data tells you:
- Do your risk analysis. It is the #1 violation OCR penalizes, and OCR now has a dedicated initiative targeting it.
- Respond to patient record requests within 30 days. The Right of Access Initiative has produced 54 penalties and counting.
- Take cybersecurity seriously. 80% of breaches are hacking/IT incidents. Encryption, access controls, and workforce training are not optional.
- Document everything. OCR does not accept verbal assurances. If it is not written down, it did not happen.
- Manage your business associates. The Change Healthcare breach proved that your vendors’ security failures become your compliance problem.
Not sure where your gaps are? Take our free 3-minute HIPAA risk assessment or work through our 93-point compliance checklist to see exactly where you stand.