Healthcare Compliance & HIPAA Statistics (2026)

242.9 million exposed in 2024

In 2024, 663 large healthcare data breaches (each affecting 500 or more individuals) were reported to HHS OCR, exposing the protected health information of 242,908,056 individuals.

1.01 billion records since 2009

Since HHS OCR began tracking large healthcare data breaches in October 2009, the protected health information of 1,013,066,481 individuals has been exposed, more than 2.9 times the current U.S. population.

192.7 million in one attack

The February 2024 ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary, affected an estimated 192.7 million individuals, making it the largest healthcare data breach ever recorded.

$3.09 billion in fallout

The 2024 ransomware attack on Change Healthcare cost UnitedHealth Group an estimated $3.09 billion in total cyberattack impacts for the full year.

Two breaches a day

More than 700 large healthcare data breaches affecting 500 or more individuals are now reported to HHS OCR each year, roughly two large breaches every day.

81% from hacking

Hacking and IT incidents caused 81% of all large healthcare data breaches reported to HHS OCR in 2024 and accounted for 241,582,022 of the individuals affected, or 99.45% of all victims that year.

16 million via unauthorized access

Unauthorized access and disclosure incidents were the second leading cause of large HIPAA breaches in 2024, accounting for 15.7% of reported breaches (114 incidents) and exposing 16,099,437 records, nearly double the prior year.

30% at business associates

Business associates were the location of 30% of large healthcare data breaches in 2024, while healthcare providers accounted for 62% and health plans 7%.

41.2% of third-party breaches

Healthcare was the industry most impacted by third-party breaches in 2024, accounting for 41.2% of all third-party breaches tracked globally.

Ransomware up 278%

Between 2018 and September 2023, OCR documented a 278% increase in large healthcare breaches involving ransomware and a 239% increase in hacking-related breaches overall.

System intrusion now #1

By 2025, system intrusion overtook miscellaneous errors as the top healthcare breach pattern, with ransomware up 37% year over year and espionage as a motive surging from 1% of healthcare incidents to 16%.

70% insider-driven

In 2024, 70% of the threat actors behind healthcare data breaches were internal, with miscellaneous errors, privilege misuse, and system intrusions together causing 83% of breaches.

$9.77M per breach (2024)

For the 14th consecutive year, healthcare had the costliest data breaches of any industry, reaching $9.77 million per incident in 2024, more than double the $4.88 million cross-industry average.

$7.42M per breach (2025)

Healthcare data breaches cost an average of $7.42 million per incident in 2025, still the highest of any industry and a rank healthcare has held for 14 consecutive years.

279 days to contain

Healthcare data breaches took an average of 279 days to identify and contain in 2025, roughly five weeks longer than the 241-day global average, making healthcare the slowest industry to detect and remediate breaches.

72% disrupt patient care

In 2025, 72% of healthcare organizations that experienced cyberattacks suffered disruption to patient care, up from 69% the prior year.

$1.2M average ransom

Among healthcare ransomware victims in 2025, 33% paid the demand, with the average payment rising to $1.2 million from $1.1 million in 2024.

22 penalties in 2024

In 2024, HHS OCR imposed 22 financial penalties on covered entities and business associates, the most enforcement actions in a single year, collecting $9,944,612 in total penalties.

30,256 complaints

In 2024, HHS OCR received 30,256 new HIPAA compliance complaints, opened investigations into all 663 large breaches, and resolved 785 breach investigations.

$4.75M insider settlement

OCR's largest 2024 single-case settlement was $4.75 million against Montefiore Medical Center for Security Rule failures that let a malicious insider steal and sell the ePHI of 12,517 patients.

374,322 complaints since 2003

Since April 2003, OCR has received 374,322 HIPAA complaints, resolved 99% of them, and made 2,419 criminal referrals to the Department of Justice.

57 months to resolve

OCR investigations that end in a settlement or penalty take an average of 57 months from the initial complaint or breach notice to the public announcement, with a range of 14 to 88 months.

7 enforcement actions

OCR's Risk Analysis Initiative produced 7 enforcement actions in its first six months, each tied to a ransomware attack and every one citing failure to conduct an accurate and thorough security risk assessment.

13 of 20 cases

Risk analysis failures were the most common HIPAA violation cited in OCR enforcement actions in 2024, appearing in 13 of the 20 enforcement matters analyzed, ahead of information system activity reviews and access requests.

$31.7B improper payments

The Medicare Fee-for-Service improper payment rate was 7.66% in FY 2024, totaling $31.70 billion, with insufficient documentation a leading driver.

82% from bad documentation

Most Medicaid improper payments in FY 2023, 82% of them, were associated with payments for services with missing or insufficient documentation.

70% codes unsupported

As of November 2023, OIG found that roughly 70% of high-risk Medicare Advantage diagnosis codes were not supported in the associated medical records, with some unsupported more than 90% of the time.

84.2% unsupported at Humana

In a 2024 OIG compliance audit of Humana Medicare Advantage, 202 of 240 sampled enrollee-years (84.2%) had diagnosis codes unsupported by medical records, leading OIG to estimate at least $13.1 million in overpayments.

$7.5B from HRAs alone

Diagnoses reported only on health risk assessments, with no supporting documentation in any other service record, drove an estimated $7.5 billion in Medicare Advantage risk-adjusted payments for 2023 across 1.7 million enrollees.

$11.7M voluntary disclosure

Penn State Health paid $11,712,336 to resolve allegations that it billed Medicare for Annual Wellness Visit services that were not supported by the medical record.

60% see more denials

In a March 2024 MGMA poll, 60% of medical group leaders reported an increase in claim denial rates versus the prior year, with insufficient documentation cited as a leading cause.

MA denials up 55.7%

Care denials rose an average of 55.7% for Medicare Advantage claims and 20.2% for commercial claims between 2022 and 2023.

54.3% overturned

In 2024, 15.7% of Medicare Advantage and 13.9% of commercial claims were initially denied, and more than half (54.3%) were ultimately overturned, but only after costly rounds of appeals that cost hospitals an estimated $19.7 billion in 2022.

$1.67B in FCA recoveries

Healthcare accounted for over $1.67 billion of the $2.9 billion in False Claims Act recoveries in FY 2024, much of it driven by billing, coding, and documentation fraud, alongside a record 979 qui tam lawsuits filed.