
What 2025 Healthcare Data Breaches & Biggest of All Time Reveal About Protecting PHI
Anna Fitzgerald
Senior Content Marketing Manager
The healthcare sector consistently experiences some of the highest volumes of data breaches across all industries, often with the heftiest price tags and most damaging consequences.
In fact, healthcare had the highest average breach cost (USD 7.42 million) among industries for the 14th consecutive year in IBM’s 2025 Cost of a Data Breach Report. Healthcare breaches also took the longest to identify and contain at 279 days—more than five weeks longer than the global average.
In this article, we’ll cover why healthcare is such a target and the latest 2025 breach stats according to the OCR’s Breach Portal. Then we’ll dive into the top 10 breaches of all time, the costs and consequences of these breaches, and how to protect against them.
Why is healthcare frequently the target of cyber attacks?
There are three main reasons the healthcare sector is so heavily targeted by cyber attackers:
1. PHI is lucrative
Healthcare organizations manage an immense volume of protected health information (PHI), which contains highly sensitive data like names, birth dates, addresses, medical histories, diagnoses, and payment data. This data is richer than other types of personally identifiable information (PII) and has an incredibly long lifespan, meaning it can be misused for longer periods and for a variety of nefarious purposes, like submitting fraudulent insurance claims or obtaining loans or credit cards in the victim’s name.
Even when detected, it can be incredibly time-consuming and difficult to achieve a satisfactory resolution for a health care data breach. There’s no simple solution like cancelling a stolen credit card number.
That makes PHI extremely valuable on the black market, where a single electronic health record can sell for $60—three times more than a Social Security number and 20 times more than a credit card number.
2. Ransom payout is more likely
Ransomware actors, in particular, target hospitals and medical providers because availability is critical in healthcare environments. Since disruption of systems can delay or prevent care delivery, many healthcare organizations pay ransoms to restore access as quickly as possible. This urgency has made healthcare a high-value, high-success target for ransomware attacks.
According to a report by Claroty, more than three-quarters of healthcare organizations reported paying more than $500,000 in ransom as a result of cyberattacks.
3. Cyber maturity is likely lower
Finally, the health care sector has historically low levels of cyber maturity as a result of limited resources, competing priorities, legacy software, and reliance on specialized medical technologies that are difficult to secure like the Internet of Medical Things (IoMT) devices, among other reasons. This makes it relatively easy for hackers to gain unauthorized access to information and information systems.
In the Cybernews Business Digital Index, which grades worldwide organizations based on their online security measures, the combined security performance of the 100 largest US hospitals and health systems shows that 45% are in the high risk (D score) category, while 34% are in the critical risk (F score) category.

What we know about the most recent healthcare data breaches in 2025
Health care data breaches continue to be prevalent this year, posing significant risks to patient privacy and security.
To assess how the health care sector has already been impacted by breaches this year and what we can expect in the future, we analyzed the Breach Portal maintained by the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR). We looked at the breaches reported this year, from January 1 to August 31, 2025, including both resolved breach reports and breaches currently under investigation.
Here are the key findings:
- Nearly 500 breaches of unsecured PHI affecting 500 or more individuals have been reported year-to-date to the Office for Civil Rights, including both open and resolved reports.
- Over 37.5 million individuals have been affected by healthcare breaches YTD.
- Healthcare breaches in 2025 have affected 76,000 individuals per breach on average.
- The most common covered entity type involved in these breaches is healthcare providers, accounting for 76% of reported breaches YTD.
- The most common type of breach is Hacking/IT Incident, accounting for 78% of reported breaches YTD.
- Network Server was the most common location of breached information, accounting for 58% of reported breaches YTD.
- A business associate was present in more than one-third (37%) of reported breaches YTD.
These findings suggest that hacking incidents targeting network servers and business associates will continue to dominate breach reports through the rest of 2025, reflecting the industry’s ongoing struggle with ransomware, vendor risk, and cloud security.
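As an added example (not code from the original article, and not the OCR portal's own tooling), the following Python script recomputes these summary metrics from a CSV in the breach portal's export layout. The sample rows are the ten 2025 entries from the table later on this page plus two constructed rows; the column headings are assumed to match the portal's.

```python
"""Recompute the breach-summary metrics from an OCR breach-portal style CSV export."""
import csv
import io
from datetime import date, datetime

# Constructed sample in the portal's export layout (not a real export): the ten
# 2025 rows from this page's table plus two constructed rows, one of them dated
# outside the reporting window so the date filter has something to exclude.
SAMPLE_CSV = """\
Name of Covered Entity,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Yale New Haven Health System,Healthcare Provider,5556702,04/11/2025,Hacking/IT Incident,Network Server,No
"Episource, LLC",Business Associate,5418866,06/06/2025,Hacking/IT Incident,Network Server,Yes
Blue Shield of California,Business Associate,4700000,04/09/2025,Hacking/IT Incident,Network Server,Yes
Anne Arundel Dermatology,Healthcare Provider,1905000,07/11/2025,Hacking/IT Incident,Network Server,No
"Radiology Associates of Richmond, Inc.",Healthcare Provider,1419091,07/01/2025,Hacking/IT Incident,Network Server,No
"Southeast Series of Lockton Companies, LLC (Lockton)",Business Associate,1124727,02/28/2025,Hacking/IT Incident,Network Server,Yes
"Community Health Center, Inc.",Healthcare Provider,1060936,01/30/2025,Hacking/IT Incident,"Electronic Medical Record, Network Server",No
Frederick Health,Healthcare Provider,934326,03/28/2025,Hacking/IT Incident,Network Server,No
McLaren Health Care,Healthcare Provider,743131,06/24/2025,Hacking/IT Incident,Network Server,No
Medusind Inc.,Business Associate,701475,01/07/2025,Hacking/IT Incident,Network Server,Yes
Example Health Plan (constructed),Health Plan,12000,05/05/2025,Unauthorized Access/Disclosure,Email,No
Example Clinic (constructed),Healthcare Provider,600,12/15/2024,Theft,Laptop,No
"""


def parse_rows(text):
    """Parse the export, normalising the numeric, date and multi-valued fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "entity": r["Name of Covered Entity"],
            "entity_type": r["Covered Entity Type"].strip(),
            "affected": int(r["Individuals Affected"].replace(",", "")),
            "submitted": datetime.strptime(r["Breach Submission Date"], "%m/%d/%Y").date(),
            "breach_type": r["Type of Breach"].strip(),
            # The location column can list several places, e.g.
            # "Electronic Medical Record, Network Server"; split it into a set.
            "locations": {loc.strip() for loc in r["Location of Breached Information"].split(",")},
            "ba_present": r["Business Associate Present"].strip().lower() == "yes",
        })
    return rows


def summarize(rows, start, end, min_affected=500):
    """Key metrics for reports submitted in [start, end]; the portal lists 500+ breaches."""
    window = [r for r in rows
              if start <= r["submitted"] <= end and r["affected"] >= min_affected]
    n = len(window)
    if n == 0:
        raise ValueError("no breach reports in the requested window")
    total = sum(r["affected"] for r in window)

    def share(pred):
        return sum(1 for r in window if pred(r)) / n

    return {
        "breach_count": n,
        "individuals_affected": total,
        "avg_per_breach": total / n,
        "provider_share": share(lambda r: r["entity_type"] == "Healthcare Provider"),
        "hacking_share": share(lambda r: r["breach_type"] == "Hacking/IT Incident"),
        "network_server_share": share(lambda r: "Network Server" in r["locations"]),
        "ba_present_share": share(lambda r: r["ba_present"]),
    }


def page_window_summary():
    """The January 1 to August 31, 2025 window used in the article."""
    return summarize(parse_rows(SAMPLE_CSV), date(2025, 1, 1), date(2025, 8, 31))


if __name__ == "__main__":
    for key, value in page_window_summary().items():
        print(f"{key:>22}: {value:.0%}" if key.endswith("share") else f"{key:>22}: {value:,.0f}")
```

Pointing `parse_rows` at a full portal export reproduces the year-to-date figures above; the constructed December 2024 row is dropped by the date filter.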

With multiple 2025 breaches already impacting millions of patients and many still under investigation, it’s likely that this year will rank among the costliest on record for healthcare data breaches, further intensifying regulatory scrutiny and class-action litigation.
To get a sense of this impact, the table below shows the 10 largest breaches reported to the OCR in 2025 to date. The first breach report by Yale New Haven Health System has been resolved, while the rest are currently under investigation.
Name of Covered Entity | Covered Entity Type | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breached Information | Business Associate Present |
---|---|---|---|---|---|---|
Yale New Haven Health System | Healthcare Provider | 5,556,702 | 04/11/2025 | Hacking/IT Incident | Network Server | No |
Episource, LLC | Business Associate | 5,418,866 | 06/06/2025 | Hacking/IT Incident | Network Server | Yes |
Blue Shield of California | Business Associate | 4,700,000 | 04/09/2025 | Hacking/IT Incident | Network Server | Yes |
Anne Arundel Dermatology | Healthcare Provider | 1,905,000 | 07/11/2025 | Hacking/IT Incident | Network Server | No |
Radiology Associates of Richmond, Inc. | Healthcare Provider | 1,419,091 | 07/01/2025 | Hacking/IT Incident | Network Server | No |
Southeast Series of Lockton Companies, LLC (Lockton) | Business Associate | 1,124,727 | 02/28/2025 | Hacking/IT Incident | Network Server | Yes |
Community Health Center, Inc. | Healthcare Provider | 1,060,936 | 01/30/2025 | Hacking/IT Incident | Electronic Medical Record, Network Server | No |
Frederick Health | Healthcare Provider | 934,326 | 03/28/2025 | Hacking/IT Incident | Network Server | No |
McLaren Health Care | Healthcare Provider | 743,131 | 06/24/2025 | Hacking/IT Incident | Network Server | No |
Medusind Inc. | Business Associate | 701,475 | 01/07/2025 | Hacking/IT Incident | Network Server | Yes |
While 2025 has already set records for settlements, many of the largest health care breaches in history still define the regulatory and security landscape today. Let’s take a look.
Biggest data breaches in healthcare of all time
The 2025 breach statistics and examples above provide valuable insight into today’s healthcare threat landscape: which attack vectors are most common, which entities are being targeted, and how widespread the impact has been.
But to fully understand the risks to this sector and to the nation, we want to look at the largest healthcare breaches of all time.
There are two key benefits to taking this broader perspective:
- More information is available: Past breaches are more likely to have been investigated, reported on, and analyzed in detail by the media and the OCR. This means we have clearer insight into the root causes, enforcement actions, and long-term fallout of these breaches.
- They help show how breaches have evolved over time: From insider misuse in the early 2000s to sophisticated ransomware campaigns today, these breaches illustrate how healthcare threats have shifted over decades since HIPAA enforcement began.
By examining these landmark health care data breaches, we can see not only the persistence of certain cyber threats but also the lessons learned, which can help prevent the next generation of healthcare data breaches.
To identify the 10 healthcare data breaches affecting the highest number of individuals of all time, we analyzed the U.S. Department of Health and Human Services (HHS) Breach Portal, looking at both cases currently under investigation and cases that have been resolved in the archive.
Let’s dive into each one below.
Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breached Information | Business Associate Present |
---|---|---|---|---|---|---|---|
Change Healthcare, Inc. | MN | Business Associate | 192,700,000 | 07/19/2024 | Hacking/IT Incident | Network Server | Yes |
Anthem Inc. | IN | Health Plan | 78,800,000 | 02/13/2015 | Hacking/IT Incident | Network Server | No |
Welltok, Inc. | CO | Business Associate | 14,782,887 | 11/06/2023 | Hacking/IT Incident | Network Server | Yes |
Kaiser Foundation Health Plan, Inc. | CA | Health Plan | 13,400,000 | 04/12/2024 | Unauthorized Access/Disclosure | Network Server | No |
Optum360, LLC | MN | Business Associate | 11,500,000 | 07/01/2019 | Hacking/IT Incident | Network Server | Yes |
HCA Healthcare | TN | Business Associate | 11,270,000 | 07/31/2023 | Hacking/IT Incident | Network Server | Yes |
Premera Blue Cross | WA | Health Plan | 11,000,000 | 03/17/2015 | Hacking/IT Incident | Network Server | No |
Laboratory Corporation of America Holdings dba LabCorp | NC | Healthcare Provider | 10,251,784 | 07/13/2019 | Hacking/IT Incident | Network Server | Yes |
Excellus Health Plan, Inc. | NY | Health Plan | 9,358,891 | 09/09/2015 | Hacking/IT Incident | Network Server | No |
Perry Johnson & Associates, Inc. dba PJ&A | NV | Business Associate | 9,302,588 | 11/03/2023 | Hacking/IT Incident | Network Server | Yes |
1. Change Healthcare data breach
- Individuals affected: 192.7 million
- Year reported: 2024
- Cause: Sophisticated ransomware campaign
- Estimated cost: $2.9 billion
In 2024, Change Healthcare, one of the largest healthcare technology companies in the U.S., reported a catastrophic breach that exposed the PHI of nearly 193 million people. The incident was tied to a ransomware attack that exploited a lack of multifactor authentication—a basic cybersecurity safeguard—on a legacy server.
At the time of the attack, Change Healthcare was handling 15 billion transactions annually—more than one-third of all health care claims. When this ransomware attack took down the nation’s largest medical clearinghouse, it caused widespread disruptions to claims and therefore revenue cycles across physician practices, with smaller practices taking the biggest economic hit.
The cost of this attack is astronomical, with Change Healthcare estimating it at $2.87 billion in 2024. The total cost is expected to rise with an anticipated record-breaking HIPAA settlement and class action lawsuits.
Why it matters: This is the largest healthcare breach ever reported, dwarfing Anthem’s 2015 breach, and is expected to result in record-breaking settlements. It underscores how dependent the industry is on third-party service providers and how a single breach can ripple across the healthcare ecosystem.
2. Anthem data breach
- Individuals affected: 78.8 million
- Year reported: 2015
- Cause: Spear-phishing email attack
- Estimated cost: $260.5 million
The Anthem breach exposed personal information including names, Social Security numbers, addresses, and employment details of nearly 79 million people. Attackers gained access through a targeted spear-phishing email, which allowed them to install malware and move laterally through Anthem’s systems undetected for months.
Anthem’s report of the breach in early 2015 caused widespread alarm among Anthem’s members and ended up costing the insurer hundreds of millions of dollars in recovery efforts and legal expenses, including a $115 million class-action settlement in 2017 and a record-setting $16 million settlement with the OCR in 2018 for potential HIPAA violations related to the breach. In total, the breach is estimated to have cost Anthem approximately $260.5 million.
Why it matters: At the time, it was the largest healthcare breach in U.S. history and led to a $16 million HIPAA settlement, which is still the highest ever issued. It highlighted the risks of insufficient access controls, monitoring of system activity, and incident response.
3. Welltok data breach
- Individuals affected: 14.7 million
- Year reported: 2023
- Cause: Exploitation of zero-day vulnerability in MOVEit Transfer
- Estimated cost: Unknown
In May 2023, Welltok, a business associate providing population health management solutions, reported a breach affecting nearly 15 million people. When members of the Clop hacking group exploited a zero-day vulnerability in Progress Software's MOVEit Transfer tool, which Welltok used for transferring large datasets, they were able to gain unauthorized access to Welltok's server and exfiltrate sensitive data such as names, contact information, and health plan details.
Welltok is just one of more than 2,600 companies globally that fell victim to the global cyberattack by the Clop group.
In response to the breach, Welltok provided complimentary credit monitoring services, implemented additional administrative, technical, and security safeguards, and retrained staff to better protect PHI.
While the full extent of the damage and cost of this breach is unknown, we do know that Horizon Health—just one of thousands of partners affected by the Welltok incident—spent approximately $1 million on cybersecurity following the breach.
Why it matters: As a business associate, Welltok demonstrates how third-party vendors that handle PHI can be just as vulnerable as healthcare providers. This underscores how supply chain security must be a top priority in the healthcare sector.
4. Kaiser Foundation Health Plan data breach
- Individuals affected: 13.4 million
- Year reported: 2024
- Cause: Unauthorized access/disclosure via tracking technologies on its websites and apps
- Estimated cost: Unknown
In 2024, Kaiser Foundation Health Plan reported a breach caused by unauthorized disclosure of data to third parties such as Microsoft (Bing), Google, and X (Twitter) via tracking technologies on its websites and apps. Details included member IDs, personal information, and health plan data of 13.4 million people.
While not all records included sensitive clinical data, the scale of exposure was massive. It is the largest confirmed healthcare data breach to date involving website tracking technologies.
Following the breach report, OCR published guidance on HIPAA and tracking technologies in December 2022 and updated this guidance in 2024 to clarify when these technologies can be used and how they can be made HIPAA-compliant.
While the cost of this 2024 data breach is not yet known, it has resulted in a class action lawsuit and will likely result in a substantial HIPAA settlement.
Why it matters: This incident highlights that not all healthcare breaches involve malicious external actors and that not all breaches are caused by HIPAA violations made out of willful neglect. Insider error and a lack of awareness of HIPAA violations, particularly when it comes to implementing HIPAA requirements and mitigating the risks to ePHI when using new technologies like online tracking technologies, can lead to the impermissible disclosure of millions of records.
5. Optum360 data breach
- Individuals affected: 11.5 million
- Year reported: 2019
- Cause: Unauthorized user gained access to a business associate’s internal systems
- Estimated cost: Unknown
Optum360, a revenue-cycle management company that provided collections services for Quest Diagnostics, reported a breach after its business associate and billing services partner American Medical Collection Agency (AMCA) was hacked. The attack compromised sensitive patient billing and medical data of over 11 million individuals across multiple providers between August 2018 and March 2019. AMCA failed to detect the intrusion, despite warnings from banks that processed its payments.
Following the breach, Optum360 terminated its business relationship with AMCA, as did three of its other biggest customers. Shortly after, AMCA’s parent company laid off most of its workforce and filed for Chapter 11 bankruptcy due to the substantial costs associated with the data breach, including over $3.8 million to mail notifications to millions of affected individuals. Ultimately, AMCA filed for dismissal of the bankruptcy and settled a multistate action lawsuit for $21 million, which has been suspended.
While the cost of the AMCA breach is unknown, we know it affected at least 23 companies and nearly 25 million individuals.
Why it matters: The case shows how breaches at one vendor (AMCA) can cascade across many healthcare organizations, exposing millions of records and hurting the brand reputation and revenue of covered entities and BAs whose own systems were not directly affected by the breach. It also shows how severe the consequences of a breach can be, leading to terminated business relationships and bankruptcy.
6. HCA Healthcare data breach
- Individuals affected: 11.27 million
- Year reported: 2023
- Cause: Hacking of external storage location
- Estimated cost: Unknown
In mid-2023, HCA Healthcare, one of the largest hospital systems in the U.S., disclosed a breach that exposed personal data of more than 11 million patients. The compromised information appeared to be taken from an external storage location exclusively used to automate the formatting of email messages and included names, contact details, and appointment records, though not medical diagnoses or treatment data.
HCA Healthcare said the storage location was immediately disabled when the breach was discovered and that the incident had no impact on patient care and that it is not expected to have any impact on its business, operations, or financial results. However, in July 2025, the health system agreed to a class action lawsuit settlement that will involve paying an undisclosed sum to resolve allegations that it failed to protect patient information in the 2023 data breach.
Why it matters: While less sensitive clinical data was leaked, the scale made this one of the biggest breaches of 2023. It highlights that even “non-medical” identifiers can still fuel phishing, fraud, and identity theft against patients and the importance of ongoing education for employees to maintain awareness of safe practices when storing or handling PHI.
7. Premera Blue Cross data breach
- Individuals affected: 11 million
- Year reported: 2015
- Cause: Phishing email that installed malware in IT system
- Estimated cost: $90.85 million
In 2015, Premera reported a breach after hackers gained unauthorized access to its systems for nearly a year. After a phishing email installed malware that gave them access to Premera’s IT system, the attackers stole data from nearly 10.5 million people, including medical claims information, bank account numbers, and Social Security numbers.
Premera ultimately agreed to a $6.85 million HIPAA settlement, one of the largest ever at the time. The company also settled a multi-state lawsuit for $10 million and a class action lawsuit for $74 million ($32 million to a fund covering recovery costs for class members, attorneys’ fees, and costs, and $42 million toward improved data security).
Why it matters: This breach underscored the danger of delayed detection, which may enable attackers to remain in the network for months and lead to higher HIPAA fines and lawsuits. Having an incident response plan in place before a breach happens can help reduce cost, uncertainty, and disruption.
8. LabCorp data breach
- Individuals affected: 10.25 million
- Year reported: 2019
- Cause: Hacking incident at business associate AMCA
- Estimated cost: $11.5 million at least
Like Quest and its revenue cycle management provider, Optum360, Laboratory Corporation of America (LabCorp) used AMCA as a third-party billing collections firm and had to disclose in 2019 that AMCA had been breached. The incident exposed data of more than 10 million patients (although earlier estimates put that number closer to 7.7 million), including balances owed, contact details, and insurance information.
As a result of this breach, LabCorp terminated its business relationship with AMCA.
In an SEC filing, LabCorp said the AMCA data breach cost the company $11.5 million in 2019 in response and remediation costs, but a lawsuit against LabCorp by a shareholder argues that this figure is just a fraction of the total losses and does not cover the cost of the litigation that followed. This lawsuit also alleges that the impact of the 2019 breach was in part due to LabCorp providing PHI to AMCA without ensuring the company had sufficient cybersecurity controls in place and not having a sufficient data breach response plan in place.
Why it matters: Like the Optum360 breach, this shows how vendor-related incidents can balloon into massive exposures, especially when a single business associate serves multiple major healthcare providers. It further highlights how essential due diligence and oversight of vendors is when it comes to protecting PHI.
9. Excellus Health Plan data breach
- Individuals affected: 9.35 million
- Year reported: 2015
- Cause: Attackers gained unauthorized access to its systems and went undetected for over a year
- Estimated cost: $22.4 million
Excellus, a New York–based health plan, disclosed in 2015 that hackers had gained unauthorized access to its IT systems dating back nearly two years. The attackers installed malware and ultimately stole names, addresses, Social Security numbers, and financial account information of more than 9 million members.
Excellus paid $17.3 million responding to the breach that year. Then, in January 2021, Excellus agreed to pay $5.1 million to settle potential HIPAA violations related to this breach. This brings the total estimated cost to $22.4 million.
Why it matters: Long-term undetected breaches like this one highlight the importance of continuous monitoring, threat detection, and incident response readiness.
10. Perry Johnson & Associates (PJ&A) data breach
- Individuals affected: 9.3 million
- Year reported: 2023
- Cause: Unauthorized user gained access to PJ&A network and launched ransomware attack
- Estimated cost: Unknown
PJ&A, a Nevada-based medical transcription services provider, reported a breach in late 2023 that affected more than 9 million individuals. Attackers compromised sensitive PHI such as diagnoses, treatment details, and lab results.
Since PJ&A is a business associate of many healthcare organizations and some have chosen to report data breaches to OCR themselves, the scope of this breach is actually bigger than 9 million.
As of January 2024, at least 40 lawsuits had already been filed against PJ&A alleging negligence for failing to implement reasonable and appropriate cybersecurity measures to safeguard the sensitive health data provided by its clients. In some of these lawsuits, the affected healthcare companies are named as co-defendants.
Why it matters: PJ&A’s breach demonstrates how business associates—even those providing back-office services like transcription—are high-value targets for attackers due to their direct access to large volumes of clinical records.

Healthcare data breach cost
Data breaches in healthcare are the most expensive of any industry.
As mentioned earlier, the average cost of a healthcare breach is $7.42 million, which is about 40% higher than the global average, according to IBM’s latest Cost of a Data Breach Report.
This total cost includes a variety of factors, such as:
- HIPAA fines and settlements: Civil penalties can reach $1.5 million per year for identical HIPAA violations. While OCR can and does impose hefty civil penalties on organizations (like the $4.3 million fine on Cignet Health), it is more common that the OCR and organization agree to multi-million-dollar settlements to resolve investigations into potential HIPAA violations after large-scale breaches.
- Litigation: As seen in the examples above, class action lawsuits frequently follow large breaches and can drive up costs dramatically.
- Notification and credit monitoring: Notifying affected individuals is required by law when PHI is exposed in breaches, which can cost millions of dollars. Most organizations offer free credit monitoring services when notifying affected individuals as well, further driving up the cost. For example, Excellus paid Kroll Info Assurance $13.5 million in 2015 to provide credit monitoring and other identity theft protection for hundreds of thousands of customers affected by the breach.
- Remediation costs: Forensics investigations, system repairs, data restoration, and other immediate post-breach response actions add to the overall cost. Also, organizations that enter into corrective action plan agreements with the OCR often have to invest millions to implement these measures in the long term.
- Operational disruption: Lost revenue from system downtime, delayed treatments, disrupted billing, and diverted patients are also part of the average cost of a health data breach.
When you factor in reputational harm and patient churn, the true cost of a healthcare breach can far exceed the $7.42 million average. Let’s take a closer look at these non-financial consequences below.
Consequences of a data breach in healthcare
The financial impact of a health care data breach is severe, but there are other consequences that you can’t put a price tag on, such as:
- Patient safety risks: Ransomware or system outages can delay critical treatments, testing, or prescriptions.
- Loss of patient trust: Patients may switch providers after their PHI is exposed, especially if the breach was preventable.
- Reputational damage: Breaches can make headlines and tarnish a brand for years, impacting patient acquisition and retention.
- Regulatory scrutiny: OCR investigations can result in multi-year corrective action plans that typically expand compliance obligations and include more frequent audits and stringent reporting requirements.
- Staff burden: IT and compliance teams face burnout during prolonged remediation, while frontline staff have to take on the responsibility of managing patient concerns.
Healthcare breaches are particularly disastrous because they affect the organization’s bottom line, patient well-being, and the nation’s critical infrastructure.
Healthcare data breach causes
OCR’s enforcement history makes it clear: the same failures appear again and again in major healthcare breaches and investigations of HIPAA violations.
Since these represent systemic weaknesses that attackers exploit and regulators penalize most harshly rather than isolated oversights, let’s take a closer look at each so you can avoid them.
Failure to conduct an enterprise-wide risk analysis
One of the most common findings in OCR settlements is that organizations either never performed a comprehensive risk analysis or failed to keep it updated.
HIPAA requires covered entities and business associates to identify potential risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI). Without this foundation, organizations cannot effectively manage these risks or demonstrate compliance.

Failure to address known risks and vulnerabilities
Even when risk analyses are performed, OCR often finds that organizations fail to act on the results. Simply documenting risks isn’t enough; HIPAA requires risks to be reduced to a reasonable and appropriate level.
Enforcement cases like the $3 million settlement with University of Rochester Medical Center show that ignoring high-risk findings (such as lack of encryption on portable devices) almost always leads to costly breaches and penalties.
Failure to monitor system activity
Healthcare entities must implement logging and monitoring capabilities to track access to ePHI.
OCR has penalized multiple organizations, including Premera Blue Cross, for not having sufficient hardware, software, or procedures in place to review system activity. Without this visibility, malicious insiders or external attackers often operate undetected for months or even years, amplifying the cost and overall damage of a breach.
Failure to respond to security incidents
OCR investigations frequently cite organizations for not having clear incident response procedures or for failing to act on red flags.
Whether it’s ignoring alerts, delaying forensic investigations, or failing to properly review and monitor access and audit logs, poor response amplifies the fallout from a breach and results in heavier penalties.
Failure to implement adequate access controls
Many breaches stem from unauthorized access to patient records, often by malicious outsiders but sometimes by employees or contractors without a valid treatment-related need.
HIPAA requires robust access controls such as role-based access, unique user IDs, and audit logs to limit unnecessary or inappropriate disclosure of PHI. OCR has emphasized that failing to enforce minimum necessary access is a direct violation of the HIPAA Privacy Rule and HIPAA Security Rule in several enforcement cases.
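The two failures just described, not reviewing system activity and not enforcing minimum necessary access, can both be checked against the audit trail HIPAA already requires. The following is an added example, not code from the article: it reviews constructed ePHI access log lines against an assumed role-permission table and an assumed care-team roster, flagging accesses outside a user's role, clinical reads by users with no treatment relationship to the patient, and rapid browsing across many patients' records.

```python
"""Review an ePHI access audit log for minimum-necessary violations (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed role-based permissions: which record categories each role may access.
ROLE_PERMISSIONS = {
    "physician": {"clinical", "demographics"},
    "nurse": {"clinical", "demographics"},
    "billing": {"demographics", "billing"},
    "it_admin": set(),  # administers systems; has no need to read patient records
}

# Assumed care-team roster (the treatment relationship): patient -> treating users.
CARE_TEAM = {
    "P-1001": {"u.alvarez", "u.chen"},
    "P-1002": {"u.chen"},
    "P-1003": {"u.alvarez"},
}

# Constructed audit log lines: timestamp|user|role|patient|record category|action
AUDIT_LOG = """\
2025-03-02T08:01:10|u.alvarez|physician|P-1001|clinical|view
2025-03-02T08:05:42|u.chen|nurse|P-1002|clinical|update
2025-03-02T08:07:03|u.patel|billing|P-1001|billing|view
2025-03-02T08:09:55|u.patel|billing|P-1001|clinical|view
2025-03-02T08:15:00|u.chen|nurse|P-1003|clinical|view
2025-03-02T08:30:12|u.osei|it_admin|P-1002|demographics|export
2025-03-02T09:00:00|u.reed|nurse|P-1001|clinical|view
2025-03-02T09:00:30|u.reed|nurse|P-1002|clinical|view
2025-03-02T09:01:00|u.reed|nurse|P-1003|clinical|view
"""


def parse_log(text):
    """Turn pipe-delimited audit lines into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, category, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "patient": patient, "category": category, "action": action})
    return events


def detect_browsing(events, window, threshold):
    """Users who touch `threshold` or more distinct patients within `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            patients = {e["patient"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(patients) >= threshold:
                flagged.add(user)
                break
    return flagged


def review(events, role_perms=ROLE_PERMISSIONS, care_team=CARE_TEAM,
           window=timedelta(minutes=5), threshold=3):
    """Apply the three checks; each finding is (reason, user, patient)."""
    findings = []
    for e in events:
        # Unknown roles get no permissions, so they are flagged as well.
        if e["category"] not in role_perms.get(e["role"], set()):
            findings.append(("role_violation", e["user"], e["patient"]))
            continue
        # Clinical records require a treatment relationship, not merely a clinical role.
        if e["category"] == "clinical" and e["user"] not in care_team.get(e["patient"], set()):
            findings.append(("no_treatment_relationship", e["user"], e["patient"]))
    for user in sorted(detect_browsing(events, window, threshold)):
        findings.append(("record_browsing", user, None))
    return findings


def count_by_reason(findings):
    """Tally findings by reason for a quick review summary."""
    return Counter(reason for reason, _, _ in findings)


if __name__ == "__main__":
    for reason, user, patient in review(parse_log(AUDIT_LOG)):
        print(f"{reason:<26} {user:<10} {patient or '-'}")
```

Each finding in a real deployment would feed an alert or a periodic access review rather than a print statement; the thresholds for browsing are tunable and should be calibrated to a unit's normal workload.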
Failure to safeguard PHI across all devices
Unencrypted laptops left in cars, portable drives lost in transit, and smartphones used to access ePHI without proper security controls are all recurring themes in OCR’s breach archive.
HIPAA requires administrative, physical, and technical safeguards to protect PHI on every device, not just within central systems. Portable devices in particular remain one of the biggest weak spots in healthcare security.
Failure to establish business associate agreements (BAAs)
Vendors and contractors that create, receive, maintain, or transmit PHI are considered business associates under HIPAA. OCR has repeatedly penalized healthcare entities for sharing PHI without a signed BAA that outlines each party’s responsibilities.
With business associates implicated in more than one-third of reported breaches in 2025 to date, vendor management and proper business associate agreements continue to be essential to avoiding health data breaches and HIPAA violations.
How to prevent healthcare data breaches
Healthcare organizations face complex and evolving cyber threats, but there are proven safeguards that significantly reduce risk. Below are the most important steps to take.
1. Conduct regular risk assessments
Routine HIPAA risk assessments allow you to identify risks and vulnerabilities before attackers do. This should be part of a larger risk management strategy involving penetration testing, internal audits, and third-party assessments.
Regular risk assessments and audits also help confirm whether your technical, administrative, and physical safeguards are working as intended and provide the documentation that regulators will expect to see if a breach does occur.
2. Encrypt sensitive data in transit and at rest
Encryption ensures that even if PHI is intercepted or stolen, it remains unreadable without the correct decryption keys.
While HIPAA treats encryption as an addressable rather than a required implementation specification, it is widely considered a “best practice” safeguard and is often cited in enforcement cases where data was exposed without it—like Advocate Health’s breach that occurred when an unencrypted laptop was stolen from an unlocked vehicle overnight.
Applying encryption or an equivalent safeguard across endpoints, servers, cloud platforms, and mobile devices is one of the most effective defenses against data theft.
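The device-level gaps described under "Failure to safeguard PHI across all devices" and the endpoint encryption recommendation just above can be checked mechanically against an asset inventory. The following is an added illustration, not code from this article or from Secureframe: the inventory rows are constructed, and the notion of a "managed" device (one enrolled in mobile device management so it can be locked or wiped remotely) is an assumption added for the example.

```python
"""Flag devices that hold ePHI without an encryption safeguard.

Added illustration only; not code from this article or from Secureframe.
The device inventory below is constructed sample data.
"""
from dataclasses import dataclass

PORTABLE_TYPES = {"laptop", "usb_drive", "phone", "tablet"}
SEVERITY_ORDER = {"high": 0, "medium": 1}


@dataclass(frozen=True)
class Device:
    asset_id: str
    kind: str             # laptop, server, usb_drive, phone, ...
    stores_ephi: bool     # holds or caches ePHI locally
    disk_encrypted: bool  # full-disk or storage encryption enabled
    mdm_enrolled: bool    # managed: remote lock and wipe available (assumed attribute)


INVENTORY = [
    Device("LT-001", "laptop", True, True, True),
    Device("LT-002", "laptop", True, False, True),    # ePHI on an unencrypted laptop
    Device("USB-01", "usb_drive", True, False, False),
    Device("SRV-01", "server", True, True, False),
    Device("PH-004", "phone", True, True, False),     # encrypted but unmanaged
    Device("LT-003", "laptop", False, False, False),  # no ePHI: not a finding
]


def find_violations(devices):
    """Return (asset_id, finding, severity) tuples, highest severity first."""
    findings = []
    for d in devices:
        if not d.stores_ephi:
            continue
        if not d.disk_encrypted:
            # A lost or stolen portable device is the classic OCR case: treat as high.
            severity = "high" if d.kind in PORTABLE_TYPES else "medium"
            findings.append((d.asset_id, "ephi_unencrypted", severity))
        if d.kind in PORTABLE_TYPES and not d.mdm_enrolled:
            findings.append((d.asset_id, "portable_without_mdm", "medium"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[2]], f[0]))


def summary(findings):
    """Count findings per severity for a quick dashboard line."""
    counts = {}
    for _, _, severity in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_violations(INVENTORY)
    for asset_id, finding, severity in results:
        print(f"{severity:6} {asset_id:8} {finding}")
    print(summary(results))
```

Run against a real inventory export, the same logic gives a prioritized remediation list: unencrypted portable devices that carry ePHI first, then managed-device gaps, while devices that never hold ePHI are ignored.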
3. Implement multi-factor authentication (MFA)
Strong authentication helps prevent unauthorized access even if credentials are compromised. MFA requires users to provide an additional verification factor, such as a mobile code or biometric ID, before accessing systems that contain PHI.
In many of the largest breaches, including Change Healthcare’s landmark breach, attackers took advantage of this missing safeguard and leveraged stolen or weak passwords to gain unauthorized access to health systems.
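To make concrete why a stolen or weak password alone is not enough once MFA is in place, here is an added illustration of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238), built with only the Python standard library. It is not code from this article or from Secureframe; the user, password and timestamps are constructed, and the TOTP secret is the published RFC 6238 test key so the generated codes can be compared with the RFC's test vectors.

```python
"""Password plus time-based one-time code (TOTP, RFC 6238) with the standard library.

Added illustration only; not code from this article or from Secureframe.
The user, password and timestamps are constructed; the TOTP secret is the
published RFC 6238 test key, used so the codes can be checked against the RFC.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of "12345678901234567890"


@dataclass
class User:
    user_id: str
    salt: bytes
    pw_hash: bytes
    totp_secret: str  # base32, shared with the user's authenticator app at enrollment


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, pw_hash):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, pw_hash)


def enroll(user_id, password, totp_secret=None):
    """Create a user record; a fresh random TOTP secret unless one is supplied."""
    secret = totp_secret or base64.b32encode(secrets.token_bytes(20)).decode()
    salt, pw_hash = hash_password(password)
    return User(user_id, salt, pw_hash, secret)


def totp(secret_b32, at_time, step=30, digits=6):
    """RFC 6238: HOTP over the number of 30-second steps since the Unix epoch."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, code, at_time, step=30, window=1):
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    if not (isinstance(code, str) and code.isascii()):
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at_time + drift * step, step)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def login(user, password, code, at_time=None):
    """Returns "denied", "mfa_required" or "ok"; a password alone never yields "ok"."""
    now = time.time() if at_time is None else at_time
    if not verify_password(password, user.salt, user.pw_hash):
        return "denied"
    if not verify_totp(user.totp_secret, code, now):
        return "mfa_required"
    return "ok"


if __name__ == "__main__":
    user = enroll("u-01", "correct horse battery staple", RFC6238_TEST_SECRET)
    print(login(user, "correct horse battery staple", None, at_time=59))          # mfa_required
    print(login(user, "correct horse battery staple", totp(RFC6238_TEST_SECRET, 59), at_time=59))  # ok
```

Two details matter in practice: the one-time code comparison uses a constant-time compare, and the drift window is kept to one step so a code stays valid for at most about 90 seconds.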
4. Provide comprehensive cybersecurity and HIPAA training
Human error is one of the leading causes of healthcare breaches. Training employees to recognize phishing attempts, handle PHI appropriately, and follow organizational security policies reduces risk dramatically.
Effective training isn’t a one-time event but an ongoing program reinforced through simulations, refreshers, and real-world examples.
5. Keep systems patched and updated
Legacy systems, outdated tools, and unpatched software often serve as open doors for attackers. Applying security patches promptly and upgrading unsupported technology helps close known vulnerabilities.
A formal vulnerability management program, covering patch management, vulnerability scanning, asset management, and continuous monitoring, is critical for hospitals and providers that run diverse medical technologies, many of which do not update automatically.
6. Strengthen vendor risk management
Third-party vendors and business associates are implicated in more than one-third of healthcare breaches in 2025 to date.
To mitigate this risk, organizations should evaluate vendor security practices before onboarding, require signed Business Associate Agreements (BAAs), and perform annual security reviews. Continuous monitoring of vendor performance and compliance is equally important to maintain long-term assurance and protect your patients from impermissible disclosures of their PHI in systems they might not even know about.
How HIPAA and other cybersecurity frameworks help protect PHI
Preventing breaches requires more than ad hoc policies and controls—you need to put comprehensive, repeatable processes in place and monitor them over time to ensure they remain effective. This is where regulatory and cybersecurity frameworks come in.
These frameworks ensure that each of the prevention measures discussed in the previous section—from encryption to vendor risk management—is implemented consistently, audited regularly, and continuously improved. They also give organizations a way to prove their diligence to the OCR and other regulatory bodies, patients, and vendors, reducing the risk of devastating penalties after a breach.
Here are some frameworks you may be required to implement or would benefit from adopting:
- HIPAA sets the baseline by requiring administrative, physical, and technical safeguards for PHI. Following HIPAA ensures organizations have the essentials, like access controls, workforce training, and breach notification procedures, in place.
- NIST Cybersecurity Framework (CSF) provides a flexible roadmap for identifying, protecting, detecting, responding to, and recovering from threats. It helps organizations align their activities with industry best practices and prioritize investments.
- NIST SP 800-66 tailors NIST principles specifically to HIPAA-covered entities, bridging the gap between compliance and practical security.
- ISO/IEC 27001 establishes an information security management system (ISMS) focused on risk-based controls and continuous improvement, ideal for healthcare organizations seeking a globally recognized benchmark.

Stay ahead of HIPAA violations and costly breaches
Download our Healthcare Cybersecurity Awareness kit for templates, checklists, and other tactical resources to help you prevent healthcare breaches and protect PHI into 2026 and beyond.
How Secureframe can help you prevent health care data breaches
Secureframe is a comprehensive GRC platform designed to help healthcare organizations streamline compliance efforts and protect sensitive data. With features such as automated continuous monitoring, policy management and templates, and AI-powered risk assessments, Secureframe empowers healthcare organizations to enhance their security and compliance posture and mitigate the risk of data breaches.
Here’s how Secureframe can help:
- Pre-built frameworks: Secureframe tells you exactly what controls and evidence you need to meet the requirements of the framework that applies to the data you're processing—whether it's HIPAA, GDPR, NIST, or others.
- Continuous control monitoring: Secureframe not only helps you implement the right security controls, like encryption, access controls, and audit logging, based on your unique environment and applicable frameworks — it also helps you maintain them over time with automatic continuous monitoring. This makes it easier to safeguard data from external threats and insider risks.
- Centralized risk management: With Secureframe, you gain visibility into your entire risk landscape. The platform helps identify vulnerabilities, track remediation efforts, and assign ownership, so nothing slips through the cracks.
- Employee training and policy management: Human error is a major risk factor. Secureframe provides built-in security awareness training and makes it easy to manage policies and procedures so your team understands how to handle sensitive data appropriately.
- Vendor risk assessments: Third-party risk is a critical piece of the data protection puzzle. Secureframe helps you evaluate vendors, monitor their risk posture, and track documentation so you can meet your due diligence requirements and reduce supply chain risk.
- Streamlined compliance across frameworks: Whether you're dealing with HIPAA or other regulations and standards, Secureframe maps your existing controls across multiple frameworks—helping you manage overlapping requirements efficiently and stay audit-ready year-round.
Request a demo of Secureframe today to see how we can help you reduce the risk of health care data breaches and simplify HIPAA compliance.