
The 2024 HIPAA Report Card: Fewer Breaches, 242 Million Victims, and a Compliance Problem Nobody's Fixing

663 HIPAA breaches in 2024 exposed 242M patients. OCR fined $9.9M — mostly for HIPAA compliance risk analysis failures. What healthcare CTOs must know.

Zyfolks Team

Healthcare had fewer large breaches in 2024 than in 2023 — and still managed to expose the protected health information of nearly a quarter-billion people. That paradox sits at the heart of the Office for Civil Rights’ annual reports to Congress, and every healthcare CTO, compliance officer, and software vendor should be reading them. The numbers improved on one axis and broke records on another, which means the industry’s playbook for protecting patient data is mispriced for the risk it now carries.

What the OCR’s 2024 Numbers Actually Reveal

According to OCR’s reports to Congress, 663 large data breaches occurred in calendar year 2024 — a 9% decrease from the 732 breaches in 2023. But across those incidents, the protected health information of 242,908,056 individuals was exposed or impermissibly disclosed. A single incident — the Change Healthcare breach — accounted for an estimated 192 million of those individuals. Hacking and IT incidents drove 81% of breaches and affected 241,582,022 people, or 99.45% of all victims.

Why it matters: the volume metric (number of breaches) and the blast radius metric (number of people affected) have decoupled. Breach counts can trend down while a handful of attacks on concentrated infrastructure providers do catastrophic damage. The risk model that compliance teams have used for a decade — “fewer incidents equals safer year” — is broken when one clearinghouse outage can dwarf every other breach combined.

Practical example: if you’re a regional payer plugged into a national clearinghouse, your exposure to a third-party breach now exceeds the exposure from your own internal controls. The Change Healthcare incident didn’t just hurt UnitedHealth — it pulled every connected provider, pharmacy, and payer into the blast radius.

Our take: 2025 reporting will show consolidation risk as the dominant story, and OCR will quietly start pushing more enforcement against business associate agreements rather than just covered entities.

Why Risk Analysis Failures Keep Showing Up in Every Settlement

Look at OCR’s 2024 penalty list and one phrase appears in nearly every row: “risk analysis.” Plastic Surgery Associates of South Dakota ($500,000), Bryan County Ambulance Authority ($90,000), Solara Medical Supplies ($3,000,000), Warby Parker ($1,500,000), Heritage Valley Health System ($950,000) — all cited for failures to conduct or complete risk analyses under the HIPAA Security Rule. OCR collected $7,813,831 in penalties from breach-related investigations, plus another $950,000 from a media-prompted investigation, for a combined $9,944,612 across 22 financial penalties in 2024.

Why it matters: risk analysis isn’t a paperwork exercise — it’s the upstream control that determines whether everything downstream works. OCR explicitly called out scant internal controls limiting lateral movement, excessive account privileges, default passwords, and single-factor remote access as recurring findings. These aren’t exotic vulnerabilities. They’re the kind of basic hygiene that a properly scoped risk analysis would have surfaced years before a threat actor walked through the front door.

Practical example: if you’re a 50-person specialty practice running an EHR plus a billing portal plus a patient communication tool, your risk analysis needs to cover all three integrations, every vendor’s BAA, and the authentication path each user takes. Most practices document one application and call it done — and that’s exactly the gap OCR keeps citing. Teams without dedicated GRC staff increasingly rely on healthcare software engineered for compliance, so the controls live inside the product rather than in a spreadsheet.

Our take: expect OCR to formalize a recurring “Risk Analysis Initiative” — Bryan County Ambulance Authority was already flagged as the first such enforcement action — and expect penalties for inadequate risk analyses to outnumber penalties for actual breaches by 2026.

The Right of Access Penalties Nobody Talks About Enough

Buried under the breach headlines, nine of the 22 financial penalties in 2024 came from HIPAA Right of Access complaints, not breaches. American Medical Response ($115,200), Rio Hondo Community Mental Health Center ($100,000), Gums Dental Care ($70,000), Oregon Health and Science University ($200,000), Essex Residential Care ($100,000), and Holy Redeemer Hospital ($35,581) all paid for failing to give patients timely access to their own records. OCR’s most recent action was its 50th Right of Access penalty since the initiative began.

Why it matters: these penalties don’t require a data breach, a ransomware attack, or a sophisticated adversary. They require a patient who asked for their records and didn’t get them. In a year where OCR received 30,256 new complaints and 541 of them specifically cited Right of Access violations, the lowest-hanging compliance fruit is also the most ignored.

Practical example: if you’re building a patient portal, the request-to-fulfillment workflow for medical records is now a regulated business process — not a customer service nicety. Teams that automate it with workflow and document automation remove the human bottlenecks that drive these penalties.

Our take: Right of Access enforcement will become the OCR’s most predictable revenue stream, because the violations are easy to substantiate and the patient complaints write themselves.

What Hacking-Driven Breaches Mean for Identity and Authentication

Network servers were the most common location of breached PHI, and OCR explicitly named weak authentication — default passwords, single-factor remote access — as a recurring root cause. Hacking and IT incidents accounted for 99.45% of affected individuals. Providence Medical Institute was hit by three ransomware attacks affecting 85,000 individuals before its $240,000 civil monetary penalty. Children’s Hospital Colorado paid $548,265 after two email-related incidents tied to phishing and inadequate workforce training.

Why it matters: HIPAA doesn’t mandate multifactor authentication by name, but OCR’s enforcement pattern makes it functionally required. If a breach investigation finds single-factor remote access on a system holding ePHI, the regulator now treats that as a documented compliance failure rather than a debatable design choice. Authentication is no longer an IT decision — it’s a legal one.

Practical example: if you’re a healthtech vendor selling into hospitals, your product needs to default to MFA, support phishing-resistant factors, and log every authentication event in a way that satisfies the Security Rule’s audit controls standard. Vendors who ship with optional MFA increase their customers’ regulatory risk. Healthcare needs the same hardened identity infrastructure that financial services built over the past decade; the compliant identity software used by banks, fintechs, and marketplaces shows what that looks like in practice.

Our take: within 18 months, healthcare SaaS RFPs will require phishing-resistant MFA as a baseline, and vendors who don’t ship it by default will get cut in procurement.

FAQ

Q: What is the HITECH Act and why does OCR report to Congress under it?
A: The Health Information Technology for Economic and Clinical Health (HITECH) Act requires OCR to submit annual reports to Congress on HIPAA compliance and breaches of unsecured protected health information. The reports document breach trends, enforcement actions, complaint volumes, and penalties collected, giving Congress a yearly snapshot of how well regulated entities are protecting patient data.

Q: How much did OCR collect in HIPAA penalties in 2024?
A: OCR collected $9,944,612 in total settlements and civil monetary penalties in 2024, spread across 22 financial penalties — 13 from breach investigations and 9 from complaint investigations. Breach-related penalties alone totaled $7,813,831, plus a $950,000 penalty from a media-prompted investigation.

Q: What were the most common HIPAA compliance failures cited in 2024?
A: OCR repeatedly cited failures in risk analysis, risk management, information system activity review, audit controls, and person or entity authentication. Common technical findings included excessive user privileges, weak controls on lateral movement, default passwords, and single-factor remote access on systems holding electronic protected health information.

Key Takeaways

  • Healthcare organizations should stop treating breach count as a primary success metric and start modeling third-party concentration risk, because a single upstream vendor breach can outweigh every internal incident combined.
  • Risk analysis is now the single most-cited HIPAA failure in OCR enforcement, so investing in continuous, integration-aware risk analyses will produce a larger return than any other compliance spend.
  • Right of Access enforcement is the easiest path to a federal penalty, and any healthtech product touching patient records needs an automated, auditable fulfillment workflow before scaling.
  • Vendors selling to healthcare should ship phishing-resistant MFA, audit-grade logging, and least-privilege defaults as standard features, because optional security has become a procurement liability.
  • Compliance teams should expect OCR audits to resume and Business Associate enforcement to accelerate, especially after the Change Healthcare incident exposed how badly the sector underestimated clearinghouse-level risk.
