Tags: saas, hipaa-compliance, ocr-2023-breach-report, healthcare-data-breaches, ehr-security, business-associate-risk, hitech-act, phi-protection

What the OCR's 2023 HIPAA Report Actually Tells Builders of Healthcare Software

OCR's 2023 HIPAA report reveals 732 large breaches exposing 113M records. Discover what this means for healthcare software compliance and security architecture.

Zyfolks Team

Healthcare software isn’t being breached by clever zero-days. It’s being breached because somebody never ran a risk analysis. That’s the uncomfortable read between the lines of the Office for Civil Rights’ freshly delivered HIPAA reports to Congress — and if you’re building any product that touches protected health information, the numbers should change how you scope your next sprint.

The Department of Health and Human Services’ OCR submitted two reports covering calendar year 2023, as required by Section 13424(a) of the HITECH Act. The headline figures are grim: 732 large data breaches, 113,173,613 individuals exposed, and an average breach size of 154,609 people. Large breaches climbed 17% year-over-year, smaller breaches rose 7%, complaints inched up 2%, and OCR-initiated compliance reviews jumped 14%. Regulators are doing more with less, and the violations they’re punishing are not exotic.

Why Hacking Now Owns 96% of Breached Records

According to OCR’s data, hacking and IT incidents accounted for 81% of large breaches and 96% of breached records in 2023. Theft, loss, and improper disposal — the categories that dominated a decade ago — barely register. Out of 590 hacking incidents, 108,725,761 records were exposed, including the 11,270,000-individual HCA Healthcare breach that anchored the year.

This matters because the threat surface has fully shifted to networked systems, third-party integrations, and credential abuse. The corner-case risks regulators used to write memos about — a lost laptop, a misrouted fax — are statistical noise compared to ransomware crews hitting EHR vendors and clearinghouses. If you’re a CTO at a digital health startup, your compliance budget needs to follow the threat: identity, segmentation, logging, vendor risk. Not laminated badge policies.

If you’re a team running a SaaS platform that ingests claims data on behalf of provider networks, this means a single compromised business associate can implicate millions of records under one breach report — and you’ll be the named entity. Expect insurers and procurement teams to push harder on SOC 2 plus HIPAA Security Rule evidence as a precondition for renewal, not just onboarding. Healthcare hacking is now an infrastructure problem masquerading as a compliance problem, and the companies that treat it as the former will avoid the eight-figure breach disclosures of the next reporting cycle. Teams shipping healthcare software built for compliance and outcomes should be reading the OCR breakdown as an architectural brief, not a legal one.

The Boring Failures That Triggered $7.7M in Settlements

OCR resolved 14 investigations in 2023 with settlements totalling $7,735,000. That’s four fewer penalties than 2022, but the total dollar amount jumped by $6,932,500 year-over-year. Translation: fewer cases, bigger checks. Montefiore Medical Center paid $4,750,000. LA Care Health Plan paid $1,300,000. Lafourche Medical Group, the first phishing-related HIPAA penalty, paid $480,000.

Look at what OCR actually cited. The most common HIPAA failure resulting in a financial penalty was failure to conduct a risk analysis — seven cases. Failure to review records of information system activity came second, with five cases. HIPAA Right of Access violations followed with four. Risk management, Security Rule policies, audit-log mechanisms, business associate agreements — all show up in the citation list. None of these are bleeding-edge technical controls. They are baseline hygiene that engineering leaders routinely punt to “after launch.”

If you’re a Series A founder building a remote monitoring platform, the practical move is to bake a documented risk analysis into your release process before your first paying clinic. Tie audit log review to a scheduled job with named owners. Make right-of-access requests a first-class API, not a Zendesk ticket. The prediction here is straightforward: OCR will keep concentrating enforcement on companies that can’t produce a current risk analysis on demand, because it’s the cheapest violation for them to prove. Expect at least one nine-figure aggregate enforcement year by 2027 as breach volumes continue compounding.

What the 68,315 Small Breaches Reveal About People, Not Systems

OCR received 68,315 reports of breaches affecting fewer than 500 individuals — the vast quiet majority. The average size: fewer than four people. The dominant causes: misdirected faxes, emails, and mailings; staff snooping on records of co-workers, family, and friends. Per OCR, 66% of small breaches were unauthorized access or disclosure incidents, totaling 64,231 cases. Yakima Valley Memorial Hospital’s $240,000 settlement involved a security guard snooping on records — a workflow failure, not a hacker.

Product design carries more weight here than firewalls. Healthcare apps still ship with default-allow access patterns, weak break-glass logging, and no behavioral analytics on internal users. If your EHR module lets a clerk pull any chart with no friction and no review, you have built a snooping factory. Imagine you’re a hospital CIO renewing a patient portal contract — the right question to ask the vendor isn’t “are you encrypted” but “show me your access anomaly dashboard and your last 90 days of internal-misuse alerts.”

AI-driven workflow automation earns its keep here: classifying outbound communications before they leave the building, flagging anomalous record pulls in real time, and replacing the misdirected-fax problem with structured, authenticated exchange. The smart bet is that within two reporting cycles, OCR will start naming “failure to monitor for insider misuse” as a discrete citation category, because the small-breach data already justifies it.
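One way to implement the access-anomaly monitoring this section calls for, as an added example that is not code from the original post or from any vendor it mentions: a small Python detector run over constructed EHR access-audit lines. It flags the snooping patterns the OCR small-breach data describes (a workforce member opening their own chart, a non-clinical role touching a chart, break-glass access with no recorded justification, and off-care-team chart views above a per-role daily baseline). The CSV field layout, the role baselines, the `NON_CLINICAL_ROLES` policy and the employee-to-patient mapping are all assumptions made for illustration.

```python
"""Toy insider-misuse detector over constructed EHR access-audit lines.

Added example, not code from the original post. The log format, field names,
role baselines and employee-to-patient mapping are assumptions for illustration.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample log: one CSV row per chart access.
# Fields: ts, user, role, patient, action, on_care_team, break_glass, reason
AUDIT_LOG = """\
2023-03-01T08:02:11Z,clerk17,registration,P-1001,VIEW,yes,no,
2023-03-01T08:05:40Z,clerk17,registration,P-2042,VIEW,no,no,
2023-03-01T08:06:02Z,clerk17,registration,P-2043,VIEW,no,no,
2023-03-01T08:06:30Z,clerk17,registration,P-2044,VIEW,no,no,
2023-03-01T08:07:01Z,clerk17,registration,P-2045,VIEW,no,no,
2023-03-01T09:15:22Z,rn204,nurse,P-3300,VIEW,yes,no,
2023-03-01T09:40:09Z,rn204,nurse,P-7777,VIEW,no,yes,
2023-03-01T10:01:55Z,guard09,security,P-5120,VIEW,no,no,
2023-03-01T11:30:00Z,md88,physician,P-3300,VIEW,yes,no,
2023-03-01T11:45:10Z,md88,physician,P-4410,VIEW,no,yes,ED consult requested by charge nurse
"""

# Constructed: workforce members who are also patients (for the self-lookup rule).
EMPLOYEE_PATIENT_IDS = {"clerk17": "P-1001", "rn204": "P-7777"}

# Constructed: per-role daily baseline of chart views outside the care team.
ROLE_BASELINE_OFF_TEAM_VIEWS = {"registration": 2, "nurse": 2, "physician": 5, "security": 0}

# Constructed policy: roles that should never open a clinical chart directly.
NON_CLINICAL_ROLES = {"security"}

FIELDS = ["ts", "user", "role", "patient", "action", "on_care_team", "break_glass", "reason"]


def parse_log(text):
    """Parse the CSV audit text into a list of dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def detect_misuse(events):
    """Return a list of (user, detail, rule) alerts; detail is a patient id or a day."""
    alerts = []
    off_team_views = defaultdict(Counter)  # user -> day -> off-care-team view count
    roles = {}

    for ev in events:
        user, patient = ev["user"], ev["patient"]
        roles[user] = ev["role"]
        on_team = ev["on_care_team"] == "yes"
        glass = ev["break_glass"] == "yes"

        # Rule 1: a workforce member opening their own chart through the clinical UI.
        if EMPLOYEE_PATIENT_IDS.get(user) == patient:
            alerts.append((user, patient, "self_lookup"))

        # Rule 2: a non-clinical role touching any chart (the snooping-guard case).
        if ev["role"] in NON_CLINICAL_ROLES:
            alerts.append((user, patient, "non_clinical_role_access"))

        # Rule 3: break-glass used without a recorded justification.
        if glass and not ev["reason"].strip():
            alerts.append((user, patient, "break_glass_no_reason"))

        # Rule 4 bookkeeping: count off-care-team views that did not go through break-glass.
        if not on_team and not glass:
            off_team_views[user][ev["ts"][:10]] += 1

    # Rule 4: off-care-team view volume above the role's daily baseline.
    for user, per_day in off_team_views.items():
        baseline = ROLE_BASELINE_OFF_TEAM_VIEWS.get(roles[user], 0)
        for day, count in per_day.items():
            if count > baseline:
                alerts.append((user, day, "off_team_volume"))
    return alerts


if __name__ == "__main__":
    for user, detail, rule in detect_misuse(parse_log(AUDIT_LOG)):
        print(f"{rule:26s} user={user} detail={detail}")
```

In a real deployment the care-team relationship would come from the scheduling or encounter system rather than a flag on the log line, and the baselines would be learned per role and per site; the point of the example is that each of these rules is a few lines over data every EHR already records, which is what makes "failure to review records of information system activity" such an easy citation for OCR to prove.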

How Identity Verification Becomes the Next Compliance Pressure Point

The report confirms what identity teams already suspect: many breaches trace back to credential failures, phishing-borne access, and shaky verification of who is requesting what. Lafourche Medical Group’s penalty was tied to phishing. Right of Access violations — four of OCR’s 2023 penalties — are identity-proofing problems wearing a privacy hat.

For anyone building patient apps, telehealth platforms, or claims tools, this means the verification stack has compliance weight, not just UX weight. A patient who can’t access their records because identity proofing failed is a complaint to OCR. A bad actor who can access records because identity proofing was too soft is a breach report. Building verifiable-credential and KYC infrastructure tuned for healthcare is moving from nice-to-have into the same tier as encryption-at-rest. The prediction: by the next OCR report cycle, expect identity assurance gaps to be cited explicitly in settlement language, not just implied through Right of Access findings.

FAQ

Q: What is the HITECH Act’s Section 13424(a) reporting requirement?
A: Section 13424(a) of the HITECH Act requires OCR to submit annual reports to Congress on HIPAA Privacy, Security, and Breach Notification Rule compliance, plus breaches of unsecured protected health information. The 2023 reports were submitted by HHS and cover the full calendar year.

Q: What was the largest healthcare data breach reported to OCR in 2023?
A: HCA Healthcare, which affected 11,270,000 individuals. It is one of 590 hacking and IT incidents OCR logged that year, a category that accounted for 96% of all breached records.

Q: Which HIPAA failure draws the most OCR penalties?
A: Failure to conduct a risk analysis. Per the 2023 report, it was cited in seven of the 14 settled cases, more than any other category — followed by failure to review records of information system activity, cited in five.

Key Takeaways

  • Treat documented risk analyses as a release-blocking artifact, not a year-end binder — OCR’s 2023 data shows it’s the single most-cited violation.
  • Reweight security budgets toward identity, audit logging, and vendor risk, because hacking now drives 96% of breached records and the old physical-loss categories have collapsed.
  • Build insider-misuse detection into clinical apps now; the 68,315 small breaches in 2023 are a leading indicator of where OCR enforcement attention moves next.
  • Healthcare vendors should expect business associate agreements and identity assurance evidence to become procurement gating items, not paperwork.
  • Plan for bigger average settlement amounts even as case counts stay flat — the $6,932,500 year-over-year jump in penalty dollars is the trend line that matters.
