
Z Cyber data analysis

One billion records: what the federal breach list really shows

Every healthcare data breach reported to the U.S. government since 2009, visualized. One square is one reported breach of 500 or more patient records: 7,705 breaches, 1.03 billion patient records.

[Interactive breach wall. Legend: stolen and lost devices, paper, disposal (gray) · unauthorized access and snooping · hacking and ransomware (red). Timeline markers: 2011, stolen laptops and paper era · 2015, Anthem: 78.8M records · 2020, the ransomware era · today, 729 open investigations. The counter starts at 2009 with 0 breaches and 0 patient records and fills in as the wall advances.]

Why it matters for your paperwork: the wall turned red in about a decade. If your written risk analysis still describes the gray era of laptops, file cabinets, and fax machines, it no longer describes your actual risk. Regulators call that an inaccurate risk analysis, and it is the most-cited finding in HIPAA fines.

Z Cyber data analysis · 01

The worst breach rates aren't where you think

Breach reports per 100,000 residents since 2009. The highest rates are in small jurisdictions, D.C., Alaska, Connecticut, Rhode Island, Wyoming, and Montana, not the big coastal systems. Smaller providers, thinner security teams, the same federal reporting duty.

Breach reports per 100,000 residents, 2009 to 2026, highest to lowest (state · rate):

DC 4.4   AK 3.8   CT 3.6   RI 3.2
WY 3.2   MT 3.1   MA 3.0   DE 2.9
MN 2.8   IA 2.8   AR 2.8   IN 2.7
OR 2.6   NE 2.6   IL 2.5   KY 2.5
NH 2.4   ND 2.4   WV 2.4   MD 2.4
NM 2.4   NY 2.3   PA 2.3   MO 2.3
KS 2.3   TN 2.3   ME 2.1   VT 2.1
OH 2.1   WA 2.0   MI 2.0   CO 2.0
WI 1.9   AZ 1.9   CA 1.8   GA 1.8
TX 1.8   OK 1.7   FL 1.7   NJ 1.6
UT 1.6   VA 1.6   NC 1.6   MS 1.6
AL 1.6   NV 1.5   SD 1.5   SC 1.3
HI 1.3   LA 1.2   ID 1.1   PR 1.0

Why it matters for your paperwork: there is no safe state and no safe size. Every state appears on the federal list, and rates run highest where security staff are scarcest. The median breach affects 3,787 people. This list is made of ten-doctor practices, not just health systems. See how this plays out in healthcare security.

Z Cyber data analysis · 02

The quiet shift: your vendor is now your breach

Share of reported breaches where a business associate was involved: a billing company, software vendor, cloud host, or transcription service.

[Line chart: share of reported breaches with a business associate involved, by report year, 2009 to 2026. Y-axis 10% to 50%; annotation: 42% in 2026.]

Why it matters for your paperwork: 42% of breaches on this year's federal investigation list involve a vendor, roughly double the share of the early 2010s. A risk analysis that stops at your own walls misses almost half the actual risk. The proposed HIPAA Security Rule update would explicitly require assessing vendor risk and refreshing the analysis at least every 12 months. This is the core of ongoing compliance and GRC work.

Z Cyber data analysis · 03

When the fines arrive, they all cite the same missing document

Federal HIPAA settlements citing risk-analysis failures, October 2024 to April 2026. Note the range: from a $10,000 fine on a small surgical group to $3 million. And note who is on it: treatment centers, imaging providers, one hospital, and several vendors.

  • Bryan County EMS: $90,000 · OK, ambulance service · Oct 2024 · ransomware
  • Solara Medical Supplies: $3,000,000 · CA, medical supplier · Jan 2025 · phishing, 114k patients
  • Elgon Information Systems: $80,000 · MA, EHR and billing vendor · Jan 2025 · ransomware
  • VPN Solutions: $90,000 · VA, cloud vendor · Jan 2025 · ransomware
  • Northeast Surgical Group: $10,000 · MI, surgical practice · Jan 2025 · ransomware
  • Health Fitness Corp.: $227,816 · IL, wellness vendor · Mar 2025 · exposed server
  • NERAD: $350,000 · NY/CT, imaging · Apr 2025 · exposed server, 298k patients
  • Guam Memorial Hospital: $25,000 · GU, public hospital · Apr 2025 · ransomware
  • Deer Oaks Behavioral: $225,000 · TX, behavioral health · Jul 2025 · risk analysis failure
  • Syracuse ASC: $250,000 · NY, surgery center · Jul 2025 · risk analysis failure
  • Top of the World Ranch: $103,000 · IL, addiction treatment · Feb 2026 · phishing
  • Axia Women's Health: $320,000 · NJ, women's health · Apr 2026 · ransomware
  • Assured Imaging: $375,000 · AZ, imaging · Apr 2026 · ransomware, 245k patients
  • Consociate Health: $225,000 · IL, benefits administrator · Apr 2026 · ransomware
  • Star Group Health Plan: $245,000 · NJ, employer health plan · Apr 2026 · ransomware
Every settlement above cites the same provision: 45 CFR §164.308(a)(1)(ii)(A), the requirement to conduct an "accurate and thorough" assessment of risks to patient data. Not the breach itself. The document that was supposed to see it coming.

Why timing matters: the breaches behind the April 2026 settlements happened in 2020 and 2021. Investigations surface years later, and the first document requested is the risk analysis you have on file today. A risk analysis done mid-year leaves months to actually fix what it finds. One crammed in December is just a signed list of your gaps.

1.03B · Patient records in breaches reported to HHS since 2009, three times the U.S. population
729 · Organizations on OCR's open investigation list right now; 189 added since January 1, 2026
42% · Of 2026 investigations involve a business associate, double the early-2010s share
$10K–$3M · Range of recent fines citing the risk-analysis rule. Small practices are on the list

Every organization above was asked for the same document first: its security risk analysis.

Find out in 15 minutes whether yours would hold up. Free, 50 questions drawn from the official HHS tool, two reports in your inbox. Every gap mapped to the specific rule it touches, ranked by risk, with a recommended fix.

Take the free HIPAA SRA →

Methodology: Z Cyber analysis of the HHS OCR Breach Portal (archive plus cases under investigation, exported June 9, 2026), all 7,705 breaches of unsecured protected health information affecting 500 or more individuals reported under the HITECH Act. Wall squares are ordered chronologically by report month; within each month, cause categories are shown in proportion to that period's reported types. Per-capita rates use 2024 U.S. Census population estimates. Settlement amounts are from HHS OCR press releases and resolution agreements, October 2024 to April 2026. "Hacking and ransomware" is the HHS category "Hacking/IT Incident."
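To make the methodology reproducible, here is an added example script that computes the same statistics from a breach-portal export: business-associate share by report year, reports per 100,000 residents by state, the median number of individuals affected, and the three-bucket cause mapping used for the wall. It is not Z Cyber's own analysis code. The column headers are assumed to match the portal's CSV export (the real export carries more columns, which the script ignores); the six rows and the population figures are constructed for the demonstration and are not real data.

```python
"""Recompute the page's headline statistics from an HHS OCR Breach Portal CSV.

Added example, not Z Cyber's analysis code. Column names are assumed to
match the portal export; the sample rows and populations are constructed.
"""
import csv
import io
import statistics
from collections import Counter, defaultdict

# Constructed sample rows in the (assumed) breach-portal export layout.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,AK,Healthcare Provider,1200,03/14/2011,Theft,Laptop,No
Example Clinic B,AK,Healthcare Provider,2500,07/02/2015,Hacking/IT Incident,Network Server,No
Example Plan C,CT,Health Plan,98000,01/20/2020,Hacking/IT Incident,Network Server,Yes
Example Clinic D,CT,Healthcare Provider,3787,05/11/2024,Hacking/IT Incident,Email,Yes
Example Vendor E,CA,Business Associate,114000,11/30/2024,Hacking/IT Incident,Network Server,Yes
Example Practice F,CA,Healthcare Provider,600,02/03/2026,Unauthorized Access/Disclosure,Paper/Films,No
"""

# Constructed populations (assumption). Use Census estimates for real work.
POPULATION = {"AK": 100_000, "CT": 400_000, "CA": 2_000_000}


def load_breaches(text):
    """Parse the export, coerce the count column, and extract the report year."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["Individuals Affected"] = int(r["Individuals Affected"])
        # Submission dates are MM/DD/YYYY; the wall is ordered by this date.
        r["year"] = int(r["Breach Submission Date"].split("/")[-1])
        rows.append(r)
    return rows


def business_associate_share(rows):
    """Fraction of breaches per report year where a business associate was present."""
    total, with_ba = Counter(), Counter()
    for r in rows:
        total[r["year"]] += 1
        if r["Business Associate Present"].strip().lower() == "yes":
            with_ba[r["year"]] += 1
    return {y: round(with_ba[y] / total[y], 3) for y in sorted(total)}


def per_100k(rows, population):
    """Breach reports per 100,000 residents by state; states with no population figure are skipped."""
    counts = Counter(r["State"] for r in rows)
    return {s: round(counts[s] / population[s] * 100_000, 1)
            for s in counts if s in population}


def median_affected(rows):
    """Median individuals affected per breach (the page reports 3,787 for the full list)."""
    return statistics.median(r["Individuals Affected"] for r in rows)


def cause_bucket(type_of_breach):
    """Map an HHS 'Type of Breach' value onto the wall's three colors.

    Theft, Loss and Improper Disposal share the gray bucket; values the page
    does not color (Other, Unknown) are kept separate rather than guessed.
    """
    t = type_of_breach.lower()
    if "hacking" in t:
        return "hacking_ransomware"
    if "unauthorized" in t:
        return "unauthorized_access"
    if t in ("theft", "loss", "improper disposal"):
        return "lost_stolen_paper"
    return "other"


def cause_mix(rows):
    """Per report year, how many breaches fall in each cause bucket."""
    mix = defaultdict(Counter)
    for r in rows:
        mix[r["year"]][cause_bucket(r["Type of Breach"])] += 1
    return {y: dict(c) for y, c in sorted(mix.items())}


if __name__ == "__main__":
    breaches = load_breaches(SAMPLE_CSV)
    print("BA share by year:", business_associate_share(breaches))
    print("Per 100k by state:", per_100k(breaches, POPULATION))
    print("Median affected:", median_affected(breaches))
    print("Cause mix by year:", cause_mix(breaches))
```

Point `load_breaches` at the text of a real portal export (archive plus cases under investigation) and swap `POPULATION` for Census estimates to reproduce the map; the per-year share is sensitive to whether you count by submission year or breach-occurrence year, so state which one you used, as the methodology above does.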