Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

HHS OIG report calls for stronger cybersecurity across health sector

Written by Mara Ellis | January 25, 2026

In January 2026, the U.S. Department of Health and Human Services’ Office of Inspector General (HHS-OIG) released its annual Top Management & Performance Challenges Facing HHS report, identifying persistent and emerging cybersecurity vulnerabilities within HHS and across the broader U.S. healthcare sector.


What happened

The report noted that HHS, a large and complex federal department, has struggled to unify and standardize its cybersecurity governance, resulting in fragmented approaches across its divisions and operating units. This fragmentation complicates efforts to detect, prevent, and respond to cyber threats and undermines the department’s ability to protect sensitive health data and systems.

OIG emphasized that cybersecurity responsibilities and authorities are diffused within HHS and extend to a vast network of contractors, grantees, and external partners, each with its own security practices, making coordinated defense difficult. The report noted that cyberattacks against the healthcare sector, including ransomware and increasingly sophisticated phishing campaigns, continue to rise, targeting systems that maintain patient records, process claims, and support public health and human services. HHS’s preparedness and resilience are further strained by reliance on aging technology and a shortage of skilled cybersecurity staff, compounding these risks.


Going deeper

The report is rooted in both concrete enforcement actions and internal assessments that reveal persistent gaps in how health information systems are protected. The settlement with Comstar, LLC over a May 2025 ransomware incident illustrates the real consequences of failing to implement foundational cybersecurity safeguards.

In that case, the breach exposed the protected health information of more than 585,000 individuals, and investigators found that basic requirements of the HIPAA Security Rule, such as conducting an accurate and thorough risk analysis, had not been met. The federal response, a negotiated resolution after the fact, illustrates a reactive pattern in which vulnerabilities are only fully confronted once patient data has already been compromised.

At the same time, the department’s own cybersecurity program was evaluated as “Not Effective” in an independent audit for Fiscal Year 2024, marking the second consecutive year it received this rating. This assessment goes beyond isolated lapses; it points to systemic weaknesses across core functions, including risk identification, threat detection, incident response, and recovery planning. If the agency charged with safeguarding the health system’s integrity struggles to maintain a coherent and effective security posture internally, it heightens the risk that similar or worse gaps will persist in the broader healthcare ecosystem.


What was said

According to the report, “Addressing HHS’s top management and performance challenges will support high-quality care and services, ensure careful stewardship of taxpayer dollars, and mitigate fraud and other risks so that programs operate as intended.”


Why it matters

For healthcare organizations, this is a warning that compliance alone is not enough. The report reflects a shift in expectations toward proactive risk management, stronger leadership oversight, and continuous investment in security capabilities.

The OIG’s findings suggest that federal oversight and enforcement are likely to intensify, particularly around how organizations assess risk, respond to incidents, and safeguard data across complex networks of vendors and partners. In practical terms, the report challenges healthcare leaders to treat cybersecurity as a core component of patient care and organizational resilience, rather than a back-office function.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

What federal responsibility does HHS have in healthcare cybersecurity?

HHS serves as the Sector Risk Management Agency (SRMA) for the Healthcare and Public Health (HPH) sector, a role assigned under Presidential Policy Directive 21 and carried forward by its 2024 successor, National Security Memorandum 22. As SRMA, HHS coordinates risk management, information sharing, and incident support for the sector’s public and private owners and operators.


What regulatory role does HHS play regarding healthcare cybersecurity?

The Office for Civil Rights (OCR) within HHS enforces the HIPAA Security Rule, which sets national standards for protecting electronic protected health information (ePHI).


How does HHS work with other federal agencies on cybersecurity?

HHS collaborates closely with agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), the Food and Drug Administration (FDA), and state and local partners.