OCR report confirms 113M affected by healthcare data breaches in 2023
Farah Amod
May 31, 2026
Hacking accounted for 81% of large healthcare breaches and 96% of all compromised records in a year that set a new benchmark for both breach volume and scale.
What happened
The HHS Office for Civil Rights has submitted its annual reports to Congress on HIPAA compliance and healthcare data breaches for calendar year 2023, fulfilling its statutory obligation under the HITECH Act. According to the 2023 OCR Annual Report to Congress on HIPAA Compliance, OCR received 732 reports of data breaches affecting 500 or more individuals in 2023, a 17% year-over-year increase. Across those breaches, 113,173,613 individuals had their protected health information exposed, stolen, or impermissibly disclosed, with a single incident, the HCA Healthcare breach, accounting for 11,270,000 of those individuals. Hacking and IT incidents drove the majority of the damage, accounting for 590 of the 732 large breaches and 108,725,761 of the 113 million compromised records. OCR also received 68,315 reports of smaller breaches affecting fewer than 500 individuals, overwhelmingly caused by human error, including misdirected emails and faxes and unauthorized access to colleagues' records.
Going deeper
OCR settled 14 investigations in 2023 with corrective action plans and financial penalties totaling $7,735,000, four fewer penalties than in 2022 but $6,932,500 more in total penalty value. The largest settlement was $4,750,000 with Montefiore Medical Center. The most commonly cited compliance failure across all 2023 enforcement actions was failure to conduct a risk analysis, identified in seven of the 14 settled cases. Failure to review records of information system activity appeared in five cases, and failure to fulfill patient right of access obligations appeared in four. No civil monetary penalties were imposed; all 14 were resolved through negotiated settlements with corrective action plans. OCR received 30,968 new complaints in 2023, a 2% year-over-year increase, and resolved 38,601 complaints during the year, reducing the backlog that had accumulated in prior years. Business associate breaches increased by 22% year over year, according to Healthcare Dive, continuing a pattern that has made third-party vendors a growing share of healthcare breaches.
What was said
In a statement cited by Healthcare Dive, OCR Director Melanie Fontes Rainer noted that approximately 140 million people were affected by large healthcare breaches in 2023, up from 51 million in 2022, and warned that 2024 was expected to see that number potentially double, given the Change Healthcare and Ascension breaches. In the 2023 OCR compliance report, OCR stated there has been "a general trend of increasing data breaches and complaints, which is placing greater pressure on OCR's limited resources," while acknowledging progress in reducing the backlog of open investigations during the year.
In the know
The 2023 report arrives as a baseline document against which subsequent years' escalation can be measured. The 2024 Change Healthcare breach alone affected approximately 100 million individuals, which would exceed the entire 2023 large-breach total of 113 million when combined with other 2024 incidents. According to Becker's Hospital Review, 2023 set a record for healthcare data breach volume that was then surpassed in subsequent years. OCR has repeatedly noted to Congress that its investigative staff fell 30% between fiscal year 2010 and 2023, even as complaint volume and breach reports continued to climb, creating a structural enforcement gap that Congress has not fully addressed through appropriations.
The big picture
The 2023 OCR data establishes that failure to conduct a risk analysis remains the single most cited HIPAA compliance failure in enforcement actions, appearing in half of all settled cases that year. That finding is consistent with what Paubox has documented in breach analysis across 2024 and 2025. According to Paubox's What Healthcare Gets Wrong About HIPAA and Email Security report, many compliance failures in healthcare email stem from organizations treating a one-time audit as a permanent compliance status rather than as a point-in-time assessment requiring ongoing review. OCR's enforcement pattern confirms that regulators reach the same conclusion: organizations that are breached and then investigated frequently lack documented risk analysis activity, regardless of whether they have security tools in place.
FAQs
Why does OCR report 2023 data to Congress in 2026?
HITECH requires OCR to submit annual reports to Congress on HIPAA compliance and breach notification activity. The production of these reports involves compiling enforcement data, finalizing investigation outcomes, and preparing the statutory analysis, a process that typically results in reports being submitted and published roughly two to three years after the calendar year they cover.
What is the difference between a large breach and a small breach under HIPAA?
HIPAA classifies breaches affecting 500 or more individuals as large breaches, which trigger immediate HHS notification, potential media notification, and automatic OCR compliance review. Breaches affecting fewer than 500 individuals must still be reported to HHS, but can be compiled and submitted annually rather than within 60 days.
Why did seven of 14 enforcement settlements in 2023 cite failure to conduct a risk analysis?
A risk analysis is the foundational HIPAA Security Rule requirement from which all other security controls flow. Organizations that cannot demonstrate a documented, detailed risk analysis have no defensible baseline for their security decisions. OCR has cited risk analysis failures in enforcement actions consistently across the past decade because the requirement is both clearly defined and frequently incomplete or absent when investigators examine breached organizations' records.
What does a 22% increase in business associate breaches indicate for covered entities?
Business associates handle PHI on behalf of covered entities, meaning a breach at a vendor produces notification obligations and potential regulatory exposure for the covered entity even when the covered entity's own systems were not compromised. A 22% annual increase signals that third-party risk management is not keeping pace with the volume of PHI flowing through vendor relationships.
How does OCR prioritize which breaches to investigate, given its resource constraints?
OCR opens a compliance review for every breach affecting 500 or more individuals, which in 2023 meant 732 new reviews on top of open cases carried over from prior years. With investigative staff having fallen 30% over the prior decade, OCR has acknowledged to Congress that this volume exceeds its capacity to investigate at pace, resulting in a backlog that the agency made partial progress in reducing during 2023.
