OCR reports 242 million records exposed in 2024

A single ransomware attack on a claims-processing vendor accounted for 79% of all individuals affected by a large healthcare breach in the United States last year.


What happened

The HHS Office for Civil Rights (OCR) has submitted its annual reports to Congress on HIPAA compliance and breaches of unsecured protected health information for calendar year 2024. Across 663 large breaches, the protected health information (PHI) of 242,908,056 individuals was exposed, a figure that dwarfs every previous year on record. Roughly 192 million of those records trace to the February 2024 ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary that processes a substantial portion of US insurance claims. Strip that one incident out, and 2024 would sit below 2023's 113 million total. OCR also received 74,299 reports of smaller breaches, collectively affecting another 340,618 individuals. The large breach count fell 9% from 2023's 732 incidents to 663, but the concentration of exposure in a single-vendor attack entirely offset that modest volume improvement.


Going deeper

Hacking and IT incidents drove 81% of all large breaches and accounted for 99.45% of affected individuals. Network servers remained the most common location of breached PHI. For smaller breaches, unauthorized access and disclosure were more common, often involving paper records or films rather than electronic systems. OCR imposed 22 financial penalties in 2024, collecting $9,944,612 across settlements and civil monetary penalties. The largest breach-related settlement was $3 million against Solara Medical Supplies. Gulf Coast Pain Management Consultants received the largest civil monetary penalty at $1.19 million. Across all 2024 enforcement actions, risk analysis failure appeared in every single case. No HIPAA audits were initiated despite OCR being required to conduct them under the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR received 30,256 new complaints and completed investigations on 1,370, resolving the majority through technical assistance rather than formal enforcement.


What was said

In its 2024 breach report to Congress, OCR stated that "there is a continued need for HIPAA-regulated entities to improve compliance" and that "many data breaches could have been prevented through proactive compliance, rather than addressing security issues after exploitation." OCR specifically cited incomplete risk analyses, excessive user privileges enabling lateral movement, and weak authentication, including default passwords and single-factor remote access, as the most consistently identified failures across breach investigations.


In the know

The Change Healthcare figure in the 2024 report is still an estimate. According to HHS OCR's Change Healthcare FAQ page, Change Healthcare initially reported just 500 affected individuals to the breach portal in July 2024. The figure grew to approximately 130 million by January 2025 and reached 192.7 million in a filing submitted to OCR in July 2025, more than a year after the attack. That figure now appears in the 2024 congressional report. Still, the number kept growing for 17 months after the incident, which means the 242 million headline captures a moving target at one point in time rather than a settled final count.


The big picture

OCR's enforcement pattern across 2024 confirms what the agency has documented for years without variation: organizations that experience large breaches routinely lack a completed risk analysis, allow excessive internal access privileges, and rely on single-factor authentication for remote access. Thirteen of the 22 financial penalties imposed in 2024 stemmed from breach investigations, and each cited a failure in risk analysis. According to Paubox's "What Healthcare Gets Wrong About HIPAA and Email Security" report, healthcare organizations consistently overestimate their compliance posture, with many treating a one-time audit as a permanent status rather than a baseline that requires ongoing review. OCR's repeated findings confirm that assessment.


FAQs

Why do the OCR reports to Congress cover 2024 data in 2026?

OCR submits reports based on the calendar year in which breaches occurred, not when they were reported. Compiling enforcement data, finalizing investigation outcomes, and preparing the statutory analysis for Congress takes roughly two years, which is why 2024 breach data appears in a 2026 submission.


How does a 9% drop in large breach volume coexist with a record number of affected individuals?

Fewer large breaches occurred in 2024 than in 2023, but the Change Healthcare attack alone exposed more individuals than the combined large-breach totals from most prior years. Volume and exposure are separate metrics, and a single vendor breach affecting a central piece of healthcare infrastructure can distort both.


Why does risk analysis failure appear in every OCR enforcement action?

A risk analysis is the foundational Security Rule requirement from which all other security decisions flow. Without one, an organization has no documented basis for its security choices, no way to demonstrate due diligence to investigators, and no systematic process for identifying the vulnerabilities that attackers exploit. OCR treats its absence as both a standalone violation and evidence of broader compliance failure.


What does OCR's complaint resolution pattern reveal about enforcement capacity?

OCR received 30,256 complaints in 2024 and completed investigations on 1,370 of them. The gap shows resource constraints that OCR has acknowledged to Congress for years, noting that staffing levels have not kept pace with the volume of complaints and breaches. Most complaints are resolved through technical assistance, which produces compliance guidance but no enforcement action.


How should covered entities read the Change Healthcare figure in the 2024 report?

The 192.7 million figure attributed to Change Healthcare in the 2024 congressional report was not submitted to OCR until July 2025, more than 17 months after the attack. Covered entities reviewing the report should understand the 242 million total as a snapshot of a changing count rather than a finalized number verified at the time of the breach.
