The FBI's 2025 Internet Crime Report recorded 460 ransomware attacks and 82 data breaches against healthcare and public health organizations last year, enough to make the sector the most targeted piece of critical infrastructure in the country for a second consecutive year. The bureau does not pretend those numbers tell the whole story, as they represent what was disclosed, not necessarily what actually happened.

HIPAA's Breach Notification Rule is straightforward on paper. If PHI is exfiltrated, notice should be provided to victims within 60 days, a report should be given to the Department of Health and Human Services, and in some cases, provided to the media. What complicates all of that is the quiet arithmetic running underneath it. Disclosure brings regulatory scrutiny, press coverage, and reputational damage in a community that the organization has to keep serving long after the incident fades from the news. A quiet payment to an attacker who claims the stolen data will be deleted can look, in the moment, like the best option, but that solution can never be truly trusted.

 

Why exfiltration rewired the math

Ransomware before around 2019 was mostly an encryption story. Systems failed, staff noticed within minutes, and concealing something that was visible was close to impossible. Then came double extortion, where attackers steal a copy of the data before encrypting anything, giving them two separate ways to pressure a victim instead of one. That change altered the incentive to hide an incident more than almost anything else in the last decade of ransomware evolution. Encryption forces disclosure because it is visible almost immediately, whereas exfiltration can happen quietly enough that no one notices for months.

The Verizon 2026 Data Breach Investigations Report put ransomware in 48% of confirmed breaches this year, the highest share in the report's 19-year run. Buried in that finding is something close to an admission about the report's own limits. Verizon's methodology depends on what partner organizations, law enforcement contacts, and voluntary submissions choose to share. An attack settled quietly through payment, handled entirely in-house, or built around theft with no visible outage has a much smaller chance of ever making it into that dataset.

The same report tracked 1,492 healthcare incidents, 1,438 of them confirmed data disclosures, most tied to ransomware-driven system intrusions. Set that against HHS OCR's public breach portal, which only posts breaches affecting 500 or more people publicly, and the picture narrows further. Smaller incidents go into an annual log sent to HHS instead, and anything paid off quietly, with no formal breach determination ever made, does not appear anywhere at all.

Read more: What is ransomware?

 

The cost nobody sees coming

An organization that has never suffered a public breach has no reliable way to measure its own risk relative to what is actually happening across the sector. The data reaching boards and security teams shows only what was disclosed, which skews everything toward incidents that were caught or forced into daylight, away from the quieter ones that were resolved through payment and stayed buried.

Those disclosures, and those that weren’t, shapes real decisions made by board members, who may think they are more secure or less likely to be targeted than in reality. HHS OCR Director Melanie Fontes Rainer has framed the expectation bluntly, warning entities to be "proactive and not wait for OCR" to surface problems that were always there. Threat intelligence takes the same hit. CISA's joint advisories on active groups like Interlock are assembled from what gets reported and what trusted third parties choose to share, and an attack settled in silence contributes nothing to the advisory that might have warned a hospital two states over.

 

How HIPAA notification requirements can prevent disclosure

HIPAA presumes a ransomware attack is a reportable breach unless the organization can show a low probability that PHI was actually compromised. The standard exists to force disclosure, but in practice, a handful of real conditions get in its way.

Data theft without encryption is genuinely harder to spot than encryption, which announces itself the moment systems stop working. An organization may not know, inside the 60-day window, whether data actually left the network, or whether what was left even counted as PHI. Forensics takes time, and an attacker's claim that nothing was taken cannot be independently verified. The regulatory deadline and the pace of a real investigation do not always sync up, which leaves organizations navigating a gap that the rule never fully accounted for.

Enforcement has hardened around this gap rather than softened. OCR's Risk Analysis Initiative has now closed 19 ransomware investigations, and in nearly all of them, the agency found an absent or inadequate risk analysis sitting behind the incident. Organizations that skip notification and later get investigated anyway end up facing two violations instead of one: the original security failure and the failure to notify, and the penalties for both are cumulative.

Paubox's 2026 Healthcare Email Security Report documented 170 email-related healthcare breaches in 2025, affecting more than 2.5 million individuals, but no one actually knows how many organizations may have been impacted by a breach. There’s simply no way to formally count breaches that were quietly resolved or never triggered a formal determination.

 

What actually closes the gap

Fixing this is not primarily a technology problem, which is part of why it has lingered so long. It needs a cultural shift toward treating disclosure as a risk management decision rather than a threat to be managed away, paired with regulatory frameworks that make early voluntary disclosure more attractive than concealment ever could be.

The UK is testing one version of that shift right now, with proposals under consideration that would require ransomware reporting within 72 hours, closer to GDPR's timeline than to HIPAA's current framework. Faster disclosure is meant to enable faster collective defense for organizations that have not been hit yet.

For healthcare specifically, the argument does not need to stay abstract. OCR investigations don’t only start with breach reports. Patient complaints, media coverage, whistleblowers, and attacker leak sites trigger them too, and organizations convinced they successfully concealed an incident often discover months later that the incident found them anyway, now carrying a missed notification window on top of everything else.

The controls that lower the odds of a disclosable incident happening at all address this more reliably than any reporting framework can. Phishing remains the documented entry point behind most healthcare ransomware chains, and Paubox's 2025 Healthcare Email Security Report found that only 5% of known phishing attempts in healthcare get reported by employees to security teams. The delivery mechanism passes through almost entirely unnoticed at the human level, which is exactly the gap that pre-delivery filtering is built to close, catching a message before any ransom decision, disclosure question, or temptation to stay quiet ever becomes relevant. Paubox Inbound Email Security uses AI to analyze sender behavior, message intent, and contextual signals across every inbound message, catching what signature-based filters miss before it reaches an inbox.

Learn more: Paubox Inbound Email Security

 

FAQs

Does HIPAA require reporting every ransomware attack?

A ransomware attack is presumed reportable unless the organization can show a low probability that PHI was compromised. Paying quietly without conducting that analysis does not remove the obligation, and organizations caught skipping it later often face penalties for both the original breach and the failure to notify.

 

Why do some organizations pay without disclosing?

Public notification means regulatory scrutiny and reputational damage in the community they serve, and against that, a quiet payment can feel faster. The risk is that the incident often surfaces anyway through complaints or leak sites, at which point the missed notification becomes its own violation.

 

How does underreporting hurt organizations that have never been breached?

Threat intelligence is only as good as what gets reported. When most attacks stay hidden, the advisories other organizations rely on show a fraction of real activity, which means comparing your own risk to published statistics can badly understate the actual threat.

 

What's the difference between an attack and a reportable breach?

A ransomware attack becomes reportable once PHI is accessed, acquired, or disclosed in a way HIPAA does not permit, unless a four-factor risk assessment shows a low probability of compromise. Encryption alone might not clear that bar. Exfiltration almost always does.

 

What single step avoids both the attack and the disclosure question?

Close the initial access point. Most ransomware chains in healthcare begin with a phishing email, and filtering that message out before it reaches an inbox removes the entry point before any ransom demand or disclosure decision ever has to happen.