2024 OCR Annual Reports Detail HIPAA Compliance Activity and Data Breaches

OCR submitted its annual reports to Congress for calendar year 2024 covering HIPAA compliance activities and breaches of unsecured protected health information (PHI). The reports document 663 large data breaches that occurred in 2024, in which the PHI of 242,908,056 individuals was exposed or impermissibly disclosed.

Reports Submitted to Congress for Calendar Year 2024

The Department of Health and Human Services Office for Civil Rights issued annual reports to Congress on compliance with the Health Insurance Portability and Accountability Act (HIPAA) and breaches of unsecured PHI for 2024. The reporting process is required under the Health Information Technology for Economic and Clinical Health (HITECH) Act and provides a structured record of breach activity, compliance enforcement actions, and regulatory oversight outcomes.

The reporting framework is based on the calendar year in which breaches occurred rather than the year of reporting. For calendar year 2024, OCR recorded 742 breach reports involving 500 or more individuals, with 663 of those incidents tied to breaches occurring during 2024.

Breach Reporting and Impact Data

OCR recorded 663 large breaches in 2024 involving 500 or more individuals. Across these incidents, the PHI of 242,908,056 individuals was exposed or impermissibly disclosed. A single incident involving Change Healthcare accounted for an estimated 192 million individuals within the total affected population.

For breaches involving fewer than 500 individuals, OCR received 74,299 reports in 2024, affecting 340,618 individuals across those incidents.

The most frequently identified cause of breach events remained hacking and information technology incidents. These accounted for 81 percent of reported breaches involving 500 or more individuals and affected 241,582,022 individuals. Network servers were identified as the most common location of breached PHI. Smaller breach incidents were more frequently associated with unauthorized access or disclosure events involving paper or film records.

Enforcement Activity and Investigations

OCR initiated investigations into all 663 large breach reports and two additional smaller breach incidents. Most investigations were resolved through voluntary corrective actions or technical assistance provided to regulated entities. OCR completed 785 breach investigations during 2024, including 12 cases resolved through settlement agreements, corrective action plans, and financial penalties.

OCR collected $7,813,831 in penalties connected to data breach investigations and an additional $950,000 related to a separate investigation initiated following media reporting of a breach incident.

Complaints and Compliance Reviews

OCR received 30,256 new complaints related to potential HIPAA violations in 2024 and carried forward 2,955 complaints from earlier periods. OCR resolved 28,228 complaints, including 17,466 resolved without initiating investigations and 9,392 resolved through technical assistance.

OCR completed 1,370 complaint investigations during the year. Approximately 48 percent resulted in required corrective action by regulated entities. Around 51 percent of investigations did not identify sufficient evidence of HIPAA Rule violations. Nine complaint investigations resulted in financial penalties totaling $1,180,781.

Common complaint categories included impermissible uses and disclosures, Right of Access concerns, gaps in general safeguards, deficiencies in HIPAA Security Rule administrative safeguards, and delays or failures in breach notification requirements.

OCR also initiated 730 compliance reviews and completed 797 compliance reviews that were not triggered by complaints. No audits were initiated under the HITECH Act audit requirement during the year. OCR conducted 89 outreach activities focused on education related to HIPAA rights and breach trends.

Financial Penalties and Resolution Activity

OCR issued 22 financial penalties during 2024, consisting of actions tied to both breach investigations and complaint resolutions. Total collected settlements and penalties reached $9,944,612.

Penalties were issued to entities across healthcare and related services, including cases involving risk analysis deficiencies, insufficient security measures, access control failures, and weaknesses in breach notification processes. Entities subject to penalties included Plastic Surgery Associates of South Dakota, Providence Medical Institute, Children’s Hospital Colorado, Warby Parker, and others identified in enforcement actions during the year.

HIPAA Security Rule Compliance Observations

OCR identified recurring compliance gaps linked to the HIPAA Security Rule. Areas frequently associated with noncompliance included risk analysis processes, risk management practices, information system activity review procedures, audit controls, and authentication standards.

Findings from investigations indicated instances of incomplete risk analysis processes, weak internal access controls, excessive user privileges, and authentication practices that included default credentials or single-factor remote access. These conditions were identified in connection with multiple breach investigations involving unauthorized access to electronic protected health information systems.

About the author

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA