OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2023
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has submitted a pair of reports to Congress on the state of compliance with the Health Insurance Portability and Accountability (HIPAA) Privacy, Security, and Breach Notification Rules, and breaches of unsecured protected health information for calendar year 2023, as required by Section 13424(a) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
OCR maintains a data breach portal, through which HIPAA-regulated entities must submit their reports of breaches of unsecured protected health information, and a web page through which individuals may submit a health information privacy complaint. There has been a general trend of increasing data breaches and complaints, which is placing greater pressure on OCR’s limited resources; however, OCR made progress in decreasing the backlog of complaint and data breach investigations in 2023.
The reports show data breaches affecting fewer than 500 individuals increased by 7% year-over-year, data breaches affecting 500 or more individuals increased by 17% year-over-year, complaints were up 2%, and there was a 14% increase in compliance reviews initiated by OCR. In total, OCR resolved 14 investigations in calendar year 2023 with settlements totalling $7,735,000. While that is 4 penalties fewer than in 2022, the total penalty amount increased by $6,932,500 year-over-year. OCR also conducted 182 outreach activities to improve public education about HIPAA rights and to advise regulated entities about compliance and trends in large data breaches reported to OCR.
Healthcare Data Breaches in 2023
In calendar year 2023, OCR received 732 reports of data breaches affecting 500 or more individuals. Across those data breaches, 113,173,613 individuals had their protected health information exposed, stolen, or impermissibly disclosed. The largest healthcare data breach of the year – HCA Healthcare – affected 11,270,000 individuals. The average data breach size in 2023 was 154,609 individuals.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Summary of Data Breaches Affecting 500 or More Individuals
OCR has five classifications for healthcare data breaches, and the majority of large healthcare data breaches fell into the hacking/IT incident category. Hacking and IT incidents accounted for 81% of the year’s data breaches and 96% of breached records.
| Cause of Breach | Number of Incidents | Individuals Affected | Largest Data Breach |
| Hacking/IT Incident | 590 | 108,725,761 | 11,270,000 individuals |
| Unauthorized Access/Disclosure | 120 | 4,359,037 | 3,179,835 individuals |
| Theft | 14 | 69,893 | 34,016 individuals |
| Loss | 4 | 16,247 | 13,184 individuals |
| Improper Disposal | 4 | 2,675 | 1,005 individuals |
Summary of Data Breaches Affecting Fewer Than 500 Individuals
OCR received 68,315 reports of data breaches affecting fewer than 500 individuals in calendar year 2023. Smaller HIPAA breaches vastly outnumber large data breaches, but they typically affect only a few individuals. Across those HIPAA breaches, the protected health information of 269,290 individuals was exposed, stolen, or impermissibly disclosed, with an average breach size of fewer than 4 individuals. The vast majority of smaller breaches were due to human error – employee mistakes and a lack of understanding about HIPAA requirements. The most common causes were misdirected communications (fax, email, mailing) and impermissibly accessing the medical records of co-workers, friends, family members, and other individuals.
| Cause of Breach | Number of Incidents | Individuals Affected | Percentage of Breaches |
| Unauthorized Access/Disclosure | 64,231 | 178,031 | 66% |
| Loss | 2,414 | 10,186 | 4% |
| Hacking/IT Incident | 753 | 61,021 | 1% |
| Theft | 714 | 15,742 | 1% |
| Improper Disposal | 203 | 4,310 | <1% |
2023 Settlements to Resolve Alleged HIPAA Violations
OCR settled 14 investigations with financial penalties and corrective action plans in 2023. No civil monetary penalties were imposed.
| HIPAA Regulated Entity | Affected Individuals | Settlement Amount |
| Montefiore Medical Center | 12,517 | $4,750,000 |
| LA Care Health Plan | 1,498 | $1,300,000 |
| Lafourche Medical Group | 34,862 | $480,000 |
| MedEvolve Inc. | 230,572 | $350,000 |
| Yakima Valley Memorial Hospital | 415 | $240,000 |
| Optum Medical Care | 1 | $160,000 |
| Doctors’ Management Services | 206,695 | $100,000 |
| St. Joseph’s Medical Center | 3 | $80,000 |
| UnitedHealthcare | 1 | $80,000 |
| iHealth Solutions (Advantum Health) | 267 | $75,000 |
| Green Ridge Behavioral Health | 14,000 | $40,000 |
| Phoenix Healthcare (dba Green Country Care Center) | 1 | $35,000 |
| Manasa Health Center, LLC | 4 | $30,000 |
| David Mente, MA, LPC | 1 | $15,000 |
Keen readers of the HIPAA Journal may notice a discrepancy between these figures and those on pages such as our data breach statistics page, as the HIPAA Journal reports on the year the penalty was announced rather than the year it was agreed.
In 2023, OCR imposed financial penalties to resolve HIPAA failures in 11 areas. The most commonly identified HIPAA failure resulting in a financial penalty was the failure to conduct a risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of protected health information, and the failure to review records of activity in information systems containing protected health information.
| Area of HIPAA Noncompliance | Cases |
| Risk Analysis | 7 |
| Review records of information system activity | 5 |
| HIPAA Right of Access | 4 |
| Impermissible Use or Disclosure of PHI | 3 |
| Risk Management | 2 |
| HIPAA Security Rule Policies and Procedures | 2 |
| Mechanisms for Recording/Examining Activity in Information Systems | 2 |
| Business Associate Agreements | 1 |
| HIPAA Privacy Rule Policies and Procedures | 1 |
| Security Measures to Reduce Risks/Vulnerabilities | 1 |
| Periodic Technical and Nontechnical Evaluations | 1 |
HIPAA Complaints and Compliance Reviews in 2023
OCR investigates complaints submitted through the health information privacy complaint web page and initiates compliance reviews if complaints are substantiated. Compliance reviews are also initiated in response to data breaches.
Summary of HIPAA Complaints
- 30,968 new complaints received alleging violations of the HIPAA Rules and the HITECH Act (+553 YOY)
- 9,680 open complaints carried over from previous years (-10,497 YOY)
- 38,601 complaints were resolved in calendar year 2023 (+6,351 YOY)
- 30,464 complaints were resolved before an investigation was initiated (-2,357 YOY)
- 6,749 complaints were resolved through technical assistance (+3,867 YOY)
- 691 complaints were resolved through voluntary corrective action (+131 YOY)
- 695 complaints had insufficient evidence of HIPAA violations (-9 YOY)
- 2 complaints resulted in OCR providing technical assistance after an investigation (-13 YOY)
- 5 complaints were resolved through resolution agreements, corrective action plans, and monetary settlements ($320,000), three more than in 2022, when $2,425,640 was collected in settlements/civil monetary penalties.
Summary of Compliance Reviews
- 773 compliance reviews initiated to investigate allegations of HIPAA violations not stemming from complaints
- 732 compliance reviews were due to large data breaches (affecting 500 or more individuals), 9 were in response to smaller breaches, and 32 were initiated for other reasons
- OCR closed 737 of those compliance reviews in 2023 – 580 cases (79%) through voluntary compliance, 60 cases (8%) through technical assistance, 67 cases (9%) where there was insufficient evidence of a HIPAA violation, and 30 cases (4%) were closed due to a lack of jurisdiction to investigate.
- OCR resolved nine compliance reviews with resolution agreements and corrective action plans, collecting $7,415,000 in financial penalties.
You can view a summary of the HIPAA reports for 2022 in this post. Click the following links to access the full OCR reports on HIPAA compliance in 2023 (PDF) and 2023 healthcare data breaches (PDF)
