Which breaches are included?

Only breaches affecting 500 or more individuals, which are the breaches OCR is required to publish. Smaller breaches are reported to OCR annually but are not part of the public 500-plus data set, so they are not shown here. Records cover reports submitted since 2009, when the breach notification rule took effect.

How current is the data?

The tracker refreshes when our ingestion script re-pulls the OCR data and the site is redeployed. The last refresh date is shown above the table once data is loaded. OCR itself updates the portal as new breaches are reported and as investigations close, so figures can change over time as records are corrected or recategorized.

Can I cite or reference this tracker?

Yes. The underlying data is public-domain US government information from HHS OCR. When you cite a specific figure, attribute it to the HHS Office for Civil Rights breach portal as the primary source. You are welcome to link to this page as a convenient, searchable view of that data.

Free resource

The live HIPAA breach tracker

Name: HIPAA breach tracker (HHS OCR breaches affecting 500+ individuals)
Creator: RiskWatch
License: https://www.usa.gov/government-works

A free, searchable tracker of reported HIPAA breaches affecting 500 or more individuals, built on the public HHS Office for Civil Rights breach portal. Filter by entity, state, entity type, breach type, and year, and see the trends.

HIPAA compliance software Free HIPAA security checklist

The short version

Every reported HIPAA breach affecting 500 or more people, in one searchable place

Under the HIPAA Breach Notification Rule, covered entities and their business associates must report breaches of unsecured protected health information. Breaches affecting 500 or more individuals are published by the U.S. HHS Office for Civil Rights. This tracker is a free, searchable view of that public data, with the records in a sortable table and the trends summarized in charts. Every figure traces back to the OCR breach portal, and there is no invented data.

Data ingestion is pending. The table and charts show a clear pending state until the source data is loaded. Primary source: the HHS Office for Civil Rights breach portal. Free to cite with attribution to that source.

Searchable database

Search the HIPAA breach database

Filter every reported breach of unsecured protected health information affecting 500 or more individuals. Search by entity, narrow by state, entity type, breach type, year, and the number of individuals affected. Sorted by individuals affected by default.

Loading breach data…

Trends

What the HHS breach data shows

Aggregated from every reported breach of unsecured protected health information affecting 500 or more individuals. Counts and totals are derived directly from the HHS Office for Civil Rights breach portal.

Data pending

Charts pending data ingestion

No aggregates have been computed yet. Run scripts/ingest-hipaa-breaches.mjs to populate the summary from the HHS Office for Civil Rights breach portal. No counts or trends are shown until real, sourced data is loaded.

Methodology and sources

How this tracker is built

The single source for this tracker is the U.S. HHS Office for Civil Rights (OCR) breach portal, the official, public list of reported breaches of unsecured protected health information affecting 500 or more individuals. The data is US government work in the public domain.

We ingest the OCR data with a build-time script, normalize each record to a consistent schema, derive the submission year, and write the result to a static data file plus a small set of pre-aggregated chart summaries. Because this site is a static export, the table and charts read those static files in the browser. There is no live query against OCR at page load; instead, the data refreshes when we re-run the ingestion and redeploy.

We report only the fields OCR publishes: entity name, state, covered-entity type, individuals affected, breach type, location of the breached information, submission date, and status. We do not add a financial cost figure, because OCR does not publish a cost per breach. When the source data has not yet been ingested, the table and charts show an explicit pending state rather than any placeholder numbers, so nothing on this page is invented.

Primary source

U.S. Department of Health and Human Services, Office for Civil Rights, Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Keep your own organization off this list

The breaches in this tracker are the public end of a private failure to manage risk. These resources help you run a defensible HIPAA program before a breach ever has to be reported.

HIPAA compliance assessment software

Run HIPAA Security and Privacy Rule assessments, track remediation, and keep an audit-ready evidence trail in one platform.

Free HIPAA security checklist

A practical checklist of HIPAA Security Rule safeguards to pressure-test your program against the controls breaches most often miss.

FAQ

Frequently asked questions

Build a defensible HIPAA program

Turn HIPAA from a checklist into a managed program

RiskWatch runs HIPAA Security and Privacy Rule assessments alongside 40+ other frameworks in one platform, with remediation tracking and an audit-ready evidence trail. Start a free trial or request a quote.

Start free trial Book a demo

No credit card required · 30-day free trial · Cancel anytime