Following the HITECH Act, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued regulations requiring HIPAA covered entities to provide certain notifications for breaches of unsecured protected health information. OCR provides data on its website for breaches affecting 500 or more individuals.

To better understand trends for these large breaches, we have compiled the following charts. The first set looks at all breaches affecting 500 or more individuals posted on the OCR, by the cause of breach and the type of media involved. We have provided charts by number of breach incidents reported as well as by number of individuals affected, as this may help understand causes or types of media that affect a disproportionate number of individuals. To better analyze breaches happening at the business associate level, we have provided the same charts, based on the OCR data, where OCR indicates a business associate was involved. Finally, we have provided charts illustrating the number of breaches, and number of individuals affected, according to the OCR data by business associates or type of covered entity involved.

View our previous breach charts from Spring 2015 and 2014.

Charts of all breaches reported to OCR:

Charts of breaches involving business associates:

Charts of breaches by business associates or type of covered entity: