HIPAA Enforcement in 2025: A Year Defined by Cybersecurity Failures

(This article was written in collaboration with Noah Block, J.D. Candidate, Quinnipiac University School of Law, ’26)

Enforcement activity under the Health Insurance Portability and Accountability Act (HIPAA) offers a clear view of regulators’ shifting priorities. Over the past several years, regulators have steadily elevated cybersecurity as a core enforcement priority, and it took center stage in 2025.

The Department of Health and Human Services’ Office for Civil Rights (OCR) is sending a message that compliance with the HIPAA Security Rule, and particularly the risk analysis requirement, is essential to reducing significant cyber threats in healthcare.

Failure to conduct an adequate security risk analysis was again the top finding in 2025, and ransomware attacks were the most common cyber triggering event. OCR repeatedly tied ransomware attacks to longstanding gaps in risk analyses and system monitoring, some of which resulted in costly seven-figure settlements or penalties.

Cybersecurity failures were not the only focus of enforcement. Although the number of Right of Access cases has declined, it remains a top priority for OCR. Settlement and penalty amounts per action increased, with the average amount for Right of Access violations rising sharply from prior years. Finally, don’t forget about business associates; they continue to be in the hot seat as well.

Below is a scoreboard comparing HIPAA enforcement over the past five years. Figures in parentheses are the number of resolutions in that category.

| | 2025[1] | 2024 | 2023 | 2022 | 2021 |
|---|---|---|---|---|---|
| Announced Resolutions | 22 | 16 | 13 | 22 | 14 |
| Amount Collected | $8,453,066 | $9,263,846 | $4,176,500 | $2,170,140 | $5,982,150 |
| Civil Money Penalties (CMPs) v. Settlements | 3 CMPs; 19 settlements | 7 CMPs; 9 settlements | All settlements | 2 CMPs; 20 settlements | 1 CMP; 13 settlements |
| Right of Access | $372,500 (3) | $420,000 (5) | $271,500 (4) | $859,000 (17) | $857,150 (12) |
| Risk Analysis | $7,898,566 (18) | $8,808,265 (10) | $3,555,000 (6) | $875,000 (1) | $5,125,000 (2) |

Ransomware and Cybersecurity Failures Dominated the Year

Alleged risk analysis failures in 2025 were driven primarily by cyberattacks. Nine of the 17 cases involved ransomware. In 2024, OCR began tracking ransomware as a separate enforcement category and has since announced at least 15 related resolutions. The message is clear. Criminal activity by third parties does not excuse covered entities or business associates from meeting the standards intended to reduce cyber risk.

The Return of Large-Dollar Settlements

2025 marked the return of several large‑dollar settlements for alleged HIPAA Security Rule violations. Solara Medical Supplies paid a $3,000,000 settlement relating to a phishing attack affecting 114,007 individuals. Likewise, Warby Parker faced a $1,500,000 civil monetary penalty for credential stuffing attacks affecting 198,470 individuals.[2] Collectively, these cases demonstrate OCR’s continued willingness to impose substantial financial penalties where foundational security safeguards are lacking.

Impermissible Disclosures and Misconfigurations Persisted

Impermissible disclosures and basic configuration errors remained a steady source of enforcement activity. OCR pursued several cases involving PHI exposed through public-facing websites, social media, or other preventable lapses.[3] These actions underscore the persistent risks associated with marketing content, online communications, and misconfigured systems that inadvertently expose PHI, and they reflect OCR’s continued expectation that entities maintain tight control over how patient information appears in any public-facing environment.

Right of Access Enforcement Continued, but at Lower Volume

While cybersecurity dominated much of the year’s enforcement landscape, OCR remains committed to ensuring patients have access to their health information without delay. There were fewer Right of Access enforcement actions than in prior years, but the average settlement or penalty increased significantly to about $125,000 per matter, approximately 30% higher than 2024 and 50% higher than 2023. This year, OCR focused on cases involving significant delays or complete inaction. Three entities settled for Right of Access violations,[4] reinforcing that timely access to records remains a core patient right and that violations can result in substantial penalties.

Business Associates Remained a Central Enforcement Target

Business associates have become central enforcement targets in large part because they manage large volumes of PHI across multiple clients, and their security lapses can cascade across the healthcare ecosystem. HIPAA requires, and OCR expects, business associates to meet the same operational fundamentals as covered entities. Several settlements involved multi-year misconfigurations, inadequate system monitoring, or unauthorized access to ePHI.[5]

Part 2 Enforcement Emerges as a Parallel Priority

In the 2020 CARES Act, Congress directed that the civil and criminal penalties under HIPAA apply to the federal regulations governing substance use disorder records at 42 CFR Part 2. As a result, civil enforcement of Part 2 now falls to HHS’s OCR, which assumed that role on February 16, 2026. Three days later, OCR announced a settlement with a substance use disorder treatment provider. Although the settlement addressed only HIPAA violations involving a phishing attack on a workforce member’s email account, OCR signed the agreement in June 2025 and announced it during the week of February 16, 2026, which suggests the agency intended to signal its readiness to enforce 42 CFR Part 2.

What Does 2025 Signal for 2026?

The 2025 enforcement year reflects a more focused and increasingly rigorous approach by OCR, with cybersecurity lapses, particularly those tied to inadequate risk analyses, driving a significant share of enforcement activity. At the same time, OCR continues to reinforce that core compliance obligations, including timely patient access to records, remain firmly in scope. The combination of larger settlements and penalties, continued attention to business associates, and the emergence of Part 2 enforcement signals a broader and more coordinated regulatory posture. Covered entities and business associates should expect this trajectory to continue into 2026, with heightened expectations around both foundational compliance practices and the ability to proactively manage evolving cyber risks.

[1] The 2025 numbers include one enforcement action announced in February 2026, although the settlement agreement was signed in June 2025. For purposes of this article, any enforcement action announced by the end of February with a resolution date in 2025 is counted as a 2025 enforcement resolution.

[2] Solara Medical Supplies — phishing breach affecting 114,007 individuals; $3,000,000 settlement; Warby Parker — credential‑stuffing attacks affecting 198,470 individuals; $1,500,000 CMP; PIH Health, Inc. — phishing breach affecting 189,763 individuals; $600,000 settlement; BayCare Health System — access control and risk analysis failures affecting one individual; $800,000 settlement.

[3] Cadia Healthcare — PHI posted on website/social media affecting 150 individuals; $182,000 settlement; Deer Oaks — unauthorized disclosure plus ransomware; $225,000 settlement.

[4] Memorial Healthcare System — access failure affecting one individual; $60,000 settlement; Concentra — multiple requests over a year; $112,500 settlement; OHSU — 16‑month delay in providing records; $200,000 CMP.

[5] USR Holdings’ deletion of ePHI affecting 2,903 individuals ($337,750 settlement, two‑year CAP); Health Fitness Corporation’s long‑standing risk‑analysis failures affecting 4,304 individuals ($227,816 settlement, two‑year CAP); BST & Co. CPAs’ ransomware‑related violations ($175,000 settlement); and Comstar’s ransomware incident affecting more than half a million individuals ($75,000 settlement).