HHS OCR Breach Portal: Search Reported HIPAA Data Breaches


Kevin Henry

Data Breaches

July 10, 2025


Overview of OCR Breach Portal

The HHS Office for Civil Rights (OCR) maintains a public portal—often called the “breach portal”—that lists reports of breaches involving unsecured protected health information (PHI) submitted under the HIPAA Breach Notification Rule. It lets you quickly search reported HIPAA data breaches to understand what happened, who was affected, and how incidents are categorized.

Reports come from covered entities and their business associates across healthcare providers, health plans, and clearinghouses. The portal promotes transparency and accountability: inclusion indicates a reported incident, not necessarily a finalized finding of noncompliance. Cases may appear as under investigation or archived once reviewed.

The listings are organized by breaches affecting 500 or more individuals and those affecting fewer than 500 individuals. You can use both areas to benchmark your program, perform vendor due diligence, and study how similar organizations experience and report incidents.

Accessing and Navigating the Portal

Choose the appropriate listing

  • Breaches affecting 500 or more individuals: current and archived entries, with visibility into large-scale events.
  • Breaches affecting fewer than 500 individuals: entries organized by the calendar year in which incidents were discovered.

Search and filter effectively

  • Use the search bar to look up a covered entity or business associate by name; partial names and common abbreviations help.
  • Filter by state, individuals affected, breach submission date, incident date range, and breach type classification to narrow results.
  • Sort columns (for example, by individuals affected or submission date) to surface the most relevant entries first.

Interpret result details

  • Open an entry to view fields such as location of breached information, whether a business associate was involved, and the type of breach.
  • Treat “individuals affected” as the entity’s current estimate; counts can adjust as investigations progress.
  • Note whether a case is still under investigation or archived; status can shape how you interpret the data.

Categories of Reported Breaches

Common breach type classifications

  • Hacking/IT incident (often including ransomware, credential compromise, or exploitation of vulnerabilities).
  • Unauthorized access/disclosure (misdirected communications, snooping, or policy lapses).
  • Theft or loss (devices, media, or paper records).
  • Improper disposal (records discarded without proper destruction).

Location of breached information

  • Network server, email, cloud storage, or electronic medical record systems (ePHI).
  • Laptop, desktop, other portable devices, or removable media.
  • Paper/films and other physical records.

These categories help you focus your controls—email security, endpoint protection, and record destruction procedures—on where incidents most often occur.

Data Fields in Breach Reports

Each entry includes structured data to help you analyze and compare incidents. Typical fields include:

  • Name of covered entity and whether a business associate was involved.
  • Covered entity type (provider, plan, or clearinghouse) and state.
  • Individuals affected (estimated count) and incident date(s).
  • Breach submission date (when the entity reported the incident to OCR).
  • Breach type classification and location of breached information.
  • Case status (under investigation or archived) and posting/archival dates.

Pay particular attention to the breach submission date versus the incident date. Submission shows when the report reached OCR; the incident date reflects when the compromise occurred. Gaps between them can reveal detection and response timelines.


While year-to-year totals fluctuate, several durable patterns appear across the portal. Hacking/IT incidents remain a leading cause, with network servers and email frequently implicated. Ransomware and credential-based attacks continue to drive large-scale exposures of ePHI.

Business associate involvement is common in higher-impact events, reflecting complex data flows across vendors and cloud platforms. At the same time, unauthorized access/disclosure—such as misdirected emails, fax errors, or inappropriate access—persists as a steady source of smaller but frequent breaches.

Organizations that prioritize multi-factor authentication, timely patching, email security controls, and strong vendor governance tend to reduce exposure to the most prevalent threat patterns highlighted by the portal.

Reporting Requirements for Covered Entities

Under the HIPAA Breach Notification Rule, you must first determine whether an incident constitutes a breach of unsecured protected health information. This data breach risk analysis typically evaluates the nature and extent of PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

  • Notification to individuals: without unreasonable delay and no later than 60 days after discovery.
  • Notification to HHS OCR:
    • Breaches affecting 500 or more individuals: report without unreasonable delay and no later than 60 days after discovery.
    • Breaches affecting fewer than 500 individuals: log and report to OCR no later than 60 days after the end of the calendar year in which the breaches were discovered.
  • Notification to media: required for incidents affecting 500 or more residents of a state or jurisdiction.
  • Business associate duties: notify the covered entity without unreasonable delay so the covered entity can meet its obligations.
  • Documentation: retain your breach analysis, decision-making, and notices to demonstrate compliance.

Ensure your timeline tracking aligns with the portal’s breach submission date to verify you met reporting deadlines and can evidence timely action.
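The timelines above can be checked mechanically against your own incident log. The following is an added example, not code from the portal or from this article's author: it computes the latest OCR notification date for large and small breaches and the incident-to-submission gap by breach type. The record layout and field names are hypothetical, the discovery date is assumed to come from your internal records, and the sample records are constructed.

```python
from datetime import date, timedelta
from statistics import median

LARGE_BREACH_THRESHOLD = 500  # "500 or more individuals", per the list above
DEADLINE_DAYS = 60            # "no later than 60 days"


def ocr_deadline(discovered: date, individuals_affected: int) -> date:
    """Latest date for notifying HHS OCR under the timelines listed above."""
    if individuals_affected >= LARGE_BREACH_THRESHOLD:
        return discovered + timedelta(days=DEADLINE_DAYS)
    # Fewer than 500: 60 days after the end of the calendar year of discovery.
    return date(discovered.year, 12, 31) + timedelta(days=DEADLINE_DAYS)


def review(records):
    """Return per-record deadline checks and the median incident-to-submission
    gap (in days) for each breach type classification."""
    results, gaps = [], {}
    for r in records:
        deadline = ocr_deadline(r["discovered"], r["affected"])
        gap = (r["submitted"] - r["incident"]).days
        gaps.setdefault(r["type"], []).append(gap)
        results.append({
            "id": r["id"],
            "deadline": deadline,
            "on_time": r["submitted"] <= deadline,
            "gap_days": gap,
        })
    return results, {t: median(g) for t, g in gaps.items()}


# Constructed sample records (hypothetical field names, not portal output).
SAMPLE = [
    {"id": "A", "type": "Hacking/IT incident", "affected": 12000,
     "incident": date(2024, 1, 10), "discovered": date(2024, 3, 1),
     "submitted": date(2024, 4, 25)},
    {"id": "B", "type": "Hacking/IT incident", "affected": 800,
     "incident": date(2024, 2, 1), "discovered": date(2024, 2, 20),
     "submitted": date(2024, 5, 1)},
    {"id": "C", "type": "Unauthorized access/disclosure", "affected": 40,
     "incident": date(2023, 6, 1), "discovered": date(2023, 6, 15),
     "submitted": date(2024, 2, 20)},
]

if __name__ == "__main__":
    per_record, median_gap = review(SAMPLE)
    for row in per_record:
        print(row)
    print(median_gap)
```

Record B is flagged late because its submission falls after the 60-day limit from discovery, while record C is on time because small breaches run to 60 days past year end.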

Utilizing Breach Data for Risk Management

Turn public data into practical safeguards

  • Benchmark threats: compare your environment to similar organizations’ breach type classifications and locations (for example, email vs. network server).
  • Prioritize controls: map recurring weaknesses to specific mitigations, such as MFA expansion, phishing-resistant authentication, and email DLP.
  • Inform vendor oversight: use entries involving a business associate to refine due diligence, contract requirements, and monitoring cadence.
  • Strengthen training: tailor awareness content to real missteps (improper disposal, misdirected records) evident in the portal.
  • Refine incident response: use observed detection-to-submission intervals to set internal service levels and escalation paths.
  • Enhance your data breach risk analysis: incorporate portal patterns into tabletop scenarios and control testing.

Conclusion

The HHS OCR Breach Portal is a practical lens on how unsecured protected health information is compromised—and how quickly organizations respond. Use its filters, breach submission date, and breach type classification fields to study patterns, sharpen controls, and demonstrate a disciplined, evidence-based HIPAA compliance program.

FAQs

What types of breaches are reported in the OCR Breach Portal?

The portal lists reported breaches of unsecured protected health information under the HIPAA Breach Notification Rule. Entries are categorized by breach type classification (for example, hacking/IT incident, unauthorized access/disclosure, theft, loss, and improper disposal) and show where information was stored or accessed (such as network server, email, or paper records).

How can I search for a specific covered entity’s breach report?

Use the search bar to enter the covered entity’s name (or a partial name). You can narrow results further by state, individuals affected, breach submission date or incident date range, and breach type classification. Sorting columns helps bring the most relevant matches to the top.

What information is included in each breach report?

Typical fields include the covered entity’s name, whether a business associate was involved, state, covered entity type, individuals affected, incident date(s), breach submission date, breach type classification, location of breached information, and the case status (under investigation or archived).

Are breaches affecting fewer than 500 individuals reported?

Yes. Breaches affecting fewer than 500 individuals are reported to HHS OCR and appear in a listing organized by the calendar year in which they were discovered. Large-breach and small-breach listings are separate to reflect different reporting timelines.

How often is the breach portal updated?

The portal is updated on an ongoing basis as organizations submit reports and OCR posts reviewed entries. Timing varies with discovery, reporting, and review, so checking back periodically is the best way to see newly posted or updated cases.
