HHS Wall of Shame (HIPAA Breach Portal): What It Is and How to Search It
Overview of the HHS Breach Portal
The HHS Wall of Shame—formally the HIPAA Breach Portal—publicly lists breaches of unsecured Protected Health Information (PHI) reported to the HHS Office for Civil Rights (OCR). It focuses on large incidents affecting 500 or more individuals under the HIPAA Breach Notification Rule.
Each listing identifies the reporting organization (a HIPAA covered entity or business associate), key dates, the number of people affected, the breach type classification, and where the information resided. Results are organized by status, typically showing items currently under investigation and an archive of older cases.
For compliance teams, privacy officers, and security leaders, the portal serves as both a transparency tool and a practical reference for information security compliance trends across the healthcare sector.
Importance of Public Accessibility
Public access empowers you—whether a patient, researcher, or security professional—to see how organizations protect PHI and how often incidents occur. Transparency strengthens accountability and helps drive industry-wide improvements.
For covered entities, visibility on the portal reinforces the urgency of rapid detection, containment, and accurate data breach submission. For patients, it supports informed decisions and timely protective steps after a breach.
- Accountability: Public reporting encourages stronger safeguards and executive attention.
- Awareness: Individuals can quickly check whether their provider or plan reported a breach.
- Benchmarking: Security teams can study patterns to refine controls and training.
Utilizing Search Filters Effectively
Core filters you can combine
- Entity name and state: Find a specific covered entity, business associate, or region.
- Covered entity type: Health care provider, health plan, health care clearinghouse, or business associate.
- Breach type classification: Hacking/IT incident, unauthorized access/disclosure, theft, loss, improper disposal, or other.
- Location of breached information: Network server, email, electronic medical record, desktop, laptop, portable device, or paper/film.
- Individuals affected: Focus on large-scale events or narrow to mid-sized incidents.
- Dates: Filter by discovery date or breach submission date to reconstruct timelines.
- Status: Compare items under investigation with archived cases.
Practical search tips
- Start broad, then layer filters (for example, by state and breach type) to reach relevant results quickly.
- Use partial names for entities with complex legal titles or health system affiliates.
- Contrast discovery vs. submission dates to understand response velocity and reporting cadence.
- Review the location of breached information to infer likely attack vectors and control gaps.
Understanding Breach Report Details
What each listing typically shows
- Organization details: Covered entity or business associate name and covered entity type.
- Impact: Number of individuals affected and the state associated with the report.
- Timeline: Date the breach was discovered and the breach submission date to OCR.
- Breach context: Breach type classification and the location of the breached information.
- Status: Whether the matter is under investigation or in the archive.
How to interpret the data
Relate breach type to the location of data to gauge risk. For example, hacking involving a network server may point to ransomware or lateral movement, whereas unauthorized disclosure tied to paper records can indicate mail or filing errors.
Numbers alone don’t tell the whole story. Examine timelines and recurring patterns—like repeated email compromises—to spotlight training needs, MFA gaps, or insufficient data loss prevention controls.
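As an added example (not part of this page or of Accountable's tooling), the Python below triages a constructed, portal-style CSV export the way the filter and interpretation tips above describe: it layers exact-match filters, measures discovery-to-submission lag against the 60-day rule, and tallies recurring breach type/location pairs such as repeated email compromises. The column names and the `Discovery Date` field are assumptions about the export layout, and every row is constructed sample data.

```python
"""Triage constructed HHS breach-portal-style records: filter, compute
discovery-to-submission lag against the 60-day rule, and tally recurring
type/location pairs. Added example; columns and rows are constructed."""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample export. The columns mirror the fields this page lists;
# "Discovery Date" is an assumed column, not a confirmed portal field.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Discovery Date,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,TX,Healthcare Provider,1200,2024-01-05,2024-02-20,Hacking/IT Incident,Email
Example Clinic A,TX,Healthcare Provider,800,2024-05-10,2024-06-12,Hacking/IT Incident,Email
Example Plan B,OH,Health Plan,45000,2024-03-01,2024-05-15,Hacking/IT Incident,Network Server
Example Vendor C,CA,Business Associate,600,2024-04-02,2024-04-20,Unauthorized Access/Disclosure,Paper/Films
"""

DEADLINE_DAYS = 60  # Breach Notification Rule outer limit for 500+ individuals


def load_records(text=SAMPLE_CSV):
    """Parse portal-style CSV text into dicts with typed numeric/date fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Individuals Affected"] = int(row["Individuals Affected"])
        row["Discovery Date"] = date.fromisoformat(row["Discovery Date"])
        row["Breach Submission Date"] = date.fromisoformat(row["Breach Submission Date"])
        rows.append(row)
    return rows


def submission_lag_days(rec):
    """Days from discovery to OCR submission, i.e. response velocity."""
    return (rec["Breach Submission Date"] - rec["Discovery Date"]).days


def late_submissions(records, deadline=DEADLINE_DAYS):
    """Names of entities whose submission lag exceeded the deadline."""
    return [r["Name of Covered Entity"] for r in records
            if submission_lag_days(r) > deadline]


def filter_records(records, **criteria):
    """Layer filters like the portal UI: exact match on each named column."""
    return [r for r in records if all(r[k] == v for k, v in criteria.items())]


def pattern_counts(records):
    """Count (entity, breach type, location) triples to surface repeat incidents."""
    return Counter((r["Name of Covered Entity"], r["Type of Breach"],
                    r["Location of Breached Information"]) for r in records)
```

Running `late_submissions(load_records())` on the sample flags only the entity that took 75 days, and `pattern_counts` shows the same clinic reporting two email compromises, the kind of repeat the text suggests points to MFA or training gaps.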
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Compliance with HIPAA and HITECH Requirements
Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals, report to the HHS Office for Civil Rights (OCR), and in some cases notify prominent media. Business associates must notify the covered entity so it can fulfill these duties, or report directly if their agreements require it.
Timing matters: For breaches affecting 500 or more individuals, notifications to individuals and the OCR must occur without unreasonable delay and no later than 60 calendar days after discovery. Smaller incidents must be logged and reported to OCR annually. Accurate, timely data breach submission helps demonstrate good-faith compliance.
- Conduct and document a four-factor risk assessment to determine if an impermissible use or disclosure constitutes a reportable breach.
- Maintain Business Associate Agreements and vendor oversight aligned with information security compliance expectations.
- Implement safeguards required by the HIPAA Security Rule, including risk analysis, encryption, access controls, and workforce training.
- Retain documentation to substantiate decision-making, notices, and remediation efforts.
Monitoring and Responding to Breaches
For covered entities and business associates
- Detect and contain: Escalate promptly, secure systems, preserve logs, and engage incident response.
- Assess risk: Evaluate the nature of PHI, the unauthorized recipient, whether data was actually viewed/acquired, and mitigation steps taken.
- Notify: Deliver clear notices to individuals; for large breaches, meet the 60-day deadline and coordinate media notice where required.
- Submit and update: Provide an accurate breach submission to OCR and update it if facts change.
- Remediate: Close root causes, strengthen controls, and document corrective actions for compliance and future audits.
For patients and consumers
- Use the portal to confirm whether your provider, plan, or vendor reported a PHI incident.
- Follow recommended protections such as account monitoring, password changes, fraud alerts, or credit freezes if financial data may be involved.
- Contact the organization with questions about what was exposed and available support.
Best Practices for Data Protection
Technical safeguards
- Apply least privilege, strong authentication (including MFA), and continuous patching.
- Encrypt PHI at rest and in transit; use email security controls and disable legacy protocols.
- Deploy endpoint detection and response, network segmentation, and robust backups with routine restore testing.
- Enable logging, alerting, and data loss prevention to detect and stop exfiltration.
Administrative and vendor controls
- Perform periodic risk analyses and update policies to reflect current threats.
- Strengthen workforce training and phishing resilience with realistic exercises.
- Manage Business Associate risk with due diligence, BAAs, and continuous monitoring.
- Minimize PHI collection and retention to reduce breach impact.
Operational readiness
- Run tabletop exercises that cover investigation, notification, and public communications.
- Track metrics like time-to-detect and time-to-notify to drive continuous improvement.
- Document everything to demonstrate HIPAA and HITECH-aligned information security compliance.
Conclusion
The HHS Wall of Shame (HIPAA Breach Portal) helps you research real-world PHI incidents, refine defenses, and verify regulatory follow-through. Use filters to zero in on relevant cases, read listings in context, and align your response and safeguards with HIPAA, HITECH, and industry best practices.
FAQs
What information is included in an HHS breach report?
You will typically see the reporting organization, covered entity type, state, number of individuals affected, breach discovery and submission dates, the breach type classification, the location of the breached information, whether a business associate was involved, and the status (under investigation or archived).
How often is the HHS Wall of Shame updated?
The portal is updated on a rolling basis as OCR receives, reviews, and posts breach submissions from covered entities and business associates. Listings may be revised if organizations provide corrections or additional details.
Who is required to report breaches to the HHS portal?
HIPAA covered entities—and their business associates—must report breaches of unsecured PHI to the HHS Office for Civil Rights under the Breach Notification Rule. Large breaches (500 or more individuals) require notice to OCR without unreasonable delay and no later than 60 days after discovery, while smaller incidents are reported annually.