What Is the HIPAA Wall of Shame? A Plain-English Guide to HHS's Breach Portal


Kevin Henry

HIPAA

September 08, 2025


Overview of the HIPAA Wall of Shame

The “HIPAA Wall of Shame” is the nickname for the U.S. Department of Health and Human Services’ breach notification portal managed by the HHS Office for Civil Rights (OCR). It publicly lists large breaches of unsecured Protected Health Information (PHI) that covered entities and their business associates report under the HIPAA and HITECH Act breach notification rules.

The portal is a searchable database you can use to see who reported a breach, when the report was submitted, how many individuals were affected, and what type of incident it was. Because every large breach is visible to patients, regulators, journalists, and competitors, the listing itself is a strong incentive for covered entities and business associates to invest in data security before an incident, not after.

Purpose and Importance

Congress created the HITECH Act breach notification requirements to bring transparency to significant privacy incidents in healthcare. By making reports public, the portal helps you understand common risks and pressures organizations to prevent repeat errors.

For covered entity breach reporting, the portal serves three goals: inform the public, guide industry improvements, and support OCR’s breach investigation process. The result is a feedback loop—public accountability drives better controls, which in turn reduce future PHI exposure.

Details Included in the Breach Reports

Each listing contains concise facts that help you quickly assess what happened and its scale. Typical data points include:

  • Entity name and type (healthcare provider, health plan, clearinghouse, or business associate)
  • State where the entity is located
  • Number of individuals affected
  • Date the report was submitted to HHS
  • Type of breach (for example, hacking/IT incident or unauthorized access/disclosure)
  • Location of breached information (such as network server, email, EMR, paper/films, laptop, or portable device)
  • Whether a business associate was involved
  • Whether the case is still under OCR investigation (active list) or has been resolved (archive); resolved entries often carry a short description of the incident and the corrective action taken

Together, these fields let you compare incidents, spot patterns, and understand where your own safeguards may need attention.

Categories and Types of Breaches

Incident categories you will see

  • Hacking/IT Incident: Network intrusions, ransomware, or email account compromises that expose PHI
  • Unauthorized Access/Disclosure: Snooping, misdirected emails/faxes, or improper sharing
  • Theft or Loss: Stolen or misplaced devices, records, or backups
  • Improper Disposal: Records or media discarded without proper destruction
  • Other: Events that don’t cleanly fit the main buckets

Locations where PHI is commonly exposed

  • Network server and cloud-hosted systems
  • Email and webmail accounts (often via phishing)
  • Electronic medical record (EMR) applications
  • Paper/films and printed reports
  • Laptops, desktops, and portable electronic devices

Recognizing these categories helps you prioritize controls—like multi-factor authentication, encryption, access monitoring, and secure disposal—to meet data security compliance expectations.


Who must report and when

Under the HIPAA Breach Notification Rule, covered entities must report breaches of unsecured PHI to HHS; business associates must notify the affected covered entity without unreasonable delay, and the covered entity then makes the report. If a breach affects 500 or more individuals in total, regardless of where they live, you must notify HHS without unreasonable delay and no later than 60 calendar days after discovery, at the same time you notify the individuals. Breaches affecting fewer than 500 individuals are logged as they occur and submitted to HHS no later than 60 days after the end of the calendar year in which they were discovered.

Notifying individuals and, when required, the media

You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If a breach involves more than 500 residents of a single state or jurisdiction, you must also notify prominent media outlets serving that state or jurisdiction within the same deadline. Note that the HHS threshold counts all affected individuals wherever they live, while the media threshold is counted per state, so a breach of 550 people spread across several states can require immediate HHS notice without triggering any media notice.

Risk assessment and safe harbor

An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless you can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised. The assessment must weigh at least four factors: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Separately, PHI that has been encrypted or destroyed in a manner consistent with HHS guidance, so that it is unusable, unreadable, or indecipherable to unauthorized persons, is not "unsecured," and its loss or exposure does not trigger notification duties at all. This is the safe harbor, and it is the main reason full-disk and device encryption remove so many lost-laptop incidents from the portal.
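The reporting rules in the three subsections above (who must report, the individual and media notices, and the breach presumption with its safe harbor) interact in ways that are easy to get wrong, especially the difference between the total-count HHS threshold and the per-state media threshold. The following added example, which is not part of the original article and is an illustration rather than a legal tool, encodes those thresholds and deadlines in a small Python function. The `Incident` record and its field names are assumptions introduced here; the sample incidents are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and outer deadlines from the HIPAA Breach Notification Rule
# (45 CFR 164.404, 164.406, 164.408). Illustrative encoding, not legal advice.
OUTER_DEADLINE_DAYS = 60      # individual and HHS notice: no later than 60 calendar days after discovery
HHS_LARGE_BREACH_MIN = 500    # 500 or more individuals in total, wherever they live
MEDIA_MIN_PER_STATE = 500     # more than 500 residents of a single state or jurisdiction


@dataclass
class Incident:
    """Hypothetical incident record used for this example."""
    discovered: str                       # ISO date of discovery, e.g. "2025-09-08"
    affected_by_state: dict               # state code -> number of residents affected
    secured_per_hhs_guidance: bool = False       # encrypted/destroyed per HHS guidance (safe harbor)
    low_probability_of_compromise: bool = False  # conclusion of the documented four-factor risk assessment


def total_affected(inc: Incident) -> int:
    return sum(inc.affected_by_state.values())


def is_reportable_breach(inc: Incident) -> bool:
    """Presume a breach unless the PHI was secured or the risk assessment shows low probability of compromise."""
    if inc.secured_per_hhs_guidance:
        return False   # not "unsecured PHI": notification duties never attach
    return not inc.low_probability_of_compromise


def notification_plan(inc: Incident) -> dict:
    """Return who must be notified and the latest permissible date for each notice.

    The dates are outer limits; 'without unreasonable delay' still governs.
    """
    if not is_reportable_breach(inc):
        return {"breach": False}

    discovered = date.fromisoformat(inc.discovered)
    outer = discovered + timedelta(days=OUTER_DEADLINE_DAYS)
    plan = {"breach": True, "individuals_by": outer.isoformat()}

    if total_affected(inc) >= HHS_LARGE_BREACH_MIN:
        # Large breach: notify HHS contemporaneously with individuals; this is what lands on the portal.
        plan["hhs_by"] = outer.isoformat()
    else:
        # Small breach: log it now, submit within 60 days after the end of the calendar year of discovery.
        year_end = date(discovered.year, 12, 31)
        plan["hhs_by"] = (year_end + timedelta(days=OUTER_DEADLINE_DAYS)).isoformat()

    # Media notice is counted per state, so a breach can need immediate HHS notice with no media notice.
    plan["media_states"] = sorted(
        state for state, n in inc.affected_by_state.items() if n > MEDIA_MIN_PER_STATE
    )
    plan["media_by"] = outer.isoformat() if plan["media_states"] else None
    return plan


if __name__ == "__main__":
    # Constructed sample: 550 people across two states, none over the per-state media threshold.
    print(notification_plan(Incident("2025-09-08", {"CA": 300, "NY": 250})))
```

Running the sample shows the edge case the rule creates: 550 affected individuals means HHS must be notified within the 60-day window, yet no state has more than 500 residents affected, so no media notice is due. Flip the numbers to a single state with 501 residents and the media notice appears; set `secured_per_hhs_guidance=True` and the whole plan collapses to "not a breach".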

Duration and Archiving of Breaches

OCR's active list ("Cases Currently Under Investigation") shows large breaches reported within the last 24 months that OCR is still investigating. Entries older than that, or whose investigations OCR has resolved, move to the archive, which remains publicly accessible and preserves a long-term record of incidents and outcomes. OCR may update a listing as new facts emerge during the investigation, and resolved entries frequently gain a short description of the incident and the corrective action taken.

For your compliance planning, assume that a large breach will be visible to the public for years—first on the active list, then in the archive—making accuracy and timeliness in covered entity breach reporting essential.

Public Access and Controversy

The breach notification portal is open to anyone. You can search by entity name, state, date ranges, and incident characteristics to find specific cases or study trends. This transparency helps patients stay informed and gives compliance teams real-world data to benchmark controls.

Critics argue the “Wall of Shame” label overemphasizes reputational harm. Supporters counter that public accountability accelerates security improvements and deters repeat violations. Either way, the portal’s visibility means your incident response—communication, remediation, and prevention—matters as much as the breach itself.

Conclusion

The HIPAA Wall of Shame is a public, permanent reminder that safeguarding PHI is a core obligation. Use its insights to strengthen controls, refine training, and verify that your breach response and reporting meet the HITECH Act breach notification requirements.

FAQs

What criteria determine inclusion on the HIPAA Wall of Shame?

Listings reflect breaches of unsecured PHI affecting 500 or more individuals that covered entities report to HHS (with business associates notifying their covered entities). The incidents must meet HIPAA/HITECH breach notification thresholds.

How long do breaches stay on the Wall of Shame?

Breaches stay on the active list while OCR's investigation is open, for up to 24 months from the report date, and then move to an archive where they remain publicly accessible. Expect visibility for years, even after OCR closes its review.

Can individuals search the Wall of Shame database publicly?

Yes. The breach notification portal is publicly searchable, allowing you to filter by organization, location, dates, and incident characteristics to find specific cases or analyze trends.

What types of breaches are most commonly reported?

Hacking/IT incidents—especially email and network server compromises—are frequently reported, followed by unauthorized access/disclosure. Theft and loss have declined as encryption and device controls have improved, while improper disposal is less common but still occurs.
