A HIPAA breach is any unauthorized access, use, or disclosure of protected health information (PHI) that violates federal privacy rules. In practical terms, it means someone’s medical records, billing details, insurance information, or other health data ended up where it shouldn’t have, whether through a cyberattack, a lost laptop, a misdirected email, or an employee snooping through files they had no reason to open. Not every security incident qualifies as a reportable breach, but the bar is lower than most people assume.
What Counts as Protected Health Information
HIPAA covers a broad category of data called protected health information. This includes anything that connects a person’s identity to their health care: diagnoses, treatment records, prescription history, lab results, insurance claims, and payment information. It also includes demographic details like names, addresses, birth dates, and Social Security numbers when they’re tied to health records. Digital files, paper charts, verbal conversations, and even faxes all fall under the same umbrella.
The law applies to “covered entities,” which includes hospitals, clinics, doctors’ offices, pharmacies, and health insurance companies. It also extends to “business associates,” meaning any outside vendor that handles health information on behalf of a covered entity. Think billing companies, cloud storage providers, IT contractors, and even shredding services. If any of these organizations allows PHI to be accessed or disclosed without authorization, that’s the starting point for a potential breach.
When a Security Incident Becomes a Breach
Not every mistake triggers HIPAA’s formal breach notification process. The rule draws a line between a security incident and a reportable breach based on whether the exposed data was “unsecured.” Unsecured PHI is health information that hasn’t been made unusable, unreadable, or indecipherable to unauthorized people. The Department of Health and Human Services recognizes two methods for securing data: encryption and destruction. If a stolen laptop’s hard drive was fully encrypted to federal standards, for example, that theft is a security incident but not a reportable breach. The organization doesn’t need to notify patients or the government.
If the data was not encrypted or destroyed, the organization must then assess the probability that the information was actually compromised. This risk assessment considers factors like the nature of the data involved, who accessed it, whether the information was actually viewed or acquired, and what steps were taken to mitigate the risk. An accidental email sent to the wrong colleague within the same practice, quickly recalled and confirmed deleted, may not rise to the level of a reportable breach. A spreadsheet with thousands of patient records posted to a public server almost certainly does.
The default assumption under HIPAA is that any impermissible use or disclosure of unsecured PHI is a breach unless the organization can demonstrate a low probability that the data was compromised. The burden of proof falls on the organization, not the patient.
Most Common Causes
Breaches fall into several categories tracked by the HHS Office for Civil Rights: hacking and IT incidents, unauthorized access or disclosure, theft, loss, and improper disposal. The landscape has shifted dramatically over the past decade. Hacking and IT incidents now dominate in terms of the number of people affected. In 2015, hacking incidents accounted for nearly 99% of all individuals affected by breaches, even though they made up only about 20% of the total number of reported incidents. A single ransomware attack or database intrusion can expose millions of records at once, which is why hacking events produce such outsized numbers.
The more common day-to-day breaches, by sheer count, involve unauthorized access and disclosure. These are the “insider” incidents: an employee accessing a patient’s chart out of curiosity, a receptionist sharing information with a family member without consent, or records being sent to the wrong patient. Theft of devices (laptops, USB drives, paper files) and simple loss of equipment also remain persistent causes. Improper disposal, like tossing unshredded patient records into a dumpster, rounds out the list.
Who Gets Notified and How Quickly
Once a breach of unsecured PHI is confirmed, HIPAA’s Breach Notification Rule sets strict timelines. Covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. The clock starts when the organization first knows about the breach or reasonably should have known, not when the investigation wraps up.
The size of the breach determines what else happens. When 500 or more individuals are affected in a single state or jurisdiction, the organization must also notify prominent local media outlets within that same 60-day window. All breaches affecting 500 or more people must be reported to the HHS Secretary at the same time individuals are notified. These large breaches are posted publicly on the HHS “Wall of Shame,” an online portal where anyone can search for breaches by organization name, location, or type of incident.
Smaller breaches affecting fewer than 500 individuals still require individual notification within 60 days, but the report to HHS can be filed annually, no later than 60 days after the end of the calendar year in which the breach was discovered. Business associates who discover a breach must notify the covered entity within 60 days so the covered entity can handle the rest of the notification chain.
Financial Penalties
The penalties for HIPAA violations, including breaches caused by inadequate safeguards, follow a four-tier system based on how much the organization knew or should have known. As of 2024, the tiers work like this:
- Tier 1, lack of knowledge: The organization didn’t know about the violation and couldn’t have reasonably known. Penalties range from $141 to $71,162 per violation, capped at about $2.13 million per year for identical violations.
- Tier 2, reasonable cause: The organization should have known but didn’t act with willful neglect. Penalties range from $1,424 to $71,162 per violation, with the same annual cap.
- Tier 3, willful neglect corrected within 30 days: The organization knowingly disregarded the rules but fixed the problem. Minimum penalty jumps to $14,232 per violation.
- Tier 4, willful neglect not corrected: The most serious category. The minimum is $71,162, the maximum is about $2.13 million per violation, and that figure also serves as the annual cap.
These are civil penalties enforced by the HHS Office for Civil Rights. Criminal violations, such as intentionally selling PHI or obtaining it under false pretenses, can result in fines up to $250,000 and prison time up to 10 years, pursued by the Department of Justice. In practice, the largest settlements have reached tens of millions of dollars for organizations with widespread compliance failures.
The Encryption Safe Harbor
One of the most important practical details in the breach notification rule is the encryption safe harbor. If health information was properly encrypted at the time it was lost, stolen, or exposed, the incident does not trigger notification requirements. HHS specifies that encryption and destruction are the only two methods that qualify. Encryption must meet recognized federal standards, meaning consumer-grade password protection on a Word document doesn’t count.
This safe harbor is a major reason why health care organizations invest heavily in encrypting data both in storage and in transit. A stolen encrypted laptop is a property loss. A stolen unencrypted laptop with patient data is a federal breach with mandatory notifications, potential media involvement, and regulatory scrutiny. The difference in consequences is enormous.
What Happens if You’re Affected
If your health information is involved in a breach, you’ll receive a written notification from the organization responsible. This notice must describe what happened, the types of information involved, steps you should take to protect yourself, what the organization is doing in response, and contact information for questions. For large breaches, the organization often provides free credit monitoring or identity theft protection services, though this isn’t strictly required by HIPAA.
You have the right to file a complaint with the HHS Office for Civil Rights if you believe your information was mishandled. You can also check the HHS breach portal yourself to see whether an organization has reported a large breach. While HIPAA itself doesn’t give individuals the right to sue directly for a breach, many states have their own health data privacy laws that may provide additional protections or legal avenues. Some states impose shorter notification timelines than the federal 60-day window, meaning organizations operating across state lines often need to comply with the strictest applicable deadline.

