The Department of Health and Human Services Office for Civil Rights (OCR) “Wall of Shame” and Third-Party Involvement

Nearly 38% of the U.S. population has been affected by a third-party, HIPAA-related breach in the past 13 months.

Some colleagues think I’m eccentric for enjoying browsing through the data on the U.S. Department of Health and Human Services Office for Civil Rights (OCR) Breach Portal. However strange this may seem, I find that others’ challenges present opportunities for improvement through analysis.

When you think of the OCR, many of you have an impending sense of dread. But I’d recommend that instead of thinking of the OCR as an enforcement agency, think of it as a treasure trove of data that you can leverage for your own benefit. The OCR’s Breach Portal, or so-called “Wall of Shame,” is full of insightful data.

[Figure: screenshot of the U.S. Department of Health and Human Services Office for Civil Rights breach portal, the so-called “wall of shame.”]

The Breach Portal allows anyone to gain insights into the prevalence of HIPAA-related breaches and their general causes. In October 2023, the OCR analyzed its data for Cybersecurity Awareness Month. From that analysis, we learned that since 2019, hacking-related breaches reported to the OCR have increased 239%. We also learned that ransomware-specific incidents rose 278% over the same timeframe. Since that report, at least 48 additional ransomware attacks have occurred, and over 20% of those 48 involved a third party.

While exploring the OCR breach portal, I found some shocking statistics. As of February 25, 2025, 650 breach reports are currently under investigation. Notably, 32% of these reports from the past 13 months involved third parties, affecting over 128 million people. That’s nearly 38% of the U.S. population in just over a year.
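The breach-portal analysis described above is easy to reproduce once the data is exported. The following Python script is an added example, not code from the original post: it reads a CSV laid out like the portal's export, keeps only reports submitted in a trailing 13-month window, and reports what share of them list a business associate and how many individuals those reports cover. The column names and the sample rows are constructed assumptions; confirm the headers against a real download before pointing the script at live data.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample rows in the layout of the OCR Breach Portal CSV export.
# The column names are an assumption about the export format; verify them
# against a real download before running this on live data.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Sample Health System A,TX,Healthcare Provider,2500000,01/15/2025,Hacking/IT Incident,Network Server,Yes
Sample Clinic B,OH,Healthcare Provider,120000,11/02/2024,Unauthorized Access/Disclosure,Email,No
Sample Billing Vendor C,CA,Business Associate,800000,03/20/2024,Hacking/IT Incident,Network Server,Yes
Sample Plan D,NY,Health Plan,50000,12/10/2023,Hacking/IT Incident,Network Server,Yes
Sample Hospital E,FL,Healthcare Provider,300000,06/05/2024,Hacking/IT Incident,Network Server,No
Sample Practice F,WA,Healthcare Provider,45000,02/01/2025,Theft,Laptop,No
"""

# The "as of" date used in the article's figures.
AS_OF = date(2025, 2, 25)


def load_breaches(csv_text):
    """Parse portal-style CSV text into dicts with typed date and count fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "entity": r["Name of Covered Entity"],
            "submitted": datetime.strptime(r["Breach Submission Date"], "%m/%d/%Y").date(),
            "affected": int(r["Individuals Affected"]),
            "breach_type": r["Type of Breach"],
            # The portal flags third-party involvement as a business associate being present.
            "third_party": r["Business Associate Present"].strip().lower() == "yes",
        })
    return rows


def months_before(d, months):
    """Return the same day-of-month `months` earlier (day clamped to 28 so it is always valid)."""
    year, month = d.year, d.month - months
    while month < 1:
        month += 12
        year -= 1
    return date(year, month, min(d.day, 28))


def third_party_summary(rows, as_of, months=13):
    """Count reports in the trailing window and the share that list a business associate."""
    start = months_before(as_of, months)
    window = [r for r in rows if start <= r["submitted"] <= as_of]
    third_party = [r for r in window if r["third_party"]]
    return {
        "window_start": start,
        "reports": len(window),
        "third_party_reports": len(third_party),
        "third_party_pct": round(100 * len(third_party) / len(window), 1) if window else 0.0,
        "third_party_individuals": sum(r["affected"] for r in third_party),
        "all_individuals": sum(r["affected"] for r in window),
    }


def share_of_population(individuals, population):
    """Express an affected-individual count as a percentage of a population figure."""
    return round(100 * individuals / population, 1)


if __name__ == "__main__":
    summary = third_party_summary(load_breaches(SAMPLE_CSV), AS_OF)
    print(f"Reports since {summary['window_start']}: {summary['reports']}")
    print(f"Third-party involved: {summary['third_party_reports']} "
          f"({summary['third_party_pct']}%), "
          f"covering {summary['third_party_individuals']:,} individuals")
    # Assumed U.S. population of 340 million for the share calculation.
    print(f"Share of population: {share_of_population(summary['third_party_individuals'], 340_000_000)}%")
```

On the constructed sample, five of the six rows fall inside the 13-month window ending 25 February 2025 and two of those list a business associate, so the script reports 40% third-party involvement. Swap in a real export and the same functions give the portal-wide figures the post quotes.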

We all know third parties can be a threat, but who knew that third parties were involved in data incidents on this scale? Clearly, mitigating third-party risk is more essential than ever. We must be vigilant and not simply trust a vendor’s SOC 2 report. We have to dig deeper.

One example of the complexities that third-party risk poses in healthcare is merger and acquisition activity. Healthcare IT M&A continues to march forward due to private equity investment in that market. According to Capstone, healthcare IT transactions jumped 2.7% in 2024 to at least 265 transactions. How often are these newly acquired companies truly integrated into the trusted environment of their larger, more security-mature parent companies?

If you have a detailed assessment of a company on file and that company manages employee timekeeping or an employee recognition program, the IT evaluation likely didn’t address its controls over sensitive patient data. But if that same company acquires another that provides deep AI-driven patient analytics, a passing grade for the parent company no longer suffices.

It’s essential to assess third parties at the engagement level, not just at the company level. Failing to do so leaves a significant gap in your third-party assessment program—a gap large enough to land you a spot on the Wall of Shame for others to learn from.