The U.S. healthcare sector suffered yet another intense month of data breaches in May 2025, with 59 incidents reported to the Department of Health & Human Services (HHS) Office for Civil Rights (OCR). These attacks compromised the protected health information (PHI) of over 1.8 million individuals, largely through hacking and network-based intrusions.
But May wasn’t just a bad month for data security—it was also a loud warning shot from regulators. The OCR announced multiple enforcement actions involving ransomware attacks and inadequate risk analysis, making it clear that noncompliance is no longer going unpunished.
May 2025 Breach Summary
- Total Reported Breaches: 59
- Individuals Affected: 1,884,653
- Primary Cause: Hacking/IT Incidents (77%)
- Most Affected: Business Associates and Medium-to-Large Healthcare Providers
Largest Breaches in May
Regulatory Spotlight: OCR Cracks Down on Compliance Failures
In tandem with May’s breach activity, the OCR announced two major enforcement settlements:
- Comstar: Reached a settlement with OCR following a ransomware attack that compromised 585,621 records. OCR found that Comstar had failed to conduct an accurate and thorough risk analysis or to implement the security measures the HIPAA Security Rule requires.
- Vision Upright MRI: Agreed to a settlement over its failure to conduct a proper risk analysis, a fundamental HIPAA Security Rule requirement, which left the organization exposed to a breach.
These recent cases show OCR is targeting noncompliance, particularly:
- Lack of documented risk analysis
- Weak or missing safeguards for data at rest and in transit
- Inadequate business associate oversight
How Compliancy Group Prevents These Mistakes Before They Happen
With Compliancy Group’s healthcare compliance software, you don’t just check boxes—you proactively secure your organization.
Risk Analysis That Meets OCR Standards
Our risk analysis walks you through a guided, thorough process. It flags security gaps and offers solutions tailored to HIPAA requirements—so you’re never caught off guard in an audit or investigation.
Security Policies and Procedures
We provide policy templates that include guidance on implementing data encryption, access controls, and contingency plans, all of which OCR typically requires under the corrective action plans that accompany its ransomware settlements.
Vendor & Business Associate Management
Business associates were behind several large breaches in May. Compliancy Group helps you issue, track, and manage Business Associate Agreements (BAAs) and evaluate vendor risk, reducing the chance that a vendor's failure becomes your breach and giving you documented evidence of due diligence if OCR asks.
Training and Incident Response Templates
Many ransomware incidents begin with a phishing email or another human error. We provide staff training and incident response planning that helps your team recognize threats and react quickly.
Audit-Ready Documentation
Our platform keeps a digital paper trail of everything—risk assessments, policies, training logs, and BAAs—so you’re ready for OCR scrutiny anytime.
“Most practices don’t fail OCR audits because they don’t care—they fail because they weren’t prepared. We make it easy to be both.” — Compliancy Group
What You Can Learn from May’s Breaches
- Network Servers Are the #1 Target: Keep them patched, monitor them for anomalous access, and limit their exposure to the internet.
- Business Associates Are Still a Weak Link: Vet your vendors and ensure you have active BAAs in place.
- Risk Analysis Is Not Optional: It's required by law, and it is the #1 failure OCR is enforcing against.
Don’t Wait for a Breach to Start Protecting Your Practice
The cost of inaction isn’t just reputational—it’s regulatory.
Compliancy Group helps you build a culture of compliance, secure your data, and stay audit-ready, no matter what the threat landscape looks like. Schedule a demo to learn more about how our software can help you protect your business today!