Data privacy enforcement actions shift focus to business associates
Enforcement action trends show OCR and state attorneys general increasingly focusing on business associates and vendor data breaches, BakerHostetler found.
The Office for Civil Rights, or OCR, ramped up its pursuit of enforcement actions against healthcare business associates in 2025, law firm BakerHostetler noted in its annual report on data security incident response. Additionally, state attorneys general filled enforcement gaps, launching their own investigations into vendor breaches that complement federal efforts.
BakerHostetler drew on more than 1,250 data security incidents across several industries it worked on in 2025, providing data on ransomware payments, response timelines and regulatory inquiries and litigation.
Health data privacy enforcement action trends
Past iterations of the report noted a marked rise in legal risk tied to the healthcare sector's use of third-party tracking pixels and other web analytics tools. This year, new filings in the pixel litigation space declined and several cases were settled, with legal activity focused elsewhere.
At the federal level, OCR's enforcement activity increased as the year went on, despite a slow start due to organizational changes and layoffs. OCR issued just 12 enforcement actions in 2025, compared to 23 in 2024.
However, the dozen enforcement actions it did issue revealed a theme.
"Significantly, the OCR made it clear in 2025 that business associates are now firmly in the enforcement spotlight," the report stated.
"Between November 2024 and throughout 2025, the OCR reported seven resolution agreements against business associates, doubling the number of business associates the OCR has penalized since they first came under enforcement purview in 2013."
OCR also focused on its security risk analysis initiative, imposing four penalties and resolution agreements in 2025. By the end of 2025, investigators "indicated that the OCR may tone down investigations in the coming year, opting for efficient technical assistance for reported incidents involving more than 500 individuals," the report noted.
"This is a departure from the OCR's long-standing position for what it terms 'large scale breaches.' This change may be due to fewer personnel in Washington, D.C., and a desire to focus on larger and more impactful breaches and compliance deficiencies."
Even if federal enforcement activity slows in 2026, state attorney general (AG) activity in 2025 suggests that states are more than willing to fill the gaps. What's more, they have the authority to do so under the HITECH Act and recently enhanced state privacy laws.
"We saw many instances where multiple state AGs launched investigations despite concurrent -- or even closed -- OCR investigations," the report stated.
"In many of these investigations, the AGs are enforcing HIPAA (without the same understanding or application as the OCR) and their own state privacy and security statutes, often couched in terms of overarching consumer protection and deceptive trade practices act powers."
State AGs have also expressed interest in pursuing enforcement actions against providers, the report noted, since healthcare data breaches tied to a state or region tend to disproportionately impact residents of that state or region.
Healthcare data breach, ransomware themes
Healthcare data breaches remain costly, often spurring legal action and steep recovery costs. While the industry improves its security posture over time, vendors remain a weak spot. More than a third of the 2025 incidents that BakerHostetler handled for healthcare clients were attributed to vendors.
AI will add another layer of complexity to vendor management in 2026, the firm suggested, requiring organizations to keep a close eye on how they manage their AI vendors and how their vendors use AI.
BakerHostetler also tracked multiple healthcare ransomware incidents in 2025, with an average ransom demand of $18 million. The healthcare industry had the highest average ransom paid at $1.2 million.
Healthcare took an average of 12.7 days to restore its systems and incurred average forensic investigation costs of $40,000.
In 2026, healthcare will likely continue to face a high volume of breaches, with AI adoption, vendor management challenges and regulatory uncertainty defining the year.
Jill Hughes has covered health tech news since 2021.