Healthcare data breaches are now large enough, frequent enough, and operationally disruptive enough that treatment center leadership can no longer treat cybersecurity as a back-office compliance issue. Rising breach rates, growing vendor exposure, and continued ransomware activity mean admissions portals, CRMs, intake systems, and third-party tools now sit directly inside the organization’s liability surface. In 2026, HIPAA compliance, vendor security, and ransomware preparedness are leadership issues because they affect revenue continuity, client trust, and regulatory risk.
Most treatment centers do not think about cybersecurity through the lens of admissions operations. They think about it as an IT responsibility, a vendor question, or a compliance checkbox.
That framing is outdated.
The systems that drive growth today also create exposure. Intake forms collect protected health information before a client is admitted. CRMs store contact data, insurance details, and admissions notes. Call tracking tools, website forms, live chat platforms, patient portals, and analytics scripts all create additional points of vulnerability. If one of those systems is compromised, the impact is not limited to privacy. It affects admissions continuity, internal operations, client confidence, and legal exposure.
Leadership teams need to understand that a breach in the admissions-to-intake workflow is not simply a technical failure. It is a business interruption event tied directly to trust and revenue.
The Direction of the Data Is Clear
The long-term trend is not ambiguous. Large healthcare data breaches have risen sharply since federal breach reporting began in 2009. The pace accelerated significantly between 2018 and 2021 as ransomware groups increasingly targeted the healthcare sector. While the number of large breaches declined modestly from 2024 to 2025, the industry is still operating at a breach volume that would have been unthinkable a decade ago.
In 2023, 746 large healthcare data breaches affecting 500 or more individuals were reported. In 2024, 742 were reported. In 2025, that number fell to 710, which is lower, but not meaningfully reassuring. The monthly pace has slowed from the 2023 and 2024 peak, but breach volume remains structurally high.
This matters because the baseline has changed. Healthcare is no longer dealing with occasional breach events. It is operating in a high-frequency threat environment.
The Bigger Risk Is the Size of the Breaches
The number of breaches tells only part of the story. The size of the largest incidents has changed the economics of risk.
Between 2022 and 2023, the number of reported large breaches rose by only about 3.8%, but the number of affected individuals increased by 193.5%. Between 2023 and 2024, the number of large breaches declined slightly, yet the number of affected individuals jumped 58% to more than 289 million. That total was driven by mega breaches, especially the Change Healthcare ransomware attack, which affected an estimated 192.7 million individuals.
Even after that spike, 2025 still involved roughly 62 million affected individuals. That is far below the 2024 total, but it is still not a normal operating environment.
For treatment center leadership, the takeaway is simple. A stable breach count does not mean stable risk. A single vendor compromise can expose millions of records and create downstream disruption across covered entities, business associates, intake workflows, reimbursement functions, and client communications.
Hacking Now Dominates the Threat Profile
Healthcare used to deal more heavily with lost devices, stolen records, and improper disposal. That is no longer the primary problem.
Hacking and other IT incidents now account for the overwhelming majority of large healthcare breaches. In 2019, hacking represented 49% of reported breaches. In 2023, that figure rose to 79.7%. In 2025, hacking and other IT incidents accounted for more than 80% of large healthcare breaches.
That shift changes how leadership should think about protection.
The old model focused on physical safeguards, device management, and record disposal. Those still matter, but the center of gravity has moved. The higher-risk questions now involve privileged access, cloud permissions, MFA enforcement, ransomware resilience, vendor integrations, tracking technologies, and incident response readiness.
Treatment centers that still think of a breach as a stolen laptop problem are defending against yesterday’s threat model.
Business Associates Have Become a Major Exposure Point
One of the clearest lessons in the data is that supply chain risk is now central to healthcare cybersecurity.
Many of the largest breaches in recent years have occurred at business associates rather than the covered entities themselves. Change Healthcare is the most obvious example, but it is not the only one. The breach data shows how a single vendor incident can cascade across many organizations because one business associate often sits inside multiple workflows across multiple clients.
This is especially relevant for treatment centers. Admissions and intake operations often rely on external tools for CRM management, form capture, call tracking, insurance workflows, website chat, analytics, EHR integrations, and financial communications. Each tool may improve workflow efficiency, but each tool also expands the attack surface.
The leadership mistake is assuming that vendor use reduces operational burden without increasing operational risk. It does both.
A third-party platform handling admissions or client data is not separate from your security posture. It is part of it.
Admissions Systems Are Now Part of the Liability Surface
This is where many treatment centers are underestimating the problem.
Most breach conversations focus on EHRs and enterprise systems. In practice, admissions systems may be just as exposed. Website forms, landing pages, chat widgets, CRM automations, intake notes, and digital scheduling tools often process protected health information earlier in the client journey than leadership realizes.
That creates a dangerous blind spot. A facility may believe its core records are secure while overlooking exposure in the front end of the funnel.
The risk increases when tracking and analytics tools are installed without clear HIPAA review. The data shows that unauthorized access and disclosure incidents have increasingly involved website tracking technologies and patient-facing digital tools. If protected health information is collected and transmitted without the appropriate agreement structure or controls, that is not simply sloppy marketing ops. It can become a reportable breach.
For treatment centers, this means the line between growth infrastructure and compliance infrastructure has disappeared.
OCR Enforcement Is Not Slowing Down
The HHS Office for Civil Rights is carrying a growing backlog of investigations, but that should not be confused with reduced enforcement risk.
As of January 31, 2026, 978 large breach investigations were under or awaiting investigation. OCR has adjusted how it uses limited resources and has focused more directly on specific provisions of the HIPAA Security Rule, especially risk analysis failures. That matters because risk analysis is one of the most common weaknesses identified after hacking incidents.
Enforcement is also continuing across multiple fronts. OCR increased enforcement actions again in 2025, and its current initiatives include not only Right of Access enforcement but continued scrutiny of risk analysis, risk management, and breach notification failures.
The practical lesson for leadership is not that every breach produces a large fine. It is that organizations are being evaluated on whether they understood their risks, documented them, and acted on them. A breach followed by visible risk analysis gaps creates a very different regulatory posture than a breach followed by evidence of disciplined security governance.
Ransomware Preparedness Is Now Operational Preparedness
Ransomware is not just a security event. It is an operating model stress test.
When systems go down, admissions slows. Insurance verification stalls. Internal communication becomes fragmented. Staff begins creating workarounds. Documentation quality suffers. Client experience degrades. Leadership is forced into reactive decision-making.
This is why ransomware preparedness has to move beyond firewall language and become an operational readiness issue.
A treatment center needs to know what happens if the admissions portal goes offline, if CRM access is interrupted, if intake notes become unavailable, or if a vendor system that supports eligibility or communication is compromised. Those are not hypothetical questions. They are continuity questions tied directly to census and cash flow.
An organization that cannot continue core intake and admissions functions during a cyber event does not have a cybersecurity problem alone. It has a business resilience problem.
Faebl Executive Perspective
The rise in healthcare breaches should change how treatment center leadership evaluates growth systems.
Admissions portals, CRMs, call tracking tools, intake platforms, and analytics layers are not neutral infrastructure. They are part of the organization’s HIPAA and cybersecurity exposure. If they collect, route, store, or transmit protected health information, they belong inside risk analysis, vendor review, and incident planning.
Leadership should treat three questions as urgent.
First, where does protected health information enter the system before admission, and which tools touch it?
Second, which vendors are inside the admissions-to-intake workflow, and how strong is the due diligence behind those relationships?
Third, if a ransomware event or vendor breach interrupted intake operations tomorrow, how long could the facility continue to function without material revenue disruption?
Facilities that cannot answer those questions clearly are operating with more cyber risk than they realize.
