News
Amazon's One Medical Seniors Hit by ShinyHunters Extortion Group: 8.8TB of Legacy Patient Data at Risk · Data BreachOpenLoop Health Telehealth Infrastructure Vendor Breach Exposes Patient Data Across Multiple Digital Health Clients · Data BreachHealthcare AI Vendor Xsolis Breach Exposes 1.4 Million Records Across Seven Hospital Systems Including Mayo Clinic · Data BreachHHS Breach Portal Backlog: OCR Still Adding March 2026 Breaches in Late June — What the Delay Means for Compliance Teams · AnalysisKettering Health Refused to Pay the Ransom. The Data Leaked Anyway: What 1.7 Million Exposed Records Teach About Ransomware and HIPAA · Data BreachOCR Settles Ransomware Investigation with Employer-Sponsored Health Plan for $450,000 · OCR EnforcementWhy a Third of Healthcare Breaches Now Trace Back to a Vendor: A Mid-Year 2026 Analysis · AnalysisFrom 4 Million to 60+ Million: The Conduent Breach Shows How Far Third-Party Risk Reaches · Data BreachNYC Health + Hospitals Breach: 1.8 Million Records Exposed via Third-Party Vendor, Including Biometric Data · Data BreachWhen Your Vendor Is the Breach: Millions of Patient Records Just Hit the HHS Tracker, and the Common Thread Is Third-Party Risk · Data BreachDo I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement · Business AssociatesAmazon's One Medical Seniors Hit by ShinyHunters Extortion Group: 8.8TB of Legacy Patient Data at Risk · Data BreachOpenLoop Health Telehealth Infrastructure Vendor Breach Exposes Patient Data Across Multiple Digital Health Clients · Data BreachHealthcare AI Vendor Xsolis Breach Exposes 1.4 Million Records Across Seven Hospital Systems Including Mayo Clinic · Data BreachHHS Breach Portal Backlog: OCR Still Adding March 2026 Breaches in Late June — What the Delay Means for Compliance Teams · AnalysisKettering Health Refused to Pay the Ransom. The Data Leaked Anyway: What 1.7 Million Exposed Records Teach About Ransomware and HIPAA · Data BreachOCR Settles Ransomware Investigation with Employer-Sponsored Health Plan for $450,000 · OCR EnforcementWhy a Third of Healthcare Breaches Now Trace Back to a Vendor: A Mid-Year 2026 Analysis · AnalysisFrom 4 Million to 60+ Million: The Conduent Breach Shows How Far Third-Party Risk Reaches · Data BreachNYC Health + Hospitals Breach: 1.8 Million Records Exposed via Third-Party Vendor, Including Biometric Data · Data BreachWhen Your Vendor Is the Breach: Millions of Patient Records Just Hit the HHS Tracker, and the Common Thread Is Third-Party Risk · Data BreachDo I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement · Business Associates

Analysis

HHS Breach Portal Backlog: OCR Still Adding March 2026 Breaches in Late June — What the Delay Means for Compliance Teams

TL;DR

OCR's breach portal has a significant backlog, reportedly linked to the 43-day government shutdown in late 2025. As of late June 2026, March 2026 breaches are still being added. Covered entities relying on the portal to monitor BA exposure may be operating with incomplete information. The portal is also offline for maintenance June 26–27, 2026.

OCR's breach portal has a significant backlog, reportedly linked to the 43-day government shutdown in late 2025. As of late June 2026, March 2026 breaches are still being added. Covered entities relying on the portal to monitor BA exposure may be operating with incomplete information. The portal is also offline for maintenance June 26–27, 2026.

OCR's HIPAA breach portal is running months behind schedule, still posting March 2026 breaches in late June. Here is what the lag means for covered entities tracking business associate risk.

medcomply.ai editorial teamPublished June 19, 2026Updated June 19, 20265 min read

As of late June 2026, the Office for Civil Rights is still adding breach reports from March 2026 to its public breach portal, meaning the list is running roughly three months behind real time. For compliance teams that use the portal to monitor business associate exposure, that gap is not a minor inconvenience. It is a material blind spot.

Warning

The OCR breach portal is currently months behind schedule. Covered entities relying on it as a primary tool for business associate breach monitoring may be unaware of incidents that have already been reported to HHS but not yet published. Do not treat the portal as a real-time or near-real-time source right now.

What Is Causing the Backlog

The backlog is widely attributed to the 43-day federal government shutdown in late 2025. HHS operations, including the staff and systems responsible for reviewing and publishing breach reports to the portal, were disrupted during that period. The HIPAA Journal, which tracks portal activity closely, noted that the portal has been slow to add new breach entries in the months since the shutdown ended.

The result is a compounding delay. Breaches reported on schedule by covered entities and business associates are sitting in the queue, unposted and invisible to anyone monitoring the portal from the outside.

To add to the disruption, the portal is scheduled for maintenance downtime on June 26 and 27, 2026, which will temporarily suspend public access entirely during that window.

Why This Matters for Covered Entities

The breach portal, sometimes called the "wall of shame," is a standard reference tool for compliance officers and privacy teams assessing third-party risk. When a business associate suffers a breach affecting multiple covered entity clients, the portal is often the first public signal that something went wrong.

Under 45 CFR §164.410, business associates are required to notify covered entities of breaches without unreasonable delay and no later than 60 days after discovery. The covered entity then carries its own notification obligations downstream to affected individuals and, in many cases, to HHS.

The portal does not replace that direct notification chain. But in practice, many compliance teams use it as a cross-reference, a way to confirm whether a BA they work with has had a reportable incident, and whether other covered entities using the same vendor have been affected.

When the portal is three months behind, that cross-referencing function breaks down. A business associate breach affecting hundreds of thousands of individuals could have been reported to HHS in March and still not appear on the portal in late June. A compliance officer checking the portal today would have no way of knowing.

What Covered Entities Should Do Now

This is not the time to reduce monitoring. It is the time to diversify it.

Revisit your business associate agreements. Your BAAs should already require timely breach notification under 45 CFR §164.314. If your agreements do not specify a notification timeline shorter than the statutory 60-day maximum, consider tightening that in your next renewal cycle. Many organizations now require 10 to 30 day notification windows contractually.

Do not rely on the portal as your only signal. Industry publications, vendor communications, state attorney general notifications, and direct vendor outreach are all supplemental channels that can surface breach information that the federal portal has not yet published.

Document your monitoring efforts. If a BA breach is later discovered and OCR asks what steps your organization took to identify it, you want a paper trail showing active monitoring through multiple channels, not just periodic portal checks.

Plan around the June 26–27 maintenance window. If your team has scheduled any portal-dependent reporting reviews or risk assessments for that period, move them. The portal will be unavailable.

A Note on Reporting Obligations

The portal delay does not change any reporting deadlines. Covered entities are still required to notify HHS of breaches affecting 500 or more individuals at the time of discovery under 45 CFR §164.408, and to notify affected individuals without unreasonable delay under 45 CFR §164.404. The backlog is an HHS publication issue on the receiving end, not a signal that deadlines have been relaxed.

This situation is not an OCR enforcement action, and no fines or penalties have been announced in connection with the portal delay itself.

The Bigger Picture

Federal agency operations have faced sustained disruption over the past year, and the breach portal backlog is one visible consequence. The 43-day shutdown did not pause the healthcare sector's breach activity. Incidents kept happening. Reports kept coming in. The queue just stopped moving at the pace it normally would.

For compliance teams, the lesson is structural: any third-party risk monitoring program that depends on a single government-maintained source is fragile. The portal is a useful tool when it is current. Right now, it is not current, and there is no public timeline for when the backlog will be fully resolved.

The OCR breach portal is running approximately three months behind as of late June 2026, likely due to disruption from the 43-day government shutdown in late 2025. Covered entities using the portal to monitor business associate breach activity should supplement it immediately with direct BAA notification requirements, vendor risk management processes, and industry news monitoring. The portal will also be offline for maintenance June 26–27, 2026. Reporting obligations for covered entities and business associates remain unchanged.

Sources & citations

  • HIPAA Journal: Healthcare Data Breach StatisticsOpen

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

Why is the OCR breach portal so far behind in 2026?
The backlog is reportedly linked to the 43-day government shutdown in late 2025, which disrupted HHS operations including breach portal updates. As of late June 2026, the portal is still adding breaches reported in March 2026.
Does the portal delay affect a covered entity's own breach reporting obligations?
No. Covered entities and business associates are still required to report breaches to HHS within the standard timeframes under 45 CFR §164.408. The portal delay is an HHS publication issue, not a change to reporting deadlines.
How can compliance teams monitor business associate breaches if the portal is behind?
Teams should not rely solely on the portal. Direct contractual notification clauses in business associate agreements, vendor risk management programs, and industry news sources like the HIPAA Journal are important supplemental monitoring tools.
When is the HHS breach portal scheduled for maintenance downtime?
The portal is scheduled for maintenance downtime on June 26 and 27, 2026, according to HIPAA Journal reporting.
Is this portal backlog an enforcement action or a fine against any organization?
No. This situation concerns HHS's internal publication delays on the breach portal. It is not an OCR enforcement action, and no fines have been announced in connection with this matter.

Related intelligence

Analysis

Why a Third of Healthcare Breaches Now Trace Back to a Vendor: A Mid-Year 2026 Analysis

7 min read

Analysis

HIPAA Compliance Checklist for Covered Entities — 2026 Edition

9 min read

Analysis

HIPAA Staff Training Requirements — What's Required, Who Needs It, and How to Document It

7 min read

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.