Analysis — 2026 / Healthcare

HIPAA breach & home health agency exposure.

Three interactive maps exploring the spatial relationship between breach activity and home health agency density across the United States. All data drawn from federal sources; all code and methodology are open.

The Figures

7,486

Breaches

843M

People affected

12,306

Agencies

73%

For-profit

The Maps

Threat

Every HIPAA breach affecting 500+ people, 2015–2026. Toggle among density hexagons, typed scatter points, and heat.

7,486 breaches3 view modesdeck.gl

Open

Exposure

Every Medicare-certified home health agency, colored by ownership type. For-profit dominance visible at a glance; zoom into any metro area.

12,306 agenciesOwnership, density, heatdeck.gl

Open

Overlay

Breach heat layered on agency density. Toggle layers to see the correlation — where the industry grows, the breaches follow.

Both datasetsLayer toggledeck.gl

Open

Findings

01 · The thesis

Breaches scale with agency density.

Plot every state's home health agency count against its HIPAA breach count. The relationship is close to linear. California and Texas are the rightmost outliers; the mid-range cluster (Florida, Illinois, Pennsylvania) sits exactly where regression would put them.

Scatter plot: 50 US states, x-axis is number of Medicare-certified home health agencies (0 to 3,300), y-axis is number of HIPAA breaches affecting 500+ individuals (0 to about 1,000). Dots are colored by for-profit percentage on a faint-to-clay gradient. California sits in the upper right at roughly 3,150 agencies and 860 breaches. Texas at roughly 1,850 agencies and 630 breaches. Florida at 1,150 and 410. A dashed regression line passes through the cluster.

Same person, same population, same federal data. If a state has more agencies caring for more patients, it has more places where a breach can happen. The for-profit color encoding shows the dominant ownership type sits around 70 to 95 percent in every high-volume state.

02 · The temporal shift

Hacking swallowed every other breach type.

Stacked area, 2015 to 2025. Total breaches climbed roughly 6x. Hacking and IT incidents went from a thin layer in the mix to dominating the stack outright. Theft, loss, and improper disposal are now rounding errors.

Stacked area chart of HIPAA breaches by type, 2015 to 2025, in editorial paper palette. Five bands: Hacking/IT Incident in clay, Unauthorized Access in amber, Theft in violet, Loss in teal, Improper Disposal in ghost. Total height grows from about 200 in 2015 to over 1,300 in 2025. The Hacking/IT Incident band starts as a thin slice in 2015 and grows to dominate the stack by 2024-2025.

Healthcare cybersecurity is not the same problem it was ten years ago. A 2015-era HIPAA program was built to address physical theft and improper disposal. Those categories are still in the data; they just don't move the chart anymore.

03 · The ownership concentration

For-profit agencies own the exposure footprint.

Top 15 states by Medicare-certified home health agency count, split by ownership type. For-profit operators run the majority of the network in every high-volume state: 94 percent in Texas, 86 percent in Illinois, 90 percent in Oklahoma. California is the structural outlier at 56 percent for-profit, with an unusually large “Other” classification covering more than a third of its 3,147 agencies.

Horizontal stacked bar chart of the top 15 US states by Medicare-certified home health agency count, in editorial paper palette. Each state's bar is split by ownership type: For-Profit in clay (dominating most bars), Non-Profit in teal, Government in amber, Other in grey-ghost. California's bar is the longest at 3,147 agencies but only 56 percent for-profit, with a large Other slice. Texas next at 1,850 agencies and 94 percent for-profit. Florida at 1,134 and 72 percent for-profit. Each row is annotated with total count and for-profit percentage.

The exposure surface is privately operated, except where it is not classified at all. Across most high-volume states, the home health industry runs through for-profit corporate networks more than through nonprofit and government providers combined. California is the conspicuous exception: more than a third of its agencies are classified as “Other,” which means the structural ownership mix in the largest state market is partially opaque even to the federal data system that tracks it.

Where the industry grows, the breaches follow.

Data

HHS Office for Civil Rights Breach Portal: HIPAA breaches affecting 500+ individuals, 2015–2026 — archived and under-investigation reports.
CMS Provider Data Catalog: Medicare-certified home health agencies, April 2026, with ownership classification.

Method

Breach records from the HHS OCR portal were cleaned, deduplicated, and geocoded to state centroids with a small random jitter for visualization. Agency records from CMS were geocoded from zip codes using the zipcodes package with bundled USPS data. Ownership was classified into For-Profit, Non-Profit, Government, Combination, and Other from the CMS ownership field.

The maps are built with deck.gl — GPU-accelerated WebGL layers — on a CARTO Dark Matter basemap. Data processing is in Python (pandas, zipcodes); static charts are in matplotlib. The full pipeline, intermediate data, and rendering code are on GitHub.

Nothing here is a proxy for causation. What the maps show is co-location and co-density — the spatial argument that breach activity tracks industry growth, visible most clearly in the overlay.