U.S. healthcare organizations face a sustained, multi-year escalation in data breaches tracked by HHS OCR since the 2009 HITECH Act mandate, with hacking and ransomware now the dominant breach categories, displacing earlier physical media theft patterns. Covered entities and their business associates are both primary targets, with third-party vendor compromise representing a growing share of exposure. The business risk is significant: PHI has long-term value on criminal markets, breach notification and regulatory penalties under HIPAA are substantial, and clinical operational disruption from ransomware directly affects patient safety.