Skip to content
Security & Trust

American Healthcare on WordPress: The HIPAA Reckoning is Coming

Thousands of US medical practices run patient-facing services on WordPress. The OCR is increasing enforcement. The math doesn't work.

· 6 min read
Share on X LinkedIn
American Healthcare on WordPress: The HIPAA Reckoning is Coming

The Scale

Walk into any medical practice in America. There's a reasonable chance their website — the one with the appointment booking form, the patient portal link, the telehealth intake — runs WordPress. Our scan data and W3Techs estimates suggest 35-45% of US healthcare provider websites are WordPress-based.

These sites process protected health information. Names, dates of birth, insurance details, medical histories — flowing through a framework with 18,005 known vulnerabilities.

The OCR Enforcement Trend

$6.7M total
HHS OCR HIPAA settlements (2025)
Source: HHS Office for Civil Rights published enforcement actions. Enforcement frequency increasing year over year.
$50K - $1.9M
Average HIPAA violation fine
Source: 45 CFR 160.404. HHS published penalty tiers, adjusted for inflation.

The Office for Civil Rights has been increasing both the frequency and severity of HIPAA enforcement actions. The 'reasonable safeguards' standard in HIPAA doesn't specify frameworks, but running patient data through a CMS with thousands of unpatched vulnerabilities tests the definition of 'reasonable.'

The Plugin Problem in Healthcare

Healthcare WordPress sites typically run appointment booking plugins, HIPAA-compliant form plugins, patient portal connectors, and EHR integrations. Each plugin is an independent codebase. Each handles sensitive data. Each is a potential breach vector.

When a booking plugin has a vulnerability — and WordPress booking plugins have had dozens — patient appointment data is exposed. The breach notification costs alone can exceed the cost of migrating the entire site to a modern framework.

What the Math Says

$10.9M
Healthcare breach avg cost
Source: IBM Cost of a Data Breach Report 2025. Highest of any industry for 13 consecutive years.

One breach on a WordPress healthcare site can cost more than migrating every healthcare website in a small hospital network to Astro with a HIPAA-compliant API backend. The risk-adjusted cost of staying on WordPress exceeds the cost of leaving it.

Share this insight