A cumulative increase of more than 100% points to a structural shift, not a temporary surge.
This sustained growth goes beyond an increase in litigation; it demonstrates the convergence of legal challenges, regulatory scrutiny, and heightened awareness of the need to protect sensitive data.
Healthcare organizations, insurers, employers, and their partners now function in an environment where some of their most sensitive information is also among the most frequently compelled.
The role of medical records in legal disputes
Medical records are often vulnerable to legal requests because they are key evidence in many disputes and are closely examined. Medical records provide a factual basis for arguments, expert opinions, and judicial decisions.
Medical record subpoenas commonly arise in:
- Personal injury and malpractice litigation
- Insurance coverage disputes
- Criminal matters and administrative proceedings
- Workplace injury and data breach class actions
Each requires careful review to comply with privacy and disclosure requirements, including redaction of non relevant or sensitive information.
Medical records that are routinely compelled through legal proceedings are also among the most tightly regulated categories of data. In December 2024, the HHS Office for Civil Rights underscored this reality by proposing the first substantial updates to the HIPAA Security Rule since 2013. This proposed update addresses the scale of cybersecurity threats currently targeting health data and the growing regulatory pressures on organizations that manage this information.
Increased litigation driving volume
Several distinct and growing categories of litigation are converging to sustain and accelerate the volume of medical record subpoenas.
Data breaches
While the number of large healthcare data breaches declined slightly in 2025 compared to 2024, the scale and impact remain significant. According to the HHS OCR and analysis from HIPAA Journal, more than 700 large breaches (affecting 500+ individuals) were reported in 2025, down from 742 in 2024. Despite this modest decrease, over 61 million individuals had their protected health information exposed or disclosed without authorization.
These incidents continue to drive litigation. Individuals affected by breaches are increasingly pursuing legal action, contributing to a rise in subpoena volumes. In 2023, BakerHostetler managed more than 1,150 data privacy incidents, 58 of which resulted in one or more lawsuits, up from 42 in 2022. Notably, nearly 40 of those lawsuits involved health information, underscoring the growing legal exposure tied to healthcare data breaches.
Health insurance
A growing share of health insurance litigation targets insurers’ reliance on AI and algorithmic tools to make coverage decisions. Class action lawsuits have alleged improper denials of Medicare and Medicaid claims based on these systems, and similar challenges to algorithmic decision making in private insurance have emerged and remain under judicial review.
Healthcare providers and regulators have increasingly focused on the use of insurance algorithms in recent years. States such as California and Texas have already enacted legislation aimed at increasing insurer accountability. Other influential states with large healthcare markets, including Massachusetts and New York, are now positioned to consider similar measures.
Healthcare fraud and DOJ enforcement
In 2025, the Department of Justice (DOJ) indicated that combating healthcare fraud remains one of the most persistent bipartisan priorities in Washington and one of its Criminal Division’s ten "high-impact" priority areas. This announcement was soon followed by the largest healthcare fraud takedown in DOJ history, known as "Operation Gold Rush," which involved charges related to telemedicine, genetic testing, kickbacks, and technology-driven schemes.
This year, the Criminal Division has also expanded its Corporate Whistleblower Awards Pilot Program to include federal healthcare benefit programs, which is likely to result in an increase in related qui tam lawsuits and criminal investigations. Additionally, government agencies are conducting more audits and investigations than in previous years, meaning that providers may receive subpoenas, civil investigative demands, or requests for claims data as part of extensive multi-state inquiries.
Federal investigators now have quicker access to billing analytics and data-sharing networks, which can accelerate the progression of concerns to criminal or civil review.
