Skip to main content
US Healthcare Data Breaches · 2023-10-12 to 2026-06-16

US healthcare data breaches

A U.S. healthcare data breach is an impermissible access to or disclosure of unsecured protected health information that a covered entity or business associate must report under the HIPAA Breach Notification Rule. This page breaks down the 726 breaches affecting 500 or more individuals reported to the U.S. HHS Office for Civil Rights in 2023-10-12 to 2026-06-16 — by breach type and by state — taken directly from the HHS OCR public portal.

Quick answer

In 2023-10-12 to 2026-06-16, U.S. covered entities and business associates reported 726 healthcare data breaches affecting 500+ individuals to HHS OCR, collectively exposing 356,175,086 individuals' protected health information. The largest cause by far was hacking/it incident (88.7% of all breaches), and the highest-volume state was California. Most breaches are hacking/IT incidents rather than lost or stolen devices.

By the numbers

Totals computed directly from the HHS OCR HIPAA Breach Reporting Portal records for 2023-10-12 to 2026-06-16. Each record is one breach affecting 500 or more individuals.

726
Breach records
356.2M
Individuals affected
4
Breach types
49
States / territories

Most recently reported breaches

The 50 most recent breaches added to the HHS OCR portal in 2023-10-12 to 2026-06-16, by submission date. Each row is exactly what the covered entity reported to HHS.

DateCovered entity / business associateStateTypeIndividuals
06/16/2026Gail J May Ltd d/b/a/ Insight OpticalILHacking/IT Incident501
06/11/2026Chickasaw Nation Department of HealthOKUnauthorized Access/Disclosure1,607
06/05/2026Minnesota Epilepsy Group, P.A.MNHacking/IT Incident80,061
06/05/2026Xsolis, Inc.TNHacking/IT Incident1,396,519
06/03/2026Amicus Solutions, Inc. (additional related entities may be impacted, the names of which are available upon request)SCHacking/IT Incident1,137
06/03/2026City of MiddletownOHHacking/IT Incident20,608
06/02/2026JASON R EGBERT OD PCWAHacking/IT Incident1,225
06/02/2026Lincoln National Corporation d/b/a Lincoln FinancialINUnauthorized Access/Disclosure3,070
05/29/2026Campbell UniversityNCHacking/IT Incident500
05/29/2026United Medical DoctorsCAHacking/IT Incident501
05/23/2026Virta Medical PCCOHacking/IT Incident14,636
05/22/2026Acadia Healthcare Company, IncTNHacking/IT Incident1,807
05/22/2026AUTOAPS LLCCAHacking/IT Incident1,591
05/22/2026Equinix Incorporated Group Health and Welfare Benefit PlanCAHacking/IT Incident677
05/22/2026Gastro HealthFLHacking/IT Incident1,628
05/22/2026Gastro HealthFLHacking/IT Incident35,632
05/22/2026Nottingham VillagePAHacking/IT Incident5,240
05/22/2026Oakwood Lutheran Senior Ministries, Inc.WIHacking/IT Incident1,080
05/22/2026South Florida Injury Centers, Inc.FLHacking/IT Incident1,525
05/22/2026Southern Illinois Ob-Gyn Associates, S.C.ILHacking/IT Incident38,700
05/21/2026Coastal Carolina Centers of Urology and Surgery, LLCSCHacking/IT Incident2,886
05/21/2026Defense Health Agency (TriWest)VAHacking/IT Incident11,848
05/21/2026Ira L. Savetsky, MD PLLCNYHacking/IT Incident564
05/21/2026Radiology Associates of RichmondVAHacking/IT Incident266,183
05/21/2026RegenceORHacking/IT Incident2,856
05/20/2026Southwest Behavioral Health Services.orgAZHacking/IT Incident2,316
05/19/2026Singing River Health SystemMSHacking/IT Incident53,888
05/18/2026Community ConnectionsDCHacking/IT Incident18,943
05/18/2026Eyemart Express, LLCTXHacking/IT Incident25,000
05/18/2026Greenbaum Rowe Smith & Davis LLPNJHacking/IT Incident12,801
05/18/2026Jefferson Health PlansPAUnauthorized Access/Disclosure1,855
05/15/2026Liberty Solutions, Inc.NYUnauthorized Access/Disclosure7,329
05/15/2026Lumexa ImagingNCHacking/IT Incident2,994
05/14/2026Bridle Trails Family DentistryWAHacking/IT Incident20,976
05/14/2026NJ Pain Care Specialists, LLCNJHacking/IT Incident501
05/13/2026Pivot HealthFLHacking/IT Incident5,864
05/13/2026Trinity HealthMIUnauthorized Access/Disclosure5,905
05/12/2026Ocelot Ventures, LLC dba ExcelasOHHacking/IT Incident2,275
05/11/2026Adams County Memorial HospitalINHacking/IT Incident5,305
05/11/2026Saurabh N. Patel, M.D – Florida Retina CenterLAHacking/IT Incident13,652
05/08/2026Bronsky OrthodonticsNYHacking/IT Incident3,183
05/08/2026Palomar Health Medical GroupCAHacking/IT Incident501
05/08/2026Verber Dental Group PCNYHacking/IT Incident8,598
05/08/2026ViaQuest Psychiatric & Behavioral Solutions, LLCOHHacking/IT Incident6,420
05/07/2026Sanger Skilled Care, LLC dba Cornerstone Care CenterCAHacking/IT Incident1,510
05/05/2026Aroostook Mental Health CenterMEHacking/IT Incident501
05/05/2026Passaic County, New JerseyNJHacking/IT Incident1,109
05/04/2026BAYADA Home Health Care, Inc.NJHacking/IT Incident500
05/04/2026IKRON CorporationOHHacking/IT Incident11,845
05/01/2026Capitol Pain InstituteCOHacking/IT Incident695

Source: U.S. HHS Office for Civil Rights — HIPAA Breach Reporting Portal (HIPAA Cases Currently Under Investigation (breaches affecting 500+ individuals)), under HITECH Act s.13402(e)(4); HIPAA Breach Notification Rule. This is a work of the U.S. federal government in the public domain. Figures are record counts and reported affected-individual totals for 2023-10-12 to 2026-06-16, retrieved 2026-06-27. Presented neutrally; this is statistics, not legal advice.

Breaches by type

How the 726 reported breaches in 2023-10-12 to 2026-06-16 happened. Select a type for its dedicated breakdown.

#Breach typeBreachesIndividualsShare
1Hacking/IT Incident644355,345,36588.7%
2Unauthorized Access/Disclosure75770,00210.3%
3Theft625,0440.8%
4Improper Disposal134,6750.1%

Explore breaches by state

Pick a state to see the breaches it reported in 2023-10-12 to 2026-06-16, the individuals affected, its share of the total, and its rank. Every figure is a published HHS OCR record — a factual lookup, not a predictive score.

See the HIPAA breaches actually reported to HHS OCR from this state in 2023-10-12 to 2026-06-16. All figures are published federal records — not a prediction.

63
Reported breaches
12,089,759
Individuals affected
8.7%
Share of all records
#1
Rank by volume

Across 726 breach records reported in 2023-10-12 to 2026-06-16, this state accounts for 8.7%. Figures are historical published records and do not indicate the likelihood of any future breach.

Breaches by state

Distinct breach records reported to HHS OCR in 2023-10-12 to 2026-06-16, by U.S. state or territory.

#State / territoryBreachesIndividualsShare
1CaliforniaCA6312,089,7598.7%
2TexasTX576,966,4317.9%
3FloridaFL564,951,9267.7%
4New YorkNY474,073,3426.5%
5IllinoisIL314,183,1264.3%
6PennsylvaniaPA311,335,4824.3%
7WashingtonWA242,778,1743.3%
8MichiganMI221,120,1313%
9MinnesotaMN21193,351,6102.9%
10OhioOH212,159,5022.9%
11TennesseeTN205,650,9662.8%
12GeorgiaGA1915,858,7932.6%
13MassachusettsMA19166,1222.6%
14North CarolinaNC19592,3252.6%
15ArizonaAZ182,000,2672.5%
16New JerseyNJ1862,728,4632.5%
17MissouriMO179,634,0542.3%
18ColoradoCO165,461,9902.2%
19MarylandMD153,686,8182.1%
20VirginiaVA142,063,6021.9%
21UtahUT124,420,7091.7%
22IndianaIN1172,5941.5%
23LouisianaLA112,992,4961.5%
24WisconsinWI11345,2291.5%
25AlabamaAL10313,7081.4%
26KansasKS9211,5041.2%
27OklahomaOK9332,7101.2%
28South CarolinaSC9363,5051.2%
29ConnecticutCT81,399,4881.1%
30IowaIA81,022,6541.1%
31OregonOR828,4251.1%
32MaineME7154,2101%
33NebraskaNE7240,1351%
34NevadaNV71,331,1381%
35IdahoID6653,5360.8%
36KentuckyKY5184,9370.7%
37MississippiMS5288,3150.7%
38New MexicoNM5106,7530.7%
39ArkansasAR4216,1990.6%
40New HampshireNH474,8210.6%
41Rhode IslandRI4234,0760.6%
42Unspecified / territory3117,8060.4%
43AlaskaAK374,1630.4%
44HawaiiHI332,1770.4%
45West VirginiaWV36,3950.4%
46District of ColumbiaDC237,8920.3%
47DelawareDE114,0950.1%
48MontanaMT121,2430.1%
49South DakotaSD125,3980.1%
50VermontVT15,8920.1%

Source: U.S. HHS Office for Civil Rights — HIPAA Breach Reporting Portal (HIPAA Cases Currently Under Investigation (breaches affecting 500+ individuals)), under HITECH Act s.13402(e)(4); HIPAA Breach Notification Rule. This is a work of the U.S. federal government in the public domain. Figures are record counts and reported affected-individual totals for 2023-10-12 to 2026-06-16, retrieved 2026-06-27. Presented neutrally; this is statistics, not legal advice.

What to do: prevention by breach type

Each step below targets a breach type in this dataset. The breach count next to each is the 2023-10-12 to 2026-06-16 total for the type it addresses.

Defend against hacking and IT incidents

644 breaches

Hacking/IT incidents are by far the largest category in this data. Enforce multi-factor authentication everywhere, patch internet-facing systems promptly, segment networks, keep tested offline backups, and run phishing-awareness training. Most reported hacks start with a stolen credential or an unpatched edge device.

Lock down unauthorized access and disclosure

75 breaches

Apply least-privilege access, log and alert on unusual record access, and add recipient-verification and redaction checks before any disclosure of protected health information. Many incidents in this category are avoidable internal process failures, not external attacks.

Prevent device and record theft

6 breaches

Encrypt every laptop, phone and removable drive that can hold protected health information so a stolen device is not a reportable breach, and keep physical records in access-controlled storage. Under the HIPAA Breach Notification Rule, properly encrypted data is generally not "unsecured".

Dispose of data securely

1 breaches

Shred paper records and cryptographically wipe or destroy storage media before disposal, and keep a documented chain of custody. Improper disposal is a small but entirely preventable category.

US healthcare data breaches FAQ

What is a U.S. healthcare data breach under HIPAA?
Under the HIPAA Breach Notification Rule (HITECH Act s.13402), a breach is an impermissible acquisition, access, use, or disclosure of unsecured protected health information (PHI). Covered entities and their business associates must notify affected individuals, the Secretary of HHS, and — for breaches affecting 500 or more individuals — must report to HHS within 60 days, after which the breach is published on the HHS Office for Civil Rights public portal. Properly encrypted PHI is generally not "unsecured", so an encrypted lost laptop usually is not a reportable breach.
How many U.S. healthcare data breaches were reported to HHS OCR in 2023-10-12 to 2026-06-16?
HHS OCR's portal lists 726 breaches of unsecured protected health information affecting 500 or more individuals for 2023-10-12 to 2026-06-16, collectively affecting 356,175,086 individuals. Each record is one breach reported by a covered entity or business associate. The figures on this page are taken directly from the HHS OCR HIPAA Breach Reporting Portal.
What is the most common type of US healthcare data breach?
By a wide margin the largest category is hacking/it incident, accounting for 644 of the 726 breaches (88.7%) in 2023-10-12 to 2026-06-16. The shift toward hacking and IT incidents — rather than lost or stolen devices — is the defining trend in HIPAA breach reporting.
Which states report the most healthcare data breaches?
The highest-volume states in 2023-10-12 to 2026-06-16 were California (63 breaches), Texas (57 breaches), Florida (56 breaches). Volume largely tracks the number of healthcare organizations in a state, so a higher count is not on its own evidence of weaker security.
Do I have to report a healthcare data breach to HHS?
Yes. Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must also be reported to HHS and prominent media outlets within 60 days; smaller breaches are reported to HHS in an annual log. Business associates must notify the covered entity. A tested incident-response process is what makes the 60-day clock manageable.
How can a healthcare organization reduce its data-breach risk?
Because hacking/IT incidents and unauthorized access dominate this data, the controls with the biggest effect are practical: multi-factor authentication and least-privilege access, prompt patching of internet-facing systems, encryption of PHI at rest and in transit, tested offline backups, phishing training, and a rehearsed breach-response plan. A structured compliance audit maps your data flows against the HIPAA Security Rule and produces a prioritized remediation plan.

Data retrieved 2026-06-27 · reporting window 2023-10-12 to 2026-06-16.

Harden your data protection before it becomes a breach report

The overwhelming majority of the breaches in this data are hacking/IT incidents and unauthorized access — both reducible with basic access, email and backup controls. GeraCompliance's fixed-scope compliance sprint maps your data flows, hardens the controls behind these breach types, and leaves you with a tested incident-response plan — in days, not months.