US healthcare data breaches
A U.S. healthcare data breach is an impermissible access to or disclosure of unsecured protected health information that a covered entity or business associate must report under the HIPAA Breach Notification Rule. This page breaks down the 726 breaches affecting 500 or more individuals reported to the U.S. HHS Office for Civil Rights in 2023-10-12 to 2026-06-16 — by breach type and by state — taken directly from the HHS OCR public portal.
Quick answer
In 2023-10-12 to 2026-06-16, U.S. covered entities and business associates reported 726 healthcare data breaches affecting 500+ individuals to HHS OCR, collectively exposing 356,175,086 individuals' protected health information. The largest cause by far was hacking/it incident (88.7% of all breaches), and the highest-volume state was California. Most breaches are hacking/IT incidents rather than lost or stolen devices.
By the numbers
Totals computed directly from the HHS OCR HIPAA Breach Reporting Portal records for 2023-10-12 to 2026-06-16. Each record is one breach affecting 500 or more individuals.
Most recently reported breaches
The 50 most recent breaches added to the HHS OCR portal in 2023-10-12 to 2026-06-16, by submission date. Each row is exactly what the covered entity reported to HHS.
| Date | Covered entity / business associate | State | Type | Individuals |
|---|---|---|---|---|
| 06/16/2026 | Gail J May Ltd d/b/a/ Insight Optical | IL | Hacking/IT Incident | 501 |
| 06/11/2026 | Chickasaw Nation Department of Health | OK | Unauthorized Access/Disclosure | 1,607 |
| 06/05/2026 | Minnesota Epilepsy Group, P.A. | MN | Hacking/IT Incident | 80,061 |
| 06/05/2026 | Xsolis, Inc. | TN | Hacking/IT Incident | 1,396,519 |
| 06/03/2026 | Amicus Solutions, Inc. (additional related entities may be impacted, the names of which are available upon request) | SC | Hacking/IT Incident | 1,137 |
| 06/03/2026 | City of Middletown | OH | Hacking/IT Incident | 20,608 |
| 06/02/2026 | JASON R EGBERT OD PC | WA | Hacking/IT Incident | 1,225 |
| 06/02/2026 | Lincoln National Corporation d/b/a Lincoln Financial | IN | Unauthorized Access/Disclosure | 3,070 |
| 05/29/2026 | Campbell University | NC | Hacking/IT Incident | 500 |
| 05/29/2026 | United Medical Doctors | CA | Hacking/IT Incident | 501 |
| 05/23/2026 | Virta Medical PC | CO | Hacking/IT Incident | 14,636 |
| 05/22/2026 | Acadia Healthcare Company, Inc | TN | Hacking/IT Incident | 1,807 |
| 05/22/2026 | AUTOAPS LLC | CA | Hacking/IT Incident | 1,591 |
| 05/22/2026 | Equinix Incorporated Group Health and Welfare Benefit Plan | CA | Hacking/IT Incident | 677 |
| 05/22/2026 | Gastro Health | FL | Hacking/IT Incident | 1,628 |
| 05/22/2026 | Gastro Health | FL | Hacking/IT Incident | 35,632 |
| 05/22/2026 | Nottingham Village | PA | Hacking/IT Incident | 5,240 |
| 05/22/2026 | Oakwood Lutheran Senior Ministries, Inc. | WI | Hacking/IT Incident | 1,080 |
| 05/22/2026 | South Florida Injury Centers, Inc. | FL | Hacking/IT Incident | 1,525 |
| 05/22/2026 | Southern Illinois Ob-Gyn Associates, S.C. | IL | Hacking/IT Incident | 38,700 |
| 05/21/2026 | Coastal Carolina Centers of Urology and Surgery, LLC | SC | Hacking/IT Incident | 2,886 |
| 05/21/2026 | Defense Health Agency (TriWest) | VA | Hacking/IT Incident | 11,848 |
| 05/21/2026 | Ira L. Savetsky, MD PLLC | NY | Hacking/IT Incident | 564 |
| 05/21/2026 | Radiology Associates of Richmond | VA | Hacking/IT Incident | 266,183 |
| 05/21/2026 | Regence | OR | Hacking/IT Incident | 2,856 |
| 05/20/2026 | Southwest Behavioral Health Services.org | AZ | Hacking/IT Incident | 2,316 |
| 05/19/2026 | Singing River Health System | MS | Hacking/IT Incident | 53,888 |
| 05/18/2026 | Community Connections | DC | Hacking/IT Incident | 18,943 |
| 05/18/2026 | Eyemart Express, LLC | TX | Hacking/IT Incident | 25,000 |
| 05/18/2026 | Greenbaum Rowe Smith & Davis LLP | NJ | Hacking/IT Incident | 12,801 |
| 05/18/2026 | Jefferson Health Plans | PA | Unauthorized Access/Disclosure | 1,855 |
| 05/15/2026 | Liberty Solutions, Inc. | NY | Unauthorized Access/Disclosure | 7,329 |
| 05/15/2026 | Lumexa Imaging | NC | Hacking/IT Incident | 2,994 |
| 05/14/2026 | Bridle Trails Family Dentistry | WA | Hacking/IT Incident | 20,976 |
| 05/14/2026 | NJ Pain Care Specialists, LLC | NJ | Hacking/IT Incident | 501 |
| 05/13/2026 | Pivot Health | FL | Hacking/IT Incident | 5,864 |
| 05/13/2026 | Trinity Health | MI | Unauthorized Access/Disclosure | 5,905 |
| 05/12/2026 | Ocelot Ventures, LLC dba Excelas | OH | Hacking/IT Incident | 2,275 |
| 05/11/2026 | Adams County Memorial Hospital | IN | Hacking/IT Incident | 5,305 |
| 05/11/2026 | Saurabh N. Patel, M.D – Florida Retina Center | LA | Hacking/IT Incident | 13,652 |
| 05/08/2026 | Bronsky Orthodontics | NY | Hacking/IT Incident | 3,183 |
| 05/08/2026 | Palomar Health Medical Group | CA | Hacking/IT Incident | 501 |
| 05/08/2026 | Verber Dental Group PC | NY | Hacking/IT Incident | 8,598 |
| 05/08/2026 | ViaQuest Psychiatric & Behavioral Solutions, LLC | OH | Hacking/IT Incident | 6,420 |
| 05/07/2026 | Sanger Skilled Care, LLC dba Cornerstone Care Center | CA | Hacking/IT Incident | 1,510 |
| 05/05/2026 | Aroostook Mental Health Center | ME | Hacking/IT Incident | 501 |
| 05/05/2026 | Passaic County, New Jersey | NJ | Hacking/IT Incident | 1,109 |
| 05/04/2026 | BAYADA Home Health Care, Inc. | NJ | Hacking/IT Incident | 500 |
| 05/04/2026 | IKRON Corporation | OH | Hacking/IT Incident | 11,845 |
| 05/01/2026 | Capitol Pain Institute | CO | Hacking/IT Incident | 695 |
Source: U.S. HHS Office for Civil Rights — HIPAA Breach Reporting Portal (HIPAA Cases Currently Under Investigation (breaches affecting 500+ individuals)), under HITECH Act s.13402(e)(4); HIPAA Breach Notification Rule. This is a work of the U.S. federal government in the public domain. Figures are record counts and reported affected-individual totals for 2023-10-12 to 2026-06-16, retrieved 2026-06-27. Presented neutrally; this is statistics, not legal advice.
Breaches by type
How the 726 reported breaches in 2023-10-12 to 2026-06-16 happened. Select a type for its dedicated breakdown.
| # | Breach type | Breaches | Individuals | Share |
|---|---|---|---|---|
| 1 | Hacking/IT Incident | 644 | 355,345,365 | 88.7% |
| 2 | Unauthorized Access/Disclosure | 75 | 770,002 | 10.3% |
| 3 | Theft | 6 | 25,044 | 0.8% |
| 4 | Improper Disposal | 1 | 34,675 | 0.1% |
Explore breaches by state
Pick a state to see the breaches it reported in 2023-10-12 to 2026-06-16, the individuals affected, its share of the total, and its rank. Every figure is a published HHS OCR record — a factual lookup, not a predictive score.
See the HIPAA breaches actually reported to HHS OCR from this state in 2023-10-12 to 2026-06-16. All figures are published federal records — not a prediction.
Across 726 breach records reported in 2023-10-12 to 2026-06-16, this state accounts for 8.7%. Figures are historical published records and do not indicate the likelihood of any future breach.
Breaches by state
Distinct breach records reported to HHS OCR in 2023-10-12 to 2026-06-16, by U.S. state or territory.
| # | State / territory | Breaches | Individuals | Share |
|---|---|---|---|---|
| 1 | CaliforniaCA | 63 | 12,089,759 | 8.7% |
| 2 | TexasTX | 57 | 6,966,431 | 7.9% |
| 3 | FloridaFL | 56 | 4,951,926 | 7.7% |
| 4 | New YorkNY | 47 | 4,073,342 | 6.5% |
| 5 | IllinoisIL | 31 | 4,183,126 | 4.3% |
| 6 | PennsylvaniaPA | 31 | 1,335,482 | 4.3% |
| 7 | WashingtonWA | 24 | 2,778,174 | 3.3% |
| 8 | MichiganMI | 22 | 1,120,131 | 3% |
| 9 | MinnesotaMN | 21 | 193,351,610 | 2.9% |
| 10 | OhioOH | 21 | 2,159,502 | 2.9% |
| 11 | TennesseeTN | 20 | 5,650,966 | 2.8% |
| 12 | GeorgiaGA | 19 | 15,858,793 | 2.6% |
| 13 | MassachusettsMA | 19 | 166,122 | 2.6% |
| 14 | North CarolinaNC | 19 | 592,325 | 2.6% |
| 15 | ArizonaAZ | 18 | 2,000,267 | 2.5% |
| 16 | New JerseyNJ | 18 | 62,728,463 | 2.5% |
| 17 | MissouriMO | 17 | 9,634,054 | 2.3% |
| 18 | ColoradoCO | 16 | 5,461,990 | 2.2% |
| 19 | MarylandMD | 15 | 3,686,818 | 2.1% |
| 20 | VirginiaVA | 14 | 2,063,602 | 1.9% |
| 21 | UtahUT | 12 | 4,420,709 | 1.7% |
| 22 | IndianaIN | 11 | 72,594 | 1.5% |
| 23 | LouisianaLA | 11 | 2,992,496 | 1.5% |
| 24 | WisconsinWI | 11 | 345,229 | 1.5% |
| 25 | AlabamaAL | 10 | 313,708 | 1.4% |
| 26 | KansasKS | 9 | 211,504 | 1.2% |
| 27 | OklahomaOK | 9 | 332,710 | 1.2% |
| 28 | South CarolinaSC | 9 | 363,505 | 1.2% |
| 29 | ConnecticutCT | 8 | 1,399,488 | 1.1% |
| 30 | IowaIA | 8 | 1,022,654 | 1.1% |
| 31 | OregonOR | 8 | 28,425 | 1.1% |
| 32 | MaineME | 7 | 154,210 | 1% |
| 33 | NebraskaNE | 7 | 240,135 | 1% |
| 34 | NevadaNV | 7 | 1,331,138 | 1% |
| 35 | IdahoID | 6 | 653,536 | 0.8% |
| 36 | KentuckyKY | 5 | 184,937 | 0.7% |
| 37 | MississippiMS | 5 | 288,315 | 0.7% |
| 38 | New MexicoNM | 5 | 106,753 | 0.7% |
| 39 | ArkansasAR | 4 | 216,199 | 0.6% |
| 40 | New HampshireNH | 4 | 74,821 | 0.6% |
| 41 | Rhode IslandRI | 4 | 234,076 | 0.6% |
| 42 | Unspecified / territory | 3 | 117,806 | 0.4% |
| 43 | AlaskaAK | 3 | 74,163 | 0.4% |
| 44 | HawaiiHI | 3 | 32,177 | 0.4% |
| 45 | West VirginiaWV | 3 | 6,395 | 0.4% |
| 46 | District of ColumbiaDC | 2 | 37,892 | 0.3% |
| 47 | DelawareDE | 1 | 14,095 | 0.1% |
| 48 | MontanaMT | 1 | 21,243 | 0.1% |
| 49 | South DakotaSD | 1 | 25,398 | 0.1% |
| 50 | VermontVT | 1 | 5,892 | 0.1% |
Source: U.S. HHS Office for Civil Rights — HIPAA Breach Reporting Portal (HIPAA Cases Currently Under Investigation (breaches affecting 500+ individuals)), under HITECH Act s.13402(e)(4); HIPAA Breach Notification Rule. This is a work of the U.S. federal government in the public domain. Figures are record counts and reported affected-individual totals for 2023-10-12 to 2026-06-16, retrieved 2026-06-27. Presented neutrally; this is statistics, not legal advice.
What to do: prevention by breach type
Each step below targets a breach type in this dataset. The breach count next to each is the 2023-10-12 to 2026-06-16 total for the type it addresses.
Defend against hacking and IT incidents
644 breachesHacking/IT incidents are by far the largest category in this data. Enforce multi-factor authentication everywhere, patch internet-facing systems promptly, segment networks, keep tested offline backups, and run phishing-awareness training. Most reported hacks start with a stolen credential or an unpatched edge device.
Lock down unauthorized access and disclosure
75 breachesApply least-privilege access, log and alert on unusual record access, and add recipient-verification and redaction checks before any disclosure of protected health information. Many incidents in this category are avoidable internal process failures, not external attacks.
Prevent device and record theft
6 breachesEncrypt every laptop, phone and removable drive that can hold protected health information so a stolen device is not a reportable breach, and keep physical records in access-controlled storage. Under the HIPAA Breach Notification Rule, properly encrypted data is generally not "unsecured".
Dispose of data securely
1 breachesShred paper records and cryptographically wipe or destroy storage media before disposal, and keep a documented chain of custody. Improper disposal is a small but entirely preventable category.
US healthcare data breaches FAQ
- What is a U.S. healthcare data breach under HIPAA?
- Under the HIPAA Breach Notification Rule (HITECH Act s.13402), a breach is an impermissible acquisition, access, use, or disclosure of unsecured protected health information (PHI). Covered entities and their business associates must notify affected individuals, the Secretary of HHS, and — for breaches affecting 500 or more individuals — must report to HHS within 60 days, after which the breach is published on the HHS Office for Civil Rights public portal. Properly encrypted PHI is generally not "unsecured", so an encrypted lost laptop usually is not a reportable breach.
- How many U.S. healthcare data breaches were reported to HHS OCR in 2023-10-12 to 2026-06-16?
- HHS OCR's portal lists 726 breaches of unsecured protected health information affecting 500 or more individuals for 2023-10-12 to 2026-06-16, collectively affecting 356,175,086 individuals. Each record is one breach reported by a covered entity or business associate. The figures on this page are taken directly from the HHS OCR HIPAA Breach Reporting Portal.
- What is the most common type of US healthcare data breach?
- By a wide margin the largest category is hacking/it incident, accounting for 644 of the 726 breaches (88.7%) in 2023-10-12 to 2026-06-16. The shift toward hacking and IT incidents — rather than lost or stolen devices — is the defining trend in HIPAA breach reporting.
- Which states report the most healthcare data breaches?
- The highest-volume states in 2023-10-12 to 2026-06-16 were California (63 breaches), Texas (57 breaches), Florida (56 breaches). Volume largely tracks the number of healthcare organizations in a state, so a higher count is not on its own evidence of weaker security.
- Do I have to report a healthcare data breach to HHS?
- Yes. Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must also be reported to HHS and prominent media outlets within 60 days; smaller breaches are reported to HHS in an annual log. Business associates must notify the covered entity. A tested incident-response process is what makes the 60-day clock manageable.
- How can a healthcare organization reduce its data-breach risk?
- Because hacking/IT incidents and unauthorized access dominate this data, the controls with the biggest effect are practical: multi-factor authentication and least-privilege access, prompt patching of internet-facing systems, encryption of PHI at rest and in transit, tested offline backups, phishing training, and a rehearsed breach-response plan. A structured compliance audit maps your data flows against the HIPAA Security Rule and produces a prioritized remediation plan.
Data retrieved 2026-06-27 · reporting window 2023-10-12 to 2026-06-16.
Harden your data protection before it becomes a breach report
The overwhelming majority of the breaches in this data are hacking/IT incidents and unauthorized access — both reducible with basic access, email and backup controls. GeraCompliance's fixed-scope compliance sprint maps your data flows, hardens the controls behind these breach types, and leaves you with a tested incident-response plan — in days, not months.