Theft breaches reported to HHS OCR
A breach categorised as Theft is one HHS OCR recorded under that heading on its HIPAA Breach Reporting Portal. In 2023-10-12 to 2026-06-16 there were 6 such breaches affecting 500+ individuals — 0.8% of all reported breaches, ranking it #3 of 4 types by volume, and affecting 25,044 individuals.
Quick answer
In 2023-10-12 to 2026-06-16, HHS OCR recorded 6 theft breaches of unsecured protected health information affecting 500+ individuals, which is 0.8% of the 726 breaches reported across all types and makes it the #3 most common of 4. These breaches affected 25,044 individuals in total.
Source: U.S. HHS Office for Civil Rights — HIPAA Breach Reporting Portal (HIPAA Cases Currently Under Investigation (breaches affecting 500+ individuals)), under HITECH Act s.13402(e)(4); HIPAA Breach Notification Rule. This is a work of the U.S. federal government in the public domain. Figures are record counts and reported affected-individual totals for 2023-10-12 to 2026-06-16, retrieved 2026-06-27. Presented neutrally; this is statistics, not legal advice.
Recent theft breaches
The 6 most recent breaches of this type in 2023-10-12 to 2026-06-16, exactly as reported to HHS OCR.
| Date | Covered entity / business associate | State | Individuals |
|---|---|---|---|
| 03/16/2026 | Renovo Chiropractic & Wellness | WA | 538 |
| 11/05/2025 | Tampa Bay Treatment Associates | FL | 3,682 |
| 03/06/2025 | SCLARC | CA | 722 |
| 02/28/2025 | East Hawaii Rehab, Inc. DBA Lehua Physical Therapy and Rehab | HI | 8,472 |
| 02/14/2025 | Children's Dental Center at Preston Trail, P.C. d/b/a Park Place Pediatric Dentistry (Arlington, TX) | TN | 1,690 |
| 06/28/2024 | Georgia Kidney Associates, Inc. | GA | 9,940 |
Other breach types
Compare with every other breach type's reported volume in 2023-10-12 to 2026-06-16.
Or return to the US healthcare data breaches hub for the full breakdown by state and the 356,175,086 individuals affected overall.
FAQ
- How many theft healthcare breaches were reported to HHS OCR in 2023-10-12 to 2026-06-16?
- HHS OCR's portal lists 6 breaches categorised as theft affecting 500 or more individuals in 2023-10-12 to 2026-06-16, collectively affecting 25,044 individuals. That is 0.8% of the 726 breaches reported across all types, ranking theft #3 of 4 categories by volume. Figures are taken directly from the HHS OCR HIPAA Breach Reporting Portal.
- What does "Theft" mean on the HHS breach portal?
- HHS categorises a breach as Theft when devices or physical records holding unsecured protected health information were stolen — a laptop, phone, backup drive, or paper files. Encrypting devices generally removes them from the "unsecured" definition.
- How can a healthcare organization prevent theft breaches?
- Because theft accounts for 0.8% of reported breaches in this data, the most effective controls are practical: multi-factor authentication and least-privilege access, prompt patching of internet-facing systems, encryption of protected health information at rest and in transit, tested offline backups, redaction and recipient checks before disclosure, and a rehearsed 60-day breach-response process. A structured compliance audit maps your data flows against the HIPAA Security Rule.
Data retrieved 2026-06-27 · reporting window 2023-10-12 to 2026-06-16.
Harden your data protection before it becomes a breach report
The overwhelming majority of the breaches in this data are hacking/IT incidents and unauthorized access — both reducible with basic access, email and backup controls. GeraCompliance's fixed-scope compliance sprint maps your data flows, hardens the controls behind these breach types, and leaves you with a tested incident-response plan — in days, not months.