Unauthorized Access/Disclosure breaches reported to HHS OCR
A breach categorised as Unauthorized Access/Disclosure is one HHS OCR recorded under that heading on its HIPAA Breach Reporting Portal. In 2023-10-12 to 2026-06-16 there were 75 such breaches affecting 500+ individuals — 10.3% of all reported breaches, ranking it #2 of 4 types by volume, and affecting 770,002 individuals.
Quick answer
In 2023-10-12 to 2026-06-16, HHS OCR recorded 75 unauthorized access/disclosure breaches of unsecured protected health information affecting 500+ individuals, which is 10.3% of the 726 breaches reported across all types and makes it the #2 most common of 4. These breaches affected 770,002 individuals in total.
Source: U.S. HHS Office for Civil Rights — HIPAA Breach Reporting Portal (HIPAA Cases Currently Under Investigation (breaches affecting 500+ individuals)), under HITECH Act s.13402(e)(4); HIPAA Breach Notification Rule. This is a work of the U.S. federal government in the public domain. Figures are record counts and reported affected-individual totals for 2023-10-12 to 2026-06-16, retrieved 2026-06-27. Presented neutrally; this is statistics, not legal advice.
Recent unauthorized access/disclosure breaches
The 25 most recent breaches of this type in 2023-10-12 to 2026-06-16, exactly as reported to HHS OCR.
| Date | Covered entity / business associate | State | Individuals |
|---|---|---|---|
| 06/11/2026 | Chickasaw Nation Department of Health | OK | 1,607 |
| 06/02/2026 | Lincoln National Corporation d/b/a Lincoln Financial | IN | 3,070 |
| 05/18/2026 | Jefferson Health Plans | PA | 1,855 |
| 05/15/2026 | Liberty Solutions, Inc. | NY | 7,329 |
| 05/13/2026 | Trinity Health | MI | 5,905 |
| 05/01/2026 | University of Michigan/Michigan Medicine | MI | 551 |
| 04/30/2026 | Ouster, Inc. | CA | 574 |
| 04/17/2026 | NJ Division of Developmental Disabilities - Hunterdon Developmental Center | NJ | 807 |
| 04/14/2026 | City Health, a medical corporation | CA | 65,000 |
| 04/14/2026 | Defense Health Agency | VA | 1,300 |
| 04/09/2026 | CardioFit Medical Group, Inc. | CA | 7,243 |
| 03/28/2026 | University Medical Center of Southern Nevada | NV | 1,221 |
| 03/14/2026 | UPMC | PA | 687 |
| 03/13/2026 | Trinity Health | MI | 2,740 |
| 02/23/2026 | Weill Cornell Medicine | NY | 516 |
| 01/16/2026 | Minnesota Department of Human Services | MN | 303,965 |
| 01/13/2026 | TMG Health, Inc. | TX | 2,076 |
| 12/26/2025 | BlueCross BlueShield of Tennessee, Inc. | TN | 780 |
| 12/26/2025 | CareOregon | OR | 6,988 |
| 12/15/2025 | FPMCM LLC | TN | 2,072 |
| 12/12/2025 | OCAT, LLC dba Evoke Wellness at Hilliard | OH | 1,629 |
| 11/26/2025 | Henry Ford Health | MI | 1,984 |
| 11/25/2025 | Tanner Medical Center | GA | 1,000 |
| 11/18/2025 | Marrs Ear, Nose & Throat, PA | FL | 6,376 |
| 10/28/2025 | Better Vision Eyecare, LLC | AZ | 501 |
Other breach types
Compare with every other breach type's reported volume in 2023-10-12 to 2026-06-16.
Or return to the US healthcare data breaches hub for the full breakdown by state and the 356,175,086 individuals affected overall.
FAQ
- How many unauthorized access/disclosure healthcare breaches were reported to HHS OCR in 2023-10-12 to 2026-06-16?
- HHS OCR's portal lists 75 breaches categorised as unauthorized access/disclosure affecting 500 or more individuals in 2023-10-12 to 2026-06-16, collectively affecting 770,002 individuals. That is 10.3% of the 726 breaches reported across all types, ranking unauthorized access/disclosure #2 of 4 categories by volume. Figures are taken directly from the HHS OCR HIPAA Breach Reporting Portal.
- What does "Unauthorized Access/Disclosure" mean on the HHS breach portal?
- HHS categorises a breach as Unauthorized Access/Disclosure when protected health information was accessed, used, or disclosed without permission — for example an employee viewing records they should not, a misdirected mailing, or records shown to the wrong patient. Many incidents in this category are internal process failures rather than external attacks.
- How can a healthcare organization prevent unauthorized access/disclosure breaches?
- Because unauthorized access/disclosure accounts for 10.3% of reported breaches in this data, the most effective controls are practical: multi-factor authentication and least-privilege access, prompt patching of internet-facing systems, encryption of protected health information at rest and in transit, tested offline backups, redaction and recipient checks before disclosure, and a rehearsed 60-day breach-response process. A structured compliance audit maps your data flows against the HIPAA Security Rule.
Data retrieved 2026-06-27 · reporting window 2023-10-12 to 2026-06-16.
Harden your data protection before it becomes a breach report
The overwhelming majority of the breaches in this data are hacking/IT incidents and unauthorized access — both reducible with basic access, email and backup controls. GeraCompliance's fixed-scope compliance sprint maps your data flows, hardens the controls behind these breach types, and leaves you with a tested incident-response plan — in days, not months.