Skip to main content

Unauthorized Access/Disclosure breaches reported to HHS OCR

A breach categorised as Unauthorized Access/Disclosure is one HHS OCR recorded under that heading on its HIPAA Breach Reporting Portal. In 2023-10-12 to 2026-06-16 there were 75 such breaches affecting 500+ individuals — 10.3% of all reported breaches, ranking it #2 of 4 types by volume, and affecting 770,002 individuals.

Quick answer

In 2023-10-12 to 2026-06-16, HHS OCR recorded 75 unauthorized access/disclosure breaches of unsecured protected health information affecting 500+ individuals, which is 10.3% of the 726 breaches reported across all types and makes it the #2 most common of 4. These breaches affected 770,002 individuals in total.

75
Reported breaches
770,002
Individuals affected
10.3%
Share of all breaches
10,267
Avg. per breach

Source: U.S. HHS Office for Civil Rights — HIPAA Breach Reporting Portal (HIPAA Cases Currently Under Investigation (breaches affecting 500+ individuals)), under HITECH Act s.13402(e)(4); HIPAA Breach Notification Rule. This is a work of the U.S. federal government in the public domain. Figures are record counts and reported affected-individual totals for 2023-10-12 to 2026-06-16, retrieved 2026-06-27. Presented neutrally; this is statistics, not legal advice.

Recent unauthorized access/disclosure breaches

The 25 most recent breaches of this type in 2023-10-12 to 2026-06-16, exactly as reported to HHS OCR.

DateCovered entity / business associateStateIndividuals
06/11/2026Chickasaw Nation Department of HealthOK1,607
06/02/2026Lincoln National Corporation d/b/a Lincoln FinancialIN3,070
05/18/2026Jefferson Health PlansPA1,855
05/15/2026Liberty Solutions, Inc.NY7,329
05/13/2026Trinity HealthMI5,905
05/01/2026University of Michigan/Michigan MedicineMI551
04/30/2026Ouster, Inc.CA574
04/17/2026NJ Division of Developmental Disabilities - Hunterdon Developmental CenterNJ807
04/14/2026City Health, a medical corporationCA65,000
04/14/2026Defense Health AgencyVA1,300
04/09/2026CardioFit Medical Group, Inc.CA7,243
03/28/2026University Medical Center of Southern NevadaNV1,221
03/14/2026UPMCPA687
03/13/2026Trinity HealthMI2,740
02/23/2026Weill Cornell MedicineNY516
01/16/2026Minnesota Department of Human ServicesMN303,965
01/13/2026TMG Health, Inc.TX2,076
12/26/2025BlueCross BlueShield of Tennessee, Inc.TN780
12/26/2025CareOregonOR6,988
12/15/2025FPMCM LLCTN2,072
12/12/2025OCAT, LLC dba Evoke Wellness at HilliardOH1,629
11/26/2025Henry Ford HealthMI1,984
11/25/2025Tanner Medical CenterGA1,000
11/18/2025Marrs Ear, Nose & Throat, PAFL6,376
10/28/2025Better Vision Eyecare, LLCAZ501

Other breach types

Compare with every other breach type's reported volume in 2023-10-12 to 2026-06-16.

Or return to the US healthcare data breaches hub for the full breakdown by state and the 356,175,086 individuals affected overall.

FAQ

How many unauthorized access/disclosure healthcare breaches were reported to HHS OCR in 2023-10-12 to 2026-06-16?
HHS OCR's portal lists 75 breaches categorised as unauthorized access/disclosure affecting 500 or more individuals in 2023-10-12 to 2026-06-16, collectively affecting 770,002 individuals. That is 10.3% of the 726 breaches reported across all types, ranking unauthorized access/disclosure #2 of 4 categories by volume. Figures are taken directly from the HHS OCR HIPAA Breach Reporting Portal.
What does "Unauthorized Access/Disclosure" mean on the HHS breach portal?
HHS categorises a breach as Unauthorized Access/Disclosure when protected health information was accessed, used, or disclosed without permission — for example an employee viewing records they should not, a misdirected mailing, or records shown to the wrong patient. Many incidents in this category are internal process failures rather than external attacks.
How can a healthcare organization prevent unauthorized access/disclosure breaches?
Because unauthorized access/disclosure accounts for 10.3% of reported breaches in this data, the most effective controls are practical: multi-factor authentication and least-privilege access, prompt patching of internet-facing systems, encryption of protected health information at rest and in transit, tested offline backups, redaction and recipient checks before disclosure, and a rehearsed 60-day breach-response process. A structured compliance audit maps your data flows against the HIPAA Security Rule.

Data retrieved 2026-06-27 · reporting window 2023-10-12 to 2026-06-16.

Harden your data protection before it becomes a breach report

The overwhelming majority of the breaches in this data are hacking/IT incidents and unauthorized access — both reducible with basic access, email and backup controls. GeraCompliance's fixed-scope compliance sprint maps your data flows, hardens the controls behind these breach types, and leaves you with a tested incident-response plan — in days, not months.