A round-up of data breaches recently announced by 9 HIPAA-regulated entities: University of Nebraska Medical Center, Singing River Health System, Tampa Bay Dental Implants & Prosthetics, Aligned Orthopedic Partners, South Alabama Regional Planning Commission, Pivot Health, LHC Group, Mays Housecall Home Health, and the World Trade Center Health Program.
University of Nebraska Medical Center
University of Nebraska Medical Center (UNMC) has discovered that a vulnerability in a third-party software application has been exploited by a threat actor, exposing patient information. UNMC learned about the vulnerability in the REDCap software application in February 2026. REDCap software is used by UNMC to support its research studies and public health activities. When UNMC learned about the vulnerability, the software was taken offline, and an investigation was launched to determine if the vulnerability had already been exploited. Assisted by third-party cybersecurity experts, UNMC determined that the vulnerability had been exploited on September 20, 2023, and access remained possible until February 3, 2026.
The data review confirmed that the system contained a range of sensitive data, which varied from individual to individual depending on the nature of the research study/public health activities. That information may have included names, dates of birth, addresses, phone numbers, email addresses, medical record numbers, and information created or collected in connection with a research study. Such information may have included visit dates, diagnoses, medications, laboratory results, imaging or procedure information, questionnaire responses, or other health-related information. A subset of individuals also had their Social Security numbers exposed. In total, 26,937 individuals had data exposed. Individuals whose Social Security numbers were impacted have been offered complimentary credit monitoring services.
Singing River Health System
Singing River Health System, a non-profit health system with three hospitals and more than 50 clinics serving the Mississippi Gulf Coast, has started notifying patients about a hacking incident identified on or around December 21, 2025. The forensic investigation confirmed unauthorized access to its computer network between December 19, 2025, and December 21, 2025, and on February 10, 2026, it was confirmed that files containing patient information were viewed and potentially copied.
Data exposed varied from individual to individual and may have included names in combination with one or more of the following: contact information, Social Security numbers, driver’s license numbers, dates of birth, bank account information, health insurance information, provider names, internal patient identification numbers, dates of service, medication information, and treatment and/or diagnostic information.
Singing River Health System said, “We will continue to implement and evaluate enhanced safeguards and security measures to further protect our systems and continue to provide security training to our employees.” The affected individuals have been advised to monitor their accounts and explanation of benefits statements for data misuse. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many individuals have been affected.
Tampa Bay Dental Implants & Prosthetics
Tampa Bay Dental Implants & Prosthetics, which also does business as Tampa Bay Dental Implants, Periodontics & Oral Surgery, a dental care provider serving the St. Petersburg and Tampa Bay area in Florida, has recently disclosed a data breach affecting 6,400 individuals. Tampa Bay Dental discovered unauthorized access to its network on January 19, 2026, when ransomware was used to encrypt files. The attack affected a legacy server that contained a backup of electronic medical records.
The file review confirmed that patient data was exposed, including names, contact information, birth dates, treatment notes, and clinical histories, and for a limited number of individuals, Social Security numbers. Tampa Bay Dental has implemented additional security measures to prevent similar incidents in the future, including enhancing its security logging, strengthening server encryption, and updating access controls. Credit monitoring and identity theft protection services do not appear to have been offered to the affected individuals.
World Trade Center Health Program
The World Trade Center (WTC) Health Program, which provides no-cost healthcare services to individuals harmed by the 9/11 attack on the World Trade Center, has reported a data security incident to the HHS’ Office for Civil Rights affecting 1,071 individuals. Highly sensitive data was compromised in the incident, which occurred at a vendor, Managed Care Advisors/Sedgwick Government Solutions.
Hackers accessed a server containing files associated with the WTC Health Program and exfiltrated sensitive data before encrypting files. The TridentLocker ransomware group claimed responsibility for the attack. The attack was detected by Managed Care Advisors/Sedgwick Government Solutions on December 4, 2025, and the forensic investigation confirmed that the server was first breached on November 16, 2025. Data compromised in the incident includes names, addresses, Social Security numbers, dates of birth, and protected health information. TridentLocker proceeded to leak the stolen data on its dark web data site when the ransom was not paid. The affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.
Aligned Orthopedic Partners
Bethesda, Maryland-based ASC Ortho Management Company, LLC, doing business as Aligned Orthopedic Partners, has discovered unauthorized access to its email environment and the exposure of the protected health information of 7,213 individuals. The forensic investigation determined that unauthorized access occurred between November 16, 2025, and December 16, 2025, during which time emails and files may have been accessed or acquired.
The file review determined on February 17, 2026, that the exposed data included names in combination with one or more of the following: date of birth, Social Security number, driver’s license or state identification number, Medicaid or Medicare number, financial account number, date(s) of service, medical provider name, mental or physical condition, medical treatment information, diagnosis or clinical information, prescription information, health insurance information, patient account number, and/or medical record number. The affected individuals were notified on April 17, 2026, and complimentary identity protection services have been made available. Aligned Orthopedic Partners said steps have been taken to augment security to prevent similar incidents in the future.
Pivot Health
Pivot Health, a health insurance company specializing in short-term and supplemental health insurance products, has identified unauthorized access to its Amazon Web Services cloud environment. The unauthorized access was detected and blocked on March 13, 2026. The investigation confirmed that its AWS environment was accessed by an unauthorized third party at various points over a two-week period between February 26, 2026, and March 13, 2026. During that time, files containing member data were viewed or copied.
The digital forensic investigation confirmed that the exposed data included names, birth dates, member identification numbers, person identification, certificate identification, coverage identification, insurance billing and payment information, and, for certain individuals, financial account information. Data security policies and procedures are being reviewed, and additional cybersecurity protections have been implemented. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected, although the Texas Attorney General was informed that 1,172 Texas residents had their data exposed in the incident.
LHC Group / Mays Housecall Home Health
Two more healthcare providers have notified patients that some of their protected health information was compromised in a security incident at vendor Doctor Alliance: the home healthcare providers LHC Group in Louisiana and Mays Housecall Home Health, an Oklahoma-based provider of community and home health care services throughout Oklahoma, Kansas, and Texas.
The data breach did not involve unauthorized access to the home healthcare providers’ systems, as the incident was confined to the web-based portal used in connection with the services provided by their technology vendor. Doctor Alliance provides a platform that physicians and healthcare providers use to exchange and sign documentation related to patient care. The Doctor Alliance web portal was accessed by an unauthorized third party between October 31, 2026, and November 17, 2026. Doctor Alliance discovered the unauthorized access on November 12, 2025.
LHC Group said 8,644 individuals were affected and had the following types of information exposed: names, dates of birth, demographic information, health information, including clinical summaries and diagnosis codes, provider information, and health insurance information. Mays Housecall Home Health said 5,208 individuals were affected. Data compromised in the incident included names, demographic information, dates of birth, clinical information, diagnosis information, physician information, insurance-related information, and other information related to patient care documentation.
No data misuse has been detected. Both home healthcare providers are conducting additional oversight and review procedures related to third-party providers, and Doctor Alliance has implemented additional security safeguards and monitoring capabilities.
The South Alabama Regional Planning Commission
The South Alabama Regional Planning Commission has reported a data breach to the HHS’ Office for Civil Rights involving unauthorized access to the protected health information of 3,043 individuals. The substitute data breach notice does not state when the unauthorized access was detected, nor when its systems were accessed by unauthorized individuals, only that the investigation determined on August 6, 2025, that certain files were copied from its systems.
The files were reviewed and found to contain client names, Medicaid numbers, Social Security numbers, and medical information related to eligible services. The Alabama Department of Senior Services was notified about the breach on January 28, 2026, and the HHS’ Office for Civil Rights was notified on March 18, 2026. Notification letters have now been mailed to the affected individuals, and complimentary credit monitoring services have been offered.
The post May 2026 Data Breach Round Up: Data Breaches Affect 9 HIPAA-regulated Entities appeared first on The HIPAA Journal.