January 2026 Healthcare Data Breach Report

Posted by Steve Alder

The HHS’ Office for Civil Rights (OCR) healthcare data breach portal shows a slight month-over-month decline in large healthcare data breaches, which fell by 13.2% from December 2025 to 46 data breaches in January 2026.

Healthcare data breaches in the past 12 months - January 2026

The OCR breach portal lists healthcare data breaches affecting 500 or more individuals, which have been reported far less frequently during the past 5 months than in the first half of 2025. From September 2025 to January 2026, an average of 46.2 large data breaches were reported to OCR each month, compared to an average of 68.6 breaches per month in the preceding 5 months (April to August). Should this trend continue, 2026 could well see the lowest number of data breaches reported for several years.

We previously suggested that there may be a delay in adding data breaches to the OCR breach portal due to the government shutdown in late 2025, which lasted for 43 days between October 1 and November 12, 2025, during which time no healthcare data breaches were added to the OCR data breach portal. Since we last compiled breach data in January, a further two breaches have been added for October, and 7 data breaches for November. Since relatively few data breaches have been added for those months, it suggests that OCR has largely cleared the backlog of breach reports. The reason for the decline in large data breaches since September 2025 is unclear. Data breaches are also down compared to previous years, with this year’s total being the lowest January total since 2023.

January healthcare data breaches - 2022-2026

Across the 46 large healthcare data breaches reported in January, the protected health information of 1,441,182 individuals was exposed or impermissibly disclosed. While that represents a 178% increase in affected individuals compared to December 2025, January’s total is well below the 12-month average of 5,107,388 affected individuals per month, and it is the lowest January total since 2020.

Individuals affected by healthcare data breaches in the past 12 months - January 2026

In addition to reduced breach numbers, there has also been a reduction in data breach size over the past 5 months. In the 5 months from April 2025 to August 2025, 48.1 million individuals had their health information exposed or impermissibly disclosed in healthcare data breaches. During the following 5 months from September 2025 to January 2026, only 7.2 million individuals had data exposed or impermissibly disclosed, an 85% reduction from the preceding 5 months.

Individuals affected by January healthcare data breaches - 2022-2026

While the reduction in affected individuals is good news, two massive healthcare data breaches occurred last year at business associates of HIPAA-covered entities that are not yet reflected in the OCR breach data. A data breach at Trizetto Provider Solutions last year is now known to have affected at least 3.6 million individuals, and a far worse data breach was experienced by Conduent Business Solutions. According to breach reports to state Attorneys General, at least 25 million individuals were affected by that breach in Oregon and Texas alone. Given the fact that Condusent overrated in many U.S. states, the data breach is likely to have affected many more individuals, and it could rank as one of the top 3 healthcare data breaches of all time.

Biggest Healthcare Data Breaches Reported in January 2026

In January, 11 healthcare data breaches were reported to OCR that affected 10,000 or more individuals. Those 11 data breaches accounted for 92.5% of the affected individuals in January. While data breaches of 10,000 or more records are usually mostly due to hacking and other IT incidents, three of the four largest data breaches of the month were unauthorized access/disclosure incidents, and the top two breaches occurred at state Departments of Human Services.

The largest data breach was reported by the Illinois Department of Human Services, which exposed the protected health information of more than 700K state residents. A website created for internal use to help with resource allocation and decision-making was inadvertently made accessible over the public Internet. The second-largest data breach was reported by the Minnesota Department of Human Services, which affected more than 303K individuals. The breach involved unauthorized access to its MnChoices system, which is used by counties, Tribal Nations, and managed care organizations to support their assessment and planning work for state residents requiring long-term services and support. The system was accessed by a user associated with a licensed healthcare provider, who had no legitimate reason to access the data.

As the table below shows, ransomware groups continue to target the healthcare industry and were behind 6 of the top 11 data breaches in January.

HIPAA-Regulated Entity State Covered Entity Type Individuals Affected Data Breach Cause
Illinois Department of Human Services IL Health Plan 705,017 An internal website was inadvertently accessible over the public internet
Minnesota Department of Human Services MN Health Plan 303,965 Unauthorized access to an internal resource by a user associated with a licensed healthcare provider.
Clinic Service Corporation CO Business Associate 82,331 Hacking incident
LifeLong Medical Care CA Healthcare Provider 70,000 Hacking incident at business associate (Trizetto Provider Solutions)
Avosina Healthcare Solutions VA Business Associate 44,425 Ransomware attack (Qilin)
Wakefield & Associates, LLC TN Business Associate 31,751 Ransomware attack (Akira)
Jefferson-Blount-St. Clair Mental Health Authority AL Healthcare Provider 30,434 Ransomware attack (Medusa)
Mid Michigan Medical Billing Service, Inc. MI Business Associate 28,185 Ransomware attack (Qilin)
Pecan Tree Dental, PLLC TX Healthcare Provider 13,300 Ransomware attack (Sinobi)
Central Ozarks Medical Center MO Healthcare Provider 11,818 Hacking incident
360 Dental PC PA Healthcare Provider 11,273 Ransomware attack

The HIPAA Breach Notification Rule requires HIPAA-covered entities to report data breaches to the OCR within 60 days of discovery. If the number of affected individuals is not known by the reporting deadline, an estimate of the number of affected individuals should be provided to OCR. It is common for estimates of 500 or 501 affected individuals to be used as placeholders in such cases. In January, three such breaches were reported. The number of affected individuals could be substantially higher for these data breaches.

Regulated Entity State Covered Entity Type Individuals Affected Type of Breach
Precipio, Inc. CT Healthcare Provider 501 Hacking/IT Incident
Middlesex Sheriff’s Office MA Healthcare Provider 501 Hacking/IT Incident
Central Texas MHMR Center dba Center for Life Resource TX Healthcare Provider 501 Hacking/IT Incident

Causes of January 2025 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports and were listed as the cause of 36 of the month’s 46 data breaches (78.3%). The protected health information of 343,359 individuals was exposed or stolen in those incidents. Atypically, the number of individuals affected by those incidents was relatively low, as they accounted for just 23.8% of the month’s breach victims. The average breach size was 9,810 individuals, and the median breach size was 3,722 individuals.

Causes of January 2026 healthcare data breaches

While there were only 10 unauthorized access/disclosure incidents in January (21.7%), those incidents accounted for 76.1% of the month’s breach victims. The average breach size was 109,700 individuals, and the median breach size was 3,188 individuals. One loss incident was reported involving the paper records of 821 individuals, but there were no theft or improper disposal incidents. The most common location of breached protected health information in January was network servers (30 incidents), followed by email accounts (8 incidents).

Location of breached PHI in January 2026 healthcare data breaches

HIPAA-Regulated Entities Affected by Data Breaches

The OCR breach portal data includes 36 data breaches reported by healthcare providers (236,462 affected individuals), 6 data breaches were reported by business associates (190,015 affected individuals), and four data breaches were reported by health plans (1,014,705 affected individuals).

When a data breach occurs at a business associate, it is ultimately the responsibility of each affected HIPAA-covered entity to ensure that the breach is reported in compliance with the HIPAA Breach Notification Rule. Covered entities may delegate the responsibility of reporting the data breach to the business associate, or they may choose to report the breach themselves.

That means that data breaches at business associates are often underrepresented in healthcare data breach reports. The charts below show where the data breaches occurred rather than the reporting entity. As you can see, there is a stark difference this month, as 21 of the month’s data breaches occurred at business associates of HIPAA-covered entities.

Healthcare data breaches at HIPAA-regulated entities in January 2026

Individuals affected by data breaches at HIPAA-regulated entities - January 2026

Geographical Distribution of Healthcare Data Breaches

In January, HIPAA-regulated entities in 24 U.S. states reported data breaches affecting 500 or more individuals. California topped the list with 8 data breaches, although 7 of those breach reports related to the same incident – The data breach at Trizetto Provider Solutions, which was a business associate or subcontractor of the business associate OCHIN.

State Breaches
California 8
Maryland & Texas 4
Alabama & Indiana 3
Idaho, Illinois, Michigan, Oregon & Tennessee 2
Alaska, Colorado, Connecticut, Florida, Kentucky, Louisiana, Massachusetts, Minnesota, Missouri, New Jersey, New York, Pennsylvania, South Carolina & Virginia 1

While California topped the list for data breaches, Illinois and Minnesota were the worst-affected states in terms of affected individuals.

State Individuals Affected
Illinois 705,638
Minnesota 303,965
California 98,241
Colorado 82,331
Virginia 44,425
Alabama 39,287
Tennessee 33,092
Michigan 31,907
Texas 17,951
Missouri 11,818
Pennsylvania 11,273
Idaho 9,721
New Jersey 9,526
Maryland 8,134
Kentucky 7,990
South Carolina 7,020
Lopuisiana 6,530
New York 4,725
Oregon 2,781
Indiana 2,481
Florida 821
Alaska 523
Connecticut 501
Massachusetts 501

HIPAA Enforcement Activity in January 2025

Two enforcement actions were announced in January to resolve alleged violations of the HIPAA Rules. The HHS’ Office for Civil Rights announced a settlement with Top of the World Ranch Treatment Center to resolve an alleged HIPAA Security Rule violation. The behavioral healthcare provider was investigated over a phishing attack that exposed the protected health information of 1,980 individuals.

OCR determined that Top of the World Ranch Treatment Center had not complied with the risk analysis provision of the HIPAA Security Rule, which requires a comprehensive and accurate risk analysis to be conducted to identify risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The case was resolved with a $103,000 financial penalty, and Top of the World Ranch Treatment Center agreed to adopt a corrective action plan. This was the 11th HIPAA case to be resolved with a financial penalty under OCR’s risk analysis enforcement initiative.

OCR Director Paula M. Stannard has confirmed that the risk analysis enforcement initiative will continue in 2026 and will be expanded to also cover risk management. The enforcement initiative targeting noncompliance with the HIPAA Right of Access will also continue this year.

The other penalty was imposed following an investigation by the Massachusetts Attorney General, in partnership with the Connecticut Attorney General. Comstar LLC, a Massachusetts-based ambulance billing and collections company, was investigated over a March 2022 cyberattack and data breach that affected 585,621 individuals.

The investigation determined that Comstar had violated the HIPAA Security Rule and the Massachusetts Data Security Regulations by failing to maintain an adequate Written Information Security Program (WISP). The case was resolved with a $515,000 financial penalty, which will be shared between the two states. The settlement also includes several cybersecurity requirements. Comstar had previously settled an OCR HIPAA investigation launched in response to the same data breach and paid a $75,000 financial penalty.

The post January 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Apex Spine & Neurosurgery & North Central Behavioral Health Systems Announce Data Breaches

Posted by Steve Alder

Data breaches have been announced by Apex Spine & Neurosurgery in Georgia and North Central Behavioral Health Systems in Illinois.

Apex Spine & Neurosurgery

Apex Spine & Neurosurgery in Georgia has notified 2,500 individuals that some of their electronic protected health information has likely been stolen in a ransomware attack. Apex Spine & Neurosurgery said it learned on December 23, 2025, that a cyber threat actor had accessed its network and used ransomware to encrypt files. The forensic investigation confirmed that the cyber actor accessed its network and copied files on December 9, 2025; however, its electronic medical record system was not involved, as it is maintained in a logically separate computer environment.

The stolen files are still being reviewed; however, they contained information such as names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, other government identifiers, location of health services, dates of service, treatment or condition information, diagnosis/diagnosis codes, prescription information, history information, assigned physician names; health services payment information, such as financial account number without a security code, access code, or password to access an account, patient account numbers, and health insurance information subscriber or identification numbers. The information copied in the attack varies from individual to individual. Apex Spine & Neurosurgery said it is evaluating further technical safeguards to better protect sensitive data on its network.

The affected individuals have been advised to remain vigilant against identity theft and fraud by monitoring their accounts and explanation of benefits statements for suspicious activity. While the ransomware group was not mentioned in the breach notice, the Interlock ransomware group claimed responsibility for the attack and said 20 GB of data was exfiltrated. Interlock proceeded to leak the stolen data as the ransom was not paid. Apex Spine & Neurosurgery said it was able to securely recover the encrypted data from backups.

North Central Behavioral Health Systems

North Central Behavioral Health Systems, a mental health and substance abuse treatment center with locations in La Salle and Ottawa, Illinois, has identified unauthorized access to an employee’s email account. Suspicious activity was identified in a single email account on or around December 2, 2025. The account was secured to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the activity.

The investigation confirmed that the breach was limited to a single email account. The account is currently being reviewed to determine the types of information involved and the individuals affected. Notification letters will be mailed to the affected individuals as soon as the review is concluded. Currently, no misuse of patient data has been identified; however, patients have been advised to remain vigilant against data misuse by monitoring their bank accounts and financial statements for suspicious activity. Email security has been enhanced in response to the incident, and complimentary credit monitoring and identity theft protection services are being offered to the affected individuals.

The post Apex Spine & Neurosurgery & North Central Behavioral Health Systems Announce Data Breaches appeared first on The HIPAA Journal.

HHS Issues RFI Seeking Input on AI Tools and Methodologies for Healthcare Fraud Prevention

Posted by Steve Alder

The U.S. Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) plans to use artificial intelligence (AI) tools to identify fraudulent claims before they are paid.

While estimates of total losses from healthcare fraud vary, around $60 billion is thought to be lost to Medicare fraud each year. In 2023, the HHS Office of Inspector General (HHS-OIG), the primary agency responsible for tackling Medicare and Medicaid fraud, identified more than $100 billion in improper payments across the Medicare and Medicaid programs. Estimates suggest that between 3% and 10% of total healthcare spending is being lost to fraud. While HHS-OIG, in conjunction with the Department of Justice and the CMS, investigates fraud and prosecutes fraudsters, only a fraction of fraudulently paid funds is recovered.

In a February 25, 2026, press release, Vice President J.D. Vance, Secretary of Health and Human Services (HHS) Robert F. Kennedy, Jr., and CMS Administrator Dr. Mehmet Oz announced some of the new steps that are being taken to crack down on healthcare fraud as part of a broader effort by the Trump to improve affordability, protect patients, and reduce the burden on taxpayers, who ultimately foot the bill for healthcare fraud.

“For decades, Medicare fraud has drained billions from American taxpayers—that ends now,” said Secretary Kennedy. “We are replacing the old ‘pay and chase’ model with a real-time ‘detect and deploy’ strategy, using advanced AI tools to identify fraud instantly and stop improper payments before they go out the door.”

In the press release, the HHS confirmed that one of the actions is deferring $259.5 million of quarterly federal Medicaid funding in Minnesota while further investigations are conducted into fraudulent or unsupported claims, along with a nationwide moratorium on Medicare enrollment for certain Durable Medical Equipment, Prosthetics, Orthotics and Supplies (DMEPOS), which has historically been an area of major healthcare fraud.  The HHS has also issued a call to action for Americans to support fraud prevention, including seeking stakeholder input on ways the CMS can expand and strengthen its fraud prevention efforts.

“CMS is done trying to catch fraudsters with their hands in the cookie jar—instead, we’re padlocking the jar and letting them starve,” said Administrator Oz. “This proactive approach will help us crush fraud, protect taxpayer dollars, and make sure the vulnerable Americans who depend on our programs get the care they need.”

As part of the healthcare fraud prevention drive, the HHS and CMS issued a Request for Information (RFI) seeking input from a broad range of stakeholders on ways to strengthen the ability of the CMS to prevent, detect, and respond to fraud, waste, and abuse in Medicare, Medicaid, The Children’s Health Insurance Program (CHIP), and the Health Insurance Marketplace. That includes input on analytics, methodologies, data-driven approaches, and AI tools that would be most effective at identifying indicators of potential healthcare fraud, waste, or abuse.

The feedback will inform future rulemaking, including a potential “Comprehensive Regulations to Uncover Suspicious Healthcare (CRUSH) proposed rule, and other programmatic changes for tackling healthcare fraud. While the CMS and the HHS-OIG have long been using predictive modelling and data analytics to identify fraud and waste, the HHS recognizes the potential of AI tools for identifying fraud before claims are paid.

The CMS has asked for suggestions on how AI can be incorporated into Medicare Advantage coding oversight and hospital billing. Specifically, the types of AI solutions, including off-the-shelf products, that are most effective and efficient for assisting human coders with large volumes of records.

The CMS has asked stakeholders to share information on the key features and learning capabilities required in AI solutions to improve accuracy and prevent errors, the lessons learned when implementing AI solutions, how AI could be used to improve efficiency and accuracy of hospital billing, solutions that could help address coding issues related to overpayments, underpayments, and suggestions on how AI solutions can be used for compliance oversight.

While there is tremendous potential for AI tools to be used in fraud prevention and detection, they must not come at the expense of the privacy of Medicare and Medicaid beneficiaries. There will also need to be robust safeguards and oversight to ensure that legitimate and necessary medical care for law-abiding Americans is not put at risk.

The post HHS Issues RFI Seeking Input on AI Tools and Methodologies for Healthcare Fraud Prevention appeared first on The HIPAA Journal.