May 2026 Healthcare Data Breach Report

Based on the current data on the HHS’ Office for Civil Rights (OCR) breach portal, 61 healthcare data breaches affecting 500 or more individuals were reported in May 2026. May’s current total represents a 27.1% month-over-month increase in data breaches. Over the past 12 months, an average of 64 large healthcare data breaches were reported each month.

Healthcare data breaches in the past 12 months - May 2026

From January 1, 2026, to May 31, 2026, 319 data breaches affecting 500 or more individuals have been reported to OCR. This time last year, the total stood at 342 large data breaches.

HEalthcare data breaches - January 1 - May 31 - 2022-2026

While data breaches increased from April, the number of affected individuals fell by 34.8% to 879,447 individuals. In May, an average of 14,417 individuals were affected by healthcare data breaches, down from an average of 28,116 individuals in April. Over the past 12 months, an average of 10.6 million individuals have been affected by healthcare data breaches each month.

Individuals affected by healthcare data breaches in the past 12 months - May 2026

Data breaches are down slightly year-over-year, but there has been a massive reduction in the number of affected individuals. Very large data breaches have not been reported to OCR in the numbers seen in previous years. From January 1, 2026, to May 31, 2026, across the 319 data breaches, at least 21,085,405 individuals have been affected. The OCR breach portal shows that from January 2025 to May 2025, 33,116,809 individuals were affected by data breaches.

Individuals affected by healthcare data breaches - jan 1 - May 31, 2022-2026

Biggest Healthcare Data Breaches of May 2026

In May 2026, 17 data breaches affecting 10,000 or more individuals were reported to OCR, all of which were hacking incidents. The biggest data breach of the month was reported by Radiology Associates of Richmond, affecting more than 266,000 individuals, followed by a hacking incident at Western Orthopaedics which affected more than 113,000 individuals.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
Radiology Associates of Richmond VA Healthcare Provider 266,183 Hacking incident
Western Orthopaedics, P.C. CO Healthcare Provider 113,330 Hacking incident
ERMI LLC GA Healthcare Provider 74,074 Hacking incident
Singing River Health System MS Healthcare Provider 53,888 Hacking incident
Southern Illinois Ob-Gyn Associates, S.C. IL Healthcare Provider 38,700 Hacking incident
Gastro Health FL Healthcare Provider 35,632 Unauthorized access to email accounts
Eyemart Express, LLC TX Healthcare Provider 25,000 Hacking incident
Connecticut Department of Social Services CT Health Plan 22,500 Unauthorized access to provider portal website
Bridle Trails Family Dentistry WA Healthcare Provider 20,976 Unauthorized access to email account
Community Connections DC Healthcare Provider 18,943 Ransomware attack (INCRansom)
Virta Medical PC CO Healthcare Provider 14,636 Hacking incident (Lapsus$)
Saurabh N. Patel, M.D – Florida Retina Center LA Healthcare Provider 13,652 Hacking incident
Greenbaum Rowe Smith & Davis LLP NJ Business Associate 12,801 Hacking incident
Wellpoint Washington, Inc. IN Health Plan 12,020 Unauthorized access to email account
Defense Health Agency (TriWest) VA Health Plan 11,848 Hacking incident
IKRON Corporation OH Healthcare Provider 11,845 Hacking incident
Elara Caring TX Healthcare Provider 10,490 Hacking incident at third-party vendor

May’s total number of affected individuals may increase considerably over the coming weeks and months, as healthcare organizations complete their data breach investigations. HIPAA-regulated entities have 60 days from the date of discovery of a data breach to issue notifications to the HHS’ Office for Civil Rights and the affected individuals. HIPAA requires OCR to be notified even if the total number of individuals has yet to be determined by the 60-day deadline. In such cases, an estimate should be provided. Many regulated entities use a placeholder estimate of 500 or 501 individuals in such cases, and in May, 7 regulated entities appear to have used these placeholder figures.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
United Medical Doctors CA Healthcare Provider 501 Hacking/IT Incident
NJ Pain Care Specialists, LLC NJ Healthcare Provider 501 Hacking/IT Incident
Palomar Health Medical Group CA Healthcare Provider 501 Hacking/IT Incident
Aroostook Mental Health Center ME Healthcare Provider 501 Hacking/IT Incident
Campbell University NC Healthcare Provider 500 Hacking/IT Incident
BAYADA Home Health Care, Inc. NJ Healthcare Provider 500 Hacking/IT Incident
Integrated Pain Associates TX Healthcare Provider 500 Hacking/IT Incident

Causes of May 2026 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in May, as has been the case each month for several years. Out of the month’s 61 large healthcare data breaches, 54 were classed as hacking/IT incidents – 88.5% of the month’s data breaches. Across those incidents, the protected health information of 853,532 individuals was compromised- 88.5% of the month’s total affected individuals. On average, hacking/IT incidents affected 15,806 individuals in May, with a median breach size of 3,619 individuals.

Causes of May 2026 healthcare data breaches

There were 7 data breaches classed as unauthorized access/disclosure incidents, representing 11.5% of the month’s breaches. Across those incidents, the protected health information of 25,915 individuals was unlawfully accessed or disclosed. On average, 3,702 individuals were affected by each incident in May. The median breach size was 3,086 individuals. There were no reported theft, loss, or improper disposal incidents in May.

Given the large number of hacking incidents, it is no surprise that the most common location of breached protected health information was network servers. Email incidents were also reported in high numbers.

Location of breached PHI in May 2026 healthcare data breaches

States Affected by May 2026 Healthcare Data Breaches

Large healthcare data breaches were reported by HIPAA-regulated entities in 26 U.S. states and the District of Columbia. California was the worst affected state with 6 breaches.

State Breaches
California 6
Florida, New Jersey, New York, North Carolina, Ohio, Texas & Virginia 4
Colorado 3
Indiana, Maine, Michigan, Pennsylvania, South Carolina & the District of Columbia 2
Arizona, Connecticut, Georgia, Illinois, Iowa, Louisiana, Massachusetts, Mississippi, Oregon, Tennessee, Washington & Wisconsin 1

In terms of affected individuals, Virginia topped the list with almost 300,000 state residents affected.

State Individuals Affected State Individuals Affected
Virginia 290,254 Louisiana 13,652
Colorado 128,661 Pennsylvania 7,095
Georgia 74,074 South Carolina 6,946
Mississippi 53,888 Iowa 6,666
Florida 44,649 Michigan 6,456
Texas 40,045 California 5,303
Illinois 38,700 North Carolina 4,949
Ohio 28,540 Massachusetts 3,086
Connecticut 22,500 Maine 3,024
Washington 20,976 Oregon 2,856
District of Columbia 20,014 Arizona 2,316
New York 19,674 Tennessee 1,807
Indiana 17,325 Wisconsin 1,080
New Jersey 14,911

Data Breaches at HIPAA -Regulated Entities

In May 2026, 42 data breaches were reported by healthcare providers, 9 breaches were reported by health plans, and 10 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.

The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 22 of the 61 breaches (rather than 10) occurred at business associates in May.

May 2026 data breaches at HIPAA-regulated entities

Individuasl affected by data breaches at HIPAA-regulated entities in May 2026

HIPAA Enforcement Activity in May 2026

No enforcement actions were announced by OCR or state attorneys general in May.

The post May 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation

A settlement has been agreed to resolve a class action lawsuit against the Nashville, TN-based health plan administration service provider, Lucent Health Solutions. The litigation stems from an October 2023 phishing attack that allowed a threat actor to obtain credentials for an email account.

Lucent Health Solutions said the threat actor only had a 90-minute window to access the account, and no evidence was found of data theft; however, the account contained the protected health information of approximately 37,000 individuals, including their names, dates of birth, Social Security numbers, and health, dental, and vision group and/or plan numbers.  The affected individuals were notified about the data breach in  January 2025, 15 months after the breach occurred.

A putative class action lawsuit was filed by plaintiff Royal Corralejo – Royal Corralejo v. Lucent Health Solutions, LLC Litigation – in the Circuit Court for Davidson County, Tennessee, which was removed to the United States District Court for the Middle District of Tennessee. The lawsuit alleged that the defendant had failed to implement reasonable and appropriate cybersecurity measures, resulting in the data breach. The defendant denies all claims and contentions in the lawsuit and maintains that there was no wrongdoing.

After considering the costs and risks associated with a trial and related appeals, all parties agreed to discuss settling the lawsuit. During mediation on August 29, 2025, the material terms of a settlement were agreed by all parties, with no admission of liability or wrongdoing by the defendant. The settlement provides several benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $550 per class member, and a claim for up to $5,500 reimbursement for extraordinary losses from fraud or identity theft. A claim may also be submitted for up to 5 hours of lost time at $25 per hour.

Individuals who chose not to claim those benefits may instead claim a one-time cash payment of $80. Regardless of whether a claim is submitted for reimbursement of losses or the cash payment, class members may also claim a three-year membership to the CyEx Medical Shield Complete medical data monitoring service.

The defendant has agreed to pay up to $1,950,000 to resolve the lawsuit, which includes attorneys’ fees and expenses, settlement administration and notification costs, and a service award for the plaintiff. Should claims exceed that total, claims will be subject to a pro rata reduction. The deadline for objection and opting out of the settlement is August 21, 2026. The deadline for submitting a claim is September 5, 2026, and the final fairness hearing has been scheduled for September 9, 2026.

The post Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation appeared first on The HIPAA Journal.