April 2026 Healthcare Data Breach Report
In April 2026, 47 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). That represents a 33.8% reduction in large healthcare data breaches from the 71 large data breaches reported in March 2026, and well below the 12-month average of 62.4 data breaches per month.

The year-to-date figures also show a reduction in large healthcare data breaches. From January 1 to April 30, 252 large healthcare data breaches have been reported by HIPAA-regulated entities, compared to 276 (-8.7%) for the corresponding period in 2025 and 299 (-15.7%) for the corresponding period in 2024.

Across the 47 data breaches, the protected health information of 1,336,264 individuals was exposed or impermissibly disclosed – the second lowest monthly total in the past 12 months, and currently an 84.9% reduction from March 2026. The number of affected individuals is likely to increase, as some regulated entities have reported breaches with placeholder estimates of 500 or 501 affected individuals.

The year-to-date figures for affected individuals are encouraging. From January 1 to April 30, the protected health information of 20.1 million individuals has been breached, and while that is a sizeable figure, it is a reduction of 25.5% from the corresponding period in 2025 and a reduction of 48.8% from the corresponding period in 2024.

The Biggest Healthcare Data Breaches Reported in April 2026
In April, 15 data breaches affecting 10,000 or more individuals were reported to the HHS’ Office for Civil Rights, all but one of which were hacking incidents. The biggest data breach of the month was reported by the medical group Florida Physician Specialists, involving unauthorized access to the protected health information of 276,498 individuals. Two of the 15 data breaches were confirmed ransomware attacks, and one incident involved unauthorized access by “a business counterparty” after access was thought to have been terminated.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Cause of Breach |
|---|---|---|---|---|---|---|
| Florida Physician Specialists | FL | Healthcare Provider | 276,498 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Southern Illinois Dermatology | IL | Healthcare Provider | 160,312 | Hacking/IT Incident | Network Server | Hacking incident |
| Laurel Eye Clinic | PA | Healthcare Provider | 145,221 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Innovative Scientific Solutions, LLC | SC | Healthcare Provider | 143,842 | Hacking/IT Incident | Network Server | Hacking incident |
| Hospital Caribbean Medical Center | PR | Healthcare Provider | 92,000 | Hacking/IT Incident | Network Server | Ransomware attack (The Gentlemen) – Data theft confirmed |
| Tri-Cities Gastroenterology | TN | Healthcare Provider | 67,115 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| City Health, a medical corporation | CA | Healthcare Provider | 65,000 | Unauthorized Access/Disclosure | Electronic Medical Record | Access to its electronic medical record system by a former business counterparty after termination |
| Hematology Oncology Consultants | MI | Healthcare Provider | 62,972 | Hacking/IT Incident | Network Server | Hacking incident – Data theft likely |
| GrayRobinson, P.A. | FL | Business Associate | 54,131 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Rocky Mountain Associated Physicians, P.C. | UT | Healthcare Provider | 50,640 | Hacking/IT Incident | Network Server | Hacking incident |
| Heart South Cardiovascular Group | AL | Healthcare Provider | 46,666 | Hacking/IT Incident | Network Server | Hacking incident |
| Mt. Spokane Pediatrics | WA | Healthcare Provider | 32,021 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| University of Nebraska Medical Center | NE | Healthcare Provider | 26,937 | Hacking/IT Incident | Network Server | Hacking of a third-party software application |
| Liberty Bankers Life Ins. Co. | TX | Health Plan | 20,202 | Hacking/IT Incident | Network Server | Hacking incident at a business associate |
| Bayside Dental | WA | Healthcare Provider | 10,216 | Hacking/IT Incident | Network Server | Ransomware attack (Sinobi) – Data theft claimed |
Three data breaches were reported in April before data reviews had been completed. Placeholder figures of 500 or 501 affected individuals were used and will be updated when the file reviews are concluded.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
|---|---|---|---|---|
| Spokane Digestive Disease Center, P.S. | WA | Healthcare Provider | 501 | Unauthorized access to its email environment |
| FMRS Health Systems, Inc. | WV | Healthcare Provider | 500 | Hacking incident – data theft confirmed |
| CARE Clinic | MN | Healthcare Provider | 500 | Unauthorized access to its email environment |
Causes of April 2026 Healthcare Data Breaches
Hacking and other types of IT incidents dominated the breach reports in April, accounting for 36 (76.6%) of the 47 reported large data breaches. Across those incidents, the protected health information of 1,240,571 individuals was exposed or impermissibly disclosed. Hacking/IT incidents accounted for 92.8% of the affected individuals in April. The average breach size was 32,883 individuals, and the median breach size was 4,547 individuals.

There were 9 unauthorized access/disclosure incidents in April, which accounted for 19.1% of the month’s data breaches. Across those incidents, the protected health information of 86,717 individuals was accessed without authorization or was impermissibly disclosed – 6.5% of the month’s affected individuals. The average breach size was 9,635 individuals, and the median breach size was 1,467 individuals. There were no loss, theft, or improper disposal incidents in April.

States Affected by April 2026 Healthcare Data Breaches
Data breaches were reported by HIPAA-regulated entities in 25 states, the District of Columbia, and Puerto Rico in April. California was the worst-affected state in terms of data breaches, while Florida was the worst-affected state in terms of the number of individuals affected.
April 2026 Healthcare Data Breaches
| State | Breaches |
|---|---|
| California | 6 |
| Texas & Washington | 4 |
| Florida & Virginia | 3 |
| Illinois, Minnesota, Oklahoma, Pennsylvania & West Virginia | 2 |
| Alabama, Delaware, Iowa, Indiana, Kentucky, Maryland, Michigan, Missouri, Nebraska, New Jersey, New York, South Carolina, Tennessee, Utah, Vermont, the District of Columbia & Puerto Rico | 1 |
Individuals Affected by April 2026 Healthcare Data Breaches
| State | Individuals Affected | State | Individuals Affected |
|---|---|---|---|
| Florida | 331,316 | Oklahoma | 8,233 |
| Illinois | 162,203 | Maryland | 7,213 |
| Pennsylvania | 145,976 | Iowa | 6,717 |
| South Carolina | 143,842 | Indiana | 5,900 |
| Puerto Rico | 92,000 | Vermont | 5,892 |
| California | 78,846 | Minnesota | 5,885 |
| Tennessee | 67,115 | Kentucky | 3,677 |
| Michigan | 62,972 | Virginia | 2,552 |
| Utah | 50,640 | New York | 2,123 |
| Alabama | 46,666 | Missouri | 2,027 |
| Washington | 46,202 | West Virginia | 1,500 |
| Nebraska | 26,937 | District of Columbia | 1,467 |
| Texas | 26,648 | | |
April 2026 Data Breaches at HIPAA Regulated Entities
In April 2026, 36 data breaches were reported by healthcare providers, 8 breaches were reported by health plans, and 3 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.
The pie charts below show where each breach occurred rather than which entity reported it; by that measure, 11 of the 47 breaches (rather than 3) occurred at business associates in April.


HIPAA Enforcement Activity in April 2026
The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, announced 4 settlements with HIPAA-regulated entities in April to resolve alleged violations of the HIPAA Rules. When alleged HIPAA violations are settled, the settlement agreement includes a corrective action plan to address the areas of noncompliance identified by OCR. When a civil monetary penalty is imposed, OCR cannot compel the regulated entity to adopt a corrective action plan.
All four of the settlements related to ransomware attacks, and in all cases, OCR identified a risk analysis failure. The HIPAA Security Rule requires regulated entities to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to electronic protected health information. It is the most commonly identified HIPAA Security Rule violation. You can read more about each enforcement action in this post. No state attorneys general announced any HIPAA penalties in April.
| HIPAA-Regulated Entity | Entity Type | Reason for Investigation | Alleged HIPAA Violation(s) | Settlement Amount |
|---|---|---|---|---|
| Regional Women’s Health Group (Axia Women’s Health) | Healthcare Provider | Reported ransomware attack involving the protected health information of 37,989 individuals | Risk analysis failure; impermissible disclosure of ePHI | $320,000 |
| Assured Imaging Affiliated Covered Entities | Healthcare Provider | Reported ransomware attack involving the protected health information of 244,813 individuals | Risk analysis failure (never conducted); breach notification failure | $375,000 |
| Consociate, Inc. (Consociate Health) | Business Associate | Reported ransomware attack involving the protected health information of 136,539 individuals | Risk analysis failure | $225,000 |
| Star Group, L.P. Health Benefits Plan | Health Plan | Reported ransomware attack involving the protected health information of 9,316 individuals | Risk analysis failure | $245,000 |
The post April 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.
Free Webinar: AI + HIPAA: Innovating in Healthcare Without Leaving Compliance Behind
Artificial intelligence has tremendous potential in healthcare, and healthcare organizations have embraced AI tools in all areas of their operation; however, there are compliance risks associated with AI when tools engage with health information protected under the Health Insurance Portability and Accountability Act (HIPAA). Incorporating AI tools while complying with all HIPAA Privacy and Security Rule implementation specifications can be challenging, especially when there is limited guidance on how HIPAA applies to AI.
Fortunately, help is at hand. On July 8, 2026, the HIPAA-compliant communication platform provider Paubox is hosting a webinar where healthcare organizations can learn from a diverse panel of experts about AI-related HIPAA compliance challenges and receive invaluable advice on how to keep innovating without leaving HIPAA compliance behind.
During the webinar, attendees will learn how real-world healthcare teams are developing and implementing AI tools and the challenges they have faced; the specific questions you need to ask any AI vendor before you sign, and how to handle business associate agreements (BAAs); what responsible use of AI with PHI looks like; what the future holds; and what you need to do right now. At the end of the webinar, time is allocated for a Q&A with the panel so you can get answers to your questions.
Speakers:
Heather Phillips – Advisory Committee Member, FoXX Health
Tim Gutwald – Partner, Elevare Law
Brittany Sigler – DrPH, Founder & Product Leader, Bright Signal Consulting
Mike Maseda – Head of Sales & Ops, GenHealth.ai
Webinar Details
AI + HIPAA: Innovating in Healthcare Without Leaving Compliance Behind
July 8, 2026
1:00 p.m. ET | 12:00 p.m. CT | 11:00 a.m. MT | 10:00 a.m. PT
Click Here to Register for the Webinar
Can’t attend on the day? Register to receive a link to the recording!
This webinar is eligible for 1 self-reported CPE
Columbus Regional Health; St. Joseph Hospital Settle Pixel Privacy Lawsuits
Settlements have been agreed to resolve class action lawsuits against two healthcare providers over their use of website tracking technologies. The lawsuits alleged that the deployment of these tools caused the personal and protected health information of patients to be disclosed to third parties without patients’ knowledge or consent.
Website tracking tools, such as pixels, are installed on websites across the internet for tracking the actions of website users. They can record a range of information about user interactions, such as the pages visited, time spent on each page, how the user navigated to the website, and other information. That information may be sent to the third-party providers of the tools, allowing the user to be tracked as they navigate to other webpages. They may then be served targeted advertisements across the internet based on their actions on a website where the tools were installed. For instance, if an individual visited a page related to obesity, they may be served adverts related to weight loss medications.
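The mechanism described above, a page pulling scripts and pixels from hosts the site operator does not control, can be audited on the defender's side by inventorying every foreign host a page's markup loads from. The following is an added illustration, not code from The HIPAA Journal or from either hospital; the sample portal page, the first-party host name and the short list of tracker hosts are constructed assumptions for the example.

```python
# Static audit helper: list the foreign hosts a page pulls resources from, also
# checking inline script text, since pixel snippets usually inject their loader at runtime.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative labels for hosts associated with common tracking tools
# (an assumption for this example; extend with your own vendor inventory).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel endpoint",
    "www.clarity.ms": "Microsoft Clarity",
}

# Constructed sample of a patient-portal page; not any real site's markup.
SAMPLE_PORTAL_PAGE = """<html><head>
<script src="/static/portal.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js'; document.head.appendChild(s);
</script>
<link rel="stylesheet" href="https://cdn.example-hospital.org/portal.css">
</head><body>
<noscript><img src="https://www.facebook.com/tr?id=0000&amp;ev=PageView&amp;noscript=1"></noscript>
<img src="/img/logo.png" alt="logo">
</body></html>"""

class ResourceCollector(HTMLParser):
    """Collect request-causing attribute values and inline script bodies."""
    LOAD_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls, self.inline_script, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = self.LOAD_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(attrs[attr])
        if tag == "script" and not attrs.get("src"):
            self._in_inline = True  # body of this element is inline JavaScript

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.inline_script.append(data)

def third_party_loads(html, first_party_host):
    """Return {host: label} for every foreign host the page pulls from."""
    parser = ResourceCollector()
    parser.feed(html)
    found = {}
    for url in parser.urls:
        host = urlsplit(url).hostname
        if not host or host == first_party_host or host.endswith("." + first_party_host):
            continue  # relative or first-party resource
        found[host] = KNOWN_TRACKER_HOSTS.get(host, "unclassified third party")
    script_text = "\n".join(parser.inline_script)
    for host, label in KNOWN_TRACKER_HOSTS.items():
        if host in script_text:
            found.setdefault(host, label + " (referenced from inline script)")
    return found
```

Run `third_party_loads(SAMPLE_PORTAL_PAGE, "example-hospital.org")` to see both the static pixel image and the loader referenced only from inline script reported; a static scan like this does not see hosts contacted by already-loaded scripts, so pair it with a browser network capture on portal pages.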
Many lawsuits have been filed against healthcare providers over website tracking tools, alleging privacy violations. Two of the latest lawsuits to be settled were filed against Bartholomew County Public Hospital d/b/a Columbus Regional Health and St. Joseph Hospital of Nashua, N.H. In both cases, the defendants maintain that there was no wrongdoing, no laws were violated, and there is no liability; however, settlements were agreed to avoid the cost, distraction, and risks of continuing with the litigation.
Columbus Regional Health Pixel Settlement
Bartholomew County Public Hospital d/b/a Columbus Regional Health is a non-profit regional health system that includes a 225-bed Columbus hospital serving patients in southeastern Indiana. Columbus Regional Health was alleged to have collected and transmitted patient data to Meta (Facebook) via Meta Pixel and other tracking tools on its website without the knowledge or permission of website users. The first lawsuit was filed in May 2023 – Brian Elkins and Annie Elkins v. Bartholomew County Public Hospital d/b/a Columbus Regional Health – in Marion County Superior Court, with a further three plaintiffs joining the action after filing similar complaints.
The consolidated lawsuit asserted claims for negligence; negligence per se; invasion of privacy – intrusion upon seclusion; invasion of privacy – public disclosure of private facts; breach of implied contract; unjust enrichment; breach of fiduciary duty; and violation of the Indiana Deceptive Consumer Sales Act.
Settlement Terms
Claims may be submitted for a one-time cash payment of $25.50, and class members will be automatically enrolled in a 12-month membership to the CyEx Privacy Shield Pro digital privacy and identity protection service. The defendant has agreed to cover the cost of attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the 5 class representatives. The deadline for opting out and exclusion has passed.
Eligibility: Individuals who resided in Indiana and completed a registration for access to their electronic records or logged into the patient portal between November 1, 2017, and June 30, 2022.
Claims deadline: September 19, 2026
Final approval hearing: July 22, 2026
Further information: https://columbusregionalsettlement.com/
St. Joseph Hospital of Nashua, N.H. Pixel Settlement
St. Joseph Hospital Corporate Services, Inc. is a New Hampshire healthcare corporation that operates the 208-bed St. Joseph Hospital in Nashua. The hospital is alleged to have used tracking technologies on its website that disclosed website users’ sensitive information to Microsoft, without their knowledge or consent. The plaintiffs alleged that the data collected via the tools was used to enhance Microsoft’s advertising technology and serve targeted advertisements to patients based on the information disclosed on the defendant’s website.
The lawsuit – Fiorillo, et al., v. St. Joseph Hospital of Nashua, N.H. – was filed in the Superior Court of Hillsborough County, New Hampshire, and was later amended to correct an inaccuracy in the defendant’s corporate entity. The lawsuit asserted claims including negligence, invasion of privacy – intrusion upon seclusion, and unjust enrichment.
Settlement Terms
Claims may be submitted for a one-time cash payment of $50 per class member. The defendant has also agreed to pay attorneys’ fees and expenses, settlement administration and notification costs, and service awards to the class representatives.
Eligibility: Individuals who used the MyChart patient portal associated with St. Joseph Hospital from January 1, 2023, to the present.
Opt out and exclusion deadline: July 30, 2026
Claims deadline: August 14, 2026
Final approval hearing: September 14, 2026
Further information: https://columbusregionalsettlement.com/
LifePoint Health; Southwest Behavioral & Health Services; Nottingham Village Report Data Breaches
Data breaches have been announced by Lifepoint Health, Southwest Behavioral & Health Services, and Nottingham Village.
Lifepoint Health
Lifepoint Health Inc., a healthcare delivery network that operates more than 60 hospital campuses in 28 U.S. states, more than 30 rehabilitation and behavioral health hospitals, and over 170 acute rehabilitation units, discovered unauthorized activity within its network on February 23, 2026. The forensic investigation traced the activity to a compromised user account. Assisted by third-party cybersecurity experts, Lifepoint Health determined that an unauthorized third party gained limited access to certain internal databases on February 22, 2026. The incident was fully contained within 24 hours.
Lifepoint Health determined that the data breach was limited in scope and was restricted to employees of contracted vendors. Direct employees of the company and patients were not affected. The affected employees had their names, addresses, phone numbers, dates of birth, and Social Security numbers compromised in the incident. Notification letters were sent to those individuals on April 23, 2026, and complimentary credit monitoring and identity theft protection services have been made available.
Southwest Behavioral & Health Services
Southwest Behavioral & Health Services, a Phoenix, AZ-based non-profit behavioral health organization, has identified a breach of its email environment. Suspicious activity was identified within its email environment on April 1, 2026, and the forensic investigation determined that six employee email accounts were compromised.
The review of the affected email accounts was completed on April 30, 2026, and notification letters have now been sent to the 2,316 affected individuals. Southwest Behavioral & Health Services has published a substitute breach notice on its website, but it does not state the types of information exposed in the incident. No evidence has been identified to suggest any misuse of the exposed data; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services, and steps have been taken to improve email security to prevent similar incidents in the future.
Nottingham Village
Nottingham Village, a skilled nursing and assisted living facility in Northumberland, Pennsylvania, has notified 5,240 individuals about a security incident that was identified on November 9, 2025. After securing its network, an investigation was launched, and on May 12, 2026, it was confirmed that the exposed data included names, birth dates, Social Security numbers, driver’s license numbers/state government IDs, financial account information, medical information, and health insurance information. Nottingham Village said it continually evaluates and modifies its security practices and will continue to do so in the future.