May 2026 Healthcare Data Breach Report – The HIPAA Journal
May 2026 Healthcare Data Breach Report
Based on the current data on the HHS’ Office for Civil Rights (OCR) breach portal, 61 healthcare data breaches affecting 500 or more individuals were reported in May 2026. May’s current total represents a 27.1% month-over-month increase in data breaches. Over the past 12 months, an average of 64 large healthcare data breaches were reported each month.

From January 1, 2026, to May 31, 2026, 319 data breaches affecting 500 or more individuals have been reported to OCR. This time last year, the total stood at 342 large data breaches.
While data breaches increased from April, the number of affected individuals fell by 34.8% to 879,447 individuals. In May, an average of 14,417 individuals were affected by healthcare data breaches, down from an average of 28,116 individuals in April. Over the past 12 months, an average of 10.6 million individuals have been affected by healthcare data breaches each month.

Data breaches are down slightly year-over-year, but there has been a massive reduction in the number of affected individuals. Very large data breaches have not been reported to OCR in the numbers seen in previous years. From January 1, 2026, to May 31, 2026, across the 319 data breaches, at least 21,085,405 individuals have been affected. The OCR breach portal shows that from January 2025 to May 2025, 33,116,809 individuals were affected by data breaches.
Biggest Healthcare Data Breaches of May 2026
In May 2026, 17 data breaches affecting 10,000 or more individuals were reported to OCR, all of which were hacking incidents. The biggest data breach of the month was reported by Radiology Associates of Richmond, affecting more than 266,000 individuals, followed by a hacking incident at Western Orthopaedics which affected more than 113,000 individuals.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| Radiology Associates of Richmond | VA | Healthcare Provider | 266,183 | Hacking incident |
| Western Orthopaedics, P.C. | CO | Healthcare Provider | 113,330 | Hacking incident |
| ERMI LLC | GA | Healthcare Provider | 74,074 | Hacking incident |
| Singing River Health System | MS | Healthcare Provider | 53,888 | Hacking incident |
| Southern Illinois Ob-Gyn Associates, S.C. | IL | Healthcare Provider | 38,700 | Hacking incident |
| Gastro Health | FL | Healthcare Provider | 35,632 | Unauthorized access to email accounts |
| Eyemart Express, LLC | TX | Healthcare Provider | 25,000 | Hacking incident |
| Connecticut Department of Social Services | CT | Health Plan | 22,500 | Unauthorized access to provider portal website |
| Bridle Trails Family Dentistry | WA | Healthcare Provider | 20,976 | Unauthorized access to email account |
| Community Connections | DC | Healthcare Provider | 18,943 | Ransomware attack (INCRansom) |
| Virta Medical PC | CO | Healthcare Provider | 14,636 | Hacking incident (Lapsus$) |
| Saurabh N. Patel, M.D – Florida Retina Center | LA | Healthcare Provider | 13,652 | Hacking incident |
| Greenbaum Rowe Smith & Davis LLP | NJ | Business Associate | 12,801 | Hacking incident |
| Wellpoint Washington, Inc. | IN | Health Plan | 12,020 | Unauthorized access to email account |
| Defense Health Agency (TriWest) | VA | Health Plan | 11,848 | Hacking incident |
| IKRON Corporation | OH | Healthcare Provider | 11,845 | Hacking incident |
| Elara Caring | TX | Healthcare Provider | 10,490 | Hacking incident at third-party vendor |
May’s total number of affected individuals may increase considerably over the coming weeks and months, as healthcare organizations complete their data breach investigations. HIPAA-regulated entities have 60 days from the date of discovery of a data breach to issue notifications to the HHS’ Office for Civil Rights and the affected individuals. HIPAA requires OCR to be notified even if the total number of individuals has yet to be determined by the 60-day deadline. In such cases, an estimate should be provided. Many regulated entities use a placeholder estimate of 500 or 501 individuals in such cases, and in May, 7 regulated entities appear to have used these placeholder figures.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| United Medical Doctors | CA | Healthcare Provider | 501 | Hacking/IT Incident |
| NJ Pain Care Specialists, LLC | NJ | Healthcare Provider | 501 | Hacking/IT Incident |
| Palomar Health Medical Group | CA | Healthcare Provider | 501 | Hacking/IT Incident |
| Aroostook Mental Health Center | ME | Healthcare Provider | 501 | Hacking/IT Incident |
| Campbell University | NC | Healthcare Provider | 500 | Hacking/IT Incident |
| BAYADA Home Health Care, Inc. | NJ | Healthcare Provider | 500 | Hacking/IT Incident |
| Integrated Pain Associates | TX | Healthcare Provider | 500 | Hacking/IT Incident |
Causes of May 2026 Healthcare Data Breaches
Hacking and other IT incidents dominated the breach reports in May, as has been the case each month for several years. Out of the month’s 61 large healthcare data breaches, 54 were classed as hacking/IT incidents – 88.5% of the month’s data breaches. Across those incidents, the protected health information of 853,532 individuals was compromised- 88.5% of the month’s total affected individuals. On average, hacking/IT incidents affected 15,806 individuals in May, with a median breach size of 3,619 individuals.
There were 7 data breaches classed as unauthorized access/disclosure incidents, representing 11.5% of the month’s breaches. Across those incidents, the protected health information of 25,915 individuals was unlawfully accessed or disclosed. On average, 3,702 individuals were affected by each incident in May. The median breach size was 3,086 individuals. There were no reported theft, loss, or improper disposal incidents in May.
Given the large number of hacking incidents, it is no surprise that the most common location of breached protected health information was network servers. Email incidents were also reported in high numbers.
States Affected by May 2026 Healthcare Data Breaches
Large healthcare data breaches were reported by HIPAA-regulated entities in 26 U.S. states and the District of Columbia. California was the worst affected state with 6 breaches.
| State | Breaches |
| California | 6 |
| Florida, New Jersey, New York, North Carolina, Ohio, Texas & Virginia | 4 |
| Colorado | 3 |
| Indiana, Maine, Michigan, Pennsylvania, South Carolina & the District of Columbia | 2 |
| Arizona, Connecticut, Georgia, Illinois, Iowa, Louisiana, Massachusetts, Mississippi, Oregon, Tennessee, Washington & Wisconsin | 1 |
In terms of affected individuals, Virginia topped the list with almost 300,000 state residents affected.
| State | Individuals Affected | State | Individuals Affected |
| Virginia | 290,254 | Louisiana | 13,652 |
| Colorado | 128,661 | Pennsylvania | 7,095 |
| Georgia | 74,074 | South Carolina | 6,946 |
| Mississippi | 53,888 | Iowa | 6,666 |
| Florida | 44,649 | Michigan | 6,456 |
| Texas | 40,045 | California | 5,303 |
| Illinois | 38,700 | North Carolina | 4,949 |
| Ohio | 28,540 | Massachusetts | 3,086 |
| Connecticut | 22,500 | Maine | 3,024 |
| Washington | 20,976 | Oregon | 2,856 |
| District of Columbia | 20,014 | Arizona | 2,316 |
| New York | 19,674 | Tennessee | 1,807 |
| Indiana | 17,325 | Wisconsin | 1,080 |
| New Jersey | 14,911 | ||
Data Breaches at HIPAA -Regulated Entities
In May 2026, 42 data breaches were reported by healthcare providers, 9 breaches were reported by health plans, and 10 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.
The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 22 of the 61 breaches (rather than 10) occurred at business associates in May.
HIPAA Enforcement Activity in May 2026
No enforcement actions were announced by OCR or state attorneys general in May.
The post May 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.
Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation – The HIPAA Journal
Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation
A settlement has been agreed to resolve a class action lawsuit against the Nashville, TN-based health plan administration service provider, Lucent Health Solutions. The litigation stems from an October 2023 phishing attack that allowed a threat actor to obtain credentials for an email account.
Lucent Health Solutions said the threat actor only had a 90-minute window to access the account, and no evidence was found of data theft; however, the account contained the protected health information of approximately 37,000 individuals, including their names, dates of birth, Social Security numbers, and health, dental, and vision group and/or plan numbers. The affected individuals were notified about the data breach in January 2025, 15 months after the breach occurred.
A putative class action lawsuit was filed by plaintiff Royal Corralejo – Royal Corralejo v. Lucent Health Solutions, LLC Litigation – in the Circuit Court for Davidson County, Tennessee, which was removed to the United States District Court for the Middle District of Tennessee. The lawsuit alleged that the defendant had failed to implement reasonable and appropriate cybersecurity measures, resulting in the data breach. The defendant denies all claims and contentions in the lawsuit and maintains that there was no wrongdoing.
After considering the costs and risks associated with a trial and related appeals, all parties agreed to discuss settling the lawsuit. During mediation on August 29, 2025, the material terms of a settlement were agreed by all parties, with no admission of liability or wrongdoing by the defendant. The settlement provides several benefits for the class members. Class members may submit a claim for reimbursement of documented, unreimbursed ordinary losses due to the data breach up to a maximum of $550 per class member, and a claim for up to $5,500 reimbursement for extraordinary losses from fraud or identity theft. A claim may also be submitted for up to 5 hours of lost time at $25 per hour.
Individuals who chose not to claim those benefits may instead claim a one-time cash payment of $80. Regardless of whether a claim is submitted for reimbursement of losses or the cash payment, class members may also claim a three-year membership to the CyEx Medical Shield Complete medical data monitoring service.
The defendant has agreed to pay up to $1,950,000 to resolve the lawsuit, which includes attorneys’ fees and expenses, settlement administration and notification costs, and a service award for the plaintiff. Should claims exceed that total, claims will be subject to a pro rata reduction. The deadline for objection and opting out of the settlement is August 21, 2026. The deadline for submitting a claim is September 5, 2026, and the final fairness hearing has been scheduled for September 9, 2026.
The post Lucent Health Solutions to Pay Up to 1.95M to Settle Data Breach Litigation appeared first on The HIPAA Journal.





