HIPAA Breach News

AdaptHealth Reports Material Cybersecurity Incident and Theft of Patient Data

AdaptHealth, a publicly traded healthcare company that provides home medical equipment, diabetes supplies, and sleep therapy products, has informed the U.S. Securities and Exchange Commission (SEC) that it is investigating a material cybersecurity incident involving unauthorized access to patient data.

According to the company’s Form 8-K filing, a threat actor contacted the company on June 15, 2026, claiming to have obtained files containing patient data. AdaptHealth launched an investigation, engaged third-party cybersecurity experts, and notified law enforcement. AdaptHealth has determined that certain cloud-based business applications were accessed by the threat actor, including internal patient management systems and document storage platforms. Files containing patients’ personally identifiable information (PII) and protected health information were exfiltrated by the threat actor.

The investigation is ongoing; however, AdaptHealth has determined that the unauthorized access occurred as a result of a response to a social engineering attack on a third-party contractor, which allowed the contractor’s credentials to be obtained. The threat actor obtained a stored password file tied to insurance billing and access to external electronic health record portals.

The affected account has been disabled, credentials have been reset, and additional access controls have been implemented. The incident has not had an impact on its operations or patient services, and a review is ongoing to determine the extent of data theft. The types of data involved have yet to be determined, and the number of affected individuals is currently unknown. AdaptHealth said it does not collect patients’ Social Security numbers, and financial account information and payment card information are not stored in the compromised systems.

AdaptHealth said it considers this to be a material cybersecurity incident due to the nature and potential volume of data at risk. The financial impact of the incident is still being assessed, with the company potentially having to cover costs associated with forensics, breach notification, legal and regulatory responses, and any remediation measures. The company holds a cybersecurity insurance policy, which may cover certain losses associated with the incident.

While AdaptHealth has not named the threat actor behind the attack, this appears to have been a data theft and extortion attempt by the ShinyHunters threat group. ShinyHunters added AdaptHealth to its data leak site and has threatened to leak the stolen data if the ransom is not paid, giving the company a final warning to pay or face a data leak.

The post AdaptHealth Reports Material Cybersecurity Incident and Theft of Patient Data appeared first on The HIPAA Journal.

Delaware & Florida Women’s Health Centers Announce Data Breaches

Two women’s healthcare providers have announced data privacy incidents. Women’s Wellness of Southern Delaware recently learned about unauthorized retention of patient data by a former provider of aesthetic services, and Women’s Center for Radiology has identified a hacking incident.

Women’s Wellness of Southern Delaware

Women’s Wellness of Southern Delaware, a Lewes, DE-based provider of obstetrics, gynecology, and facial aesthetic services, has recently learned that a former provider who rendered aesthetic services for the practice retained the protected health information of patients after engagement with the practice had terminated. Women’s Wellness of Southern Delaware was made aware of the data retention on April 28, 2026. The provider retained patients’ contact information and other patient-related information and is believed to have contacted certain patients to offer similar services at a new practice.

The information retained relates to certain recipients of aesthetic services and clinical services patients. For the aesthetic services patients, the information included their name, birth date, gender, email address, physical address, phone number, allergies, medications, supplements, and information related to the services received, which may include photographs, intake records, aesthetics-related medical history, face maps, dates of services and purchases, and descriptions of services or items purchased. For the clinical services recipients, the impacted data included name, phone number, dates of purchases, and descriptions of the items/medications purchased. The former provider did not have access to electronic medical records.

Women’s Wellness of Southern Delaware said it is in communication with the former provider and is seeking to obtain assurances that the data is returned or destroyed, and steps have been taken to enhance its data privacy and security measures to prevent similar incidents in the future. The incident is not currently shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Women’s Center for Radiology

Women’s Center for Radiology, a provider of medical imaging services at three locations in Orlando, Florida, has identified unauthorized access to parts of its network containing patient data. The unauthorized access was identified on or around April 28, 2026, and the forensic investigation determined that an unauthorized third party gained access to a limited part of its computer network. Files containing patient information were viewed or downloaded by the unauthorized third party.

Assisted by third-party specialists, Women’s Center for Radiology determined that the exposed files contained patient information such as names, addresses, dates of birth, contact information, diagnosis or condition, lab results, treating physician, medical record number, health insurance information, and driver’s license numbers.

Women’s Center for Radiology has started notifying the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. Women’s Center for Radiology is reviewing its policies, procedures, and protocols related to data privacy and security. Regulators have been notified about the incident; however, the number of affected individuals has not yet been publicly disclosed.

The post Delaware & Florida Women’s Health Centers Announce Data Breaches appeared first on The HIPAA Journal.

Data Breaches Reported by Amicus Solutions: Huntsville Hospital Health System

Amicus Solutions (Fedora Solutions) has been affected by a cybersecurity incident, and Huntsville Hospital has confirmed it was affected by a January 2025 breach at Cerner (Oracle Health).

Amicus Solutions

Amicus Solutions, Inc., doing business as Fedora Solutions, a provider of managed IT and revenue cycle management services, has experienced a cybersecurity incident involving the protected health information of 1,137 individuals. According to the breach notification to the Massachusetts Office of Consumer Affairs and Business Regulation, the breach affected patients of medical practices managed by OneOncology, LLC, including New York Cancer and Blood Specialists.

Suspicious activity was identified within the Amicus Solutions network on April 2, 2026, with the unauthorized access believed to have occurred between February 2, 2026, and February 18, 2026. During that time, a threat actor exfiltrated data from its systems, and some of that data was posted to the threat actor’s website, including personally identifiable information and protected health information.

The data review confirmed that the threat actor obtained patient data such as first and last names, phone numbers, email addresses, birth dates, gender information, Social Security numbers, medical information, and health insurance information. Amicus Solutions confirmed that there was no unauthorized access to its clients’ networks. No misuse of that data had been identified at the time of issuing notifications. Amicus Solutions said additional safeguards have been implemented to harden security, and 24 months of complementary credit monitoring and identity theft protection services have been offered to the affected individuals.

Huntsville Hospital

Huntsville Hospital Health System in Alabama has recently announced that it has been affected by the January 2025 data breach at electronic health record vendor Cerner, now Oracle Health. The data breach affected approximately 90 healthcare providers, and many of those providers announced the data breach last year. Hackers gained access to two legacy Cerner servers as early as January 22, 2025, and Huntsville Hospital was informed that it was affected on August 12, 2025. The hospital said law enforcement requested delaying notifying the affected individuals and additional providers so as not to impede the investigation.

According to the hospital, the breach was confined to Cerner systems, which contained names, Social Security numbers, and details from medical records, including medical record numbers, doctors’ names, diagnoses, medications, test results, images, and treatment information. The affected individuals have been offered complementary credit monitoring services for 24 months. It is currently unclear how many Huntsville Hospital patients have been affected.

The post Data Breaches Reported by Amicus Solutions: Huntsville Hospital Health System appeared first on The HIPAA Journal.

Washington Dept. Health & Social Services Insider Breach Affects 8,600 Individuals

The Washington Department of Social and Health Services (DSHS) has identified an insider data breach involving unauthorized access to the protected health information of approximately 8,600 individuals.

Insider threats are a major problem in healthcare, more so than in other sectors. While most insider incidents are unintentional, and snooping on medical records is a common cause of healthcare data breaches. Patient records may also be obtained for financial gain. Regular workforce HIPAA training is important to remind employees of their responsibilities with respect to patient privacy, and employee access logs should be routinely monitored. Without active monitoring, these privacy violations can persist for long periods before unauthorized access is identified.

In this case, a DSHS employee was discovered to have accessed a DSHS internal client data system without authorization and viewed records containing full names, dates of birth, Social Security numbers, DSHS client numbers, and information about DSHS program enrollment.

The DSHS investigation found no evidence that health information was accessed, such as diagnoses, test results, treatments, claims, or chart notes. The DSHS said the employee was found to have accessed records for “reasons unrelated to their job duties,” but did not elaborate further on the individual’s reasons for access. It is also unclear when the unauthorized access was detected, or for how long the employee had been accessing records for non-work purposes.

DSHS confirmed that action was immediately taken when the privacy violations were identified, preventing further unauthorized access. DSHS has confirmed that the individual is no longer working for the department. It is unclear whether the employee was terminated over the HIPAA violation or if they left voluntarily.

DSHS said it is issuing notification letters by mail to all affected individuals and encourages them to monitor their account statements and credit reports for unauthorized activity. DSHS is cooperating with state and local law enforcement in their ongoing investigation. DSHS said steps are being taken to implement additional safeguards, and internal policies and procedures related to data privacy and security are being reviewed.

The post Washington Dept. Health & Social Services Insider Breach Affects 8,600 Individuals appeared first on The HIPAA Journal.

South Florida Injury Centers; Chickasaw Nation Department of Health Report Data Breaches

A hacking incident has been reported by South Florida Injury Centers, and Chickasaw Nation Department of Health has discovered that an employee accessed patient data without authorization.

South Florida Injury Centers

South Florida Injury Centers, Inc., a medical practice with locations in Tamarac and Port Saint Lucie that specializes in treating patients injured in automobile accidents, has recently reported a hacking-related data breach to the HHS’ Office for Civil Rights that has affected up to 1,525 patients.

While few details have been released about the incident, this appears to have been a cyberattack by the threat actor Kairos. Kairos is a financially motivated threat group that engages in data theft and extortion, breaching networks, exfiltrating data, and demanding payment to prevent the data from being leaked online. The group has conducted attacks on several healthcare organizations and claims to have exfiltrated 45 GB of data from South Florida Injury Centers.

South Florida Injury Centers was added to its dark web data leak site on April 7, 2026, along with samples of the stolen data, which appear to contain redacted patient information such as names, contact information, driver’s license numbers, Social Security numbers, and medical histories. Kairos proceeded to leak the stolen data, indicating that the ransom was not paid.

Chickasaw Nation Department of Health, Oklahoma

Chickasaw Nation Department of Health in Oklahoma has identified an insider patient privacy incident that was first identified on April 22, 2026. An investigation was promptly initiated when unauthorized access to patient records was identified, and immediate steps were taken to prevent further unauthorized access.

The review of access logs confirmed that the privacy breach was due to the actions of a single employee, who had accessed patient records without authorization between December 1, 2025, and April 22, 2026. During that time, the records of 1,607 patients may have been accessed without authorization.

The information viewed included patient names, ages, dates of service, tribal affiliations, reasons for visits, and clinical information such as lab and radiology orders. No evidence was found to indicate that full Social Security numbers were viewed. The website notification about the privacy incident does not state the actions that have been taken against the employee over the privacy breach.

The post South Florida Injury Centers; Chickasaw Nation Department of Health Report Data Breaches appeared first on The HIPAA Journal.

Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches

Data security incidents have been announced by the Colorado Health Network and Kentucky Mountain Health Alliance. In both cases, only limited information has been released about the nature of the incidents.

Colorado Health Network

Colorado Health Network Inc., a nonprofit organization that provides health and support services to individuals with HIV/AIDS across Colorado, has recently disclosed a data security incident. The breach notification does not state when the breach was detected or for how long the threat actors had access to its network, only that an unauthorized third-party accessed and removed files from its systems.

The files have been reviewed and found to contain patient names in combination with one or more of the following: Social Security number, driver’s license/state identification card number, passport number, financial account information, debit/credit card information, health insurance information (which may include Medicaid/Medicare information), and medical information. The medical information may include, but is not limited to, diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s/location.

Colorado Health Network started mailing notification letters to the affected individuals on June 18, 2026, and said it has received no reports to suggest that any of the exposed or copied information has been misused. The affected individuals have been advised to monitor their account statements, free credit reports, and explanation of benefits statements for suspicious activity, and to sign up for the complimentary credit monitoring and identity theft protection services that have been offered.

This appears to have been a ransomware attack by the Cephalus ransomware group. Cephalus claimed on its dark web data leak site on August 28, 2025, that it was behind the attack and obtained more than 900 GB of data. The group’s data leak site is not currently accessible, so it is unclear whether the data was leaked online.

The Texas attorney general was informed that 257 Texas residents were affected by the breach. Given that the primary location of business is Colorado, that would suggest that the incident affected more than 500 individuals and should have been reported to the HHS’ Office for Civil Rights (OCR) and added to the OCR data breach portal; however, it is not currently shown on the breach portal.

Kentucky Mountain Health Alliance

Kentucky Mountain Health Alliance, a Hazard, KY-based nonprofit organization that provides primary and specialty care to the homeless, has disclosed a data breach that involved unauthorized access to patient data, some of which was copied in the incident.

While data breach notices should be placed in a prominent location on the home page of the provider’s website under HIPAA, users are required to click on the “more” section and then select the notice from the drop-down menu. The notice states that the information compromised in the includes names plus one or more of the following: Social Security numbers, driver’s license numbers/state identification numbers, passport numbers, financial account information, debit/credit card information, health insurance information, and medical information such as diagnosis, diagnosis code, mental/physical condition, prescription information, provider’s name and location, and health insurance information. Notification letters were issued to the affected individuals on June 12, 2026.

As with the data breach at Colorado Health Network (above), the breach notifications do not elaborate further on the nature of the incident, such as who potentially accessed the data (internal/external), when the incident was detected, or for how long the data was exposed. The website notice makes no mention of credit monitoring services; however, the notice issued to the Massachusetts Office of Consumer Affairs and Business Regulation states that 24 months of complimentary credit monitoring and identity theft protection services are being provided through Epiq. The number of affected individuals has yet to be publicly disclosed.

The post Colorado Health Network; Kentucky Mountain Health Alliance Announce Data Breaches appeared first on The HIPAA Journal.

Minnesota Epilepsy Group; Campbell University; City of Middletown Announce Data Breaches

Data breaches have been announced by Minnesota Epilepsy Group, Campbell University, and the City of Middletown, Ohio.

Minnesota Epilepsy Group

Minnesota Epilepsy Group, the largest epilepsy center in the Midwest, has started notifying current and former patients about a recent cybersecurity incident that may have resulted in unauthorized access to the protected health information of current and former patients. Suspicious network activity was identified on April 7, 2026, and an investigation was launched to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had accessed its network at various times between March 16, 2026, and April 10, 2026.

The parts of the network that were accessed contained files that included patient data. The file review concluded on May 18, 2026, and determined that the exposed information included names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance information. The types of information exposed varied from patient to patient.

Notification letters started to be mailed to the affected individuals on June 5, 2026, and complimentary credit monitoring and identity theft protection services have been offered to individuals whose Social Security numbers were exposed. Minnesota Epilepsy Group confirmed that it has taken steps to enhance its technical security measures to prevent similar incidents in the future.

City of Middletown, Ohio

The City of Middletown in Ohio has started notifying individuals about a cybersecurity incident that occurred last year that resulted in unauthorized access to sensitive personal and protected health information. The incident was first identified on August 17, 2025, and the forensic investigation determined that its network was accessed by an unauthorized third party between July 29, 2025, and August 17, 2025, during which time files containing sensitive information may have been accessed or acquired.

The data review concluded on May 18, 2026, and determined that data compromised in the incident included names, addresses, Social Security numbers, driver’s license or government identification, financial account information, medical information, and health insurance information. Notification letters were mailed to the individuals with a complete address on file on June 3, 2026. City of Middletown officials have confirmed that steps are being taken to augment security. The HHS’ Office for Civil Rights was informed that the protected health information of 20,608 individuals was compromised in the incident.

This appears to have been a ransomware attack by the SafePay ransomware group, which added the City of Middletown to its dark web data leak site on September 12, 2025, then proceeded to leak the stolen data.

Campbell University, North Carolina

Campbell University in North Carolina is investigating a cybersecurity incident that was first identified on April 1, 2026. The incident involved unauthorized access to one of its cloud-based data storage platforms between March 31, 2026, and April 1, 2026. The university explained that due to its security protections, the incident was contained to a single platform.

The investigation and data review are ongoing, and as such, the total number of affected individuals has yet to be determined. The HHS’ Office for Civil Rights has been informed that the protected health information of at least 500 individuals was involved. The total will be updated when the data review is concluded. The specific type of information involved has not yet been determined, but general categories of data involved have been disclosed. In addition to their name, individuals may have had one or more of the following exposed or stolen in the incident:

Address, date of birth, admission/discharge/death date, medical record number, provider/facility name, medical condition, diagnosis and/or treatment information, lab results, prescriptions and/or medications, personal history, mental health information, insurance/payment amount history information, date of service, payment card information, and/or any information on an individual that was created, used, or disclosed in the course of providing health care services, and Social Security number, driver’s license or state identification number, passport number, student identification number, other government identification number, financial account information, debit/credit card information, health insurance information, medical information, individual taxpayer identification number, identity protection PIN issued by the IRS, parent’s legal surname prior to marriage, digital signature, geolocation, and/or user name and access information for a non-financial account.

Campbell University said it has reset passwords, set up a new instance of the affected platform, strengthened data access policies, and implemented additional technical safeguards.

The post Minnesota Epilepsy Group; Campbell University; City of Middletown Announce Data Breaches appeared first on The HIPAA Journal.

Data Breaches Announced by Florida Retina Center; Acadia Healthcare Company

Florida Retina Center has identified unauthorized access to systems containing the protected health information of more than 13,600 patients. Acadia Healthcare Company has experienced a breach affecting 1,800 patients.

Florida Retina Center

Bonita Springs-based Florida Retina Center has announced a cybersecurity incident that was first identified on January 30, 2026. Immediate action was taken to secure its network, and an investigation was launched to determine the nature and scope of the unauthorized activity. On May 19, 2026, Florida Retina Center confirmed unauthorized access to parts of its network containing patient data.

The file review confirmed that the data of 13,652 patients was exposed and potentially acquired in the incident. The exposed data included names, dates of birth, Social Security numbers, driver’s license numbers, and medical information. Notification letters have been mailed to the affected individuals, and 12 months of complimentary credit monitoring and identity theft protection services have been made available. At the time of issuing notification letters, no misuse of the affected data had been identified.

Acadia Healthcare Company

Franklin, Tennessee-based Acadia Healthcare Company, Inc., a provider of psychiatric and chemical dependency services, has announced a data breach affecting 1,807 individuals. Unusual activity was identified within an employee’s email account on March 25, 2026. The account was secured, and an investigation was launched, which confirmed unauthorized access to a single employee’s email account and associated SharePoint files between March 21, 2026, and March 25, 2026. There was no unauthorized access to any other email accounts, other systems, or the electronic medical record system.

The types of data involved varied from individual to individual, and for the majority of affected individuals, involved one or more of the following data elements in addition to their names: address, date of birth, treatment information, dates of treatment, type of treatment, and health insurance information. Certain individuals also had their Medicare Health Insurance Claim Number (HICN) exposed, which may include their Social Security number. Notification letters were mailed to the affected individuals on May 22, 2026, and additional safeguards have been implemented to prevent similar incidents in the future.

The post Data Breaches Announced by Florida Retina Center; Acadia Healthcare Company appeared first on The HIPAA Journal.

April 2026 Healthcare Data Breach Report

In April 2026, 47 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). That represents a 33.8% reduction in large healthcare data breaches from the 71 large data breaches reported in March 2026, and well below the 12-month average of 62.4 data breaches per month.

healthcare data breaches in the past 12 months - April 2026

The year-to-date figures also show a reduction in large healthcare data breaches. From January 1 to April 30, 252 large healthcare data breaches have been reported by HIPAA-regulated entities, compared to 276 (-8.7%) for the corresponding period in 2025 and 299 (-15.7%) for the corresponding period in 2024.

Healthcare data breaches - January 1 to April 30 (2022-2026)

Across the 47 data breaches, the protected health information of 1,336,264 individuals was exposed or impermissibly disclosed – the second lowest monthly total in the past 12 months, and currently an 84.9% reduction from March 2026. The number of affected individuals is likely to increase, as some regulated entities have reported breaches with placeholder estimates of 500 or 501 affected individuals.

Individuals affected by healthcare data breaches in the past 12 months (April 2026)

The year-to-date figures for affected individuals are encouraging. From January 1 to April 30, the protected health information of 20.1 million individuals has been breached, and while that is a sizeable figure, it is a reduction of 25.5% from the corresponding period in 2025 and a reduction of 48.8% from the corresponding period in 2024.

Individuals affected by healthcare data breaches - january 1 to April 30 (2022-2026)

The Biggest Healthcare Data Breaches Reported in April 2026

In April, 15 data breaches affecting 10,000 or more individuals were reported to the HHS’ Office for Civil Rights, all but one of which were hacking incidents. The biggest data breach of the month was reported by the medical group Florida Physician Specialists, involving unauthorized access to the protected health information of 276,498 individuals.  Two of the 15 data breaches were confirmed ransomware attacks, and one incident involved unauthorized access by “a business counterparty” after access was thought to have been terminated.

Regulated Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Cause of Breach
Florida Physician Specialists FL Healthcare Provider 276,498 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed
Southern Illinois Dermatology IL Healthcare Provider 160,312 Hacking/IT Incident Network Server Hacking incident
Laurel Eye Clinic PA Healthcare Provider 145,221 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed
Innovative Scientific Solutions, LLC SC Healthcare Provider 143,842 Hacking/IT Incident Network Server Hacking incident
Hospital Caribbean Medical Center PR Healthcare Provider 92,000 Hacking/IT Incident Network Server Ransomware attack (The Gentlemen) – Data theft confirmed
Tri-Cities Gastroenterology TN Healthcare Provider 67,115 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed
City Health, a medical corporation CA Healthcare Provider 65,000 Unauthorized Access/Disclosure Electronic Medical Record Access to its electronic medical record system by a former business counterparty after termination
Hematology Oncology Consultants MI Healthcare Provider 62,972 Hacking/IT Incident Network Server Hacking incident – Data theft likely
GrayRobinson, P.A. FL Business Associate 54,131 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed
Rocky Mountain Associated Physicians, P.C. UT Healthcare Provider 50,640 Hacking/IT Incident Network Server Hacking incident
Heart South Cardiovascular Group AL Healthcare Provider 46,666 Hacking/IT Incident Network Server Hacking incident
Mt. Spokane Pediatrics WA Healthcare Provider 32,021 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed
University of Nebraska Medical Center NE Healthcare Provider 26,937 Hacking/IT Incident Network Server Hacking of a third-party software application
Liberty Bankers Life Ins. Co. TX Health Plan 20,202 Hacking/IT Incident Network Server Hacking incident at a business associate
Bayside Dental WA Healthcare Provider 10,216 Hacking/IT Incident Network Server Ransomware attack (Sinobi) – Data theft claimed

Three data breaches were reported in April before data reviews had been completed. Placeholder figures of 500 or 501 affected individuals were used and will be updated when the file reviews are concluded.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
Spokane Digestive Disease Center, P.S. WA Healthcare Provider 501 Unauthorized access to its email environment
FMRS Health Systems, Inc. WV Healthcare Provider 500 Hacking incident – data theft confirmed
CARE Clinic MN Healthcare Provider 500 Unauthorized access to its email environment

Causes of April 2026 Healthcare Data Breaches

Hacking and other types of IT incidents dominated the breach reports in April, accounting for 36 (76.6%) of the 47 reported large data breaches. Across those incidents, the protected health information of 1,240,571 individuals was exposed or impermissibly disclosed. Hacking/IT incidents accounted for 92.8% of the affected individuals in April. The average breach size was 32,883 individuals, and the median breach size was 4,547 individuals.

Causes of APril 2026 healthcare data breaches

There were 9 unauthorized access/disclosure incidents in April, which accounted for 19.1% of the month’s data breaches. Across those incidents, the protected health information of 86,717 individuals was accessed without authorization or was impermissibly disclosed – 6.5% of the month’s affected individuals. The average breach size was 9,635 individuals, and the median breach size was 1,467 individuals. There were no loss, theft, or improper disposal incidents in April.

Location of breached PHI in April 2026

States Affected by April 2026 Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 25 states, the District of Columbia, and Puerto Rico in April. California was the worst-affected state in terms of data breaches, while Florida was the worst-affected state in terms of the number of individuals affected.

April 2026 Healthcare Data Breaches

State Breaches
California 6
Texas & Washington 4
Florida & Virginia 3
Illinois, Minnesota, Oklahoma, Pennsylvania & West Virginia 2
Alabama, Delaware, Iowa, Indiana, Kentucky, Maryland, Michigan, Missouri, Nebraska, New Jersey, New York, South Carolina, Tennessee, Utah, Vermont, the District of Columbia & Puerto Rico 1

Individuals Affected by April 2026 Healthcare Data Breaches

State Individuals Affected State Individuals Affected
Florida 331,316 Oklahoma 8,233
Illinois 162,203 Maryland 7,213
Pennsylvania 145,976 Iowa 6,717
South Carolina 143,842 Indiana 5,900
Pouerto Rico 92,000 Vermont 5,892
California 78,846 Minnesota 5,885
Tennessee 67,115 Kentucky 3,677
Michigan 62,972 Virginia 2,552
Utah 50,640 New York 2,123
Alabama 46,666 Missouri 2,027
Washington 46,202 West Virginia 1,500
Nebraska 26,937 District of Columbia 1,467
Texas 26,648

April 2026 Data Breaches at HIPAA Regulated Entities

In April 2026, 36 data breaches were reported by healthcare providers, 8 breaches were reported by health plans, and 3 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.

The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 11 of the 47 breaches (rather than 3) occurred at business associates in April.

Data breaches at HIPAA-regulated entities in April 2026

Individuals affected by healthcare data breaches at HIPAA-regulated entities in April 2026

HIPAA Enforcement Activity in April 2026

The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, announced 4 settlements with HIPAA-regulated entities in April to resolve alleged violations of the HIPAA Rules. When alleged HIPAA violations are settled, the settlement agreement includes a corrective action plan to address the areas of noncompliance identified by OCR. When a civil monetary penalty is imposed, OCR cannot compel the regulated entity to adopt a corrective action plan.

All four of the settlements related to ransomware attacks, and in all cases, OCR identified a risk analysis failure. The HIPAA Security Rule requires regulated entities to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to electronic protected health information. It is the most commonly identified HIPAA Security Rule violation.  You can read more about each enforcement action in this post. No state attorneys general announced any HIPAA penalties in April.

HIPAA -Regulated Entity Entity Type Reason for Investigation Alleged HIPAA violation(s) Settlement Amount
Regional Women’s Health Group (Axia Women’s Health) Healthcare Provider Reported ransomware attack involving the protected health information of 37,989 individuals Risk analysis failure; impermissible disclosure of ePHI $320,000
Assured Imaging Affiliated Covered Entities Healthcare Provider Reported ransomware attack involving the protected health information of 244,813 individuals Risk analysis failure (never conducted); breach notification failure $375,000
Consociate, Inc. (Consociate Health) Business Associate Reported ransomware attack involving the protected health information of 136,539 individuals Risk analysis failure $225,000
Star Group, L.P. Health Benefits Plan Health Plan Reported ransomware attack involving the protected health information of 9,316 individuals Risk analysis failure $245,000

 

The post April 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.