In April 2026, 47 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). That represents a 33. 8% reduction in large healthcare data breaches from the 71 large data breaches reported in March 2026 , and well below the 12-month average of 62.
4 data breaches per month. The year-to-date figures also show a reduction in large healthcare data breaches. From January 1 to April 30, 252 large healthcare data breaches have been reported by HIPAA-regulated entities, compared to 276 (-8.
7%) for the corresponding period in 2025 and 299 (-15. 7%) for the corresponding period in 2024. Across the 47 data breaches, the protected health information of 1,336,264 individuals was exposed or impermissibly disclosed – the second lowest monthly total in the past 12 months, and currently an 84.
9% reduction from March 2026. The number of affected individuals is likely to increase, as some regulated entities have reported breaches with placeholder estimates of 500 or 501 affected individuals. The year-to-date figures for affected individuals are encouraging.
From January 1 to April 30, the protected health information of 20. 1 million individuals has been breached, and while that is a sizeable figure, it is a reduction of 25. 5% from the corresponding period in 2025 and a reduction of 48.
8% from the corresponding period in 2024. The Biggest Healthcare Data Breaches Reported in April 2026 In April, 15 data breaches affecting 10,000 or more individuals were reported to the HHS’ Office for Civil Rights, all but one of which were hacking incidents. The biggest data breach of the month was reported by the medical group Florida Physician Specialists, involving unauthorized access to the protected health information of 276,498 individuals.
Two of the 15 data breaches were confirmed ransomware attacks, and one incident involved unauthorized access by “a business counterparty” after access was thought to have been terminated. Regulated Entity State Covered Entity Type Individuals Affected Type of Breach Location of Breached Information Cause of Breach Florida Physician Specialists FL Healthcare Provider 276,498 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed Southern Illinois Dermatology IL Healthcare Provider 160,312 Hacking/IT Incident Network Server Hacking incident Laurel Eye Clinic PA Healthcare Provider 145,221 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed Innovative Scientific Solutions, LLC SC Healthcare Provider 143,842 Hacking/IT Incident Network Server Hacking incident Hospital Caribbean Medical Center PR Healthcare Provider 92,000 Hacking/IT Incident Network Server Ransomware attack (The Gentlemen) – Data theft confirmed Tri-Cities Gastroenterology TN Healthcare Provider 67,115 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed City Health, a medical corporation CA Healthcare Provider 65,000 Unauthorized Access/Disclosure Electronic Medical Record Access to its electronic medical record system by a former business counterparty after termination Hematology Oncology Consultants MI Healthcare Provider 62,972 Hacking/IT Incident Network Server Hacking incident – Data theft likely GrayRobinson, P.
A. FL Business Associate 54,131 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed Rocky Mountain Associated Physicians, P. C.
UT Healthcare Provider 50,640 Hacking/IT Incident Network Server Hacking incident Heart South Cardiovascular Group AL Healthcare Provider 46,666 Hacking/IT Incident Network Server Hacking incident Mt. Spokane Pediatrics WA Healthcare Provider 32,021 Hacking/IT Incident Network Server Hacking incident – Data theft confirmed University of Nebraska Medical Center NE Healthcare Provider 26,937 Hacking/IT Incident Network Server Hacking of a third-party software application Liberty Bankers Life Ins.
Co. TX Health Plan 20,202 Hacking/IT Incident Network Server Hacking incident at a business associate Bayside Dental WA Healthcare Provider 10,216 Hacking/IT Incident Network Server Ransomware attack (Sinobi) – Data theft claimed Three data breaches were reported in April before data reviews had been completed. Placeholder figures of 500 or 501 affected individuals were used and will be updated when the file reviews are concluded.
Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach Spokane Digestive Disease Center, P. S. WA Healthcare Provider 501 Unauthorized access to its email environment FMRS Health Systems, Inc.
WV Healthcare Provider 500 Hacking incident – data theft confirmed CARE Clinic MN Healthcare Provider 500 Unauthorized access to its email environment Causes of April 2026 Healthcare Data Breaches Hacking and other types of IT incidents dominated the breach reports in April, accounting for 36 (76. 6%) of the 47 reported large data breaches. Across those incidents, the protected health information of 1,240,571 individuals was exposed or impermissibly disclosed.
Hacking/IT incidents accounted for 92. 8% of the affected individuals in April. The average breach size was 32,883 individuals, and the median breach size was 4,547 individuals.
There were 9 unauthorized access/disclosure incidents in April, which accounted for 19. 1% of the month’s data breaches. Across those incidents, the protected health information of 86,717 individuals was accessed without authorization or was impermissibly disclosed – 6.
5% of the month’s affected individuals. The average breach size was 9,635 individuals, and the median breach size was 1,467 individuals. There were no loss, theft, or improper disposal incidents in April.
States Affected by April 2026 Healthcare Data Breaches Data breaches were reported by HIPAA-regulated entities in 25 states, the District of Columbia, and Puerto Rico in April.
Originally published at hipaajournal.com
