Utopia Tech
Healthcare4 min read

May 2026 Healthcare Data Breach Report

Based on the current data on the HHS’ Office for Civil Rights (OCR) breach portal, 61 healthcare data breaches affecting 500 or more individuals were reported in May 2026. May’s current total represents a 27.1% month-over-month increase in data breaches. Over the past 12 months, an average of 64 large healthcare data breaches were reported each month. From January 1, 2026, to M

UT

Utopia Tech

July 14, 2026 · 4 min read

Share

Based on the current data on the HHS’ Office for Civil Rights (OCR) breach portal, 61 healthcare data breaches affecting 500 or more individuals were reported in May 2026. May’s current total represents a 27. 1% month-over-month increase in data breaches.

Over the past 12 months, an average of 64 large healthcare data breaches were reported each month. From January 1, 2026, to May 31, 2026, 319 data breaches affecting 500 or more individuals have been reported to OCR. This time last year, the total stood at 342 large data breaches.

While data breaches increased from April, the number of affected individuals fell by 34. 8% to 879,447 individuals. In May, an average of 14,417 individuals were affected by healthcare data breaches, down from an average of 28,116 individuals in April.

Over the past 12 months, an average of 10. 6 million individuals have been affected by healthcare data breaches each month. Data breaches are down slightly year-over-year, but there has been a massive reduction in the number of affected individuals.

Very large data breaches have not been reported to OCR in the numbers seen in previous years. From January 1, 2026, to May 31, 2026, across the 319 data breaches, at least 21,085,405 individuals have been affected. The OCR breach portal shows that from January 2025 to May 2025, 33,116,809 individuals were affected by data breaches.

Biggest Healthcare Data Breaches of May 2026 In May 2026, 17 data breaches affecting 10,000 or more individuals were reported to OCR, all of which were hacking incidents. The biggest data breach of the month was reported by Radiology Associates of Richmond, affecting more than 266,000 individuals, followed by a hacking incident at Western Orthopaedics which affected more than 113,000 individuals.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach Radiology Associates of Richmond VA Healthcare Provider 266,183 Hacking incident Western Orthopaedics, P. C. CO Healthcare Provider 113,330 Hacking incident ERMI LLC GA Healthcare Provider 74,074 Hacking incident Singing River Health System MS Healthcare Provider 53,888 Hacking incident Southern Illinois Ob-Gyn Associates, S.

C. IL Healthcare Provider 38,700 Hacking incident Gastro Health FL Healthcare Provider 35,632 Unauthorized access to email accounts Eyemart Express, LLC TX Healthcare Provider 25,000 Hacking incident Connecticut Department of Social Services CT Health Plan 22,500 Unauthorized access to provider portal website Bridle Trails Family Dentistry WA Healthcare Provider 20,976 Unauthorized access to email account Community Connections DC Healthcare Provider 18,943 Ransomware attack (INCRansom) Virta Medical PC CO Healthcare Provider 14,636 Hacking incident (Lapsus$) Saurabh N.

Patel, M. D – Florida Retina Center LA Healthcare Provider 13,652 Hacking incident Greenbaum Rowe Smith & Davis LLP NJ Business Associate 12,801 Hacking incident Wellpoint Washington, Inc. IN Health Plan 12,020 Unauthorized access to email account Defense Health Agency (TriWest) VA Health Plan 11,848 Hacking incident IKRON Corporation OH Healthcare Provider 11,845 Hacking incident Elara Caring TX Healthcare Provider 10,490 Hacking incident at third-party vendor May’s total number of affected individuals may increase considerably over the coming weeks and months, as healthcare organizations complete their data breach investigations.

HIPAA-regulated entities have 60 days from the date of discovery of a data breach to issue notifications to the HHS’ Office for Civil Rights and the affected individuals. HIPAA requires OCR to be notified even if the total number of individuals has yet to be determined by the 60-day deadline. In such cases, an estimate should be provided.

Many regulated entities use a placeholder estimate of 500 or 501 individuals in such cases, and in May, 7 regulated entities appear to have used these placeholder figures. Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach United Medical Doctors CA Healthcare Provider 501 Hacking/IT Incident NJ Pain Care Specialists, LLC NJ Healthcare Provider 501 Hacking/IT Incident Palomar Health Medical Group CA Healthcare Provider 501 Hacking/IT Incident Aroostook Mental Health Center ME Healthcare Provider 501 Hacking/IT Incident Campbell University NC Healthcare Provider 500 Hacking/IT Incident BAYADA Home Health Care, Inc.

NJ Healthcare Provider 500 Hacking/IT Incident Integrated Pain Associates TX Healthcare Provider 500 Hacking/IT Incident Causes of May 2026 Healthcare Data Breaches Hacking and other IT incidents dominated the breach reports in May, as has been the case each month for several years. Out of the month’s 61 large healthcare data breaches, 54 were classed as hacking/IT incidents – 88.

5% of the month’s data breaches. Across those incidents, the protected health information of 853,532 individuals was compromised- 88. 5% of the month’s total affected individuals.

On average, hacking/IT incidents affected 15,806 individuals in May, with a median breach size of 3,619 individuals. There were 7 data breaches classed as unauthorized access/disclosure incidents, representing 11. 5% of the month’s breaches.

Across those incidents, the protected health information of 25,915 individuals was unlawfully accessed or disclosed. On average, 3,702 individuals were affected by each incident in May. The median breach size was 3,086 individuals.

There were no reported theft, loss, or improper disposal incidents in May. Given the large number of hacking incidents, it is no surprise that the most common location of breached protected health information was network servers. Email incidents were also reported in high numbers.

States Affected by May 2026 Healthcare Data Breaches Large healthcare data breaches were reported by HIPAA-regulated entities in 26 U. S. states and the District of Columbia.

California was the worst affected state with 6 breaches.

Originally published at hipaajournal.com

Share
▸ Want a deeper look?

Talk to an architect about applying this to your stack.

60-minute technical evaluation, no obligation. We'll map the ideas in this article to your environment.

Skip to main content