April 2026 Healthcare Data Breach Report
In April 2026, 47 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). That represents a 33.8% reduction in large healthcare data breaches from the 71 large data breaches reported in March 2026, and is well below the 12-month average of 62.4 data breaches per month.

The year-to-date figures also show a reduction in large healthcare data breaches. From January 1 to April 30, 252 large healthcare data breaches have been reported by HIPAA-regulated entities, compared to 276 (-8.7%) for the corresponding period in 2025 and 299 (-15.7%) for the corresponding period in 2024.

Across the 47 data breaches, the protected health information of 1,336,264 individuals was exposed or impermissibly disclosed – the second lowest monthly total in the past 12 months, and currently an 84.9% reduction from March 2026. The number of affected individuals is likely to increase, as some regulated entities have reported breaches with placeholder estimates of 500 or 501 affected individuals.

The year-to-date figures for affected individuals are encouraging. From January 1 to April 30, the protected health information of 20.1 million individuals has been breached, and while that is a sizeable figure, it is a reduction of 25.5% from the corresponding period in 2025 and a reduction of 48.8% from the corresponding period in 2024.

The Biggest Healthcare Data Breaches Reported in April 2026
In April, 15 data breaches affecting 10,000 or more individuals were reported to the HHS’ Office for Civil Rights, all but one of which were hacking incidents. The biggest data breach of the month was reported by the medical group Florida Physician Specialists, involving unauthorized access to the protected health information of 276,498 individuals. Two of the 15 data breaches were confirmed ransomware attacks, and one incident involved unauthorized access by “a business counterparty” after access was thought to have been terminated.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information | Cause of Breach |
| Florida Physician Specialists | FL | Healthcare Provider | 276,498 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Southern Illinois Dermatology | IL | Healthcare Provider | 160,312 | Hacking/IT Incident | Network Server | Hacking incident |
| Laurel Eye Clinic | PA | Healthcare Provider | 145,221 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Innovative Scientific Solutions, LLC | SC | Healthcare Provider | 143,842 | Hacking/IT Incident | Network Server | Hacking incident |
| Hospital Caribbean Medical Center | PR | Healthcare Provider | 92,000 | Hacking/IT Incident | Network Server | Ransomware attack (The Gentlemen) – Data theft confirmed |
| Tri-Cities Gastroenterology | TN | Healthcare Provider | 67,115 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| City Health, a medical corporation | CA | Healthcare Provider | 65,000 | Unauthorized Access/Disclosure | Electronic Medical Record | Access to its electronic medical record system by a former business counterparty after termination |
| Hematology Oncology Consultants | MI | Healthcare Provider | 62,972 | Hacking/IT Incident | Network Server | Hacking incident – Data theft likely |
| GrayRobinson, P.A. | FL | Business Associate | 54,131 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| Rocky Mountain Associated Physicians, P.C. | UT | Healthcare Provider | 50,640 | Hacking/IT Incident | Network Server | Hacking incident |
| Heart South Cardiovascular Group | AL | Healthcare Provider | 46,666 | Hacking/IT Incident | Network Server | Hacking incident |
| Mt. Spokane Pediatrics | WA | Healthcare Provider | 32,021 | Hacking/IT Incident | Network Server | Hacking incident – Data theft confirmed |
| University of Nebraska Medical Center | NE | Healthcare Provider | 26,937 | Hacking/IT Incident | Network Server | Hacking of a third-party software application |
| Liberty Bankers Life Ins. Co. | TX | Health Plan | 20,202 | Hacking/IT Incident | Network Server | Hacking incident at a business associate |
| Bayside Dental | WA | Healthcare Provider | 10,216 | Hacking/IT Incident | Network Server | Ransomware attack (Sinobi) – Data theft claimed |
Three data breaches were reported in April before data reviews had been completed. Placeholder figures of 500 or 501 affected individuals were used and will be updated when the file reviews are concluded.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| Spokane Digestive Disease Center, P.S. | WA | Healthcare Provider | 501 | Unauthorized access to its email environment |
| FMRS Health Systems, Inc. | WV | Healthcare Provider | 500 | Hacking incident – data theft confirmed |
| CARE Clinic | MN | Healthcare Provider | 500 | Unauthorized access to its email environment |
Causes of April 2026 Healthcare Data Breaches
Hacking and other types of IT incidents dominated the breach reports in April, accounting for 36 (76.6%) of the 47 reported large data breaches. Across those incidents, the protected health information of 1,240,571 individuals was exposed or impermissibly disclosed. Hacking/IT incidents accounted for 92.8% of the affected individuals in April. The average breach size was 32,883 individuals, and the median breach size was 4,547 individuals.

There were 9 unauthorized access/disclosure incidents in April, which accounted for 19.1% of the month’s data breaches. Across those incidents, the protected health information of 86,717 individuals was accessed without authorization or was impermissibly disclosed – 6.5% of the month’s affected individuals. The average breach size was 9,635 individuals, and the median breach size was 1,467 individuals. There were no loss, theft, or improper disposal incidents in April.

States Affected by April 2026 Healthcare Data Breaches
Data breaches were reported by HIPAA-regulated entities in 25 states, the District of Columbia, and Puerto Rico in April. California was the worst-affected state in terms of data breaches, while Florida was the worst-affected state in terms of the number of individuals affected.
April 2026 Healthcare Data Breaches
| State | Breaches |
| California | 6 |
| Texas & Washington | 4 |
| Florida & Virginia | 3 |
| Illinois, Minnesota, Oklahoma, Pennsylvania & West Virginia | 2 |
| Alabama, Delaware, Iowa, Indiana, Kentucky, Maryland, Michigan, Missouri, Nebraska, New Jersey, New York, South Carolina, Tennessee, Utah, Vermont, the District of Columbia & Puerto Rico | 1 |
Individuals Affected by April 2026 Healthcare Data Breaches
| State | Individuals Affected | State | Individuals Affected |
| Florida | 331,316 | Oklahoma | 8,233 |
| Illinois | 162,203 | Maryland | 7,213 |
| Pennsylvania | 145,976 | Iowa | 6,717 |
| South Carolina | 143,842 | Indiana | 5,900 |
| Puerto Rico | 92,000 | Vermont | 5,892 |
| California | 78,846 | Minnesota | 5,885 |
| Tennessee | 67,115 | Kentucky | 3,677 |
| Michigan | 62,972 | Virginia | 2,552 |
| Utah | 50,640 | New York | 2,123 |
| Alabama | 46,666 | Missouri | 2,027 |
| Washington | 46,202 | West Virginia | 1,500 |
| Nebraska | 26,937 | District of Columbia | 1,467 |
| Texas | 26,648 | | |
April 2026 Data Breaches at HIPAA Regulated Entities
In April 2026, 36 data breaches were reported by healthcare providers, 8 breaches were reported by health plans, and 3 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.
The pie charts below show where each data breach occurred, rather than which entity reported it. On that basis, 11 of the 47 breaches (rather than 3) occurred at business associates in April.


HIPAA Enforcement Activity in April 2026
The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, announced 4 settlements with HIPAA-regulated entities in April to resolve alleged violations of the HIPAA Rules. When alleged HIPAA violations are settled, the settlement agreement includes a corrective action plan to address the areas of noncompliance identified by OCR. When a civil monetary penalty is imposed, OCR cannot compel the regulated entity to adopt a corrective action plan.
All four of the settlements related to ransomware attacks, and in all cases, OCR identified a risk analysis failure. The HIPAA Security Rule requires regulated entities to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to electronic protected health information. It is the most commonly identified HIPAA Security Rule violation. You can read more about each enforcement action in this post. No state attorneys general announced any HIPAA penalties in April.
| HIPAA-Regulated Entity | Entity Type | Reason for Investigation | Alleged HIPAA violation(s) | Settlement Amount |
| Regional Women’s Health Group (Axia Women’s Health) | Healthcare Provider | Reported ransomware attack involving the protected health information of 37,989 individuals | Risk analysis failure; impermissible disclosure of ePHI | $320,000 |
| Assured Imaging Affiliated Covered Entities | Healthcare Provider | Reported ransomware attack involving the protected health information of 244,813 individuals | Risk analysis failure (never conducted); breach notification failure | $375,000 |
| Consociate, Inc. (Consociate Health) | Business Associate | Reported ransomware attack involving the protected health information of 136,539 individuals | Risk analysis failure | $225,000 |
| Star Group, L.P. Health Benefits Plan | Health Plan | Reported ransomware attack involving the protected health information of 9,316 individuals | Risk analysis failure | $245,000 |


