Healthcare Data Breach Statistics – Updated for 2026
The HIPAA Journal has compiled healthcare data breach statistics from October 2009, when the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) started publishing summaries of healthcare data breaches on its website. This page is regularly updated to reflect the latest healthcare data breach statistics. These statistics and graphs were last updated on June 19, 2026, and are based on breach data obtained from OCR up to and including May 19, 2026. Check back regularly to get the latest healthcare data breach statistics and healthcare data breach trends. You can view our 2025 healthcare data breach report here. You can also receive a free copy of our HIPAA Compliance Checklist to understand your organization’s responsibilities under HIPAA. Trends In Healthcare Data Breach Statistics Our healthcare data breach statistics clearly show an upward trend in data breaches since 2009, when OCR first started publishing data breach summaries on its website, peaking in 2026, when 772 healthcare data breaches affecting 500 or more individuals were reported to OCR....
Compliancy Group Acquires Healthicity
Compliancy Group has acquired Healthicity in a deal that combines two healthcare compliance software companies and expands Compliancy Group’s platform to include healthcare compliance, workforce compliance, risk assessment, third-party risk management, incident management, provider auditing, coding auditing, and documentation auditing. The acquisition was announced on June 17, 2026. Financial terms of the transaction were not disclosed. Compliancy Group said the combined organization will serve more than 3,000 healthcare organizations across the United States and selected global markets. Healthicity provides healthcare compliance and medical auditing software and advisory services. Its products include Compliance Manager, Audit Manager+, and Compliance Advisory Services, which are used by health systems, hospitals, physician groups, and other healthcare organizations to manage compliance programs and auditing activities. Compliancy Group said the acquisition will allow healthcare organizations to manage more elements of their compliance programs through a single platform ecosystem....
Data Breaches Announced by Open Arms Care; Elmwood Home Care
Data breaches have been announced by the Tennessee-based disability care provider Open Arms Care Corporation and the Rhode Island and Massachusetts home healthcare provider, Elmwood Home Care. Open Arms Care, Tennessee Open Arms Care Corporation, a Brentwood, TN-based nonprofit provider of residential and therapeutic care services to individuals with disabilities, has recently disclosed a breach of its email tenant. Suspicious activity was identified in August 2025, indicative of unauthorized access to an email account. The forensic investigation confirmed that the account had been accessed by an unauthorized third party between June 2025 and August 2025. The account was reviewed to determine the individuals affected and the types of data involved, and that process was completed on April 30, 2026. Up-to-date contact information was obtained, and notification letters were mailed to the affected individuals on June 9, 2026. The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: Medical diagnosis,...
FMC Services Agrees to $2.15M Settlement to End Data Breach Lawsuit
FMC Services LLC, the operator of a network of primary care clinics in Amarillo and Canyon, Texas, experienced a cyberattack and data breach in 2022. The class action lawsuit that followed has recently been settled for $2.15 million. The cyberattack was detected on July 26, 2022, and the forensic investigation confirmed that files had been exposed containing names, addresses, dates of birth, Social Security numbers, and health information. The FMC Services data breach was reported to the HHS’ Office for Civil Rights as involving the protected health information of 233,948 individuals. Notification letters were mailed to 266,540 individuals. Four individuals filed class action lawsuits in response to the exposure of their personal and protected health information. The lawsuits made similar claims and were consolidated into a single action – Sharber, et al. v. FMC Services, LLC – in the District Court of Potter County, Texas. The consolidated lawsuit claimed that FMC Services had a duty to maintain reasonable and appropriate cybersecurity measures and breached that duty,...
Clinical Registry Solutions; Jason R Egbert OD PC; VNC Health Announce Data Breaches
Data breaches have been announced by Clinical Registry Solutions in New York, First Sight Family Vision in Washington, and VHC Health in Virginia. Clinical Registry Solutions, New York Clinical Registry Solutions, a Brooklyn, New York-based provider of clinical data abstraction and registry support services to healthcare providers, is notifying 8,545 patients of Dignity Health’s St. Mary’s Medical Center that some of their protected health information has potentially been compromised in an April 2026 cybersecurity incident. Suspicious activity was identified within its computer network on April 9, 2026. The forensic investigation identified unauthorized access to its computer network, and evidence was found indicating that files containing patient data were copied by the attackers. The data review determined that patient names, procedure dates, and medical record numbers were involved; however, Social Security numbers and diagnosis and treatment information were not involved. Company data was also stolen in the attack. Clinical Registry Solutions has not identified any misuse of...



