March 2026 Healthcare Data Breach Report
In March 2026, 66 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). More than 8.7 million individuals had their personal and protected health information exposed, stolen, or otherwise impermissibly disclosed.
Under the HITECH Act of 2009, OCR is required to publish a summary of large healthcare data breaches – incidents involving the exposure, theft, or impermissible disclosure of the electronic protected health information of 500 or more individuals. OCR checks all breach reports submitted through its data breach portal, then adds the data breaches to the public-facing section of the portal. Typically, there is a delay of up to 2 weeks from the receipt of a breach report to its addition to the breach portal. No March data breaches were added to the portal during March itself; they started to be added in mid-April, hence the delay in publication of this breach report. Since this breach report was first published on May 11, 2026, a further 22 March data breaches have been added to the breach portal. As of May 22, 2026, the OCR breach portal shows 66 reported data breaches affecting 500 or more individuals for March, although there may be further additions over the coming weeks as OCR finalizes its checks.

The year-to-date figures show healthcare data breaches continuing to be reported in high numbers. Between January 1, 2026, and March 31, 2026, 200 healthcare data breaches were reported – exactly the same number as in the same period of 2025, which was a record-breaking year for healthcare data breaches. Last year, 770 healthcare data breaches were reported to OCR, beating the previous record of 746 large healthcare data breaches set in 2023.

Across those 66 incidents, the protected health information of 8,743,739 individuals was exposed, stolen, or otherwise impermissibly disclosed – a slight increase from February 2026, and well above the average over the past 12 months of 6,561,861 affected individuals each month. The month’s total is likely to continue to grow, since several data breaches have been reported with placeholder figures of 500/501 affected individuals while data breach investigations are still ongoing.

While the number of reported healthcare data breaches is the same as this time last year, breach severity has increased. So far this year, 17,093,665 individuals have had their protected health information exposed or stolen – a 29.4% increase from this time last year.

Biggest Healthcare Data Breaches in March 2026
In March, 17 healthcare data breaches affecting 10,000 or more individuals were reported to OCR. Three mega data breaches were reported by HIPAA-regulated entities in March, each affecting more than a million individuals. Top of the list is a hacking incident at Nacogdoches Memorial Hospital in Texas that exposed the personal and health information of more than 2.5 million current and former patients. More than 2 million individuals were affected by a data breach at the employee benefits administrator Navia Benefits Solutions. Both of these hacking incidents were detected in January 2026. Close behind was the data breach at the New York public health system, New York City Health and Hospitals Corporation, which affected 1.8 million individuals. The hacking incident was identified in early February; however, the hackers had access to its systems for around 11 weeks before the breach was detected.
The telehealth platform provider OpenLoop Health also reported a significant breach. OpenLoop Health discovered the hacking incident in January 2026, and the investigation confirmed that a threat actor accessed its systems and exfiltrated patient data. A threat actor – Stuckin2019 – claimed responsibility for the attack and said the records of 1.6 million patients were exfiltrated, although OpenLoop Health reported the incident as affecting 716,000 individuals. While the breach was large and involved personal and health information, Social Security numbers and financial information were not stolen.
Erie Family Health Centers in Illinois reported a breach affecting 570,000 individuals. Hackers had access to its network from December 10, 2025, to January 27, 2026, and potentially exfiltrated patient data. North Texas Behavioral Health Authority (NTBHA), a provider of mental health and substance use treatment and services in Texas, experienced a hacking incident that exposed the protected health information of 285,086 individuals. Few details have been published about the nature of the incident, other than hackers breaching its network in October 2025.
Saint Anthony Hospital in Chicago reported a breach of its email system. The breach occurred on February 27, 2026, and the threat actor obtained unstructured data from its email system, including names, dates of birth, and Social Security numbers. More than 146,000 individuals had data stolen in the incident. The hacking incident at Defense Health Agency affected almost 100,000 individuals, but the HIPAA Journal has been unable to find any details about the data breach, other than what is shown on the HHS’ Office for Civil Rights breach portal. The portal states that a business associate was involved and that the breach involved unauthorized access to electronic medical records.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Incident |
|---|---|---|---|---|
| Nacogdoches Memorial Hospital | TX | Healthcare Provider | 2,507,073 | Hacking incident |
| Navia Benefits Solutions Inc. | IA | Business Associate | 2,151,330 | Hacking incident |
| New York Health and Hospitals Corporation | NY | Healthcare Provider | 1,800,000 | Hacking incident |
| OpenLoop Health, Inc. | IA | Business Associate | 716,000 | Hack and extortion incident – data theft confirmed |
| Erie Family Health Centers | IL | Healthcare Provider | 570,000 | Hacking incident |
| North Texas Behavioral Health Authority | TX | Healthcare Provider | 285,086 | Hacking incident |
| Saint Anthony Hospital | IL | Healthcare Provider | 146,108 | Unauthorized access to the email system |
| Coastal Carolina Health Care, PA | NC | Healthcare Provider | 110,304 | Hacking incident |
| Defense Health Agency | VA | Health Plan | 96,271 | Hacking of a third-party electronic medical record system |
| Exclusive Physicians PLLC | MI | Healthcare Provider | 58,000 | Hacking incident |
| Proxycare Inc. | FL | Healthcare Provider | 45,196 | Hacking incident |
| Woodfords Family Services | ME | Healthcare Provider | 38,061 | Ransomware attack |
| MedPeds Associates of Sarasota | FL | Healthcare Provider | 22,017 | Ransomware attack |
| Barrio Comprehensive Family Health Care Center | TX | Healthcare Provider | 19,971 | Unauthorized access to the email system |
| Longevity Health Plan | FL | Health Plan | 15,000 | Hacking incident |
| Cedar Valley Hospice | IA | Healthcare Provider | 10,666 | Hacking incident |
| Good Samaritan Health Center | GA | Healthcare Provider | 10,000 | Ransomware attack |
Seven incidents were reported to OCR using totals of 500 or 501 individuals. These figures are often used as “placeholder” estimates to meet the reporting requirements of the HIPAA Breach Notification Rule when investigations and data reviews are ongoing. These data breaches could turn out to affect substantially more individuals than the breach portal suggests.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Community Health Action of Staten Island | NY | Healthcare Provider | 501 | Unauthorized Access to Email Accounts |
| Glendora Surgery Center | CA | Healthcare Provider | 501 | Hacking incident |
| Securian Financial | MN | Health Plan | 500 | Hacking incident at a business associate |
| Lumio Dental | OK | Business Associate | 500 | Hacking incident |
| Rocky Mountain Care | UT | Business Associate | 500 | Ransomware attack (Qilin) |
| New Horizons Behavioral Health | GA | Healthcare Provider | 500 | Hacking incident |
| Kin Counseling Services PLLC | CO | Healthcare Provider | 500 | Hacking incident |
Causes of March 2026 Healthcare Data Breaches
As has been the case for many months, most data breaches are due to hacking and other IT incidents, which account for the large majority of reported data breaches. Unauthorized access/disclosure incidents are less common but a regular cause of data breaches, while loss, theft, and improper disposal incidents are now a rarity, typically being reported in extremely low numbers.

In March, 61 of the month’s 66 data breaches were hacking/IT incidents (92.4%), 4 were unauthorized access/disclosure incidents (6.1%), and there was one theft incident (1.5%). Across the 61 hacking incidents, 8,737,889 individuals had their protected health information exposed or stolen – 99.9% of all individuals affected by healthcare data breaches in March. The average breach size was 143,244 individuals (median: 5,086 individuals). The unauthorized access/disclosure incidents affected 5,312 individuals, 0.6% of the month’s affected individuals; the average breach size was 1,328 individuals (median: 985 individuals). The theft incident affected 538 individuals, 0.006% of the month’s affected individuals.
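The category breakdown above, and the 500/501 placeholder figures discussed earlier, are the kind of analysis an analyst repeats each month from breach-portal rows. The following Python script is an added example (not HIPAA Journal's or OCR's code) that parses rows in the shape of this report's tables, flags placeholder counts, and computes per-category incident counts, shares, mean and median breach sizes. The column names are an assumption modelled on the report's tables rather than the portal's exact export schema, and the rows are constructed sample data, so the figures it produces do not reproduce the March totals.

```python
"""Summarize breach-portal style rows by breach type and flag placeholder counts.

Added example, not HIPAA Journal's or OCR's code. The column names are an
assumption modelled on the report's tables, not the portal's exact export schema.
"""
import csv
import io
from collections import defaultdict
from statistics import mean, median

# Constructed sample rows in the shape of the report's tables (not real portal data).
SAMPLE_CSV = """Regulated Entity,State,Covered Entity Type,Individuals Affected,Type of Breach
Example Hospital A,TX,Healthcare Provider,"2,507,073",Hacking/IT Incident
Example Benefits Admin,IA,Business Associate,"2,151,330",Hacking/IT Incident
Example Health System,NY,Healthcare Provider,"1,800,000",Hacking/IT Incident
Example Clinic B,IL,Healthcare Provider,"5,086",Hacking/IT Incident
Example Surgery Center,CA,Healthcare Provider,501,Hacking/IT Incident
Example Dental Group,OK,Business Associate,500,Hacking/IT Incident
Example Practice C,GA,Healthcare Provider,985,Unauthorized Access/Disclosure
Example Practice D,CO,Healthcare Provider,"1,671",Unauthorized Access/Disclosure
Example Pharmacy,FL,Healthcare Provider,538,Theft
"""

# Totals of exactly 500 or 501 are commonly placeholders filed to meet the
# Breach Notification Rule deadline while the data review is still ongoing.
PLACEHOLDER_COUNTS = {500, 501}


def parse_rows(text):
    """Parse CSV text into dicts, converting '2,507,073'-style counts to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Individuals Affected"] = int(row["Individuals Affected"].replace(",", ""))
        rows.append(row)
    return rows


def flag_placeholders(rows):
    """Return the entities whose reported total looks like a placeholder figure."""
    return [r["Regulated Entity"] for r in rows
            if r["Individuals Affected"] in PLACEHOLDER_COUNTS]


def summarize_by_type(rows):
    """Group rows by breach type and compute counts, shares, mean and median sizes."""
    total_individuals = sum(r["Individuals Affected"] for r in rows)
    sizes_by_type = defaultdict(list)
    for r in rows:
        sizes_by_type[r["Type of Breach"]].append(r["Individuals Affected"])

    summary = {}
    for kind, sizes in sizes_by_type.items():
        summary[kind] = {
            "incidents": len(sizes),
            "share_of_incidents_pct": round(100 * len(sizes) / len(rows), 1),
            "individuals": sum(sizes),
            # Two decimals so that very small categories do not round to 0.0%.
            "share_of_individuals_pct": round(100 * sum(sizes) / total_individuals, 2),
            "mean_size": round(mean(sizes)),
            "median_size": median(sizes),
        }
    return summary


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    print("Placeholder totals (likely to grow):", flag_placeholders(rows))
    for kind, stats in summarize_by_type(rows).items():
        print(kind, stats)
```

Because placeholder rows are retained in the statistics, the median for the hacking category is pulled down by them, which is exactly the effect the report warns about when it says the month's total is likely to grow; re-running the script once the portal is updated shows how much the picture shifts.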

States Affected by March 2026 Healthcare Data Breaches
Data breaches were reported by HIPAA-regulated entities in 26 U.S. states in March, with Texas and Florida the worst-affected states.
| State | Data Breaches |
|---|---|
| Texas | 9 |
| Florida | 6 |
| California | 5 |
| Oklahoma | 4 |
| Illinois, Massachusetts, Michigan, Minnesota, New York, North Carolina & Washington | 3 |
| Colorado, Georgia, Iowa, Louisiana & Utah | 2 |
| Alabama, Arizona, Indiana, Maryland, Ohio, Pennsylvania, Rhode Island, Tennessee, Virginia, Wisconsin & Puerto Rico | 1 |
In terms of affected individuals, Texas topped the list with more than 2.8 million affected individuals, followed by Washington and New York.
| State | Individuals Affected |
|---|---|
| Texas | 2,831,263 |
| Washington | 2,153,151 |
| New York | 1,805,587 |
| Iowa | 726,666 |
| Illinois | 722,194 |
| North Carolina | 112,849 |
| Virginia | 96,271 |
| Florida | 95,407 |
| Michigan | 69,740 |
| Puerto Rico | 24,236 |
| Louisiana | 17,755 |
| California | 14,344 |
| Georgia | 10,500 |
| Indiana | 8,941 |
| Massachusetts | 7,925 |
| Utah | 6,300 |
| Oklahoma | 6,277 |
| Rhode Island | 5,630 |
| Minnesota | 5,073 |
| Ohio | 4,234 |
| Tennessee | 3,171 |
| Alabama | 3,043 |
| Colorado | 2,563 |
| Wisconsin | 1,574 |
| Maryland | 1,524 |
| Arizona | 949 |
| Pennsylvania | 687 |
Data Breaches at HIPAA-Regulated Entities
In March, data breaches were reported by 49 healthcare providers (5,731,709 affected individuals), 8 health plans (127,307 affected individuals), and 9 business associates (2,884,723 affected individuals). When a data breach occurs at a business associate, the business associate must notify each affected entity, and then a decision must be made by the covered entity about who reports the data breach. The affected covered entity may choose to issue notifications – they are ultimately responsible for ensuring that notifications are issued – but many delegate that responsibility to the business associate. Taking that into account, the following charts show where the breach occurred rather than the reporting entity. All but one of the health plan breaches occurred at business associates, as did 18 of the data breaches reported by healthcare providers.


HIPAA Enforcement Activity in March 2026
OCR investigates all large healthcare data breaches to determine if they occurred as a result of HIPAA noncompliance. The OCR breach portal shows that the majority of data breach investigations are closed with no further action taken or with OCR providing technical assistance to address HIPAA noncompliance. OCR currently has two main enforcement initiatives in place, one targeting noncompliance with the HIPAA Right of Access, and one targeting noncompliance with the risk analysis/risk management requirements of the HIPAA Security Rule. Violations of these provisions are likely to result in financial penalties.
OCR announced one enforcement action in March involving a financial penalty, after OCR discovered multiple violations of the HIPAA Rules – a risk analysis failure, a breach notification failure, and an impermissible disclosure of the electronic protected health information of 15 million individuals. MMG Fusion, a Maryland-based provider of software solutions to oral healthcare providers, settled the case and paid a $10,000 financial penalty – one of the lowest financial penalties ever imposed by OCR. OCR said that when determining the settlement amount, consideration was given to MMG’s financial position.