25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

May 2026 Healthcare Data Breach Report

Based on the current data on the HHS’ Office for Civil Rights (OCR) breach portal, 61 healthcare data breaches affecting 500 or more individuals were reported in May 2026. May’s current total represents a 27.1% month-over-month increase in data breaches. Over the past 12 months, an average of 64 large healthcare data breaches were reported each month.

Healthcare data breaches in the past 12 months - May 2026

From January 1, 2026, to May 31, 2026, 319 data breaches affecting 500 or more individuals have been reported to OCR. This time last year, the total stood at 342 large data breaches.

HEalthcare data breaches - January 1 - May 31 - 2022-2026

While data breaches increased from April, the number of affected individuals fell by 34.8% to 879,447 individuals. In May, an average of 14,417 individuals were affected by healthcare data breaches, down from an average of 28,116 individuals in April. Over the past 12 months, an average of 10.6 million individuals have been affected by healthcare data breaches each month.

Individuals affected by healthcare data breaches in the past 12 months - May 2026

Data breaches are down slightly year-over-year, but there has been a massive reduction in the number of affected individuals. Very large data breaches have not been reported to OCR in the numbers seen in previous years. From January 1, 2026, to May 31, 2026, across the 319 data breaches, at least 21,085,405 individuals have been affected. The OCR breach portal shows that from January 2025 to May 2025, 33,116,809 individuals were affected by data breaches.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Individuals affected by healthcare data breaches - jan 1 - May 31, 2022-2026

Biggest Healthcare Data Breaches of May 2026

In May 2026, 17 data breaches affecting 10,000 or more individuals were reported to OCR, all of which were hacking incidents. The biggest data breach of the month was reported by Radiology Associates of Richmond, affecting more than 266,000 individuals, followed by a hacking incident at Western Orthopaedics which affected more than 113,000 individuals.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
Radiology Associates of Richmond VA Healthcare Provider 266,183 Hacking incident
Western Orthopaedics, P.C. CO Healthcare Provider 113,330 Hacking incident
ERMI LLC GA Healthcare Provider 74,074 Hacking incident
Singing River Health System MS Healthcare Provider 53,888 Hacking incident
Southern Illinois Ob-Gyn Associates, S.C. IL Healthcare Provider 38,700 Hacking incident
Gastro Health FL Healthcare Provider 35,632 Unauthorized access to email accounts
Eyemart Express, LLC TX Healthcare Provider 25,000 Hacking incident
Connecticut Department of Social Services CT Health Plan 22,500 Unauthorized access to provider portal website
Bridle Trails Family Dentistry WA Healthcare Provider 20,976 Unauthorized access to email account
Community Connections DC Healthcare Provider 18,943 Ransomware attack (INCRansom)
Virta Medical PC CO Healthcare Provider 14,636 Hacking incident (Lapsus$)
Saurabh N. Patel, M.D – Florida Retina Center LA Healthcare Provider 13,652 Hacking incident
Greenbaum Rowe Smith & Davis LLP NJ Business Associate 12,801 Hacking incident
Wellpoint Washington, Inc. IN Health Plan 12,020 Unauthorized access to email account
Defense Health Agency (TriWest) VA Health Plan 11,848 Hacking incident
IKRON Corporation OH Healthcare Provider 11,845 Hacking incident
Elara Caring TX Healthcare Provider 10,490 Hacking incident at third-party vendor

May’s total number of affected individuals may increase considerably over the coming weeks and months, as healthcare organizations complete their data breach investigations. HIPAA-regulated entities have 60 days from the date of discovery of a data breach to issue notifications to the HHS’ Office for Civil Rights and the affected individuals. HIPAA requires OCR to be notified even if the total number of individuals has yet to be determined by the 60-day deadline. In such cases, an estimate should be provided. Many regulated entities use a placeholder estimate of 500 or 501 individuals in such cases, and in May, 7 regulated entities appear to have used these placeholder figures.

Regulated Entity State Covered Entity Type Individuals Affected Cause of Breach
United Medical Doctors CA Healthcare Provider 501 Hacking/IT Incident
NJ Pain Care Specialists, LLC NJ Healthcare Provider 501 Hacking/IT Incident
Palomar Health Medical Group CA Healthcare Provider 501 Hacking/IT Incident
Aroostook Mental Health Center ME Healthcare Provider 501 Hacking/IT Incident
Campbell University NC Healthcare Provider 500 Hacking/IT Incident
BAYADA Home Health Care, Inc. NJ Healthcare Provider 500 Hacking/IT Incident
Integrated Pain Associates TX Healthcare Provider 500 Hacking/IT Incident

Causes of May 2026 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in May, as has been the case each month for several years. Out of the month’s 61 large healthcare data breaches, 54 were classed as hacking/IT incidents – 88.5% of the month’s data breaches. Across those incidents, the protected health information of 853,532 individuals was compromised- 88.5% of the month’s total affected individuals. On average, hacking/IT incidents affected 15,806 individuals in May, with a median breach size of 3,619 individuals.

Causes of May 2026 healthcare data breaches

There were 7 data breaches classed as unauthorized access/disclosure incidents, representing 11.5% of the month’s breaches. Across those incidents, the protected health information of 25,915 individuals was unlawfully accessed or disclosed. On average, 3,702 individuals were affected by each incident in May. The median breach size was 3,086 individuals. There were no reported theft, loss, or improper disposal incidents in May.

Given the large number of hacking incidents, it is no surprise that the most common location of breached protected health information was network servers. Email incidents were also reported in high numbers.

Location of breached PHI in May 2026 healthcare data breaches

States Affected by May 2026 Healthcare Data Breaches

Large healthcare data breaches were reported by HIPAA-regulated entities in 26 U.S. states and the District of Columbia. California was the worst affected state with 6 breaches.

State Breaches
California 6
Florida, New Jersey, New York, North Carolina, Ohio, Texas & Virginia 4
Colorado 3
Indiana, Maine, Michigan, Pennsylvania, South Carolina & the District of Columbia 2
Arizona, Connecticut, Georgia, Illinois, Iowa, Louisiana, Massachusetts, Mississippi, Oregon, Tennessee, Washington & Wisconsin 1

In terms of affected individuals, Virginia topped the list with almost 300,000 state residents affected.

State Individuals Affected State Individuals Affected
Virginia 290,254 Louisiana 13,652
Colorado 128,661 Pennsylvania 7,095
Georgia 74,074 South Carolina 6,946
Mississippi 53,888 Iowa 6,666
Florida 44,649 Michigan 6,456
Texas 40,045 California 5,303
Illinois 38,700 North Carolina 4,949
Ohio 28,540 Massachusetts 3,086
Connecticut 22,500 Maine 3,024
Washington 20,976 Oregon 2,856
District of Columbia 20,014 Arizona 2,316
New York 19,674 Tennessee 1,807
Indiana 17,325 Wisconsin 1,080
New Jersey 14,911

Data Breaches at HIPAA -Regulated Entities

In May 2026, 42 data breaches were reported by healthcare providers, 9 breaches were reported by health plans, and 10 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.

The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 22 of the 61 breaches (rather than 10) occurred at business associates in May.

May 2026 data breaches at HIPAA-regulated entities

Individuasl affected by data breaches at HIPAA-regulated entities in May 2026

HIPAA Enforcement Activity in May 2026

No enforcement actions were announced by OCR or state attorneys general in May.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist