May 2026 Healthcare Data Breach Report
Based on the current data on the HHS’ Office for Civil Rights (OCR) breach portal, 61 healthcare data breaches affecting 500 or more individuals were reported in May 2026. May’s current total represents a 27.1% month-over-month increase in data breaches. Over the past 12 months, an average of 64 large healthcare data breaches were reported each month.

From January 1, 2026, to May 31, 2026, 319 data breaches affecting 500 or more individuals have been reported to OCR. This time last year, the total stood at 342 large data breaches.
While data breaches increased from April, the number of affected individuals fell by 34.8% to 879,447 individuals. In May, an average of 14,417 individuals were affected by healthcare data breaches, down from an average of 28,116 individuals in April. Over the past 12 months, an average of 10.6 million individuals have been affected by healthcare data breaches each month.

Data breaches are down slightly year-over-year, but there has been a massive reduction in the number of affected individuals. Very large data breaches have not been reported to OCR in the numbers seen in previous years. From January 1, 2026, to May 31, 2026, across the 319 data breaches, at least 21,085,405 individuals have been affected. The OCR breach portal shows that from January 2025 to May 2025, 33,116,809 individuals were affected by data breaches.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Biggest Healthcare Data Breaches of May 2026
In May 2026, 17 data breaches affecting 10,000 or more individuals were reported to OCR, all of which were hacking incidents. The biggest data breach of the month was reported by Radiology Associates of Richmond, affecting more than 266,000 individuals, followed by a hacking incident at Western Orthopaedics which affected more than 113,000 individuals.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| Radiology Associates of Richmond | VA | Healthcare Provider | 266,183 | Hacking incident |
| Western Orthopaedics, P.C. | CO | Healthcare Provider | 113,330 | Hacking incident |
| ERMI LLC | GA | Healthcare Provider | 74,074 | Hacking incident |
| Singing River Health System | MS | Healthcare Provider | 53,888 | Hacking incident |
| Southern Illinois Ob-Gyn Associates, S.C. | IL | Healthcare Provider | 38,700 | Hacking incident |
| Gastro Health | FL | Healthcare Provider | 35,632 | Unauthorized access to email accounts |
| Eyemart Express, LLC | TX | Healthcare Provider | 25,000 | Hacking incident |
| Connecticut Department of Social Services | CT | Health Plan | 22,500 | Unauthorized access to provider portal website |
| Bridle Trails Family Dentistry | WA | Healthcare Provider | 20,976 | Unauthorized access to email account |
| Community Connections | DC | Healthcare Provider | 18,943 | Ransomware attack (INCRansom) |
| Virta Medical PC | CO | Healthcare Provider | 14,636 | Hacking incident (Lapsus$) |
| Saurabh N. Patel, M.D – Florida Retina Center | LA | Healthcare Provider | 13,652 | Hacking incident |
| Greenbaum Rowe Smith & Davis LLP | NJ | Business Associate | 12,801 | Hacking incident |
| Wellpoint Washington, Inc. | IN | Health Plan | 12,020 | Unauthorized access to email account |
| Defense Health Agency (TriWest) | VA | Health Plan | 11,848 | Hacking incident |
| IKRON Corporation | OH | Healthcare Provider | 11,845 | Hacking incident |
| Elara Caring | TX | Healthcare Provider | 10,490 | Hacking incident at third-party vendor |
May’s total number of affected individuals may increase considerably over the coming weeks and months, as healthcare organizations complete their data breach investigations. HIPAA-regulated entities have 60 days from the date of discovery of a data breach to issue notifications to the HHS’ Office for Civil Rights and the affected individuals. HIPAA requires OCR to be notified even if the total number of individuals has yet to be determined by the 60-day deadline. In such cases, an estimate should be provided. Many regulated entities use a placeholder estimate of 500 or 501 individuals in such cases, and in May, 7 regulated entities appear to have used these placeholder figures.
| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach |
| United Medical Doctors | CA | Healthcare Provider | 501 | Hacking/IT Incident |
| NJ Pain Care Specialists, LLC | NJ | Healthcare Provider | 501 | Hacking/IT Incident |
| Palomar Health Medical Group | CA | Healthcare Provider | 501 | Hacking/IT Incident |
| Aroostook Mental Health Center | ME | Healthcare Provider | 501 | Hacking/IT Incident |
| Campbell University | NC | Healthcare Provider | 500 | Hacking/IT Incident |
| BAYADA Home Health Care, Inc. | NJ | Healthcare Provider | 500 | Hacking/IT Incident |
| Integrated Pain Associates | TX | Healthcare Provider | 500 | Hacking/IT Incident |
Causes of May 2026 Healthcare Data Breaches
Hacking and other IT incidents dominated the breach reports in May, as has been the case each month for several years. Out of the month’s 61 large healthcare data breaches, 54 were classed as hacking/IT incidents – 88.5% of the month’s data breaches. Across those incidents, the protected health information of 853,532 individuals was compromised- 88.5% of the month’s total affected individuals. On average, hacking/IT incidents affected 15,806 individuals in May, with a median breach size of 3,619 individuals.
There were 7 data breaches classed as unauthorized access/disclosure incidents, representing 11.5% of the month’s breaches. Across those incidents, the protected health information of 25,915 individuals was unlawfully accessed or disclosed. On average, 3,702 individuals were affected by each incident in May. The median breach size was 3,086 individuals. There were no reported theft, loss, or improper disposal incidents in May.
Given the large number of hacking incidents, it is no surprise that the most common location of breached protected health information was network servers. Email incidents were also reported in high numbers.
States Affected by May 2026 Healthcare Data Breaches
Large healthcare data breaches were reported by HIPAA-regulated entities in 26 U.S. states and the District of Columbia. California was the worst affected state with 6 breaches.
| State | Breaches |
| California | 6 |
| Florida, New Jersey, New York, North Carolina, Ohio, Texas & Virginia | 4 |
| Colorado | 3 |
| Indiana, Maine, Michigan, Pennsylvania, South Carolina & the District of Columbia | 2 |
| Arizona, Connecticut, Georgia, Illinois, Iowa, Louisiana, Massachusetts, Mississippi, Oregon, Tennessee, Washington & Wisconsin | 1 |
In terms of affected individuals, Virginia topped the list with almost 300,000 state residents affected.
| State | Individuals Affected | State | Individuals Affected |
| Virginia | 290,254 | Louisiana | 13,652 |
| Colorado | 128,661 | Pennsylvania | 7,095 |
| Georgia | 74,074 | South Carolina | 6,946 |
| Mississippi | 53,888 | Iowa | 6,666 |
| Florida | 44,649 | Michigan | 6,456 |
| Texas | 40,045 | California | 5,303 |
| Illinois | 38,700 | North Carolina | 4,949 |
| Ohio | 28,540 | Massachusetts | 3,086 |
| Connecticut | 22,500 | Maine | 3,024 |
| Washington | 20,976 | Oregon | 2,856 |
| District of Columbia | 20,014 | Arizona | 2,316 |
| New York | 19,674 | Tennessee | 1,807 |
| Indiana | 17,325 | Wisconsin | 1,080 |
| New Jersey | 14,911 | ||
Data Breaches at HIPAA -Regulated Entities
In May 2026, 42 data breaches were reported by healthcare providers, 9 breaches were reported by health plans, and 10 data breaches were reported by business associates. When a breach occurs at a business associate, the affected covered entities must be informed. Each covered entity may delegate the breach notification responsibilities to the business associate, but it is ultimately the responsibility of each covered entity to ensure that breach notifications are issued. In many cases, a breach at a business associate is reported by the covered entity.
The pie charts below show where the data breach occurred, rather than the reporting entity, which shows that 22 of the 61 breaches (rather than 10) occurred at business associates in May.
HIPAA Enforcement Activity in May 2026
No enforcement actions were announced by OCR or state attorneys general in May.








