25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Congress Members’ Prescription Information Compromised in RXNT Data Breach

Posted By on May 15, 2026

Further information has come to light about the RXNT data breach, reported by the HIPAA Journal on May 6, 2026. As detailed below, hackers had access to RXNT’s systems for two days in March and stole patient data. While the extent of the data breach has yet to be publicly disclosed, the breach is now known to have involved Congress members’ prescription data.

RXNT’s medical software is used by the Office of the Attending Physician (OAP) to manage care for members of Congress. The software is used to securely transmit prescription information to pharmacies for fulfillment, and some of that information was stolen in the attack, including names, addresses, dates of birth, physician names, and prescription and pharmacy information. Attending physician Brian Monahan has notified the affected members of Congress this week about the exposure of their personal and health data. Congress members’ medical records, Social Security numbers, and financial information were not involved, as the only information entered into the RXNT software is what is required for prescription fulfillment. While the types of information involved have been disclosed, OAP has yet to publicly announce how many individuals have been affected.

Under the HIPAA Breach Notification Rule, business associates such as RXNT have to notify the affected HIPAA-covered entity clients of a breach of unsecured electronic protected health information within 60 days of discovery. Only then does the clock start ticking for issuing individual notifications and notifying the HHS’ Office for Civil Rights. The affected covered entities are ultimately responsible for issuing notifications, which must be issued within 60 days of learning about a breach from their business associate. Covered entities must ensure that those notifications are issued within 60 days of being informed, although they may delegate that responsibility to the business associate. It could therefore take up to two months before the full scale of the data breach is known.

May 6, 2026: RXNT Notifies Customers About Cybersecurity Incident and Data Breach

Networking Technology, Inc., doing business as RXNT, a healthcare software technology company that provides electronic health record software, has started sending notification letters to organizations that use its software to inform them about a recent security incident that exposed patient data. A copy of one of the notification letters was shared with The HIPAA Journal, which states that unauthorized activity was identified within an RXNT solution used by some of its customers. An investigation was immediately launched to determine the nature and scope of the unauthorized activity, with assistance provided by third-party cybersecurity experts.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

RXNT has confirmed that an unauthorized actor accessed the solution between March 1, 2026, and March 3, 2026, and obtained a copy of the data stored within the system, which included patient data associated with its customers. The data was reviewed between March 3, 2026, and April 17, 2026, and RXNT can now confirm that patient names, dates of birth, and demographic information such as addresses, contact information, and patient IDs were stolen. Each customer was informed about how many patients were affected.

RXNT said it is taking steps to strengthen security to prevent similar incidents in the future and has offered to handle all breach reporting requirements on behalf of the affected clients (OCR notifications, media notices, individual notifications, and state attorneys general notifications). The affected clients have been given a rather short window to respond and sign up to receive further information about the cybersecurity incident. The notification letters are dated May 1, 2026, and providers are required to register by May 15, 2026. A website has been established specifically for that purpose – RXNTnotification[dot]com.

RXNT has only recently notified the affected organizations and offered to handle breach reporting requirements; therefore, the number of affected individuals has not yet been publicly disclosed. It is clear that multiple clients have been affected, and this has been a significant data breach.

This is a developing data breach story, and further information will be published on this page as it becomes available.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist