March 2026 healthcare data breach reporting shows 44 healthcare data breaches affecting 500 or more individuals reported to the HHS Office for Civil Rights, with 1,523,376 individuals impacted through exposure, theft, or impermissible disclosure of protected health information (PHI) across regulated entities.
March 2026 Healthcare Data Breach Summary
March 2026 reporting to the HHS Office for Civil Rights reflects 44 healthcare data breaches affecting 500 or more individuals, with 1,523,376 individuals impacted across incidents involving PHI exposure, theft, or impermissible disclosure. The total is the lowest monthly figure across the preceding 12 months and an 81 percent reduction from February 2026. Figures are subject to change as additional breach entries are added and investigations are finalized.
The reporting period includes incidents across healthcare providers, health plans, and business associates, with hacking incidents representing the dominant cause of reported breaches.
OCR Reporting Context and Timing
Healthcare data breaches affecting 500 or more individuals are published by the HHS Office for Civil Rights under requirements established by the HITECH Act of 2009. OCR maintains a public breach portal that summarizes reported incidents after conducting verification checks on submitted breach notifications.
During March 2026, no breach entries were initially added to the public-facing portal for March incidents. Entries began appearing in mid-April following processing delays of up to approximately two weeks between submission and publication. The current reporting set reflects 44 breaches, with the possibility of additional entries as OCR completes review processes.
Reported Incidents and Individuals Affected
Across 44 reported incidents, 1,523,376 individuals had PHI exposed, stolen, or otherwise impermissibly disclosed. The total includes individuals affected by hacking incidents, unauthorized access events, and a small number of theft cases.
Hacking and IT-related incidents accounted for 40 of the 44 reported breaches, representing 90.9 percent of all incidents for the month. Unauthorized access and disclosure incidents accounted for 3 incidents, representing 6.8 percent. One incident involved theft, representing 2.3 percent of reported cases.
The 40 hacking incidents accounted for 1,523,376 affected individuals, representing 99.7 percent of all individuals impacted during March. The unauthorized access and disclosure incidents affected 4,710 individuals, representing 0.3 percent of the total. The theft incident affected 538 individuals, representing 0.04 percent of total affected individuals.
The average breach size across all incidents was 37,953 individuals, with a median of 5,080 individuals. Hacking incidents drove the largest share of impacted records, while non-hacking incidents generally involved smaller populations.
Major Breach Incidents Reported in March 2026
Eleven incidents reported during March 2026 affected 10,000 or more individuals, including multiple large-scale hacking and ransomware events across healthcare providers, business associates, and health plans.
OpenLoop Health, a telehealth platform provider based in Iowa and classified as a business associate, reported the largest incident of the month. The organization discovered a hacking incident in January 2026. Investigation findings confirmed that a threat actor accessed systems and exfiltrated patient data. The incident was attributed to a threat actor known as Stuckin2019, which claimed responsibility and asserted access to 1.6 million patient records. OpenLoop Health reported the breach as affecting 716,000 individuals. The incident did not involve theft of Social Security numbers or financial data.
North Texas Behavioral Health Authority, a healthcare provider in Texas, reported a hacking incident affecting 285,086 individuals. The breach involved network access by threat actors in October 2025, with confirmation that PHI was exposed and may have been stolen.
Saint Anthony Hospital in Illinois reported unauthorized access to its email system following an incident on February 27, 2026. The threat actor obtained unstructured email data, including names, dates of birth, and Social Security numbers. The breach affected 146,108 individuals.
The Defense Health Agency in Virginia reported a hacking incident involving a third-party electronic medical record system. The incident affected 96,271 individuals and involved a business associate, with unauthorized access to electronic medical records reported through the OCR breach portal.
Additional incidents affecting 10,000 or more individuals included the following:
- Exclusive Physicians PLLC in Michigan with 58,000 individuals affected
- Woodfords Family Services in Maine with 38,061 individuals affected
- MedPeds Associates of Sarasota in Florida with 22,017 individuals affected
- Barrio Comprehensive Family Health Care Center in Texas with 19,971 individuals affected
- Longevity Health Plan in Florida with 15,000 individuals affected
- Cedar Valley Hospice in Iowa with 10,666 individuals affected
- Good Samaritan Health Center in Georgia with 10,000 individuals affected
Three additional incidents were reported with preliminary totals of 500 or 501 individuals:
- Community Health Action of Staten Island in New York with 501 individuals affected
- Securian Financial in Minnesota with 500 individuals affected, in a hacking incident involving a business associate
- Kin Counseling Services PLLC in Colorado with 500 individuals affected
Distribution by Breach Type
Hacking and IT-related incidents represented the dominant breach category in March 2026, with 40 reported incidents. These incidents affected 1,523,376 individuals and accounted for 99.7 percent of total impacted individuals.
Unauthorized access and disclosure incidents accounted for 3 breaches affecting 4,710 individuals. These incidents involved improper access or disclosure of protected health information and represented 0.3 percent of affected individuals.
One theft incident was reported, affecting 538 individuals and representing 0.04 percent of total impacted individuals. Loss, theft, and improper disposal incidents remain uncommon relative to hacking-related breaches.
Geographic Distribution of Affected Individuals and States
Healthcare data breaches were reported across 23 U.S. states during March 2026. Florida and Texas reported the highest number of incidents, with four breaches each.
States reporting three breaches included California, Massachusetts, Minnesota, and Oklahoma. States reporting two breaches included Colorado, Iowa, Illinois, Louisiana, Michigan, New York, and Washington. States reporting one breach included Arizona, Georgia, Indiana, Maine, North Carolina, Ohio, Pennsylvania, Tennessee, Virginia, and Wisconsin.
HIPAA-Regulated Entity Categories
Healthcare providers accounted for 33 of the reported breaches, affecting 672,387 individuals. Health plans accounted for 6 breaches, affecting 121,639 individuals. Business associates accounted for 5 breaches, affecting 729,350 individuals.
All six health plan breaches occurred at business associates. A portion of healthcare provider breaches also involved business associate environments. When breaches occur at business associates, notification responsibilities extend to covered entities, which may delegate reporting functions while retaining responsibility for ensuring required notifications are issued.
HIPAA Enforcement Activity
The HHS Office for Civil Rights reviews reported breaches to assess potential noncompliance with HIPAA requirements. Most investigations conclude without enforcement action or with technical assistance provided to address compliance issues.
OCR maintains enforcement focus areas involving HIPAA Right of Access requirements and risk analysis and risk management obligations under the HIPAA Security Rule. Noncompliance with these provisions may result in financial penalties.
During March 2026, OCR announced one enforcement action involving a financial penalty. The case involved MMG Fusion, a Maryland-based provider of software solutions for oral healthcare providers, and covered multiple HIPAA violations, including failure to conduct a risk analysis, breach notification failure, and impermissible disclosure of electronic protected health information (ePHI) affecting 15 million individuals. The organization agreed to a settlement payment of $10,000 following resolution of the case.