February 2026 recorded 63 healthcare data breaches affecting 500 or more individuals, exposing the protected health information (PHI) of at least 8,134,378 individuals and reflecting both an increase in breach volume and a substantial rise in affected individuals.
Reported Breach Volume and Affected Individuals
In February 2026, 63 data breaches were reported to the Department of Health and Human Services Office for Civil Rights involving 500 or more individuals. This represents a 14.5 percent increase from January 2026 and is 12.5 percent higher than the average number of February breaches over the previous five years.
Across these 63 incidents, at least 8,134,378 individuals had PHI exposed or impermissibly disclosed. This figure reflects a 436 percent increase compared to the previous month and is 38.9 percent higher than the average number of affected individuals in the past 12 months.
Between January 1 and February 28, 2026, a total of 118 breaches affecting 500 or more individuals were reported, involving 9,651,076 individuals. The number of breaches declined by 10.6 percent compared to the prior year period, while the number of affected individuals increased by 44.7 percent.
Largest Reported Data Breaches
Two large-scale incidents accounted for a substantial portion of the individuals affected in February 2026.
TriZetto Provider Solutions reported a data breach affecting 3,433,965 individuals. The entity is a business associate providing administrative services to healthcare providers and health plans. The breach involved unauthorized access to a web portal used by clients to access systems. The attack was detected in October 2025, and the threat actor had access for nearly one year. The responsible threat group was not identified.
TriZetto operates as a subcontractor for OCHIN, a healthcare technology and data analytics company that provides electronic health record software. OCHIN reported that approximately 9 percent of its patient population, or around 700,000 patients, were impacted. A total of 44 HIPAA-covered entities have reported being affected, with the total number of impacted organizations not fully determined.
QualDerm Partners, LLC reported a data breach affecting 3,117,874 individuals. The incident involved confirmed data exfiltration following unauthorized access between December 23 and December 24, 2025. The intrusion was detected in December 2025. The responsible threat actor was not identified.
ApolloMD Business Services, LLC reported a ransomware incident affecting 626,540 individuals. The ransomware group Qilin claimed responsibility and reported exfiltration of patient data. The breach was detected in May 2025 and reported in February 2026.
The combined impact of these three incidents exceeded the number of individuals affected by all breaches reported to the Office for Civil Rights since mid-September 2025.
Additional Reported Breaches
Other reported breaches involved a range of entity types and causes.
Vikor Scientific, LLC reported a network server hacking incident affecting 139,964 individuals. The Office for Civil Rights provided technical assistance on HIPAA compliance.
IPPC Inc., IPPC of New York LLC, and Innovative Pharmacy LLC reported a hacking incident with confirmed data theft affecting 133,862 individuals.
Oscar Health reported an incident affecting 91,350 individuals involving an employee emailing electronic protected health information to incorrect recipients. The Office for Civil Rights provided technical assistance on HIPAA compliance.
National Association on Drug Abuse Problems reported a hacking incident affecting 90,000 individuals.
Counseling Center of Wayne and Holmes Counties reported a hacking incident with confirmed data theft affecting 83,354 individuals.
Academic Urology and Urogynecology of Arizona reported a hacking incident affecting 73,281 individuals.
Additional incidents included breaches at Lakeside Pediatrics and Adolescent Medicine, Emanuel Medical Center, Cedar Point Health, WIRX Pharmacy, Wendy Foster OD, and others, with varying numbers of affected individuals and primarily involving hacking incidents.
Several breaches were reported with placeholder figures of 500 or 501 individuals due to unknown impact at the time of reporting. Seven such cases were included in the February data.
Causes of Data Breaches
Hacking and other information technology incidents were the dominant cause of breaches in February 2026.
A total of 57 of the 63 reported breaches were classified as hacking or IT incidents. These incidents affected 8,020,208 individuals, representing 98.6 percent of all affected individuals in February. The average breach size for these incidents was 140,705 individuals, and the median breach size was 2,908 individuals.
Six incidents were classified as unauthorized access or disclosure. These incidents affected 114,170 individuals. The average breach size for these incidents was 19,028 individuals, and the median breach size was 1,560 individuals.
The largest unauthorized access incident involved more than 91,000 individuals and resulted from an employee emailing electronic protected health information (ePHI) to an incorrect recipient.
No incidents involving loss or theft of devices or records were reported in February. No improper disposal incidents were reported.
The most common location of compromised PHI was network servers, followed by email accounts and disclosures.
Distribution by Entity Type
Data breaches in February 2026 were reported by multiple types of HIPAA-regulated entities.
Healthcare providers reported 49 breaches affecting 3,940,433 individuals.
Health plans reported 7 breaches affecting 116,690 individuals.
Business associates reported 7 breaches affecting 4,077,255 individuals.
These counts are attributed to the entity that submitted the report to the Office for Civil Rights, which may differ from the entity where the breach occurred. When recalculated based on the entity experiencing the breach, 25 incidents occurred at business associates.
The TriZetto Provider Solutions incident illustrates this distinction. While TriZetto reported the breach, multiple covered entities also submitted separate reports for the same incident.
Geographic Distribution
The February 2026 data breaches were reported across 32 states.
New York and Texas each reported 6 breaches.
California reported 4 breaches.
Georgia, Kansas, and Oregon each reported 3 breaches.
Multiple states reported 2 breaches each, including Arkansas, Illinois, Kentucky, Michigan, Missouri, North Carolina, New Jersey, Oklahoma, Pennsylvania, South Carolina, Tennessee, and Utah.
Several states reported 1 breach each, including Alabama, Arizona, Colorado, Florida, Idaho, Indiana, Massachusetts, Maryland, Maine, Minnesota, New Hampshire, Ohio, Virginia, and Washington.
In terms of affected individuals, breaches reported in Missouri affected 3,451,075 individuals and breaches reported in Tennessee affected 3,119,544. Georgia followed with 658,003, then New York with 210,655 and South Carolina with 140,465.
HIPAA Breach Notification Rule Requirements
The HIPAA Breach Notification Rule requires that data breaches affecting 500 or more individuals be reported to the Office for Civil Rights within 60 days of discovery.
When the number of affected individuals is not known at the time of reporting, entities may submit an estimate. Placeholder figures such as 500 or 501 individuals are commonly used in these cases. These figures may be updated following completion of investigations or data reviews.
Seven breaches reported in February 2026 used placeholder figures due to incomplete information at the time of submission.
HIPAA Enforcement Activity
No HIPAA enforcement actions were announced by the Office for Civil Rights or state attorneys general during February 2026.
The Office for Civil Rights confirmed an expansion of its risk analysis enforcement initiative to include risk management. During investigations, the Office for Civil Rights requests documentation demonstrating that an organization has conducted a comprehensive risk analysis and has managed identified risks to a reasonable and acceptable level within an appropriate timeframe.
A video presentation was released by the Office for Civil Rights addressing risk management requirements under the HIPAA Security Rule. The presentation was delivered by Nicholas Heesters, Senior Advisor for Cybersecurity, and included examples of violations identified during breach investigations.
Data Reporting and Portal Activity
Healthcare data breach reports are based on incidents submitted to the Office for Civil Rights, as regulated entities do not consistently disclose the number of affected individuals publicly.
The Office for Civil Rights has delayed adding breach reports to the “under investigation” section of its data breach portal. No breach reports submitted in March 2026 were added to that section during the same month. As of April 10, 2026, only two March breaches were listed.
At the same time, breach reports have been added to the “Archive” section at an accelerated rate. This reflects a shift in activity toward investigation and closure of cases.