Forty six large healthcare data breaches affecting 1,441,182 individuals were reported in January 2026 based on data listed on the U.S. Department of Health and Human Services Office for Civil Rights breach portal.
Reported Breach Volume and Impact
The Office for Civil Rights breach reporting portal recorded 46 healthcare data breaches impacting 500 or more individuals during January 2026. This total represented a 13.2 percent decrease compared with December 2025.
The breaches collectively exposed or impermissibly disclosed the protected health information (PHI) of 1,441,182 individuals. The number of affected individuals increased by 178 percent compared with December 2025. Despite that increase, the total number of affected individuals remained below the twelve month monthly average of 5,107,388 individuals.
The January total also represented the lowest number of affected individuals for the month of January since 2020. Reporting activity in recent months shows fewer large healthcare data breaches compared with earlier periods in 2025. From September 2025 through January 2026, the average number of large healthcare data breaches reported per month was 46.2.
During the earlier period between April and August 2025, the monthly average was 68.6 breaches.
The reason for the decline in large data breaches since September 2025 may be related to the time when the Office for Civil Rights breach portal experienced a delay in updates because of a federal government shutdown that lasted 43 days between October 1 and November 12, 2025. No healthcare data breaches were added to the portal during that shutdown period. Additional breach reports were later added for October and November following the shutdown.
Largest Healthcare Data Breaches Reported in January 2026
Eleven healthcare data breaches reported during January affected 10,000 or more individuals. These eleven incidents accounted for 92.5 percent of all affected individuals during the month.
The largest reported breach involved the Illinois Department of Human Services. The incident exposed PHI of more than 700,000 state residents. The breach occurred after a website created for internal use became accessible over the public internet.
The second largest breach was reported by the Minnesota Department of Human Services. This incident affected more than 303,000 individuals. The breach involved unauthorized access to the MnChoices system used by counties, Tribal Nations, and managed care organizations to conduct assessments and planning for state residents requiring long term services and support. The system was accessed by a user associated with a licensed healthcare provider who had no legitimate reason to access the data.
Additional incidents during January involved healthcare providers and business associates experiencing hacking incidents or ransomware attacks. Examples of affected entities include Clinic Service Corporation in Colorado, LifeLong Medical Care in California, Avosina Healthcare Solutions in Virginia, Wakefield and Associates in Tennessee, Jefferson-Blount-St. Clair Mental Health Authority in Alabama, Mid Michigan Medical Billing Service in Michigan, Pecan Tree Dental in Texas, Central Ozarks Medical Center in Missouri, and 360 Dental PC in Pennsylvania.
Breach Causes and Attack Methods
Hacking and other information technology incidents were reported as the cause of 36 of the 46 healthcare data breaches during January 2026. These incidents represented 78.3 percent of the month’s reported breaches. The hacking related incidents exposed or compromised PHI belonging to 343,359 individuals. The average and median breach sizes for hacking incidents was 9,810 and 3,722 individuals, respectively.
Unauthorized access or disclosure incidents represented 10 of the 46 breaches reported during January. These incidents accounted for 21.7 percent of the reported breaches. Unauthorized access or disclosure incidents affected 76.1 percent of all individuals impacted during the month. The average and median breach sizes for unauthorized access incidents was 109,700 and 3,188 individuals, respectively. One breach involved the loss of paper records affecting 821 individuals.
The most common location of compromised PHI during the month was network servers, which were involved in 30 incidents. Email accounts were the second most common location, involved in eight incidents.
Types of HIPAA Regulated Entities Reporting Breaches
Healthcare providers reported 36 of the 46 large healthcare data breaches recorded during January 2026. Those incidents affected 236,462 individuals. Business associates reported six breaches affecting 190,015 individuals. Health plans reported four breaches affecting 1,014,705 individuals.
Geographic Distribution of Breach Reports
Healthcare organizations in 24 U.S. states reported healthcare data breaches affecting 500 or more individuals during January 2026. California reported eight breaches. Seven of those eight breach reports were related to the same incident involving Trizetto Provider Solutions, which acted as a business associate or subcontractor of the business associate OCHIN.
Maryland and Texas each reported four breaches. Alabama and Indiana each reported three breaches. Other states reporting breaches included Idaho, Illinois, Michigan, Oregon, Tennessee, Alaska, Colorado, Connecticut, Florida, Kentucky, Louisiana, Massachusetts, Minnesota, Missouri, New Jersey, New York, Pennsylvania, South Carolina, and Virginia.
Illinois and Minnesota recorded the highest number of affected individuals among states during the month. Illinois recorded 705,638 affected individuals. Minnesota recorded 303,965 affected individuals. California recorded 98,241 affected individuals.
Cybersecurity Incidents and Ransomware Activity in January 2026
Cybersecurity monitoring reports identified multiple ransomware attacks and cyber incidents during January 2026 affecting organizations across several sectors. A ransomware attack on Covenant Health exposed personal data and PHI belonging to approximately 478,188 patients. The incident was attributed to the Qilin ransomware group. The breach disrupted hospital operations.
Another cybersecurity incident affected Sedgwick Government Solutions. The incident involved the theft of approximately 3.4 gigabytes of data from an isolated file transfer system. The attack was attributed to the TridentLocker ransomware group.
Other cyber incidents during January involved organizations including Kyowon Group, SoundCloud, and Marquis Health. The SoundCloud breach exposed personal and contact information of approximately 29.8 million user accounts. Marquis Health attributed a ransomware breach to the compromise of SonicWall cloud backup systems that enabled attackers to encrypt data and disrupt operations at its facilities.