Valtik Studios blog · Healthcare · Updated 2026-04-22 · 11 min read

98 HIPAA breaches in six weeks, 9.5M patients. What the HHS wall actually shows.

Pulled the last six weeks of breaches off the HHS OCR wall: 98 incidents, 9.46M affected individuals. Statistical breakdown of breach type, location, state, entity type, business-associate involvement. Top 10 largest (TriZetto, QualDerm, ApolloMD, Minnesota DHS, Saint Anthony). What the 2025 Security Rule NPRM is about to change for small practices, and four concrete actions a small or mid-sized covered entity can take this quarter before the rule lands.

Phillip (Tre) Bucchi·Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.

# 98 HIPAA breaches in six weeks, 9.5 million patients. Here is what the HHS wall actually shows in 2026.

The HHS Office for Civil Rights keeps a public list of every data breach of 500 or more individuals that a HIPAA-covered entity reports under the Breach Notification Rule. It is the most under-read dataset in healthcare security. Everyone cites "healthcare is the #1 ransomware target" without ever looking at the raw ledger that proves or refutes it.

We pulled the last six weeks of breaches off the portal on April 22, 2026: 98 incidents covering 9,460,201 individuals. Here is what the data says.

The shape of the current breach wave

At 9.46 million affected people across 98 breaches in six weeks, the per-breach average is 96,532. The distribution is as skewed as it sounds. The top ten incidents account for 85% of the affected population, and TriZetto Provider Solutions alone put 3.43 million people into the column on February 6. QualDerm Partners ran a close second with 3.12 million on February 22. After the top ten the numbers drop fast into the tens of thousands.

The mode, not the mean, tells the story for small covered entities. Most reported breaches affect 5,000 to 50,000 people. A dentist with 2,400 patient records who gets ransomware on their office server ends up in the same ledger as TriZetto, as long as they are above the 500-person threshold. Both are legal HIPAA breaches. Both get the same OCR investigation treatment.

Breach type is not varied. It is one thing.

Of the 98 reported incidents, 90 (91%) are categorized as Hacking/IT Incident. 7 (7%) are Unauthorized Access/Disclosure. One (1%) is Loss of physical equipment. Zero Theft, zero Improper Disposal.

The practical reading is that in 2026 a HIPAA breach means ransomware or credential compromise hitting a network server. It does not mean a laptop got stolen at an airport. It does not mean a fax went to the wrong number. It means an attacker got shell access to something on your internal network that touches PHI, and they either encrypted it or exfiltrated it or both.

This is a significant shift from five years ago. In 2019-2021 the mix looked closer to 70% hacking, 20% unauthorized access, 10% theft/loss. The Theft category was larger when covered entities were still losing laptops. The physical-media loss column has collapsed to near zero, not because physical security got better, but because every clinic that had a laptop full of PHI now has a laptop that is a thin client into a cloud EHR, and the breach surface moved from the laptop to the cloud tenant.

Where the data was when it got breached

The Location of Breached Information field is a useful hint at which control actually failed. The count:

  • Network server: 65 breaches (66%)
  • Email: 20 breaches (20%)
  • Paper / films: 2 breaches
  • Electronic Medical Record: 2 breaches
  • Desktop computer: 2 breaches
  • Network server + other combinations: 7 breaches
  • Other / Unspecified: 3 breaches

Two-thirds of breaches are network-server incidents. That is the classic ransomware-hit-the-fileserver pattern. Attackers land on a workstation via phishing or an exposed RDP service, move laterally to a shared Windows server, and exfiltrate whatever is on that server. The fact that the PHI was on a server is often incidental. The attacker wanted anything worth ransoming. PHI happens to be there because someone in the practice keeps patient files in \\server\clinical\.

One-fifth of breaches are email-located. That is business email compromise. A front-desk person gets phished, their mailbox has 18 months of patient-intake forms attached to old emails, the attacker harvests and exfils. The fact that PHI lived in email attachments at all is the problem, but it is a near-universal problem at small practices.

The 4 EMR-located breaches matter more than the raw count suggests. Those are attacks that actually reached the patient-records system of the clinic. EMR breaches are rarer because EMRs are usually in a tighter network segment, but when one happens the fallout is larger because the data is structured, clean, and complete.

Business associates are doing 30% of this

Business Associate Present is Yes on 30 of the 98 breaches. That is 30%. For any covered entity reading this, it means the probability that a reported breach involves a BA, either as the direct breach victim or as a downstream-affected party, is approximately one in three.

15 of the 98 breaches (15%) are reported with the BA itself as the covered entity type. TriZetto, ApolloMD Business Services, and IPPC are all in that column this quarter. These are the revenue-cycle vendors, billing processors, pharmacy benefit managers, and insurance-claims clearinghouses that sit behind the provider-facing brand. When one of them gets hit, every provider that uses them files a separate breach notification referencing the same root incident. One BA breach can cascade into dozens of provider filings.

The uncomfortable corollary: if you are a small practice, your security posture is only as good as the worst-maintained BA in your vendor chain. And you probably have 8-20 BAs that touch PHI (billing, transcription, lab results, telehealth platform, pharmacy app, insurance portal, patient-portal vendor, backup provider, IT MSP, payroll, clearinghouse, imaging, records-release service). You cannot audit all of them at depth. But you can look at the HHS list every quarter and see which of your named vendors appear.

State distribution

The state of the covered entity is public. Top 10 by count:

| State | Breaches |
|-------|----------|
| Texas | 9 |
| California | 7 |
| New York | 6 |
| Pennsylvania | 5 |
| Florida | 4 |
| Colorado | 4 |
| Alabama | 4 |
| Virginia | 4 |
| Minnesota | 4 |
| Indiana | 3 |

Texas at 9 is interesting because Texas just enacted SB 2610 (the 2024 cyber-safe-harbor law), which rewards compliant security programs with a civil-liability shield in private cyber suits. Nine Texas providers got breached anyway. The safe harbor only helps if you can document that your program met recognized-cybersecurity-framework requirements at the time of breach. Most of the 9 Texas filers probably cannot document that. Every post-incident engagement in Texas in the last 60 days has included some form of "can we reconstruct our control evidence retroactively" question.

Size distribution of the six-week slice

Population-affected, bucketed:

| Bucket | Breach count | Share |
|--------|--------------|-------|
| 1M+ affected | 2 | 2% |
| 250K - 1M | 3 | 3% |
| 100K - 250K | 4 | 4% |
| 25K - 100K | ~16 | ~16% |
| 5K - 25K | ~33 | ~34% |
| 500 - 5K | ~40 | ~41% |

Two incidents over one million account for 69% of all affected individuals in this slice. The top ten breaches account for 85% of total population-affected. The long tail — small and mid-sized practices that each lost five to fifty thousand records — is numerically the most common pattern, but any single one of them is dwarfed by the big-billing-vendor and big-health-system incidents at the top.

The billing-vendor supply-chain pattern

Two of this slice's top five largest breaches are billing and revenue-cycle vendors rather than direct providers. That pattern repeats quarter over quarter in the OCR wall. Mid-sized practices outsource billing to a handful of clearinghouses and revenue-cycle services, so when one of those business associates gets hit the downstream providers all file separate breach notifications referencing the same root cause.

For any covered entity reading this, the implication is direct: if your practice outsources billing, claims, transcription, or prior-authorization to a shared vendor, your personal exposure depends on that vendor's security posture more than on your own. You can keep your office network perfect and still end up on this list because a service you use got breached.

What the 2025 Security Rule update is about to change

In late 2024 OCR published a proposed rule updating the HIPAA Security Rule for the first time in over two decades. Comments closed in March 2025, and the final rule is expected in 2026. If the proposed text survives into the final rule, small and mid-sized covered entities will need to do at least the following, none of which is an explicit requirement today:

  • Formal technology asset inventory. Every device, every application, every piece of middleware that touches PHI, documented.
  • Formal network map. Network topology diagram of where PHI flows, updated when it changes.
  • MFA on every account. Not a "best practice" recommendation, a mandatory control with limited exceptions.
  • Encryption of PHI at rest and in transit. Again with limited exceptions.
  • Vulnerability scans quarterly, penetration tests annually. This is new. Today a small practice can legally meet the HIPAA Security Rule without ever having been pentested. Under the proposed rule, they cannot.
  • Incident response plan tested at least annually. Tabletop exercise, written plan, after-action notes.
  • Business associate security-documentation reviews before contracting. Includes the ability to require evidence.

The reasonable read of the HHS breach-wall trend plus the proposed rule is that HHS is trying to move HIPAA from a documentation-only regulation into a controls-verification regulation. The existing Security Rule describes what should exist; the proposed rule describes what evidence must exist that it does. Small practices that have been compliance-by-affidavit will need to become compliance-by-artifact within 12-24 months of the final rule.

If you run a small or mid-sized healthcare practice

Four concrete things worth doing this quarter, regardless of where the rule lands.

1. Do your own OCR-wall lookup once a quarter. Go to https://ocrportal.hhs.gov/ocr/breach/breach_report_hip.jsf. Search on your largest BAs by name. If any of them show up, you are (a) legally required to have documented your own breach-notification timeline if their incident affected your PHI, and (b) likely getting an audit letter. This is a 10-minute check.

2. Get an asset and data-flow inventory down before the rule ships. The two things every post-incident engagement finds missing are an asset inventory and a data-flow map. If you cannot produce both of those when OCR asks, the investigation expands into "what else do you not know." Start with a spreadsheet. Real documentation later.

3. Put MFA on the front-desk inbox. 20% of reported breaches are email-located. Almost all of those start with a front-desk or billing-clerk account. A single MFA rollout on the office staff's Outlook/Gmail accounts removes the plurality of this quarter's breach column.

4. Ask your BAs for their own 1.05-equivalent commitment. Not a SOC 2 report, which almost everyone has. Ask specifically: "If you suffer a security incident involving our PHI, how many days until you notify us, and what is your documented runbook for that notification?" Half of them will not have a written answer. That is the finding. You can usually get a commitment in writing on the next contract renewal.
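Step 1 above, and the breach-type, location and business-associate breakdown earlier in the post, as one added example (not the post's own tooling): it parses the CSV you can export from the OCR portal, reproduces the counts and top-N share, and runs a vendor watchlist against the covered-entity names. The column names are assumed to match the portal's export header (check your own download); the rows below are constructed sample data, not real filings.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in the assumed portal CSV layout; not real portal data.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Billing Clearinghouse LLC,TX,Business Associate,3430000,02/06/2026,Hacking/IT Incident,Network Server,Yes
Example Dermatology Group,NC,Healthcare Provider,3120000,02/22/2026,Hacking/IT Incident,Network Server,No
Example Family Dental,CT,Healthcare Provider,2400,03/14/2026,Hacking/IT Incident,Email,No
Example Imaging Center,TX,Healthcare Provider,18500,03/30/2026,Unauthorized Access/Disclosure,Paper/Films,Yes
"""

def load_breaches(csv_text):
    """Parse a portal CSV export; make Individuals Affected numeric (export may use commas)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["Individuals Affected"] = int(r["Individuals Affected"].replace(",", "") or 0)
    return rows

def breakdown(rows, field):
    """Count and rounded percentage share per value of one field, e.g. Type of Breach."""
    counts = Counter(r[field] for r in rows)
    return {k: (v, round(100 * v / len(rows))) for k, v in counts.items()}

def top_n_share(rows, n):
    """Percentage of all affected individuals carried by the n largest breaches."""
    ranked = sorted(rows, key=lambda r: r["Individuals Affected"], reverse=True)
    total = sum(r["Individuals Affected"] for r in rows)
    return round(100 * sum(r["Individuals Affected"] for r in ranked[:n]) / total)

def vendor_hits(rows, watchlist):
    """The quarterly BA check: case-insensitive substring match of your vendor
    names against the filer name. Returns (watchlist name, filer, submission date)."""
    hits = []
    for r in rows:
        filer = r["Name of Covered Entity"]
        for vendor in watchlist:
            if vendor.lower() in filer.lower():
                hits.append((vendor, filer, r["Breach Submission Date"]))
    return hits

if __name__ == "__main__":
    data = load_breaches(SAMPLE_CSV)
    print(breakdown(data, "Type of Breach"))
    print(breakdown(data, "Business Associate Present"))
    print("top-2 share of affected individuals:", top_n_share(data, 2), "%")
    # Replace with the BAs named in your own BAA file before running on a real export.
    print(vendor_hits(data, ["Example Billing", "Some Other Vendor"]))
```

Substring matching is deliberately loose because filer names on the wall rarely match the name on your contract exactly; review each hit by hand.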

What a HIPAA security assessment from us actually covers

Not a sales pitch, a scoping note. A Valtik HIPAA security assessment covers what the 2025 proposed Security Rule update is going to ask about, plus what HHS OCR actually looks at post-incident:

  • Administrative safeguards: workforce-training records, access-management documentation, audit-log review evidence, sanction-policy enforcement.
  • Physical safeguards: workstation-use, device-and-media controls, facility-access controls.
  • Technical safeguards: MFA coverage on every PHI-touching account, encryption status for every class of data, audit-log completeness and retention, access controls against least-privilege.
  • Risk analysis aligned to 45 CFR 164.308(a)(1)(ii)(A). Real inventory, real threat modeling, not a questionnaire.
  • Active pentest of EHR access paths, patient-portal, staff email, network segmentation between clinical and administrative networks.
  • Business-associate review: gap analysis on current BAA content, recommended amendments, and a runbook for soft-due-diligence on new BAs before signing.

Details at services/hipaa-security-assessment. The engagement window is typically 3-5 weeks for a mid-sized practice, longer for health systems.

Closing

The HHS wall is a gift for any healthcare executive who will spend ten minutes per quarter on it. 98 real breaches, ten categories of metadata, one search box. Most of what an analyst would tell you about healthcare security posture in 2026 is sitting publicly on that page, and almost no provider actually reads it. Start there.

---

References

  1. HHS OCR Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report_hip.jsf
  2. Office for Civil Rights, HIPAA Security Rule Update Notice of Proposed Rulemaking, December 2024.
  3. Texas SB 2610 (2024), Safe Harbor from Certain Liabilities Arising from Cybersecurity Events.
  4. 45 CFR 164.308(a)(1)(ii)(A), Security Management Process (Risk Analysis requirement).
  5. Valtik Studios HIPAA Security Assessment service: https://valtikstudios.com/services/hipaa-security-assessment