Last Update: 06/03/2026 at 6:50 AM EST
Healthcare Data Breaches Surge
Coverage from TechRadar, Security Boulevard, and others
Articles
83
Latest Article
06/01
Active Days
517
Executive Summary
Healthcare and related service providers are repeatedly disclosing large-scale breaches that expose Social Security numbers, medical records, insurance data, and other personal identifiers. Vendor access, ransomware, and delayed notification are the most persistent patterns, with regulators and lawsuits increasingly focused on disclosure timing and contractor accountability.
Key Points
- Large healthcare and contractor breaches dominate the cluster, with several incidents affecting hundreds of thousands to millions of people.
- Sensitive data exposures repeatedly include Social Security numbers, medical records, insurance details, addresses, and birth dates.
- Third-party and vendor systems are a recurring failure point, especially in government services, revenue-cycle, and support-platform environments.
- Ransomware, unauthorized access, and cloud or portal compromise all appear as active breach mechanisms rather than a single attack pattern.
- Notification timing remains a major issue, with multiple cases involving delayed disclosure, incomplete early detail, or extended notification timelines.
- Regulators are responding with investigations and breach-reporting scrutiny, especially where state filing delays or contractor handling are involved.
- Credit monitoring and identity protection offers appear as standard remediation, but they follow after broad exposure has already occurred.
Featured Article
Conduent disclosed in 2026 that a breach dating back to late 2024 exposed personal and medical data of more than 25 million individuals across Texas and Oregon.
Coverage Timeline: 517 Days
Hover over any logo to see coverage summary, click for full article.
Additional Articles
⭐⭐⭐⭐⭐
Zara and Inditex reported an Anodot-linked breach affecting about 200,000 customers, with leaked data analysis identifying 197,400 unique email addresses.
Inditex disclosed April 2026 unauthorized database access for Zara after ShinyHunters used compromised Anodot tokens, exposing customer emails, locations, purchases, and support tickets.
NYC Health and Hospitals disclosed a months-long vendor-mediated cyberattack detected February 2, 2026, exposing medical, identity, geolocation, and fingerprint data for at least 1.8 million people in New York.
NYC Health + Hospitals confirmed a November 2025 to February 2026 cyberattack exposing about 1.8 million patients' biometrics, health records, IDs, and precise geolocation.
Conduent disclosed a January 2025 data breach affecting millions across Texas, Oregon, and other states.
January 2025 breach at Conduent exposes millions of Americans' personal data nationwide.
Missouri officials investigated a Conduent breach occurring between fall 2024 and January 2025 after exposure of Social Security numbers and health data.
Missouri regulators escalated a Conduent Business Services cybersecurity breach investigation after regulators said Conduent did not provide needed information for assessing consumer impact.
ManoMano disclosed in January 2026 a data breach caused by a third-party provider affecting 38 million customers
Conduent Business Services notified over 25 million Americans after ransomware operators accessed sensitive benefit and HR records from October 2024 to January 2025.
Odido confirms data breach affecting more than 6.2 million customers in the Netherlands, disclosed February 13, 2026.
HHS OCR listings show nearly 57 million individuals affected by healthcare data breaches in 2025, with major vendor and ransomware incidents reported across the United States.
Excelas disclosed a May 12, 2026 data breach to Massachusetts and New Hampshire after 2025 unauthorized access may have exposed PII and protected health information.
Eversource Energy disclosed a phishing-related data breach affecting about 3,049 people, reported May 21, 2026 to the Maine Attorney General and notified consumers starting May 27, 2026.
NYC Health + Hospitals disclosed March 24, 2026 that a vendor-linked breach exposed medical records and biometric fingerprints for at least 1.8 million patients and employees.
HHS OCR reported 44 HIPAA breaches in March 2026 affecting 1.5 million individuals, with hacking as the dominant cause.
Edelson Lechtzin LLP offered free consultations in connection with Excelas after Excelas disclosed a 2025-2026 data breach and Massachusetts notification in 2026.
Missouri regulators investigated the Conduent breach in 2024-2025 data access and exfiltration, demanding better disclosure for consumer impact assessment, while Texas also pursued related inquiries in 2026.
NYC Health + Hospitals disclosed a March 24, 2026 report of a vendor-based breach detected February 2, 2026 that exposed medical and biometric data for at least 1.8 million people in New York City.
NYC Health + Hospitals notified nearly 2 million patients in 2024 after a third-party vendor hacking incident led to potential exposure of health, identity, payment, and biometric data in New York City.
ShinyHunters claimed responsibility for a Zara breach disclosed in April, using compromised Anodot authentication tokens to exfiltrate 197,400 BigQuery customer records from a former provider.
Western Orthopaedics, P.C. disclosed a 113,330-person healthcare data breach after unauthorized network access during September 2025.
NYC Health and Hospitals reported a months-long network breach from November 2025 to February 2026 affecting at least 1.8 million people, exposing medical records, IDs, and fingerprint scans.
NYC Health and Hospitals disclosed on 2026 that hackers accessed systems from 25 November 2025, stealing health records, biometric identifiers, and geolocation data affecting at least 1.8 million people.
NYC Health + Hospitals disclosed May 19, 2026 that a third-party vendor vulnerability in November 2025 enabled unauthorized access affecting about 1.8 million individuals.
OpenLoop Health disclosed in 2026 that hackers accessed systems between January 7 and 8 and exposed telehealth patient personal data of 716,000 people.
On May 20, 2026, Kroll notified The Oncology Institute about vendor-detected unauthorized access tied to patient data after a November 2025 breach disclosure.
Connecticut DSS announced May 22 postal notifications after a March 4 HUSKY provider-portal breach exposed personal information for about 22,500 enrollees.
On March 4, compromised Hartford HealthCare credentials enabled a hacker to access the Connecticut Medicaid provider portal, affecting about 22,500 patients, with notifications mailed starting May 22.
Conduent reports massive data breach in 2025 affecting tens of millions across multiple states.
TransUnion reported a late-July 2025 breach affecting 4.4 million consumers after exposure of Social Security numbers and contact data via a Salesforce-connected system.
Montana insurance regulator opened an investigation on Oct. 16 after Conduent's vendor breach exposed Social Security numbers and medical records for 462,000 Blue Cross Blue Shield Montana customers.
Patients and health care providers affected by a data breach at TriZetto Provider Solutions between November 2024 and October 2 2025 in the United States.
NYC Health + Hospitals identified a February 2, 2026 breach traced to vendor access that exposed protected health and biometric data for at least 1.8 million people.
DeXpose reports 2025 incidents across Oracle Cloud, Oracle EBS, and Oracle Health after CloudSEK observed credentials sold online and CISA issued an active-threat advisory.
SimonMed Imaging data breach reveals exposure of patient data in the United States between January and February 2025.
SafePay claimed responsibility in a months-long ransomware intrusion against Conduent Business Services, allegedly exposing Tennessee residents medical and identity data and prompting class actions.
⭐⭐⭐
On January 27, 2026, Erie Family Health Centers in Chicago confirmed suspected unauthorized access between December 10, 2025 and January 27, 2026 affecting about 570,000 individuals.
Aimbridge Hospitality disclosed a hotel systems data breach to Maine and Vermont authorities after unauthorized access may have occurred in November 2025.
Universal Pure LLC disclosed a 2024 unauthorized-access data breach affecting Maine, Massachusetts, New Hampshire, and Texas residents, with identity protection via Cyberscout.
Healthcare In Action reported a January 2026 credential compromise that exposed PII and protected health information for 1,143 people, with breach notification to HHS in March 2026.
Fluke Corp. reported a 2025-2026 data breach affecting 18,517 US residents, including Texas, Vermont, and Maine residents, with notifications beginning May 15, 2026.
Pivot Health disclosed a March 2026 AWS data breach affecting 1,172 people in Texas and 27 in Nebraska after unauthorized access between Feb. 26 and March 13.
Hemic disclosed a 2026 data breach discovered Feb. 2026, with potential exposure of Social Security numbers and health records for affected people in multiple states.
FRCC disclosed an unauthorized file-copying data breach in March-April 2026, potentially exposing names and Social Security numbers for Texas and New Hampshire residents.
Global Consulting Services & Software Development notified Maine, Massachusetts, and Vermont attorneys general on May 18, 2026 after unauthorized access exposed names and Social Security numbers for 1,320 U.S. individuals.
Southern California University of Health Sciences disclosed a 2026 data breach affecting about 2,206 people after file viewing and copying occurred March 23 to March 24, 2026.
Global Consulting Services & Software Development reported a January 2026 data breach to the Maine and Vermont attorney generals in May 2026, affecting 1,320 U.S. individuals.
NCCER notified affected individuals in 2026 after a March 2025 breach involving Quilin file exfiltration, with Maine residents receiving mailed notices on May 1, May 15, and May 21.
Ermi LLC reported a 2025 employee email breach to California and Vermont regulators after investigation found possible exposure of health records.
Easy Dynamics Corp. disclosed an employee data breach to Massachusetts regulators on May 19, 2026, exposing Social Security numbers and benefits data.
Interstate Management Company, LLC disclosed unauthorized hotel-system access from Nov. 19 to Nov. 22, 2025, potentially affecting 22,743 U.S. people, with notices sent May 26, 2026.
United Medical Systems disclosed a data breach impacting 485 people, including Massachusetts and Maine residents, with notifications beginning May 20, 2026.
NetLine Corp. reported a webserver data breach in Newton, Massachusetts, in which exposed data may include Social Security numbers or ITINs, after notifying Maine and Vermont attorneys general.
Everest Ito Group, LLP reported a May 20, 2026 data breach to Massachusetts regulators involving names and Social Security numbers for three affected residents.
University of Dallas disclosed a data breach on undisclosed date affecting Texas and Vermont residents, potentially exposing sensitive identity, financial, and health information.
Nursa disclosed unauthorized access to clinician profiles on its Murray, Utah platform, exposing names and full dates of birth for 13,168 Washington residents.
Odido disclosed a data breach on February 12 in the Netherlands affecting millions of customers.
New York City healthcare systems reported a vendor-linked cyberattack in which hackers allegedly stole data tied to nearly 1.8 million patients.
Murphy Law Firm reported a data breach exposing Social Security numbers, driver license numbers, financial data, and health records, enabling identity theft and fraud.
HaveIBeenPwned reported a ShinyHunters campaign tied to stolen Anodot tokens exposed Zara support ticket and Canvas user data across multiple countries in April 2026.
Lawmakers were notified after an RXNT-targeted data breach affecting the congressional medical office potentially exposed prescription history on March 1 and 3.
Medtronic confirmed a corporate IT breach in April 2026 after ShinyHunters claimed data compromise affecting nine million affiliated individuals, raising privacy and notification concerns.
Federman & Sherwood investigates the Texas Capital data breach reported to the Texas Attorney General after U.S. Mail notices around May 29, 2026.
Federman & Sherwood is investigating a Precipio, Inc. data breach reported to affect 4,952 Texas residents after a Texas Attorney General notification on April 28, 2026.
Federman & Sherwood is investigating a Fluke Corporation data breach reported to the Maine Attorney General after third-party application exploitation possibly exposed Social Security numbers.
CMS deferred more than 1.3 billion dollars in California Medicaid payments as a Congressional Medical Office breach exposed lawmakers' prescription and medical record data via RXNT.
In April 2026, ShinyHunters released data from a Mytheresa extortion attempt after a ransom deadline, exposing 84,000 customers.
IPPC Inc. reported a September 18 to 19 network intrusion that potentially exposed medical and Social Security data for up to 133,862 people across New Jersey and neighboring states.
LexisNexis disclosed a data breach affecting over 364,000 consumers after an unknown hacker obtained sensitive personal data via a third-party software development platform.
Gaylord Specialty Healthcare and Gainwell Technologies report data breaches in December 2024 and July 2025 affecting patients in Connecticut and Medicaid recipients in Georgia due to unauthorized network access.
Healthcare providers in Virginia, Massachusetts, California, New York, and Ohio reported protected health information exposure from ransomware and unauthorized access incidents during 2023 to 2024.
Three healthcare entities in California and Massachusetts reported data breaches in 2024 and 2025.
American Lending Center reported that a July 2025 ransomware attack exposed names, birthdates, and Social Security information for 123,158 people, with notifications sent April 28, 2026.
Fluke Corporation disclosed a data breach in 2025 involving third-party application access and possible Social Security number, birth date, and disability indicator exposure, with analysis completed in 2026.
Ermi reported an employee email account data breach in Texas, with potential exposure of Social Security numbers and medical information, and ongoing class-action assessment.
American Lending Center notified U.S. residents in multiple states after ransomware activity raised concerns about unauthorized access to personal information, with a review completed April 8, 2026.
Charlie Condon Law Firm, LLC disclosed unauthorized access between October 4 and October 6, 2025, potentially exposing data for about 2,975 people and notifying affected individuals starting May 8, 2026.
The City of Port Hueneme notified residents in May 2026 after unauthorized access to City files on or about February 23, 2026.
Loop Capital disclosed a February 2026 unauthorized network file access incident and offered 24 months of credit monitoring and identity protection.
Capital One, NPD, Jerico Pictures, MGM Resorts, and Moody's illustrate that data breach harm can last years through litigation, contracting losses, credit impacts, and sustained regulatory oversight.
⭐️⭐️
PowerSchool data breach on December 28, 2024 affects Connecticut school districts due to compromised credentials in the customer portal.