The HIPAA Journal updated its healthcare data breach statistics page on June 19, 2026, drawing on HHS Office for Civil Rights (OCR) data through May 19, 2026. The numbers confirm that healthcare remains one of the most heavily targeted sectors — with mega-breaches driving record victim counts even when incident frequency plateaus.
Read the full statistics:
https://www.hipaajournal.com/healthcare-data-breach-statistics/
Official breach portal:
https://ocrportal.hhs.gov/ocr/breach/breach_report_hip.jsf
HHS OCR Portal: 2026 Submissions
The live HHS OCR breach portal (under-investigation view) currently shows 198 large breach submissions dated in 2026, collectively affecting 18,662,505 individuals (national counts, not state-resident totals). Data is current through June 20, 2026.
Interactive Tracker
HHS OCR Large Healthcare Breaches: 2026 Submissions
HIPAA breach reports with a 2026 submission date, by month
Show largest 2026 HHS OCR breach reports
| Entity | Published | Individuals affected | Sector |
|---|---|---|---|
| TriZetto Provider Solutions | Feb 6, 2026 | 3,433,965 | Business Associate |
| QualDerm Partners, LLC | Feb 22, 2026 | 3,117,874 | Healthcare Provider |
| Nacogdoches Memorial Hospital n | Mar 30, 2026 | 2,507,073 | Healthcare Provider |
| Navia Benefit Solutions, Inc. | Mar 18, 2026 | 2,151,330 | Business Associate |
| New York City Health and Hospitals Corporation | Mar 24, 2026 | 1,800,000 | Healthcare Provider |
Source: HHS OCR Breach Portal (under-investigation view). Figures are national individuals-affected counts for covered entities; entity state does not equal state-resident totals.
Sources
State AG breach portals
State AG reporting & notices
Federal registries
Breach databases & aggregators
News & analysis
Key Figures
| Metric | Value |
|---|---|
| Large breaches reported in 2025 (500+ individuals) | 772 (annual record) |
| Large breaches Jan 1 – Apr 30, 2026 | 252 (9.5% fewer than same period in 2025) |
| Total large breaches on OCR portal since Oct 2009 | 7,670 |
| Open OCR investigations (under or awaiting review) | 936 (up from 882 in 2024) |
| Small breaches reported in 2024 (under 500 individuals) | 74,299 |
Mega-Breaches Drive Victim Counts
While breach counts grew modestly in recent years, the number of affected individuals spiked because of mega-breaches (1M+ records):
- Change Healthcare (2024) — estimated 192.7 million individuals (largest healthcare breach on record)
- Conduent Business Services (2025) — 62+ million individuals
- Aflac (2025) — nearly 14 million
- Episource (2025) — 6.7+ million
Ransomware and third-party business associate compromises remain the dominant pattern.
OCR Reporting Delays in 2026
HIPAA Journal notes that OCR has been slow to publish new portal entries in 2026, likely due to the 43-day federal government shutdown (October 1 – November 12, 2025). As of June 2026, OCR was still adding breaches attributed to March 2026 — meaning current statistics understate recent activity.
What Texas Healthcare Providers Should Do
- Review business associate agreements — ensure breach notification timelines and security exhibit requirements are current.
- Maintain a documented HIPAA Security Rule risk analysis — required, not optional.
- Test backup and restoration — ransomware recovery depends on offline, immutable backups.
- Harden email authentication — BEC and credential theft remain common initial access vectors.
- Monitor state AG portals in addition to OCR — Texas and California filings often appear before federal summaries.
See our healthcare AG breach tracker and Texas healthcare breaches for state-level context.
Related trackers
- Healthcare AG breach tracker
- Texas healthcare breaches (2026)
- Texas OAG YTD dashboard
- Financial services tracker
- Government & education tracker
- Washington healthcare breaches (2026)
- Washington law firm breaches (2026)
- CA June roundup
- TX July roundup
- WA May roundup
- TX Parks breach
- Have I Been Pwned
- HIBP July roundup
- Monitoring guide
- All trackers
Audit your healthcare organization’s email security.
Run a free scan at audit.emailmenow.com or contact EmailMeNow IT Consulting for HIPAA-aligned security assessments.