March 2026 Healthcare Data Breach Report

In March 2026, 44 healthcare data breaches affecting 500 or more individuals were reported to the HHS’ Office for Civil Rights (OCR). More than 1.5 million individuals had their personal and protected health information exposed, stolen, or otherwise impermissibly disclosed.

Under the HITECH Act of 2009, OCR is required to publish a summary of large healthcare data breaches – incidents involving the exposure, theft, or impermissible disclosure of the electronic protected health information of 500 or more individuals. OCR checks all breach reports submitted through its data breach portal, then adds the data breaches to the public-facing section of the portal. Typically, there is a delay of up to 2 weeks from the receipt of a breach report to its addition to the breach portal. During the month of March, no March data breaches were added to the portal; they started to appear in mid-April, hence the delay in publication of this breach report. Currently, the OCR breach portal shows 44 reported data breaches affecting 500 or more individuals for March, although there may be further additions over the coming weeks as OCR finalizes its checks.

Across those 44 incidents, the protected health information of 1,523,376 individuals was exposed, stolen, or otherwise impermissibly disclosed – the lowest monthly total in the past 12 months, and an 81% reduction from February 2026, although those figures may increase as further data breaches are added and data breach investigations are concluded.

Individuals affected by healthcare data breaches in the past 12 months

Biggest Healthcare Data Breaches in March 2026

Eleven healthcare data breaches affecting 10,000 or more individuals were reported to OCR in March. The biggest data breach of March 2026 by some distance was reported by the telehealth platform provider OpenLoop Health. OpenLoop Health discovered the hacking incident in January 2026, and the investigation confirmed that a threat actor accessed its systems and exfiltrated patient data. A threat actor – Stuckin2019 – claimed responsibility for the attack and said the records of 1.6 million patients were exfiltrated, although OpenLoop Health reported the incident as affecting 716,000 individuals. While the breach was large and involved personal and health information, Social Security numbers and financial information were not stolen.

North Texas Behavioral Health Authority (NTBHA), a provider of mental health and substance use treatment and services in Texas, experienced a hacking incident that exposed the protected health information of 285,086 individuals. Few details have been published about the nature of the incident, other than hackers breaching its network in October 2025. NTBHA confirmed that protected health information was exposed and may have been stolen.

Saint Anthony Hospital in Chicago reported a breach of its email system. The breach occurred on February 27, 2026, and the threat actor obtained unstructured data from its email system, including names, dates of birth, and Social Security numbers. More than 146,000 individuals had data stolen in the incident. The hacking incident at Defense Health Agency affected almost 100,000 individuals, but the HIPAA Journal has been unable to find any details about the data breach, other than what is shown on the HHS’ Office for Civil Rights breach portal. The portal states that a business associate was involved and that the breach involved unauthorized access to electronic medical records.

| Regulated Entity | State | Covered Entity Type | Individuals Affected | Cause of Incident |
|---|---|---|---|---|
| OpenLoop Health, Inc. | IA | Business Associate | 716,000 | Hack and extortion incident – data theft confirmed |
| North Texas Behavioral Health Authority | TX | Healthcare Provider | 285,086 | Hacking incident |
| Saint Anthony Hospital | IL | Healthcare Provider | 146,108 | Unauthorized access to the email system |
| Defense Health Agency | VA | Health Plan | 96,271 | Hacking of a third-party electronic medical record system |
| Exclusive Physicians PLLC | MI | Healthcare Provider | 58,000 | Hacking incident |
| Woodfords Family Services | ME | Healthcare Provider | 38,061 | Ransomware attack |
| MedPeds Associates of Sarasota | FL | Healthcare Provider | 22,017 | Ransomware attack |
| Barrio Comprehensive Family Health Care Center | TX | Healthcare Provider | 19,971 | Unauthorized access to the email system |
| Longevity Health Plan | FL | Health Plan | 15,000 | Hacking incident |
| Cedar Valley Hospice | IA | Healthcare Provider | 10,666 | Hacking incident |
| Good Samaritan Health Center | GA | Healthcare Provider | 10,000 | Ransomware attack |

Three incidents were reported to OCR using totals of 500 or 501 individuals. These figures are often used as “placeholder” estimates to meet the reporting requirements of the HIPAA Breach Notification Rule when investigations and data reviews are ongoing. These data breaches could turn out to affect substantially more individuals than the breach portal suggests.

| Regulated Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Community Health Action of Staten Island | NY | Healthcare Provider | 501 | Hacking incident |
| Securian Financial | MN | Health Plan | 500 | Hacking incident at a business associate |
| Kin Counseling Services PLLC | CO | Healthcare Provider | 500 | Hacking incident |

Causes of March 2026 Healthcare Data Breaches

As has been the case for many months, hacking/IT incidents account for the majority of reported data breaches. Unauthorized access/disclosure incidents are less common but remain a regular cause of data breaches, while loss, theft, and improper disposal incidents are now a rarity, typically reported in extremely low numbers.

Causes of March 2026 healthcare data breaches

In March, 40 of the month’s 44 data breaches were hacking/IT incidents (90.9%), 3 were unauthorized access/disclosure incidents (6.8%), and there was one theft incident (2.3%). Across the 40 hacking incidents, 1,523,376 individuals had their protected health information exposed or stolen – 99.7% of all individuals affected by healthcare data breaches in March. The average breach size was 37,953 individuals (median: 5,080 individuals). The unauthorized access/disclosure incidents affected 4,710 individuals, 0.3% of the month’s affected individuals, with an average breach size of 1,570 individuals (median: 1,283 individuals). The theft incident affected 538 individuals, 0.04% of the month’s affected individuals.

Location of breached PHI – March 2026

States Affected by March 2026 Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 23 U.S. states in March, with Florida and Texas the worst-affected states with four breaches per state.

| State | Data Breaches |
|---|---|
| Florida & Texas | 4 |
| California, Massachusetts, Minnesota & Oklahoma | 3 |
| Colorado, Iowa, Illinois, Louisiana, Michigan, New York & Washington | 2 |
| Arizona, Georgia, Indiana, Maine, North Carolina, Ohio, Pennsylvania, Tennessee, Virginia & Wisconsin | 1 |

In terms of affected individuals, Iowa topped the list with 726,666 affected individuals, followed by Texas and Illinois.

| State | Individuals Affected |
|---|---|
| Iowa | 726,666 |
| Texas | 309,416 |
| Illinois | 152,194 |
| Virginia | 96,271 |
| Michigan | 60,740 |
| Florida | 43,811 |
| Maine | 38,061 |
| Louisiana | 17,755 |
| California | 12,700 |
| Minnesota | 10,958 |
| Georgia | 10,000 |
| Indiana | 8,941 |
| Massachusetts | 7,925 |
| Oklahoma | 5,777 |
| New York | 5,587 |
| Ohio | 4,234 |
| Tennessee | 3,171 |
| Colorado | 2,563 |
| Washington | 1,821 |
| North Carolina | 1,575 |
| Wisconsin | 1,574 |
| Arizona | 949 |
| Pennsylvania | 687 |

Data Breaches at HIPAA-Regulated Entities

In March, data breaches were reported by 33 healthcare providers (672,387 affected individuals), 6 health plans (121,639 affected individuals), and 5 business associates (729,350 affected individuals). When a data breach occurs at a business associate, the business associate must notify each affected covered entity, and the covered entity then decides who reports the data breach. The affected covered entity may choose to issue notifications itself – it is ultimately responsible for ensuring that notifications are issued – but many delegate that responsibility to the business associate. Taking that into account, the following charts show where the breach occurred rather than which entity reported it. All 6 health plan breaches occurred at business associates, as did half of the data breaches reported by healthcare providers.

Data breaches at HIPAA-regulated entities - March 2026

Individuals affected by data breaches at HIPAA-regulated entities - March 2026

HIPAA Enforcement Activity in March 2026

OCR investigates all large healthcare data breaches to determine if they occurred as a result of HIPAA noncompliance. The OCR breach portal shows that the majority of data breach investigations are closed with no further action taken or with OCR providing technical assistance to address HIPAA noncompliance. OCR currently has two main enforcement initiatives in place, one targeting noncompliance with the HIPAA Right of Access, and one targeting noncompliance with the risk analysis/risk management requirements of the HIPAA Security Rule. Violations of these provisions are likely to result in financial penalties.

OCR announced one enforcement action in March involving a financial penalty, after OCR discovered multiple violations of the HIPAA Rules – a risk analysis failure, a breach notification failure, and an impermissible disclosure of the electronic protected health information of 15 million individuals. MMG Fusion, a Maryland-based provider of software solutions to oral healthcare providers, settled the case and paid a $10,000 financial penalty – one of the lowest financial penalties ever imposed by OCR. OCR said that when determining the settlement amount, consideration was given to MMG’s financial position.

The post March 2026 Healthcare Data Breach Report appeared first on The HIPAA Journal.

Source: www.hipaajournal.com
