Major Healthcare Data Breaches Expose Millions of Patient Records in Early 2026
The U.S. Department of Health and Human Services (HHS) recently updated its healthcare data breach tracker, revealing several significant incidents affecting millions of individuals. The breaches, disclosed in early 2026, highlight persistent vulnerabilities in the sector, particularly through third-party vendors and prolonged unauthorized access.
The largest breach involves New York City Health and Hospitals Corporation, which reported a compromise affecting 1.8 million individuals. Detected on February 2, 2026, the investigation found that threat actors accessed systems between November 2025 and February 2026 via a third-party vendor. Exposed data includes personal, health insurance, medical, biometric, and financial information.
In Chicago, Illinois, Erie Family Health Centers discovered a hack in January 2026, with attackers active on its network from December 10, 2025, to late January 2026. The breach compromised names, Social Security numbers (SSNs), driver’s license details, passport numbers, financial data, and medical records, impacting 570,000 individuals.
Florida Physician Specialists reported a breach affecting 276,000 patients, with hackers accessing its network for two days in November 2025. Exposed data includes names, SSNs, driver’s license numbers, financial details, and medical information.
Other notable breaches include:
- Coastal Carolina Health Care (North Carolina) – 110,000 individuals affected, detected over a year after the intrusion.
- Western Orthopaedics (Colorado) – 110,000 individuals impacted.
- Nacogdoches Memorial Hospital (Texas) – Initially reported as affecting 250,000, but the HHS tracker lists 2.5 million, suggesting a possible error.
- An Arizona dermatology clinic – Initially reported as 3 million affected, later corrected to 500.
None of the breaches have been claimed by known cybercrime groups. The incidents underscore ongoing risks in healthcare cybersecurity, particularly from third-party vulnerabilities and delayed breach detection.
Source: https://www.securityweek.com/millions-impacted-across-several-us-healthcare-data-breaches/
Northwestern Medical Faculty Foundation cybersecurity rating report: https://www.rankiteo.com/company/northwestern-medical-faculty-foundation
"id": "NOR1779115476",
"linkid": "northwestern-medical-faculty-foundation",
"type": "Breach",
"date": "12/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '1,800,000',
'industry': 'Healthcare',
'location': 'New York City, New York, USA',
'name': 'New York City Health and Hospitals '
'Corporation',
'type': 'Healthcare Provider'},
{'customers_affected': '570,000',
'industry': 'Healthcare',
'location': 'Chicago, Illinois, USA',
'name': 'Erie Family Health Centers',
'type': 'Healthcare Provider'},
{'customers_affected': '276,000',
'industry': 'Healthcare',
'location': 'Florida, USA',
'name': 'Florida Physician Specialists',
'type': 'Healthcare Provider'},
{'customers_affected': '110,000',
'industry': 'Healthcare',
'location': 'North Carolina, USA',
'name': 'Coastal Carolina Health Care',
'type': 'Healthcare Provider'},
{'customers_affected': '110,000',
'industry': 'Healthcare',
'location': 'Colorado, USA',
'name': 'Western Orthopaedics',
'type': 'Healthcare Provider'},
{'customers_affected': '2,500,000',
'industry': 'Healthcare',
'location': 'Texas, USA',
'name': 'Nacogdoches Memorial Hospital',
'type': 'Healthcare Provider'},
{'customers_affected': '500',
'industry': 'Healthcare',
'location': 'Arizona, USA',
'name': 'Arizona Dermatology Clinic',
'type': 'Healthcare Provider'}],
'attack_vector': 'Third-party vendor compromise, Unauthorized access',
'data_breach': {'number_of_records_exposed': '5,366,500+',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal information',
'Health insurance information',
'Medical records',
'Biometric data',
'Financial information',
'Social Security numbers (SSNs)',
'Driver’s license details',
'Passport numbers']},
'date_detected': '2026-02-02',
'date_publicly_disclosed': '2026-01',
'description': 'The U.S. Department of Health and Human Services (HHS) '
'updated its healthcare data breach tracker, revealing several '
'significant incidents affecting millions of individuals. The '
'breaches, disclosed in early 2026, highlight persistent '
'vulnerabilities in the sector, particularly through '
'third-party vendors and prolonged unauthorized access.',
'impact': {'brand_reputation_impact': 'High',
'data_compromised': 'Personal, health insurance, medical, '
'biometric, financial information, Social '
'Security numbers (SSNs), driver’s license '
'details, passport numbers, medical records',
'identity_theft_risk': 'High',
'payment_information_risk': 'High'},
'initial_access_broker': {'entry_point': 'Third-party vendor'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Persistent vulnerabilities in healthcare sector, '
'particularly through third-party vendors and delayed '
'breach detection.',
'post_incident_analysis': {'root_causes': 'Third-party vendor '
'vulnerabilities, prolonged '
'unauthorized access, delayed '
'breach detection'},
'references': [{'source': 'U.S. Department of Health and Human Services (HHS) '
'Healthcare Data Breach Tracker'}],
'regulatory_compliance': {'regulations_violated': 'HIPAA',
'regulatory_notifications': 'U.S. Department of '
'Health and Human '
'Services (HHS)'},
'title': 'Major Healthcare Data Breaches Expose Millions of Patient Records '
'in Early 2026',
'type': 'Data Breach'}