As former OCR Director Melanie Fontes Rainer said in the 2026 Healthcare Email Security Report by Paubox, "Patients must be able to trust that sensitive health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need." That trust is tested every time a breach occurs, and in the first quarter of 2026 it was tested repeatedly.
In 2025, healthcare organizations reported 170 email-related incidents to the HHS Office for Civil Rights alone. According to the Paubox report, 41% of breached organizations fell into the high-risk category, up from 31% the year prior.
1. Stryker Corporation
On March 11, 2026, attackers linked to the Iranian-aligned hacktivist group Handala gained access to Stryker's internal Microsoft cloud environment and, using its legitimate administrative tooling, issued mass remote-wipe commands to approximately 80,000 employee devices within hours.
The attack forced teams across Stryker's global operations to revert to manual processes for order management and customer support. Employees and contractors reported seeing Handala's logo appear on internal login screens. Shares of Stryker fell approximately 3.6% following news of the breach. Notably, Stryker confirmed that its medical devices and patient-facing systems were not compromised, and that the incident was contained to its internal Microsoft environment.
Handala framed the attack as politically motivated. The group also claimed to have exfiltrated large volumes of data, though those claims were not verified. Investigators noted the attack relied on a technique known as "living off the land," in which threat actors abuse tools and functions already trusted in the environment rather than deploying malware, so the activity blends in with routine administration and is harder to detect.
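The detection angle on the Stryker incident is worth making concrete. A single wipe command issued through an administrative console is indistinguishable from a legitimate one; what stands out is velocity, one account issuing wipes far faster than any helpdesk workflow would. The following Python is an added example, not code from Stryker, Microsoft or the Paubox report. It runs a sliding-window count over a constructed audit log whose layout (timestamp, actor, action, target) is an assumption standing in for whatever a real MDM or identity audit export provides, and flags any actor that crosses a threshold of wipe actions within a time window.

```python
"""Flag a burst of remote-wipe commands from a single account.

Added example. The audit-log layout (timestamp actor action target) is a
constructed stand-in, not Microsoft's or any vendor's schema; the threshold
and window are tuning assumptions. Events are assumed to arrive in time order.
"""
from collections import deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log: a helpdesk account wiping a few lost devices over a
# morning, one unrelated sign-in event, and a second admin account wiping 25
# devices in two minutes.
HELPDESK_LINES = [
    "2026-03-11T08:00:12Z helpdesk@corp.example WipeDevice dev-0001",
    "2026-03-11T08:41:03Z helpdesk@corp.example WipeDevice dev-0002",
    "2026-03-11T09:00:00Z admin2@corp.example SignIn -",
    "2026-03-11T10:02:55Z helpdesk@corp.example WipeDevice dev-0003",
]
BURST_START = datetime(2026, 3, 11, 9, 15, 44)
BURST_LINES = [
    f"{(BURST_START + timedelta(seconds=5 * i)).strftime(TS_FMT)} "
    f"admin2@corp.example WipeDevice dev-{1000 + i}"
    for i in range(25)
]
# Fixed-width ISO-8601 timestamps sort correctly as plain strings.
SAMPLE_LOG = sorted(HELPDESK_LINES + BURST_LINES)


def parse_event(line):
    """Split one constructed log line into (timestamp, actor, action, target)."""
    ts, actor, action, target = line.split()
    return datetime.strptime(ts, TS_FMT), actor, action, target


def detect_wipe_bursts(lines, threshold=10, window=timedelta(minutes=10)):
    """Return {actor: (count, first_ts, trigger_ts)} for every actor that
    issues at least `threshold` WipeDevice actions within `window`.

    A per-actor deque holds the timestamps of recent wipes; entries older
    than the window are dropped as each new event arrives, so memory is
    bounded by the burst size rather than the log size. The alert is recorded
    the moment the threshold is first crossed, which is when a SOC would want
    to be paged.
    """
    recent = {}
    alerts = {}
    for line in lines:
        ts, actor, action, _target = parse_event(line)
        if action != "WipeDevice":
            continue
        window_events = recent.setdefault(actor, deque())
        window_events.append(ts)
        while ts - window_events[0] > window:
            window_events.popleft()
        if len(window_events) >= threshold and actor not in alerts:
            alerts[actor] = (len(window_events), window_events[0], ts)
    return alerts


if __name__ == "__main__":
    for actor, (count, first, trigger) in detect_wipe_bursts(SAMPLE_LOG).items():
        span = (trigger - first).total_seconds()
        print(f"ALERT {actor}: {count} wipes in {span:.0f}s starting {first.isoformat()}Z")
```

The helpdesk account's three wipes spread over two hours never trip the rule, while the second account is flagged on its tenth wipe, 45 seconds into the burst. The threshold and window are the tuning knobs: set them from a baseline of how many wipes your own helpdesk issues per hour on a bad day, and pair the rule with an alert on any new account being granted the role that can issue wipes at all.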
2. University of Mississippi Medical Center
On the morning of February 19, 2026, the University of Mississippi Medical Center suffered a ransomware attack that brought down its IT network, including its Epic electronic medical records system, across all locations statewide. Clinics were closed, elective surgeries were canceled, and the coordinating network for hospital transfers across Mississippi was also affected.
UMMC activated its emergency operations plan, and an FBI Special Agent in Charge attended the institution's press event, though investigators declined to identify the specific ransomware strain or its origins at that stage. Emergency services remained available, and patients already admitted continued to receive care. One exception to the clinic closures was the dialysis clinic at the Jackson Medical Mall, which stayed open for scheduled appointments.
Among those affected were patients awaiting chemotherapy and parents who had brought children to Mississippi Children's Hospital, only to be turned away because records systems were inaccessible. Vice Chancellor Dr. LouAnn Woodward confirmed the attack publicly and acknowledged that the scope of any protected health information compromise was still being determined.
3. Community Health Action of Staten Island
On February 13, 2026, the Genesis ransomware group claimed responsibility for a cyberattack on Community Health Action of Staten Island, a New York nonprofit that provides health services to vulnerable populations. The group posted on a dark web forum stating it had accessed and stolen sensitive data, including medical databases containing more than 60,000 records related to HIV testing. The attackers gave the organization five to six days to meet their demands before threatening to publish the data.
The breach was formally reported to the Massachusetts Office of Consumer Affairs and Business Regulation on February 24, 2026. The categories of exposed information confirmed in official disclosures included names, Social Security numbers, driver's license numbers, bank account and routing numbers, health insurance information, and medical data. The attackers also claimed to have obtained financial records, government grant documents, HIPAA-related information, HR files, and data connected to Sun River Health and its subsidiaries.
Genesis was first publicly identified in October 2025. It uses double-extortion tactics: stealing data before encrypting systems, then threatening to publish it if the ransom is not paid.
In response, the organization offered affected individuals a complimentary two-year Experian IdentityWorks membership and stated it had implemented enhanced monitoring and alerting software.
4. NADAP
The National Association on Drug Abuse Problems, a New York-based nonprofit, notified the U.S. Department of Health and Human Services on February 13, 2026, of a network server breach affecting approximately 90,000 individuals. According to NADAP's breach notice, the incident was determined to have occurred on January 27, 2026. Both employees and patients may have had data accessed, with compromised information potentially including names, Social Security numbers, dates of birth, medical information, health insurance data, health care treatment and diagnostic details, and tax or financial records.
While NADAP did not publicly classify the incident as a ransomware attack, the Genesis ransomware group listed NADAP as a victim on its leak site and claimed to have obtained two terabytes of data. In statements posted online, Genesis was explicit about why it targeted the organization. The group noted that nonprofits "have access to government money that for-profits can't touch," and specifically cited NADAP's Medicaid contracts, New York state grants, and access to emergency funds. The group also stated that NADAP did not engage in negotiations despite what the attackers characterized as "fair terms."
5. UFP Technologies
UFP Technologies, a Massachusetts-based publicly traded manufacturer of surgical components, wound care products, implants, and healthcare wearables, disclosed on February 19, 2026, that it had detected suspicious activity on its IT systems on February 14. The company filed a Form 8-K with the U.S. Securities and Exchange Commission, confirming that attackers had gained unauthorized access, stolen company data, and in some cases destroyed files.
The attack disrupted operational functions including billing and label-making for customer deliveries, though backups and contingency measures allowed the company to continue operating. External cybersecurity advisors were consulted, and the company stated it believed the threat actor had been removed and that access to impacted systems had been restored.
UFP Technologies employs approximately 4,300 people and reported an annual revenue of $600 million. The company noted that a portion of its direct costs associated with the breach would be reimbursed through insurance.
What healthcare institutions can do to prevent breaches
- Understand the cost of downtime: Dr. Christian Dameff, co-director of the UC San Diego Center for Healthcare Cybersecurity, made this point in the context of the UMMC attack: "Four years ago, we looked at emergency department patients that were being treated in a town with a ransomware attack. In a follow-up study a year later looking at that same attack, for patients who had a cardiac arrest, you had about a 40% chance of surviving with an intact brain before the attack. During the attack that number went down to 4.5%." Dameff also noted that the duration of attacks has lengthened: "Ten years ago, ransomware attacks lasted three, four, five days. The trend with these types of attacks the last four or five years, to last weeks to months is not uncommon."
- Fix foundational email security controls: Email remains one of the most common entry points for healthcare breaches. The Paubox 2026 Healthcare Email Security Report found that 74% of breached organizations lacked effective DMARC enforcement, meaning their DMARC policy, if published at all, was set to monitor only (p=none) rather than to quarantine or reject messages that fail authentication. Over 56% had permissive or missing SPF records, so receiving servers had no authoritative list of which hosts may send on the domain's behalf and spoofed mail could reach inboxes.
- Treat vendor access as a primary risk vector: The Avosina and UFP Technologies breaches both show that attackers do not need to breach a hospital directly to access patient data. Vendor risk management should include contractually required security standards, limited and segmented network access for vendors, and continuous monitoring of third-party connections.
- Invest in detection, not just prevention: The Paubox report found that healthcare organizations take an average of 308 days to identify and contain a breach. Shorter detection times limit data exfiltration, shrink the window an intruder has to move laterally and stage ransomware, and reduce operational downtime. That requires continuous monitoring, a properly resourced security operations function, and an incident response plan that is exercised before an attack occurs.
- Account for how AI is changing attacks: According to Paubox's research, 85% of healthcare IT leaders say they suspect staff are using unauthorized AI tools, while only 26% report having any visibility into that usage. As AI-assisted workflows increase the speed and volume of communications, the quantity of sensitive information moving through email systems grows. Security assessments must expand to account for how and where PHI is now being created, processed, and transmitted.
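To make the DMARC and SPF findings in the list above checkable against your own domains, here is an added Python example, not tooling from the Paubox report, that classifies the two TXT records by how much they actually enforce. The domain names and record strings are constructed; in practice the inputs are the TXT records at _dmarc.<domain> and <domain>. It is a posture summary rather than a full DMARC evaluation, which also depends on DKIM and on identifier alignment.

```python
"""Classify DMARC and SPF TXT records by how much they actually enforce.

Added example, not tooling from the Paubox report. Domain names and record
strings below are constructed; in production the inputs would be the TXT
records at _dmarc.<domain> and <domain>. Posture summary only: a real DMARC
verdict also depends on DKIM and on identifier alignment.
"""


def parse_dmarc_tags(record):
    """Turn 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record):
    """Return 'missing', 'none', 'partial' or 'enforcing'.

    'none' is p=none: receivers report failures but still deliver the mail.
    'partial' is quarantine/reject undermined by pct<100 or by a weaker
    subdomain policy (sp=), both of which leave spoofable gaps.
    """
    if not record:
        return "missing"
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"  # malformed records are ignored by receivers
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "none"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparseable pct is treated as the default of 100
    subdomain_policy = tags.get("sp", policy).lower()
    if pct < 100 or subdomain_policy not in ("quarantine", "reject"):
        return "partial"
    return "enforcing"


def classify_spf(record):
    """Return 'missing', 'pass-all', 'neutral', 'softfail' or 'strict'.

    Only the terminating 'all' mechanism is inspected: '+all' (or bare 'all')
    lets any host pass, '?all' or no 'all' at all yields neutral, '~all' is
    softfail and '-all' is a hard fail. 'redirect=' modifiers are not followed.
    """
    if not record:
        return "missing"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "missing"
    for term in terms[1:]:
        t = term.lower()
        if t in ("all", "+all"):
            return "pass-all"
        if t == "?all":
            return "neutral"
        if t == "~all":
            return "softfail"
        if t == "-all":
            return "strict"
    return "neutral"


def assess(records):
    """Map domain -> (dmarc_class, spf_class, enforcing_together).

    A domain only counts as enforcing when DMARC is fully enforcing and SPF
    is softfail or strict; '+all' passes every sender, so a spoofer using the
    domain in MAIL FROM satisfies DMARC's SPF check outright.
    """
    result = {}
    for domain, (dmarc, spf) in records.items():
        d, s = classify_dmarc(dmarc), classify_spf(spf)
        result[domain] = (d, s, d == "enforcing" and s in ("softfail", "strict"))
    return result


# Constructed records covering the weak patterns the report counts.
CONSTRUCTED_RECORDS = {
    "clinic-a.example": ("v=DMARC1; p=none; rua=mailto:dmarc@clinic-a.example",
                         "v=spf1 include:_spf.mail.example ~all"),
    "clinic-b.example": ("v=DMARC1; p=reject; pct=25",
                         "v=spf1 ip4:203.0.113.0/24 -all"),
    "clinic-c.example": ("v=DMARC1; p=quarantine; sp=none; adkim=s",
                         "v=spf1 +all"),
    "clinic-d.example": (None, None),
    "clinic-e.example": ("v=DMARC1; p=reject", "v=spf1 mx -all"),
}

if __name__ == "__main__":
    for domain, (d, s, ok) in assess(CONSTRUCTED_RECORDS).items():
        print(f"{domain:18} DMARC={d:10} SPF={s:9} {'OK' if ok else 'WEAK'}")
```

Only clinic-e passes: clinic-a is the monitor-only case the report counts as "no enforcement", clinic-b and clinic-c look enforcing at a glance but are weakened by pct=25 and by an sp=none subdomain policy, and clinic-c's +all SPF would let any host on the internet send as the domain. When auditing real domains, check the subdomains that actually send mail as well as the apex, since sp= and missing subdomain records are where enforcement most often quietly lapses.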
FAQs
Are smaller healthcare organizations at greater risk of cyberattacks than larger ones?
Smaller organizations are generally more vulnerable because they have fewer dedicated IT and security resources.
Do healthcare organizations have to publicly disclose when they've been breached?
Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI, notify HHS (within the same 60 days for breaches affecting 500 or more individuals, otherwise in an annual log), and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. HHS publishes breaches affecting 500 or more individuals on its public breach portal.
What happens to patient data after it is stolen in a ransomware attack?
Stolen data is typically published on dark web leak sites, sold to other criminal actors, or held as leverage for further extortion.