Hacking accounts for 173 of the 189 large breaches reported to federal regulators so far this year, with revenue cycle vendors and benefit administrators among the hardest-hit organizations.
What happened
The HHS Office for Civil Rights breach portal has recorded 189 large healthcare data breaches affecting more than 19 million individuals in the first six months of 2026, according to HealthTechSecurity. Of those, 173 were attributed to hacking and IT incidents, with just one theft, one loss, and 14 unauthorized access or disclosure cases recorded. The ten largest breaches reported to OCR so far this year span revenue cycle management, benefits administration, hospital systems, telehealth infrastructure, and behavioral health, with business associates and covered entities represented in roughly equal measure. The largest single breach was filed by TriZetto Provider Solutions in February 2026, affecting 3,433,965 individuals after an unauthorized party accessed insurance eligibility verification records beginning in November 2024.
Going deeper
The ten largest breaches reported to OCR through June 2026 and their confirmed affected populations are: TriZetto Provider Solutions at 3,433,965, QualDerm Partners at 3,117,874, Nacogdoches Memorial Hospital at 2,507,073, Navia Benefit Solutions at 2,151,330, NYC Health + Hospitals at 1,800,000, OpenLoop Health at 716,000, ApolloMD Business Services at 626,540, Erie Family Health Centers at 570,000, Minnesota Department of Human Services at 303,965, and North Texas Behavioral Health Authority at 285,086. The Minnesota Department of Human Services breach is the only one in the top ten attributed to unauthorized access rather than hacking: a provider-associated user accessed over 300,000 demographic records through the state's MnCHOICES vendor system. In several cases, the breach occurred months before OCR was notified: ApolloMD first detected suspicious activity in May 2025 but reported to OCR in February 2026, and TriZetto identified unauthorized access beginning November 2024 but reported in February 2026.
What was said
HealthTechSecurity noted in its report that "hacking remains the top type of healthcare data breach reported to the HHS Office for Civil Rights six months into 2026, underscoring the volatility of the cyberthreat landscape." Most healthcare providers said the usual, with QualDerm Partners stating in its breach notice that "as part of our ongoing commitment to the privacy of personal information in our care, we are reviewing our existing policies and procedures regarding information security." Nacogdoches Memorial Hospital even told patients it had implemented "remediation measures to prevent recurrence, to strengthen NMH's network security, enhancing NMH's cyber preparedness through additional awareness training, and updating NMH's procedures."
In the know
The TriZetto breach is particularly notable given the company's scale. TriZetto Provider Solutions, owned by Cognizant, processes more than 2.5 billion healthcare transactions annually as a revenue cycle management vendor. A breach of insurance eligibility verification transactions that went undetected from November 2024 until October 2025 represents an eleven-month unauthorized access window against infrastructure touching a substantial portion of US healthcare billing. The NYC Health + Hospitals breach has drawn Congressional scrutiny. According to HealthTechSecurity, Senate HELP Committee Chair Bill Cassidy sent a formal letter to NYC Health + Hospitals CEO Mitchell Katz on June 4, 2026, demanding answers about the breach's scope and the health system's security protocols before and after the incident.
The big picture
Seven of the ten largest breaches in the first half of 2026 involved either a business associate or a vendor system, consistent with the third-party exposure pattern that has dominated healthcare breach data for three consecutive years. TriZetto, Navia Benefit Solutions, OpenLoop Health, ApolloMD, FEI Systems at the Minnesota DHS, and the unnamed third-party vendor at NYC Health + Hospitals all represent organizations whose compromise created downstream breach obligations for the covered entities they serve. According to the Verizon 2026 Data Breach Investigations Report, third-party breaches in healthcare rose 60 percent year over year. The first-half 2026 OCR data confirms that trend is continuing at pace, with vendor and business associate breaches driving the majority of the largest individual exposure counts before the year is even half complete.
FAQs
What does the OCR breach portal show and how current is its data?
The HHS OCR breach portal lists all reported breaches affecting 500 or more individuals, updated on a rolling basis as covered entities and business associates file reports. The portal shows breach reports received by OCR, not necessarily the date the breach occurred, which is why breaches from 2024 and 2025 can appear in 2026 portal updates as investigations conclude and final notification counts are confirmed.
Why do so many large breaches go undetected for months before being reported?
Detecting network intrusions in intricate healthcare IT environments requires active monitoring, behavioral analysis, and threat intelligence that many organizations lack the resources to maintain consistently. Revenue cycle vendors and benefit administrators handling high transaction volumes generate large amounts of network activity that makes anomalous access harder to isolate without dedicated detection tooling.
What is a revenue cycle management company, and why does a breach there affect so many people?
Revenue cycle management companies handle the administrative and financial processes connecting healthcare providers to insurance payers, including eligibility verification, claims submission, and payment processing. A single RCM vendor like TriZetto can process transactions for thousands of healthcare organizations simultaneously, meaning a breach of its systems can expose data from patients across the entire client base in a single incident.
What types of data are most commonly exposed in hacking incidents versus unauthorized access incidents?
Hacking incidents typically expose whatever data is stored in the compromised network, often including Social Security numbers, medical records, insurance information, and billing data. Unauthorized access incidents, like the Minnesota DHS case, are more likely to involve a specific dataset accessed through legitimate credentials, with the scope limited to what the unauthorized user was able to reach through their access level.
How should covered entities respond when a vendor breach affects their patient population?
Covered entities should confirm with the vendor exactly which patient records were involved, assess their independent HIPAA notification obligations rather than relying solely on the vendor's notification process, file with HHS within 60 days of discovering their own patients were affected, and review business associate agreement terms to determine what contractual remedies and security requirements the vendor failed to meet.
