Research & Analysis

Four vendors held most of the risk in Q1

The inaugural Q1 2026 State of Compliance — a quarterly empirical review of U.S. healthcare data breaches drawn from seven authoritative sources. Headline finding: four upstream vendor breaches drove 67.6% of all Q1 patient impact across less than 2% of the period's incident count.

Patient Protect Research · April 29, 2026 · 7 min read

Written and reviewed by the Patient Protect team — Joseph A. Perrin, CTO (former government CTO, military-grade security architecture), Angie Perrin, CSO (Certified HIPAA Consultant, 10+ years clinical practice), and Alexander Perrin, CEO (15 years enterprise SaaS).

Q1 2026 State of Compliance report — concentration of healthcare breach impact across four upstream vendors

Secure Care Research Institute

State of Compliance · Vol. 1, Issue 1 · Q1 2026

Four vendors held most of the risk in Q1.

Today we publish the inaugural Q1 2026 State of Compliance — a quarterly empirical review of the U.S. healthcare data breach landscape, drawn from seven authoritative sources after the OCR portal alone showed almost no March activity.

Headline finding: 67.6% of all Q1 healthcare breach impact came from just four upstream vendors. They represented less than 2% of the period’s breach count.


§ 1 — The headline finding

A small number of breaches did most of the damage.

Quarterly breach reporting in U.S. healthcare is fragmented across at least seven authoritative sources — HHS OCR, fifty state attorneys general, FTC enforcement, CISA advisories, CMS records, community intelligence, and modeled threat signals. The full picture is rarely assembled in one place with academic rigor and independent funding.

That gap is what the State of Compliance series exists to close. The practices, regulators, and policy researchers who depend on this data deserve more than a single-portal view — and as Q1 2026 demonstrates, the single-portal view can be dangerously misleading.

The OCR breach portal, accessed in late March, recorded just two breach reports for all of March 2026. Two. Against an investigation queue of 978 cases. Anyone reading the portal alone would have concluded that breach activity had nearly stopped. It hadn’t — the reporting had. State attorney general filings, primarily through Oregon, surfaced 80 additional March breaches that the OCR portal hadn’t yet shown.

Compiled across all seven sources, reconciled for duplicate filings, and scope-filtered to the healthcare sector, the real Q1 number is 207 breaches affecting roughly 15.9 million patients. The multi-source view delivers an empirical lift of approximately 75% over the late-March OCR-only snapshot that was visible while the quarter closed. And inside that record, one finding broke through everything else.

The concentration ratio, visualized

Less than 2% of breaches drove more than two-thirds of patient impact.

Share of Q1 breach count: 1.9%

Share of Q1 patient impact: 67.6%

The bars compare what the four breaches were as a share of the period’s breach count, against what they did to the period’s patient population. The asymmetry is the story.


§ 2 — The four breaches

Vendors that sit between you and your patients’ data.

Four upstream breaches accounted for 10.75 million of approximately 15.9 million Q1 affected patients. Each one is a vendor — a company whose products handle patient data on behalf of hundreds of healthcare organizations. When one of these vendors gets breached, every practice that uses them gets dragged into the disclosure.

This is what business-associate concentration looks like in practice. The four names below represent the bulk of Q1’s harm.

No. 01 · Hacking / IT
TriZetto Provider Solutions · 3,433,965 patients affected
Healthcare payments and claims processing vendor; subcontractor to OCHIN and other healthcare technology platforms. The breach hit roughly 9% of OCHIN’s member network alone.

No. 02 · Hacking / IT
QualDerm Partners · 3,117,874 patients affected
Dermatology practice aggregator providing management services to 158 healthcare practices across 17 states. Intrusion confirmed Dec 23–24, 2025.

No. 03 · Hacking / IT
Healthcare Interactive (HCIactive) · 3,056,950 patients affected
Maryland-based AI-powered insurance enrollment and benefits administration platform. Initial OCR filing claimed 501 individuals affected. The actual figure surfaced months later through Oregon’s AG filing.

No. 04 · Ransomware (MEDUSA)
Insightin Health · 1,144,686 patients affected
Baltimore-based AI-powered platform for health insurer and payer data analytics. Attackers exploited a previously unknown vulnerability in the GoAnywhere file-transfer tool. MEDUSA claimed responsibility on Sept 26, 2025.


Case in point — why one source isn’t enough

HCIactive filed a breach report for 501 people. The real number was 3,056,950.

On September 22, 2025, Healthcare Interactive filed an initial breach report with HHS OCR using a placeholder figure of 501 affected individuals — a value the company used while the investigation was still open.

On January 7, 2026 — more than three months later — the company notified the Oregon Attorney General of the actual figure: 3,056,950 individuals. By the late-April compilation, the breach had been formally filed in California, Maine, South Carolina, Texas, Vermont, Massachusetts, and New Hampshire.

For the entire window in between, anyone reading the OCR portal alone saw a small breach. The full scope only became visible because Oregon’s breach notification law required disclosure to the state AG before HHS OCR updated its public entry.

6,098× upward revision between the initial and final figures.


§ 3 — What this means for practices

Your next breach is more likely to start at a vendor than at your own perimeter.

The Q1 record carries a clear implication for any independent healthcare practice. If 67.6% of the period’s harm came from four upstream vendor breaches, then the highest-value action a practice can take is to inventory the vendors that touch its patient data and confirm that each one is held to a real security standard.

That means pulling a list of every vendor in the workflow. Billing. EHR. Scheduling. Telehealth. Transcription. Cloud backup. Anything that handles patient data, even in transit, even briefly. For each one, confirm a current signed Business Associate Agreement is on file. If any vendor processes data overseas, confirm the BAA covers that explicitly.

The work is unglamorous. It also would have prevented hundreds of the downstream notifications generated by the four Q1 breaches.

The 2026 HIPAA Security Rule update — which could be finalized later this year — adds further pressure. Encryption and multi-factor authentication, currently classified as “addressable” (which most practices have read as optional), become required. Vulnerability scans every six months. Penetration testing every year. Practices that pre-position now will have a far easier compliance window than those waiting for the final rule to drop.


§ 4 — What else is in the issue

Five additional findings from the Q1 record.

The concentration story is the headline, but the full working paper carries five other findings that round out the period.

Detection-to-disclosure · 195 days
Innovative Pharmacy Packaging Corp (IPPC) — attack September 2025, individual notification April 2026. The healthcare sector benchmark is 93 days. The SEC finance-sector requirement is 4 business days.

OCR investigation queue · 978 cases
Up 10.9% year-over-year from 882 in January 2025. Breach reporting volume continues to outpace federal civil rights enforcement resourcing.

First risk-analysis enforcement of 2026 · $103,000
Top of the World Ranch Treatment Center settled with OCR on Feb 19, 2026 for alleged noncompliance with 45 CFR §164.308(a)(1)(ii)(A) — the risk-analysis requirement.

Seven attack archetypes
Platform/BA cascade · named-group ransomware · insider threat · offshore data mishandling · nation-state · detection-gap disclosure · telehealth-sector targeting. The first publicly-attributed nation-state targeting of a U.S. medical-device manufacturer (Stryker) entered the period.

The 43-day federal government shutdown of late 2025 explains why the OCR portal carried only two breach reports for all of March 2026 — and why a single-source view of the quarter would have read it as quiet. The multi-source compilation does not.


Read the full report

39 pages. Full methodology. Open for scrutiny.

The complete Q1 2026 working paper includes seven attack archetypes, a full reconciliation against OCR-only reporting, the TARF analytical framework applied to the Q1 record, and four appendices documenting our compilation methodology in detail.


A note on the data

Sources. The Q1 figures come from the Patient Protect Breach Intelligence Dashboard, exported in late April 2026. The dashboard compiles breach intelligence from HHS OCR, all fifty state attorneys general, FTC enforcement records, CISA advisories, CMS enforcement data, crowdsourced community intelligence, and modeled threat signals. After deduplication of multi-state filings (218 raw → 211) and exclusion of four records outside the healthcare-sector scope, 207 unique large healthcare breaches were retained for Q1 2026.
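The reconciliation described here, and the HCIactive case above (a 501-individual placeholder on the OCR portal superseded months later by a state AG filing), come down to three mechanical steps: collapse multi-state filings of one incident into a single record, keep the largest figure any source reported, and drop records outside the healthcare sector before measuring how much of the impact the top few breaches hold. The script below is an added illustration of that pipeline; it is not the report's or Patient Protect's own code, the dashboard's real schema is not published here, and the field names, sample filings and reconciliation rules are assumptions. Its one addition beyond the text is a flag for incidents whose only reported count is still a placeholder, so those records are not mistaken for final figures.

```python
"""Reconcile multi-source breach filings and measure impact concentration.

Added example, not the State of Compliance report's own code. Field names,
the sample filings and the reconciliation rules are assumptions that mirror
the steps the report describes: one record per incident, largest reported
count wins, out-of-sector records dropped, then top-N concentration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Filing:
    incident_id: str      # one key per breach event (assumed: assigned by the compiler)
    entity: str
    source: str           # portal or regulator that published this filing
    reported: int         # individuals affected, as stated in this filing
    sector: str           # "healthcare" keeps the record in scope
    placeholder: bool = False  # figure filed while the investigation was still open


# Constructed sample filings; entity names and counts are made up.
SAMPLE_FILINGS = [
    Filing("inc-A", "Vendor A", "HHS OCR", 501, "healthcare", placeholder=True),
    Filing("inc-A", "Vendor A", "OR AG", 3_000_000, "healthcare"),
    Filing("inc-A", "Vendor A", "ME AG", 3_000_000, "healthcare"),
    Filing("inc-B", "Vendor B", "HHS OCR", 2_000_000, "healthcare"),
    Filing("inc-C", "Vendor C", "HHS OCR", 1_000_000, "healthcare"),
    Filing("inc-C", "Vendor C", "TX AG", 1_000_000, "healthcare"),
    Filing("inc-D", "Vendor D", "HHS OCR", 500_000, "healthcare"),
    Filing("inc-E", "Clinic E", "HHS OCR", 20_000, "healthcare"),
    Filing("inc-F", "Clinic F", "OR AG", 10_000, "healthcare"),
    Filing("inc-G", "Clinic G", "HHS OCR", 501, "healthcare", placeholder=True),
    Filing("inc-H", "Retailer H", "HHS OCR", 5_000_000, "retail"),
]


def reconcile(filings):
    """Collapse filings into one record per incident.

    Keeps the largest non-placeholder count any source reported. If every
    filing for an incident is a placeholder, the placeholder count is kept
    but the record is marked unconfirmed.
    """
    grouped = defaultdict(list)
    for f in filings:
        grouped[f.incident_id].append(f)
    records = []
    for incident_id, group in grouped.items():
        confirmed = [f.reported for f in group if not f.placeholder]
        records.append({
            "incident_id": incident_id,
            "entity": group[0].entity,
            "sector": group[0].sector,
            "affected": max(confirmed) if confirmed else max(f.reported for f in group),
            "unconfirmed": not confirmed,
            "sources": sorted({f.source for f in group}),
        })
    return records


def in_scope(records, sector="healthcare"):
    """Scope filter: keep only records from the sector under review."""
    return [r for r in records if r["sector"] == sector]


def concentration(records, top_n=4):
    """Share of incident count and of affected individuals held by the top-N breaches."""
    ranked = sorted(records, key=lambda r: r["affected"], reverse=True)
    top = ranked[:top_n]
    total_affected = sum(r["affected"] for r in records)
    top_affected = sum(r["affected"] for r in top)
    return {
        "incidents": len(records),
        "total_affected": total_affected,
        "top_n": [r["entity"] for r in top],
        "top_n_affected": top_affected,
        "share_of_count": len(top) / len(records) if records else 0.0,
        "share_of_impact": top_affected / total_affected if total_affected else 0.0,
        "unconfirmed": sum(r["unconfirmed"] for r in records),
    }


def summarize(filings=SAMPLE_FILINGS, top_n=4):
    """Full pipeline: raw filings -> unique incidents -> in-scope records -> concentration."""
    records = reconcile(filings)
    scoped = in_scope(records)
    result = concentration(scoped, top_n)
    result["raw_filings"] = len(filings)
    result["unique_incidents"] = len(records)
    result["out_of_scope"] = len(records) - len(scoped)
    return result


if __name__ == "__main__":
    s = summarize()
    print(f"{s['raw_filings']} filings -> {s['unique_incidents']} incidents -> {s['incidents']} in scope")
    print(f"top {len(s['top_n'])} hold {s['share_of_count']:.1%} of incidents "
          f"and {s['share_of_impact']:.1%} of affected individuals")
    print(f"records still resting on a placeholder figure: {s['unconfirmed']}")
```

Keeping the largest reported count is what makes the Oregon figure override the OCR placeholder; the unconfirmed flag is the check a reader of any single portal does not get, since a record that only ever reported 501 looks like a small breach until a later filing says otherwise.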

Limitations. Numbers may shift slightly upward as late filings come in. The 67.6% concentration figure is anchored on four large breaches whose patient counts are now confirmed across multiple state filings, and is robust to plausible upward revisions in the denominator.

Suggested citation. Perrin, A. (2026). State of Compliance: Q1 2026 Healthcare Breach Review. The State of Compliance Series, Vol. 1, Issue 1. Secure Care Research Institute, Patient Protect LLC.


The Secure Care Research Institute is an independent research program operating under Patient Protect LLC.
