Q1 2026 Healthcare Breach Review
Multi-source empirical analysis drawing on seven authoritative channels — HHS OCR, state attorney general filings, FTC enforcement records, CISA advisories, and primary entity disclosures. After deduplication and healthcare-sector scope filtering, the Q1 2026 record surfaces 207 unique large healthcare breaches affecting approximately 15.9 million individuals. The headline finding: four upstream business-associate incidents account for 67.6% of population impact across just 1.9% of the incident count.
207 unique Q1 2026 breaches · 15.9M individuals affected · 67.6% of impact from 4 incidents · +75% lift over OCR-only view
Key findings
Six observations anchor the period.
Each finding is drawn from the multi-source compilation summarized in §2 and audited in Appendix D of the working paper.
Four upstream incidents drove 67.6% of all Q1 2026 affected individuals.
TriZetto Provider Solutions (3,433,965 affected), QualDerm Partners (3,117,874), Healthcare Interactive / HCIactive (3,056,950), and Insightin Health (1,144,686) together account for 10,753,475 of the approximately 15.9 million Q1 2026 affected individuals — across just 1.9% of the period's incident count.
Multi-source compilation surfaces what OCR-only reporting misses.
The HHS OCR portal alone, accessed in late March 2026, recorded 118 breaches across January–February 2026 and only two breach reports for March 2026. The Patient Protect Dashboard's late-April 2026 export surfaces 207 unique Q1 2026 healthcare breaches after deduplication — an empirical lift of approximately 75% over the late-March OCR-only snapshot.
Detection-to-disclosure gaps in named cases remained well above sector norms.
Named-incident detection-to-disclosure intervals ranged from approximately 64 days (Stockton Cardiology, attack to ransomware leak publication) to approximately 195 days (IPPC, attack to individual notification). The healthcare sector benchmark is 93 days; the SEC Item 1.05 Form 8-K finance-sector requirement is 4 business days.
The OCR investigation queue continues to grow.
As of January 31, 2026, 978 healthcare data breaches were under or awaiting OCR investigation — up from 882 at the comparable date in 2025, a 10.9% year-over-year increase. The growth predates the late-2025 federal shutdown and reflects breach reporting volume rising faster than enforcement resourcing.
The period added a publicly reported nation-state cyberattack on a U.S. medical device manufacturer.
The Stryker medical-device cyberattack has been publicly reported and linked in open-source reporting to Iran-affiliated actors. The incident is referenced for archetype illustration and is excluded from the deduplicated 207-incident analytical dataset; the reporting boundary it illustrates — the gap between HIPAA enforcement (OCR) and medical device cybersecurity oversight (FDA) — is itself diagnostically interesting.
The regulatory environment opened two new variables within the period.
Effective February 16, 2026, OCR's civil enforcement authority over 42 CFR Part 2 substance use disorder records took effect. The OCR Top of the World Ranch settlement (February 19, 2026) imposed a $103,000 civil money penalty resolving alleged noncompliance with the risk analysis requirement at 45 CFR §164.308(a)(1)(ii)(A). The 2026 HIPAA Security Rule update (NPRM December 27, 2024) remains the largest pending regulatory variable.
The concentration
Four incidents. 67.6% of the people.
Q1 2026's most consequential finding is concentration. Four upstream business-associate and platform-vendor incidents — together representing 1.9% of the period's deduplicated incident count — account for 10,753,475 of the approximately 15.9 million Q1 2026 affected individuals.
The concentration is not an artifact of dataset construction. It reflects the underlying market structure of healthcare data processing, in which a small number of upstream platform vendors and business associates aggregate PHI across hundreds of covered entities. A single intrusion at one node propagates downstream into hundreds of separate covered-entity breach notifications.
| Entity | Affected | Archetype | Detail |
|---|---|---|---|
| TriZetto Provider Solutions | 3.43M | BA cascade | Subcontractor to OCHIN; ~700,000 patients reported via OCHIN downstream. |
| QualDerm Partners | 3.12M | Specialty aggregator | Dermatology practice aggregator across 158 practices in 17 states. |
| Healthcare Interactive (HCIactive) | 3.06M | BA cascade | 501-individual placeholder revised to 3,056,950 confirmed three months later. |
| Insightin Health | 1.14M | BA cascade · MEDUSA ransomware | GoAnywhere file-transfer zero-day; state filings across 6 states. |
Total: 10,753,475 affected across 4 incidents = 67.6% of Q1 impact.
The OCR-only gap
The HHS OCR portal alone surfaces only part of the picture.
Accessed in late March 2026, the OCR portal recorded 46 large healthcare breaches in January 2026, 63 in February 2026, and only 2 reports for March 2026 (against an investigation-pending queue of 978 cases). The Patient Protect Dashboard, drawing on state attorney general filings (notably Oregon AG) and continued OCR backlog clearance through late April 2026, surfaces 80, 47, and 80 breaches respectively for the same months — an empirical lift of approximately 75% over the late-March OCR-only snapshot.
Figure 1 · Q1 2026 healthcare breach volume: OCR-only (late March access) vs. multi-source dashboard, by month (Jan 2026, Feb 2026, Mar 2026).
Sources: HHS OCR Breach Portal (late-March 2026 access); Patient Protect Breach Intelligence Dashboard (late-April 2026 export, deduplicated across multi-state filings). The 43-day late-2025 federal government shutdown amplified the multi-source advantage by suspending OCR portal updates while state-level reporting continued.
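The deduplication step and the concentration figure described above, as an added Python example (not the dashboard's or the working paper's code). The filings are constructed from this page's table; the name normalization, the keep-the-latest-filing rule, the name variants and the "initial" channel label are assumptions.

```python
import re
from collections import namedtuple
from datetime import date

Filing = namedtuple("Filing", "entity source filed affected")

# Constructed sample: entity names, dates and counts follow this page's table;
# name variants, the "initial" channel label and the per-filing split are assumed.
FILINGS = [
    Filing("TriZetto Provider Solutions", "OR AG", date(2026, 2, 11), 3_433_965),
    Filing("TriZetto Provider Solutions, LLC", "OCR", date(2026, 3, 3), 3_433_965),
    Filing("QualDerm Partners, LLC", "OR AG", date(2026, 2, 23), 3_117_874),
    Filing("QualDerm Partners", "OCR", date(2026, 3, 23), 3_117_874),
    Filing("Healthcare Interactive, Inc.", "initial", date(2025, 9, 22), 501),
    Filing("Healthcare Interactive (HCIactive)", "OR AG", date(2026, 1, 7), 3_056_950),
    Filing("Insightin Health, Inc.", "OR AG", date(2026, 3, 5), 1_144_686),
]
Q1_TOTAL_AFFECTED = 15_900_000   # page's rounded quarter total
Q1_INCIDENTS = 207               # page's deduplicated incident count

def entity_key(name):
    """Normalize a filed name so the same entity collides across channels."""
    name = re.sub(r"\(.*?\)", " ", name.lower())   # drop parenthetical aliases
    words = re.sub(r"[^a-z0-9 ]", " ", name).split()
    return " ".join(w for w in words if w not in {"llc", "inc", "corp"})

def deduplicate(filings):
    """Keep one filing per entity: the most recently filed (assumed rule)."""
    latest = {}
    for f in filings:
        key = entity_key(f.entity)
        if key not in latest or f.filed > latest[key].filed:
            latest[key] = f
    return latest

def concentration(incidents, top_n):
    """Share of affected individuals and of incidents held by the top_n."""
    top = sorted((f.affected for f in incidents.values()), reverse=True)[:top_n]
    return sum(top) / Q1_TOTAL_AFFECTED, top_n / Q1_INCIDENTS

if __name__ == "__main__":
    naive = sum(f.affected for f in FILINGS)
    unique = deduplicate(FILINGS)
    people, incidents = concentration(unique, 4)
    print(f"naive sum over filings: {naive:,}")
    print(f"deduplicated: {len(unique)} incidents, "
          f"{sum(f.affected for f in unique.values()):,} affected")
    print(f"top 4: {people:.1%} of affected, {incidents:.1%} of incidents")
```

Keeping the latest filing rather than the largest count lets a later downward revision replace an earlier estimate, and it is what turns the 501-individual placeholder into the confirmed figure.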
Anatomy of Q1
Seven attack archetypes characterize the period.
A quarterly review that reports only aggregate counts misses the diagnostic value of the incident record. Q1 2026 produced a structurally diverse set of named incidents — each representing a distinct combination of attack surface, threat-actor motivation, data concentration, and detection failure.
Platform & Business-Associate Cascade
Dominant archetype by population impact. Six named Q1 cases (TriZetto, QualDerm, HCIactive, Insightin, CareCloud, Conduent) — single intrusions at upstream platform vendors propagate downstream to hundreds of covered entities.
Named-Group Ransomware
Stockton Cardiology (GENESIS) and QualDerm. Leak-site publication is now a common public-disclosure vector, frequently preceding formal regulatory notification.
Insider Threat
Weill Cornell Medicine and CWA Local 1180. Not addressable by perimeter security alone — requires access control review, role-based permission hygiene, and behavioral analytics under §164.308.
Offshore Data Mishandling
Mirra Health (Florida Medicare). Doesn't require a hacker — only a BAA implementation gap. Increasingly disproportionate regulatory burden under state-level consumer privacy enforcement.
Nation-State / Geopolitical
Stryker Corporation (open-source attribution: Iran-linked). Sits at the operational seam between HIPAA (OCR) and medical device cybersecurity (FDA) — diagnostic of a known cross-agency coordination gap.
Detection-Gap Disclosure
Innovative Pharmacy Packaging Corp (IPPC) — 195 days from compromise to individual notification. The most direct empirical refutation of the hypothesis that declining reported breach counts reflect declining breach activity.
Telehealth-Sector Targeting
Two telehealth incidents in late March 2026 collectively affected an estimated 3.7 million patients. Telehealth platforms sit structurally between covered entity infrastructure and consumer-facing digital health.
Detection-to-disclosure
Named Q1 cases ranged from 64 to 195 days.
The healthcare-sector benchmark is 93 days (Ponemon, 2024). The SEC Item 1.05 Form 8-K finance-sector requirement is 4 business days. Detection-to-disclosure intervals appear in the TARF denominator (Healthcare Transparency Index) and any directional decline inflates transparency-adjusted risk for every covered entity and business associate.
| Case | Interval | Timeline |
|---|---|---|
| Stockton Cardiology | 64 days | Initial phishing Dec 15, 2025 → public disclosure via GENESIS leak-site Feb 17, 2026 |
| Healthcare Interactive (HCIactive) | 180 days | Attack July 8–12, 2025 → Oregon AG full disclosure Jan 7, 2026 |
| Innovative Pharmacy Packaging Corp | 195 days | Attack Sept 18–19, 2025 → individual notification letters Apr 1, 2026 |
| SEC Item 1.05 Form 8-K (finance benchmark) | 4 days | |
Regulatory inflection
Q1 carried three regulatory developments — and one overarching uncertainty.
Feb 16, 2026
42 CFR Part 2 enforcement begins.
OCR's civil enforcement authority over Part 2 substance use disorder records took effect; the agency began accepting Part 2 breach notifications and complaints through its existing reporting portal.
Feb 19, 2026
$103,000 civil money penalty.
OCR settled with Top of the World Ranch Treatment Center, resolving alleged noncompliance with the risk-analysis requirement at 45 CFR §164.308(a)(1)(ii)(A). The settlement signals continued enforcement of the risk-analysis provision.
Pending
2026 HIPAA Security Rule update.
The NPRM (Dec 27, 2024) remains the largest pending regulatory variable of 2026. Expected provisions include mandatory encryption, mandatory MFA, semiannual vulnerability scanning, and 24-hour access notifications. Finalization timing is subject to uncertainty following the Jan 20, 2025 regulatory freeze EO.
Appendix A — open data
Q1 2026 named incidents.
The table below inventories named healthcare-sector breaches with Q1 2026 public disclosures. Each row meets either an affected-population threshold or a structural-significance criterion for inclusion in the analytical sections of the working paper. Affected-population figures are reported at the most recent publicly available value at the time of dashboard ingestion and may be subsequently revised. Available as a downloadable CSV for re-use under attribution.
| Entity | Disclosure | Attack type | Affected | Archetype |
|---|---|---|---|---|
| TriZetto Provider Solutions | Feb 11 (OR AG) / Mar 3 (OCR) | Hacking/IT | 3,433,965 | BA cascade |
| QualDerm Partners, LLC | Feb 23 (OR AG) / Mar 23 (OCR) | Hacking/IT | 3,117,874 | Specialty aggregator |
| Healthcare Interactive (HCIactive) | Sep 22, 2025 / Jan 7, 2026 (OR AG) | Hacking/IT | 3,056,950 | BA cascade |
| Insightin Health, Inc. | Mar 5, 2026 (OR AG) | Ransomware (MEDUSA) | 1,144,686 | BA cascade |
| Illinois Dept. of Human Services | Feb 4, 2026 | Unauth. Access/Disclosure | 705,017 | Direct (gov) |
| ApolloMD Business Services | Feb 11, 2026 | Ransomware (Qilin) | 626,540 | BA cascade |
| Northwest Radiologists / Mt. Baker Imaging | Jan 29, 2026 | Hacking/IT | 362,713 | Direct intrusion |
| Navia Benefit Solutions (Bellevue) | Mar 18, 2026 | Hacking | 319,208 | BA cascade |
| Minnesota Dept. of Human Services | Jan 22, 2026 | Unauth. Access/Disclosure | 303,965 | Direct (gov) |
| Harbor (OH) | Jan 20, 2026 | Hacking/IT | 216,000 | Direct intrusion |
| Expert MRI | Jan 30, 2026 | Hacking/IT | 209,560 | Direct intrusion |
| Modernizing Medicine, Inc. | Jan 13, 2026 | Hacking/IT | 198,795 | Direct intrusion |
| Vikor Scientific, LLC | Feb 6 (OR AG) / Mar 2 (OCR) | Hacking/IT | 139,964 | Direct intrusion |
| Stockton Cardiology Medical Group | Feb 17, 2026 (GENESIS leak) | Ransomware (GENESIS) | Undisclosed (645 GB) | Named-group ransomware |
| Innovative Pharmacy Packaging Corp | Feb 27, 2026 (notice) / Apr 8, 2026 (OCR) | Hacking/IT | 133,862 | Detection-gap |
| Stryker Corporation | Mar 20–23, 2026 (public reporting) | Open-source attribution: Iran-linked | Medical device infra. | Nation-state — modeled |
| CareCloud | Late Mar 2026 (public reporting) | Unauthorized access | Under investigation | Platform — modeled |
| Mirra Health (FL Medicare members) | Late Mar 2026 (public reporting) | Offshore data mishandling | Undisclosed | Offshore — modeled |
Sources: HHS OCR Breach Portal (2026); Oregon Attorney General; California Attorney General; Vermont Attorney General; primary entity disclosures. The CareCloud, Stryker, and Mirra Health references are sourced through the dashboard's modeled-threat-signal channel and public secondary reporting; they are excluded from the deduplicated 207-incident analytical dataset and referenced for archetype illustration only.
Cite this report
Suggested citation.
Permitted uses include academic citation with full attribution, fair-use quotation for commentary or news reporting, and sharing of the published PDF in its complete and unaltered form.
APA
Perrin, A. (2026). State of compliance: Q1 2026 healthcare breach review — Multi-source compilation and the concentration finding. The State of Compliance Series, Vol. 1, Issue 1. Secure Care Research Institute, Patient Protect LLC.
Chicago
Perrin, Alexander. "State of Compliance: Q1 2026 Healthcare Breach Review." The State of Compliance Series, Vol. 1, Issue 1. Working paper. Chicago: Secure Care Research Institute, Patient Protect LLC, 2026.
BibTeX
@techreport{perrin2026soc_q1,
  author = {Perrin, Alexander},
  title = {State of Compliance: Q1 2026 Healthcare Breach Review},
  series = {The State of Compliance Series},
  number = {Vol. 1, Issue 1},
  institution = {Secure Care Research Institute, Patient Protect LLC},
  year = {2026},
  type = {Working paper},
  url = {https://patient-protect.com/research/state-of-compliance-q1-2026}
}

Get the next issue
Q2 2026 publishes July 2026.
Each issue extends the multi-source compilation and tracks the concentration dynamic longitudinally.
