Skip to main content
Patient Protect circular logo mark in purple and white used for site navigationPatient Protect

Published July 11, 2026. Vol. 1, Issue 2 (Brief) of The State of Compliance Series. Full 13-page working brief available for download below.

The State of Compliance SeriesVol. 1 · Issue 2 · Brief · Q2 2026 · July 2026

Q2 2026 Healthcare Breach Brief

Ten independently verified healthcare data breach disclosures submitted to the HHS Office for Civil Rights during the second quarter of 2026 (April 1 through June 30), compiled and verified by the Secure Care Research Institute as of July 2, 2026. The verified record establishes a floor of at least 2,698,826 affected individuals — grounded in individually confirmed incidents, not a comprehensive quarter total. The largest verified disclosure, at Xsolis, Inc. — an AI-enabled utilization-management vendor — accounts for 51.7% of the verified floor and continues the upstream-aggregation pattern the series identified in Q1 2026, now migrating through an AI platform.

10

Verified Q2 disclosures

2.7M+

Individuals affected (floor)

51.7%

Impact from Xsolis alone

7/10

At specialty/imaging practices

Key takeaways

Five observations anchor the Q2 record.

Each takeaway maps to a layer of the sector: impact concentrates upstream; frequency concentrates downstream. Both patterns are true simultaneously.

01

Upstream concentration persisted — through a new channel.

Q1 2026's impact concentrated in four business-associate and platform-vendor cascades. Q2 2026's largest verified disclosure came from an AI-enabled utilization-management vendor (Xsolis, §1.1). The mechanism is unchanged — a small number of platforms aggregating clinical data across hundreds of clients — and Xsolis suggests that upstream aggregation risk may increasingly run through AI-enabled platforms.

02

Within the verified set, breach frequency concentrated downstream at independent specialty and imaging practices.

Seven of the ten verified disclosures occurred at small specialty or imaging practices (§1.4), not at the large platforms that drive impact. Both patterns are true within the verified set and describe different layers of the same sector — impact concentrated upstream at platforms, frequency concentrated at the point-of-care level.

03

A repeat-victim governance pattern is worth tracking on its own.

Radiology Associates of Richmond's second breach within roughly fifteen months (§1.2) is not a data-aggregation story; it is a remediation-completeness question. Repeat breaches at a single covered entity within a short window raise a distinct governance question this series will track into Q3.

04

Retention beyond operational need remains a standing exposure.

Records from a Xsolis client that ended its vendor relationship in 2021 were still present in the 2026 breach (§1.1) — a finding this brief ties directly to the Transparency-Adjusted Risk Function (TARF) reusability component (§3). Data that survives a vendor relationship without documented disposition remains exposed years after the business relationship that justified holding it has ended.

05

The regulatory floor did not move.

OCR continued to cite risk-analysis failures in every one of its April 2026 settlements (§4), independent of whether the proposed HIPAA Security Rule update finalizes. The Rule update, whose regulatory-agenda target for final action was May 2026, passed that window without a final rule.

The AI-vendor cascade

One AI vendor. 51.7% of the verified floor.

Q2 2026's single largest verified disclosure — Xsolis, Inc., an AI-driven utilization-management vendor whose platform serves 600+ hospitals and health systems — affected 1,396,519 individuals. At more than five times the next-largest verified entry, it accounts for 51.7% of the verified floor by itself.

The mechanism is unchanged from Q1: a small number of platforms aggregating clinical data across hundreds of clients. Q1 2026's cascades ran through business-associate and platform-vendor channels. Xsolis — Q2's largest verified disclosure — suggests that upstream aggregation risk may increasingly run through AI-enabled platforms specifically, a hypothesis this series will confirm or disconfirm across Q3 and Q4.

One detail carries a specific operational lesson: Rochester Regional Health, a confirmed affected system, had ended its Xsolis relationship in 2021, yet approximately 18,600 of its patients' records were still present in the Xsolis environment at the time of the 2026 breach. Data that survives a vendor relationship without documented disposition remains exposed years after the business relationship that justified holding it has ended.

Xsolis, Inc.

1.40M

AI-vendor cascade

AI-driven utilization-management platform serving 600+ hospitals; phishing intrusion Jan 20 detected Jan 22, OCR filed Jun 5. Client records from a 2021-terminated relationship still present in the 2026 breach.

All other verified Q2 disclosures combined

1.30M

48.3% of verified floor · 9 incidents

Verified floor: at least 2,698,826 affected across 10 incidents. Not a comprehensive quarter total (see methodology).

Anatomy of Q2

Four archetypes characterize the verified set.

The ten verified disclosures are not interchangeable. Each represents a distinct structural pattern, and together they characterize the quarter more fully than any single lead incident can.

§1.1

The AI-Vendor Cascade — Xsolis

Xsolis (1,396,519 affected) is the largest verified Q2 disclosure and — at more than five times the next-largest entry in the verified set — the clearest continuation of the upstream-aggregation pattern this brief could confirm. That the quarter's largest disclosure came from an AI vendor whose product function depends on aggregating clinical data across hundreds of clients is a signal worth tracking: Q1's cascades ran through business-associate and platform-vendor channels; Q2's largest ran through an AI platform. Xsolis alone suggests that upstream aggregation risk may increasingly run through AI-enabled platforms — a hypothesis this series will confirm or disconfirm across Q3 and Q4.

§1.2

The Repeat-Victim Pattern — Radiology Associates of Richmond

Radiology Associates of Richmond (266,183) disclosed a second breach within roughly fifteen months of its first — a case worth treating as a finding in its own right rather than a table entry. The Virginia imaging practice's first breach affected more than 1.4M patients and was OCR-reported July 1, 2025. A separate incident began around July 25, 2025 — within weeks of the first breach's federal reporting. Raises the question of whether remediation had fully taken hold; sequence reported as a pattern to track, not a finding of causation.

§1.3

Named-Group Extortion

Three of the ten verified disclosures were claimed by named ransomware or extortion groups rather than disclosed as unattributed unauthorized access: Southern Illinois Dermatology (Insomnia, 160,312 affected), Western Orthopaedics (PEAR, 113,330 affected), and Hematology Oncology Consultants (Rhysida, 62,972 affected). PEAR is a newer extortion actor associated with data-exfiltration claims rather than traditional encryption-only ransomware; Rhysida has claimed a series of healthcare-sector attacks since 2023.

§1.4

The Specialty-Practice Long Tail

Seven of the ten verified disclosures occurred at independent specialty practices or an imaging provider — dermatology, ophthalmology, orthopedics, oncology, neurology, radiology — rather than at the two business-associate/AI vendors (Xsolis, Innovative Scientific Solutions) or the one hospital system (Singing River) in the verified set. This is a structural counterpoint to §1.1 and §1.2: the quarter's largest verified disclosures concentrate impact at an AI vendor and a repeat-victim imaging practice, but the volume of confirmed disclosures sits predominantly at small, independent covered entities.

Detection-to-disclosure

Verified Q2 intervals remained one to two orders of magnitude longer than the finance-sector benchmark.

The transparency component of the Transparency-Adjusted Risk Function (TARF), the sector's primary defensive lever per the Q1 framework, did not improve in Q2. Detection-to-disclosure intervals in the verified set remained long: Xsolis's interval from January attack to June OCR filing was approximately four to five months, and Radiology Associates of Richmond's first-breach interval from its April 2024 incident to its July 2025 federal filing was approximately fifteen months. Against the finance-sector benchmark of a four-business-day disclosure rule, healthcare intervals in the verified set remained one to two orders of magnitude longer.

Xsolis, Inc.

~137 days

Phishing attack Jan 20, 2026 → detected Jan 22 → OCR filing Jun 5, 2026. Roughly 4–5 months from initial attack to federal breach filing.

Radiology Associates of Richmond (first breach)

~456 days

First-breach incident April 2024 → OCR-reported July 1, 2025. Approximately 15 months from incident to federal reporting.

SEC Item 1.05 Form 8-K (finance benchmark)

4 days

Regulatory environment

The Security Rule update missed its May 2026 finalization window. Enforcement of the current rule continued.

The proposed HIPAA Security Rule update, whose regulatory-agenda target for final action was May 2026, passed that window without a final rule. A coalition of more than one hundred hospital and provider groups continued to press HHS to withdraw the proposal, citing an OCR first-year compliance-cost estimate of approximately nine billion dollars. OCR continued to enforce the current Security Rule, where a missing or stale risk analysis under 45 CFR §164.308(a)(1)(ii)(A) remained the single most frequently cited deficiency; all four of OCR's April 2026 settlements involved a risk-analysis failure. The practical implication is unchanged by the rule's delay: a current, documented risk analysis is both the most-cited enforcement gap under the present rule and the foundation on which every proposed change builds.

May 2026 · passed

Security Rule update did not finalize.

Regulatory-agenda target for final action passed without a final rule. Coalition of 100+ hospital and provider groups continued to press HHS to withdraw the proposal.

April 2026 · 4 of 4

Every settlement cited risk-analysis failure.

All four of OCR's April 2026 settlements involved noncompliance with the risk-analysis requirement at 45 CFR §164.308(a)(1)(ii)(A). The most consistently cited enforcement gap.

Standing exposure

Rule delay does not reduce the current obligation.

A current, documented risk analysis is both the most-cited enforcement gap under the present rule and the foundation on which every proposed change builds. Delay is not the same as pause.

Recommendations

Concrete controls, derived directly from the verified Q2 record.

The following are derived directly from the ten verified Q2 disclosures. They do not constitute legal advice; covered entities and business associates with specific compliance questions should consult qualified HIPAA counsel.

For covered entities

  1. 01

    Document vendor offboarding with proof of data disposition. The Xsolis case (§1.1) shows data remaining exposed years after a vendor relationship ended.

  2. 02

    Treat a completed breach investigation as the start of a remediation review, not the end of the incident. Radiology Associates of Richmond's second breach began within weeks of its first breach's federal reporting.

  3. 03

    Maintain a current, documented risk analysis independent of Security Rule finalization timing. All four of OCR's April 2026 settlements cited a risk-analysis failure.

  4. 04

    Independent and specialty practices should assume they are a primary target, not a low-priority one. Seven of the ten verified Q2 disclosures occurred at practices of this size.

  5. 05

    Where a named extortion group claims responsibility without encryption (as PEAR did at Western Orthopaedics), treat the claim as an immediate exposure event rather than a ransom negotiation — the data is already circulating.

For business associates and vendors

  1. 01

    Publish a data-retention and disposition schedule that clients can audit. The Xsolis case is, in part, a documentation failure — no client-facing record confirmed disposition after the 2021 termination.

  2. 02

    AI-enabled platforms that aggregate clinical data across many client organizations should treat that aggregation as the primary attack surface, not a byproduct of the product. The upstream-concentration pattern this series has now tracked across two quarters runs increasingly through platforms built this way.

The verified set

Q2 2026 verified breach disclosures.

Ten incidents individually verified against the HHS OCR breach portal and independent public reporting, with OCR submission dates confirmed within the Q2 2026 window. Not a complete inventory of the quarter — the subset whose Q2 OCR submission and affected count could be independently confirmed by this brief's cutoff (July 2, 2026). Basis column states each entry's verification tier: 'A' denotes an OCR date and affected count independently confirmed through multiple concurring primary or press sources; 'B' denotes a date drawn from external portal review or a single independent source. Full tier definitions in Appendix D of the working brief.

EntityCategoryAffectedOCR submittedBasis
Xsolis, Inc.AI / BA vendor1,396,519Jun 5, 2026Tier A
Florida Physician SpecialistsSpecialty provider276,498Apr 24, 2026Tier B
Radiology Associates of RichmondImaging provider266,183~May 21, 2026Tier A
Southern Illinois DermatologySpecialty provider160,312Apr 2, 2026Tier B
Laurel Eye ClinicSpecialty provider145,221Apr 22, 2026Tier B
Innovative Scientific SolutionsBA vendor143,842Apr 17, 2026Tier B
Western Orthopaedics, P.C.Specialty provider113,330~Apr 29–May 5, 2026Tier B
Minnesota Epilepsy Group, P.A.Specialty provider80,061~Jun 5, 2026Tier A
Hematology Oncology ConsultantsSpecialty provider62,972Apr 24, 2026Tier A
Singing River Health SystemHospital system53,888~May 19, 2026Tier B

Sources: HHS OCR Breach Portal (accessed July 2, 2026); entity notification records; SecurityWeek; DataBreaches.net; TechTarget / HealthITSecurity; direct entity notices. See Appendices B–D of the working brief for full source reconciliation, exclusion logic, and verification methodology.

Cite this brief

Suggested citation.

Permitted uses include academic citation with full attribution, fair-use quotation for commentary or news reporting, and sharing of the published PDF in its complete and unaltered form.

APA

Perrin, A. (2026). State of compliance: Q2 2026 healthcare breach brief. The State of Compliance Series, Vol. 1, Issue 2 (Brief). Secure Care Research Institute, Patient Protect LLC.

Chicago

Perrin, Alexander. "State of Compliance: Q2 2026 Healthcare Breach Brief." The State of Compliance Series, Vol. 1, Issue 2 (Brief). Working brief. Chicago: Secure Care Research Institute, Patient Protect LLC, 2026.

BibTeX

@techreport{perrin2026soc_q2,
  author      = {Perrin, Alexander},
  title       = {State of Compliance: Q2 2026 Healthcare Breach Brief},
  series      = {The State of Compliance Series},
  number      = {Vol. 1, Issue 2 (Brief)},
  institution = {Secure Care Research Institute, Patient Protect LLC},
  year        = {2026},
  type        = {Working brief},
  url         = {https://patient-protect.com/research/state-of-compliance-q2-2026}
}

Get the next issue

Q3 2026 publishes October 2026.

Whether the AI-vendor aggregation pattern observed at Xsolis persists into a third quarter — and whether the underlying compilation gains the reliable date and count fields needed to support a full quantitative review again — are the two open questions this series will track next.