Multiple US Healthcare Data Breaches Expose Millions of Patient Records

What happened

Several major healthcare data breaches have been added to the HHS Office for Civil Rights breach tracker in recent days, with confirmed figures now public for incidents that were disclosed in earlier months. The combined scope runs into the millions of affected individuals across organizations in New York, Illinois, Florida, North Carolina, Colorado, and Texas.

The largest confirmed breach involves NYC Health and Hospitals Corporation, which detected unauthorized access on February 2, 2026, following a third-party vendor compromise that gave threat actors access between November 2025 and February 2026. The HHS tracker lists 1.8 million individuals affected, with exposed data spanning personal, health insurance, medical, biometric, and financial information.

Erie Family Health Centers in Chicago detected a hacker attack in January 2026 following network access between December 10, 2025 and late January 2026. Compromised data includes names, phone numbers, email addresses, Social Security numbers, driver’s license and passport numbers, online account credentials, financial information, and medical information, affecting 570,000 individuals.

Florida Physician Specialists reported that hackers had access to its network for two days in November 2025, exposing names, SSNs, driver’s license numbers, financial information, and medical information for 276,000 individuals. Coastal Carolina Health Care in North Carolina and Western Orthopaedics in Colorado each reported breaches affecting approximately 110,000 people, with Coastal Carolina having detected its intrusion more than a year before disclosure.

The HHS tracker lists Nacogdoches Memorial Hospital in Texas as affecting 2.5 million individuals, though prior reporting indicated 250,000, suggesting a possible data entry error. None of the breaches has been claimed by known cybercrime groups.

Who is affected

Patients across multiple US states face exposure of highly sensitive personal, medical, and financial data. The NYC Health and Hospitals breach alone, at 1.8 million individuals, represents a significant share of New York City's patient population. The Erie breach's inclusion of online account credentials and passport numbers alongside medical data creates a broader identity theft risk profile than a typical healthcare incident, since stolen credentials can be reused against the victims' other accounts.

Why CISOs should care

Several patterns across these disclosures warrant attention. The Coastal Carolina detection-to-disclosure gap of more than a year reflects a recurring problem in healthcare breach response; HIPAA's Breach Notification Rule requires that affected individuals be notified without unreasonable delay and no later than 60 days after a breach is discovered. The NYC Health and Hospitals breach stems from a third-party vendor, continuing the supply-chain access pattern seen in many of the largest healthcare breaches of 2026. The Florida Physician Specialists breach involved only two days of unauthorized access yet exposed data on 276,000 individuals, showing that even a brief intrusion window can produce substantial data exposure when access controls on sensitive repositories are inadequate.

The absence of ransomware group claims across all of these incidents is notable. It may indicate ransom payments, attacks by groups without public leak sites, or pure data theft operations without encryption.

3 practical actions

  1. Audit third-party vendor access to patient data systems following the NYC Health and Hospitals breach pattern: A three-month vendor access window that exposed 1.8 million patient records reflects inadequate monitoring of third-party connections to sensitive systems. Review which vendors hold persistent access to your patient data environments and implement just-in-time access provisioning and behavioral monitoring for all third-party connections.
  2. Compress the detection-to-notification timeline by establishing forensic readiness protocols: Multiple breaches in this roundup involved months-long gaps between initial access and detection, and in Coastal Carolina’s case more than a year between detection and public disclosure. Establish forensic readiness measures including centralized log aggregation, automated anomaly detection, and pre-retained incident response relationships that can accelerate both detection and scope determination.
  3. Treat healthcare data repositories containing credentials alongside medical data as highest-priority assets: The Erie breach exposed online account credentials alongside medical information, creating compounding identity theft risk. Segment systems storing credential data from those storing medical records where technically feasible, and apply the most stringent access controls to any system where these categories co-exist.
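The vendor-access audit that actions 1 and 2 call for, as an added example that is not part of the original article and not code from any organization named in it. It assumes a hypothetical JSON access-log format, a "vendor-" account-name prefix and a just-in-time (JIT) approval register, all constructed for illustration, and runs over constructed sample log lines. It flags every third-party access that falls outside an approved window, marks hits on repositories holding PHI or credentials, and computes the span of unapproved activity per account as a first scoping figure for the investigation.

```python
"""Added example, not from the original article or any of the organizations
named in it: audit constructed vendor-access logs for third-party connections
to a patient-data environment.

Assumptions (all hypothetical, for illustration only):
- Each log line is a JSON object with fields ts (ISO 8601, UTC), account,
  source, resource and action.
- Third-party accounts carry a "vendor-" prefix.
- A JIT approval register maps each vendor account to the time windows in
  which its access was approved; an account with no window is never approved.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed JIT approval register: account -> approved (start, end) windows.
JIT_APPROVALS: dict[str, list[tuple[datetime, datetime]]] = {
    "vendor-imaging": [(datetime(2025, 11, 3, 14, 0, tzinfo=UTC),
                        datetime(2025, 11, 3, 18, 0, tzinfo=UTC))],
    "vendor-billing": [],  # persistent account with no approved window at all
}

# Repositories holding PHI or credentials; access there gets the highest scrutiny.
SENSITIVE_RESOURCES = {"ehr-db", "claims-db", "idp-credstore"}

# Constructed sample log (one JSON object per line); not real data.
SAMPLE_LOG = """\
{"ts": "2025-11-03T15:12:04Z", "account": "vendor-imaging", "source": "203.0.113.10", "resource": "ehr-db", "action": "read"}
{"ts": "2025-11-03T22:47:10Z", "account": "vendor-imaging", "source": "203.0.113.10", "resource": "ehr-db", "action": "read"}
{"ts": "2025-11-10T02:05:33Z", "account": "vendor-billing", "source": "198.51.100.7", "resource": "claims-db", "action": "export"}
{"ts": "2025-11-10T09:15:00Z", "account": "alice.rn", "source": "10.20.0.5", "resource": "ehr-db", "action": "read"}
{"ts": "2025-12-12T03:30:00Z", "account": "vendor-billing", "source": "198.51.100.7", "resource": "idp-credstore", "action": "read"}
"""


@dataclass(frozen=True)
class Finding:
    account: str
    ts: datetime
    resource: str
    reason: str


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_vendor(account: str) -> bool:
    return account.startswith("vendor-")


def within_approved_window(account: str, ts: datetime) -> bool:
    """True only if some JIT approval covers this instant; no register entry means False."""
    return any(start <= ts <= end for start, end in JIT_APPROVALS.get(account, []))


def audit_vendor_access(log_text: str) -> list[Finding]:
    """Flag every vendor access event that falls outside an approved JIT window."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        account = event["account"]
        if not is_vendor(account):
            continue  # staff accounts are out of scope for this check
        ts = parse_ts(event["ts"])
        if within_approved_window(account, ts):
            continue
        reason = "vendor access outside any approved JIT window"
        if event["resource"] in SENSITIVE_RESOURCES:
            reason += " to sensitive repository"
        findings.append(Finding(account, ts, event["resource"], reason))
    return findings


def unapproved_span(findings: list[Finding]) -> dict[str, timedelta]:
    """Per vendor account, time between first and last unapproved access.

    This is the minimum exposure window the investigation must scope; a
    single unapproved event yields a zero-length span.
    """
    first: dict[str, datetime] = {}
    last: dict[str, datetime] = {}
    for f in findings:
        first[f.account] = min(first.get(f.account, f.ts), f.ts)
        last[f.account] = max(last.get(f.account, f.ts), f.ts)
    return {acct: last[acct] - first[acct] for acct in first}


if __name__ == "__main__":
    results = audit_vendor_access(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts.isoformat()} {f.account:<16} {f.resource:<14} {f.reason}")
    for acct, span in unapproved_span(results).items():
        print(f"{acct}: unapproved activity spans {span.days} days")
```

On the constructed input the in-window imaging access is accepted, the late-night imaging access and both billing accesses are flagged, and the billing account's unapproved activity spans 32 days, which is the figure a scoping exercise would start from. The same structure applies to real sources such as VPN, bastion or database audit logs once the field mapping is adjusted; the point is that a vendor account with no current approval should produce a finding on its first event, not after months of quiet access.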

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.