Over 72,000 Patient Records Exposed in Four Healthcare Data Breaches

Four healthcare organizations reported major data breaches to the U.S. Department of Health and Human Services between mid-April and early May 2026. In total, more than 72,000 patients had their medical information accessed without permission.
The largest breach happened at City Health, a California medical company. On April 14, they reported that 65,000 patients' electronic medical records were accessed by someone who shouldn't have had that access. Two weeks later, the Iowa Department of Health and Human Services disclosed a separate breach affecting 6,717 patients whose information was compromised on their network servers. On May 1, two more breaches came to light: the University of Michigan/Michigan Medicine reported 551 affected patients, and Integrated Pain Associates in Texas reported 500 patients impacted by a hacking attack.
What the Law Requires
Healthcare organizations are required by a federal privacy law called HIPAA to report breaches to the HHS Office for Civil Rights. Any breach affecting 500 or more people must be reported quickly—no later than 60 days after the organization discovers the problem. Smaller breaches affecting fewer than 500 people are reported once a year instead.
All reported breaches are added to a public database maintained by HHS so patients and the public can see what has happened.
How These Breaches Happened
Three of the four breaches happened because someone with access to the system was able to view records they shouldn't have, or because hackers stole login credentials—usernames and passwords—and used them to break in. These credential-based attacks are common in healthcare. The fourth breach, at the Texas pain management clinic, was a direct hacking attack on their computer servers.
Think of it like the difference between a burglar stealing someone's house key versus breaking down the door. Both get the intruder inside, but they work differently.
Electronic medical record systems—the software where doctors store patient information—were targeted in three of the four incidents. Network servers, which are like central filing cabinets for an organization's data, were also hit.
Geographic Spread and Scale
The City Health breach in California accounts for about nine out of every ten affected patients. The other three breaches are scattered across Iowa, Michigan, and Texas. The spread across different states and different types of organizations—a state health department, a university hospital, a private pain clinic, and a large medical company—suggests these were separate, unrelated incidents rather than parts of one coordinated attack.
What Happens Next
The HHS Office for Civil Rights will investigate each breach. They will look at what information was exposed, what security measures were in place, and whether the organization found and reported the breach quickly enough. These investigations can take six to eighteen months.
The organizations affected must tell their patients about the breach within 60 days. They must also show what steps they took to fix the problem and cooperate with the government investigation. Patients may also file lawsuits against these organizations.
Why This Matters
The broader context here is that healthcare systems are getting bigger and more connected. When a large system gets breached, the number of affected people can be enormous—as we saw with City Health. Over decades of reporting on technology, I have seen this pattern before: organizations move quickly to adopt new technology and worry about security later. During the COVID-19 pandemic, hospitals rushed to build digital systems to handle patient care faster. Many of those systems are still running today with their original security setup, which leaves them vulnerable.
Healthcare organizations need to rethink how they protect access to patient data. The traditional approach—securing the outer edge of your computer network like a castle wall—is not enough anymore. Instead, organizations need to verify that each person accessing data actually should be doing so, and keep detailed logs of who looked at what. This approach, called "zero-trust," assumes that bad actors could be anywhere, even inside the organization.
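The two controls the paragraph calls for, a per-request check that the person opening a chart is actually assigned to that patient and an audit trail that is reviewed for the access patterns described earlier in the article (an insider browsing charts outside their assignment, or a stolen credential pulling many records at once), as an added illustration that is not code from the article or from any of the organizations named; the care-team data, account names, thresholds and audit entries are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed care relationships (hypothetical data): which patient charts
# each account is entitled to open. A front-desk account is deliberately broad.
CARE_TEAM = {
    "dr_lee": {"P100", "P101"},
    "nurse_kim": {"P100"},
    "front_desk": {f"P{n}" for n in range(100, 200)},
}

def authorize_and_log(audit, user, patient, when):
    """Check the request against the care relationship and record the
    outcome. Denied attempts are logged too: they are the signal."""
    allowed = patient in CARE_TEAM.get(user, set())
    audit.append({"ts": when, "user": user, "patient": patient, "allowed": allowed})
    return allowed

def flag_suspicious(audit, max_patients=3, window=timedelta(minutes=10), max_denied=2):
    """Return accounts that opened more distinct charts inside one window
    than a single clinician plausibly would (consistent with a stolen
    credential), or that hit repeated denials (consistent with an insider
    probing charts outside their assignment). Thresholds are illustrative."""
    flagged = set()
    by_user = defaultdict(list)
    for e in sorted(audit, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, events in by_user.items():
        if sum(not e["allowed"] for e in events) >= max_denied:
            flagged.add(user)
            continue
        for i, start in enumerate(events):
            recent = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            if len({e["patient"] for e in recent if e["allowed"]}) > max_patients:
                flagged.add(user)
                break
    return flagged

def sample_run():
    """Constructed audit trail: normal clinician use, one account probing
    charts it is not assigned to, and one front-desk credential pulling
    six charts in six minutes."""
    audit, t0 = [], datetime(2026, 4, 14, 9, 0)
    authorize_and_log(audit, "dr_lee", "P100", t0)
    authorize_and_log(audit, "dr_lee", "P101", t0 + timedelta(hours=1))
    for n in (101, 102):  # nurse_kim is only on P100's care team
        authorize_and_log(audit, "nurse_kim", f"P{n}", t0 + timedelta(minutes=n))
    for n in range(150, 156):  # bulk pull from a single broad account
        authorize_and_log(audit, "front_desk", f"P{n}", t0 + timedelta(minutes=n))
    return flag_suspicious(audit)

if __name__ == "__main__":
    print(sorted(sample_run()))  # ['front_desk', 'nurse_kim']
```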