Four Healthcare Data Breaches Exposed 72,000 Patients in Recent Weeks—Here's What Happened

Martin Holloway | Published 2w ago | 5 min read | Based on 3 sources

Between mid-April and early May 2026, four healthcare organizations reported significant data breaches to the Department of Health and Human Services, collectively compromising information belonging to more than 72,000 patients. The incidents varied in size and nature but reveal patterns worth understanding if you work in healthcare, IT, or are simply curious about how patient data gets exposed.

The largest breach involved City Health, a California-based medical corporation, which reported unauthorized access to patient medical records affecting 65,000 people on April 14. The Iowa Department of Health and Human Services followed with a report on April 16 about unauthorized network access that compromised data for 6,717 patients. Two more breaches came to light on May 1: the University of Michigan/Michigan Medicine disclosed unauthorized access to records affecting 551 people, and Integrated Pain Associates in Texas reported a hacking attack on their network servers that impacted 500 patients.

How These Breaches Get Reported

These four incidents fall under HIPAA (the Health Insurance Portability and Accountability Act), which is the federal law governing patient privacy. HIPAA requires that when healthcare organizations lose control of patient data affecting 500 or more people, they must report it to the HHS Office for Civil Rights. These reports go into a public database that anyone can search.

Organizations must notify HHS without unreasonable delay—generally within 60 days of discovering the breach. For smaller breaches affecting fewer than 500 people, reporting still happens but usually just once a year rather than immediately, meaning the public knows less about them in real time.

Two Different Types of Attacks

When you look at these four breaches, a pattern emerges. Three of them involved "unauthorized access/disclosure," which typically means either someone with legitimate access abused that access or attackers stole login credentials and used them to get in. Only the Texas pain management practice fell into the "hacking/IT incident" category, meaning a more traditional cyberattack from outside.

This pattern reflects a real challenge in healthcare: the systems that store patient records—electronic medical records (EMRs) and network servers—need broad access permissions so that doctors, nurses, and staff can do their jobs. That flexibility creates opportunity. A disgruntled employee could access records they shouldn't see. Or if attackers steal someone's username and password, they can move through the system more easily because the access rules are loose.

Where These Breaches Happened

The City Health breach in California dwarfs the others, representing roughly 90 percent of all affected patients. The other three incidents were scattered across Iowa, Michigan, and Texas, hitting different types of organizations: a state health department, a university medical center, and a private practice. The geographic spread and mix of organization types suggest these were separate, unconnected incidents rather than part of a coordinated attack.

Historical Context

We have seen this pattern before. During COVID-19, healthcare organizations rushed to build out digital systems and move patient care online—which was necessary and good—but often prioritized speed over security. Many of those systems are still running today with their original security setups, which means vulnerabilities from five years ago are still creating risk. As attackers get smarter about targeting healthcare specifically, these aging systems become easier targets.

What Happens Next

The HHS Office for Civil Rights will investigate each breach, which typically takes six to eighteen months. The investigations look at what went wrong, whether the organization had adequate safeguards in place, and whether they discovered and reported the breach in a timely manner. The affected organizations have to notify patients within 60 days, document what they did to fix the problem, and cooperate with investigators. Depending on what was exposed, they may also face lawsuits from affected patients or additional penalties from state regulators.

The Broader Security Challenge

These breaches point to a real gap in how healthcare organizations think about security. Most have spent money on protecting the perimeter: firewalls, intrusion detection, and other controls meant to stop attackers from getting in from outside. But many of these breaches happen because someone already inside the system had too much access, or because attackers stole credentials and moved laterally through loosely connected systems. That's a different problem, and it requires a different approach.

A security strategy called "zero trust" is increasingly relevant in healthcare. The basic idea: assume attackers could already be inside your network, so verify every access request rather than trusting users once they've logged in. It limits what any single person can see or do, and it creates detailed logs of who accessed what and when. Given the concentration of patient data in large hospital systems, a single successful attack can now affect hundreds of thousands of people. That risk profile is changing how hospitals need to think about their defenses.
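The per-request verification and access logging described above, sketched as an added example (not from the original article or from any organization it names). The class names, the 15-minute re-verification window, and the sample users and patient IDs are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_AUTH_AGE = timedelta(minutes=15)  # assumed re-verification window

@dataclass
class Request:
    user: str
    role: str
    patient_id: str
    action: str                  # "read" or "write"
    authenticated_at: datetime   # last time identity was verified

@dataclass
class PolicyEngine:
    care_team: dict              # patient_id -> users currently treating that patient
    role_actions: dict           # role -> actions that role may perform
    audit_log: list = field(default_factory=list)

    def authorize(self, req: Request, now: datetime) -> bool:
        reason = self._deny_reason(req, now)
        # Log every decision, allowed or denied: who, what, when, and why.
        self.audit_log.append({"time": now.isoformat(), "user": req.user,
                               "patient": req.patient_id, "action": req.action,
                               "allowed": reason is None, "reason": reason or "ok"})
        return reason is None

    def _deny_reason(self, req: Request, now: datetime):
        if now - req.authenticated_at > MAX_AUTH_AGE:
            return "stale_authentication"        # a past login is not trusted forever
        if req.action not in self.role_actions.get(req.role, set()):
            return "action_not_permitted_for_role"
        if req.user not in self.care_team.get(req.patient_id, set()):
            return "no_treatment_relationship"   # valid staff login, wrong patient
        return None

def run_constructed_requests():
    """Evaluate four constructed requests; return (decisions, audit_log)."""
    now = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(hours=9)
    engine = PolicyEngine(care_team={"P-1001": {"nurse_a"}},
                          role_actions={"nurse": {"read"}, "physician": {"read", "write"}})
    requests = [
        Request("nurse_a", "nurse", "P-1001", "read", fresh),   # on the care team
        Request("nurse_a", "nurse", "P-2002", "read", fresh),   # not her patient
        Request("nurse_a", "nurse", "P-1001", "write", fresh),  # role cannot write
        Request("nurse_a", "nurse", "P-1001", "read", stale),   # verification too old
    ]
    return [engine.authorize(r, now) for r in requests], engine.audit_log
```

Only the first request is allowed; the other three are denied for different reasons, and all four land in the audit log with the reason recorded.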

It is also worth noting that the 500-person threshold for immediate public reporting creates a blind spot. Smaller breaches—dozens or hundreds of patients—might happen more frequently but never make the news because they are reported in batches once a year. Healthcare security teams see a more complete picture than the public does, even though both are looking at the same data streams.