March 31

Five Million Records. Sixty Days. 2026 Is Already a Problem.


The story of healthcare breaches in Q1 2026 can be told in two numbers: 44 incidents and nearly 5 million records exposed, all before the calendar reached March. Across January and February 2026, those 44 reported incidents exposed or compromised the protected health information of nearly 5 million individuals.

That works out to an average of over 3.5 breaches reported per week, affecting an average of over 400,000 individuals every week since the beginning of the year. It’s important to note that the HHS OCR breach portal is not updated in real-time; that, along with the 45-day breach notification window, means we’ll likely see dozens more Q1 2026 breaches announced on the portal over the next several weeks.

The mechanisms driving these incidents, ranging from ransomware groups with names like Qilin, to supply chain failures running several layers deep, to a single employee with valid credentials who accessed records they had no business viewing, tell a story that every healthcare organization needs to hear.

Here is a closer look at four of the most significant breaches reported to HHS OCR so far this year, what they reveal about the current threat landscape, and what they mean for your organization.

Your Subcontractor’s Subcontractor Just Lost Your Data

TriZetto Provider Solutions, a Cognizant subsidiary and healthcare revenue management clearinghouse based in Missouri, submitted a breach report in February 2026 covering 3,433,965 individuals. It is the single largest breach reported in the dataset so far this year, and it represents a failure mode that the healthcare sector has not yet figured out how to contain.

On October 2, 2025, TriZetto detected suspicious activity within a web portal used by healthcare provider clients to access its systems. The forensic investigation that followed determined that unauthorized access had begun in November 2024, nearly a year before detection. During that period, the threat actor accessed historical eligibility transaction reports containing names, addresses, dates of birth, Social Security numbers, health insurance member numbers (including Medicare beneficiary identifiers for some individuals), provider names, and additional demographic and health insurance data.

What makes this breach particularly instructive is the chain of relationships it ran through. TriZetto was not a direct vendor to many of the affected patients’ providers. In a number of cases, TriZetto served as a subcontractor to OCHIN, which was itself a business associate of the covered entities. Patients received breach notification letters from an organization they had never heard of, about a relationship they did not know existed, describing data they did not know had been shared.

TriZetto engaged cybersecurity firm Mandiant to investigate, notified affected healthcare providers in December 2025, and offered to handle individual notification and OCR reporting on behalf of its clients, covering the cost of credit monitoring services in the process. Those remediation steps are appropriate. But they do not change the core lesson: your risk posture is not determined solely by your own security controls. It is shaped by every vendor, subcontractor, and downstream partner that touches your data. If you do not know who those parties are and how they protect PHI, you are carrying risk you cannot see.

Nine Months Too Late

Nine months may be just right for a pregnancy… but for breach notification, that’s several lifetimes.

ApolloMD Business Services, an Atlanta-based physician practice management company serving more than 125 practices across 18 states, reported a breach in February 2026 covering 626,540 individuals. The breach itself occurred in May 2025.

Between May 22 and May 23, 2025, the Qilin ransomware group accessed ApolloMD’s network, exfiltrated 238 GB of data, and posted about the attack on a dark web forum on June 12, 2025. The stolen data included patient names, addresses, dates of birth, diagnosis information, provider names, dates of service, treatment information, health insurance details, and Social Security numbers for a subset of individuals.

ApolloMD notified affiliated physician practices between July and September 2025. Patient notification letters began going out on September 17, 2025. The full 626,540-person count did not reach HHS OCR until February 2, 2026: nine months after the attack.

That delay deserves attention. The HIPAA Breach Notification Rule requires covered entities to notify HHS of large breaches within 60 days of discovery. When a forensic investigation spans months, the clock on notification can be difficult to manage, but affected individuals carry the cost of that delay. While the investigation was ongoing, anyone in that dataset could have faced fraudulent medical claims, medical identity theft, or tax fraud using their Social Security number, without knowing they needed to be on guard. Credit monitoring, offered after the fact, catches financial fraud only after it has occurred. It does nothing for medical identity theft.

Qilin is not a one-time threat. The group targeted more than 700 organizations in 2025 alone, with healthcare ranking among its most frequently attacked sectors. If your organization lacks network segmentation, endpoint detection, and a tested incident response plan, Qilin, or a group operating exactly like it, will eventually identify that gap.

No Hacker Required

The Minnesota Department of Human Services breach, reported to HHS OCR on January 16, 2026, and covering 303,965 individuals, does not fit the standard ransomware narrative. There was no external attacker in the conventional sense. There was a user with valid credentials who accessed data they were not authorized to see.

The breach involved MnChoices, a state-managed system used by counties, Tribal Nations, and managed care organizations to support long-term services and supports assessment and planning. FEI Systems, the third-party vendor managing the platform, detected unusual activity in November 2025 and reported it to the state. The user in question was associated with a licensed healthcare provider and had legitimate access to portions of the system. The problem was scope: the user accessed significantly more than their role permitted.

The data accessed included names, sex, dates of birth, phone numbers, addresses, Medicaid ID numbers, and the last four digits of Social Security numbers for approximately 303,965 individuals. For 1,206 of those individuals, the user accessed additional sensitive demographic data, including ethnicity, birth records, physical traits, education, income, and benefits information.

This is the insider threat variant that often gets underestimated: not a malicious actor exploiting a vulnerability, but a user with too much access and insufficient oversight. Role-based access controls, least-privilege enforcement, and continuous audit logging exist precisely to catch and contain incidents like this one. If your systems cannot tell you who accessed which records, when, and whether that access fell within the scope of their role, you are not equipped to detect this category of breach until it is far too late.
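As an added example (not code from MnChoices, FEI Systems, or the State of Minnesota), the Python below reviews a few constructed audit lines and answers the three questions the paragraph above puts to an access log: which records a user touched outside their assigned caseload, whether sensitive fields were read on those records, and whether the day's distinct-record count exceeded what the role is expected to touch. The caseload model, the per-role ceilings, the field names, and the log format are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical role model (constructed): each user's assigned caseload of client
# records, and the number of distinct records that role is expected to open per day.
CASELOADS = {
    "u-assessor-17": {"c-1001", "c-1002", "c-1003"},
    "u-supervisor-2": {"c-1001", "c-1002", "c-1003", "c-2001", "c-2002"},
}
DAILY_RECORD_CEILING = {"u-assessor-17": 4, "u-supervisor-2": 40}
SENSITIVE_FIELDS = {"ssn_last4", "income", "benefits", "ethnicity", "birth_record"}

# Constructed audit lines: <timestamp> <user> <client record> <fields viewed>
AUDIT_LOG = """\
2025-11-03T08:02:11Z u-assessor-17 c-1001 demographics
2025-11-03T08:05:40Z u-assessor-17 c-1002 demographics,medicaid_id
2025-11-03T08:09:03Z u-assessor-17 c-2001 demographics,ssn_last4
2025-11-03T08:09:15Z u-assessor-17 c-2002 demographics,ssn_last4
2025-11-03T08:09:27Z u-assessor-17 c-3001 demographics,income,benefits
2025-11-03T09:30:00Z u-supervisor-2 c-2001 demographics
"""

def parse_audit_log(text):
    """Parse the constructed line format into (timestamp, user, record, fields)."""
    rows = []
    for line in text.splitlines():
        ts, user, record, fields = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rows.append((stamp, user, record, set(fields.split(","))))
    return rows

def review_access(rows):
    """Return the findings an access-governance review should surface."""
    out_of_scope, sensitive_out_of_scope = [], []
    per_day = defaultdict(set)
    for ts, user, record, fields in rows:
        per_day[(user, ts.date().isoformat())].add(record)
        if record not in CASELOADS.get(user, set()):  # access outside assigned caseload
            out_of_scope.append((user, record, ts.isoformat()))
            if fields & SENSITIVE_FIELDS:  # sensitive data read on an out-of-scope record
                sensitive_out_of_scope.append((user, record, sorted(fields & SENSITIVE_FIELDS)))
    # Distinct records per user per day above the role's expected ceiling
    over_ceiling = {k: len(v) for k, v in per_day.items()
                    if len(v) > DAILY_RECORD_CEILING.get(k[0], 0)}
    return {"out_of_scope": out_of_scope,
            "sensitive_out_of_scope": sensitive_out_of_scope,
            "over_ceiling": over_ceiling}

if __name__ == "__main__":
    for kind, hits in review_access(parse_audit_log(AUDIT_LOG)).items():
        print(kind, hits)
```

The caseload check is the role-scope question; the daily ceiling is the cheap volume signal that would have flagged a user reading far more than their assignment long before a count reached the hundreds of thousands.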

Small Provider, Big Problems

The Counseling Center of Wayne and Holmes Counties, a behavioral health provider based in Wooster, Ohio, reported a breach in February 2026 covering 83,354 individuals. The organization was first alerted to suspicious activity on March 3, 2025, when a third-party service provider reported a disruption to its IT systems. The investigation determined that an unauthorized party had gained access to a single server beginning on March 2, 2025.

The data compromised includes names, Social Security numbers, financial account information, and medical records. For a behavioral health provider, the sensitivity of that medical record data runs deeper than most: it may include diagnosis information, treatment history, and provider notes tied to mental health conditions that patients have a heightened interest in keeping private. When Social Security numbers, financial account details, and behavioral health treatment records are exposed together, attackers gain a combination of identity data and personal context that can be leveraged for targeted phishing, medical identity fraud, and insurance misuse in ways that are difficult for victims to detect or reverse.

The notification timeline adds another layer of concern. Suspicious activity was identified in March 2025. Affected individuals did not receive written notice until February 2026, nearly eleven months later. The forensic review concluded on December 9, 2025, and notification followed in early February 2026. That timeline is within the technical requirements of the HIPAA Breach Notification Rule, but it illustrates a broader challenge for smaller healthcare organizations. When a breach occurs, the forensic investigation, data review, notification preparation, and regulatory reporting process are resource-intensive. Organizations that have not pre-built an incident response plan, engaged a breach response vendor, or documented their data inventory will spend months in a reactive posture that delays everything downstream.

Small and mid-sized providers are not immune to sophisticated attacks. They are frequently targeted precisely because their defenses are thinner and their incident response capacity is limited.

Four Breaches, One Problem

Taken together, these incidents cover the full spectrum of how healthcare data gets compromised in 2026: supply chain failures cascading through vendor and subcontractor relationships, ransomware from a named and active threat actor, credential abuse by an over-privileged user, and a direct attack on a small community provider. There is no single control that addresses all four. But there is a common thread: each of these organizations lacked visibility, vendor oversight, or access governance to detect and contain the incident before it escalated.

Nearly 5 million individuals had their protected health information exposed in the first 60 days of 2026, and many more are likely to be added to the portal in the coming weeks as late-reported Q1 breaches are posted.

If your organization does not have a current HIPAA risk analysis, documented vendor management processes, and continuous monitoring of technical safeguards, you are operating with a gap that is increasingly difficult to justify to your patients, your partners, and your regulators.


Sentraeus360 was built to close exactly these gaps for healthcare organizations that cannot afford a dedicated compliance staff. Learn more or schedule a demonstration at 360.axeleos.com.
