Health Care Data Breaches | Full 2025–2026 Tracker of Every Major Health System Hack, Leak & Patient Data Exposure

Knowledge Hub
Health Care Data Breaches

A health care data breach happens when protected patient information, medical records, insurance details, Social Security numbers, or treatment history is accessed, stolen, or exposed without authorization. Between 2024 and 2026, health care data breaches affected more Americans than any other industry, with individual incidents such as the Change Healthcare and Oracle Health breaches each affecting tens of millions of patients. This page tracks the major breaches, explains how they happen, and shows you exactly what to do if your information was exposed.

What Is a Health Care Data Breach?

A health care data breach is any unauthorized access, disclosure, or theft of protected health information (PHI) held by a hospital, insurer, health-tech vendor, or government health program. It can result from a targeted ransomware attack, a compromised employee account, or a vulnerability at a third-party vendor that never directly touches a patient. Health care has held the title of the costliest industry for data breaches for 15 consecutive years, with the average US health care breach now costing $7.42 million per incident, according to IBM’s 2025 Cost of a Data Breach Report.

How Health Data Breaches Happen (Ransomware, Insider Threats, Third-Party Vendors)

Most health data breaches trace back to one of three root causes: ransomware gangs encrypting or exfiltrating hospital systems, employees mishandling or misusing access to patient records, and third-party vendors, billing companies, EHR providers, and claims clearinghouses getting breached and exposing every hospital that relies on them. The third category has become the dominant pattern in 2025 and 2026, since a single vendor compromise can cascade into notifications from dozens of unrelated health systems, as seen with the Oracle Health/Cerner and Cognizant TriZetto incidents below.

What Counts as “Protected Health Information” (PHI) Under HIPAA

PHI is any individually identifiable health information created, received, or maintained by a covered entity or its business associate, and it covers far more than diagnosis codes. Names, addresses, Social Security numbers, insurance member IDs, medical record numbers, billing details, and clinical notes all qualify as PHI when they’re tied to a specific patient. This broad definition is why a breach at a billing vendor or claims processor, which never treats a single patient, still triggers the same HIPAA breach notification obligations as a breach at a hospital.

Why Health Care Is the #1 Target for Cybercriminals

Medical records sell for far more on the dark web than stolen credit card numbers because they contain everything needed for long-term identity theft, insurance fraud, and medical fraud in one package, and they can’t be canceled and reissued the way a credit card can. Combine that with hospitals’ reliance on legacy systems, life-critical uptime pressure that pushes many victims toward paying ransoms quickly, and a sprawling web of third-party vendors, and healthcare becomes the most attractive and most expensive sector for attackers to hit, a pattern IBM’s data confirms has held for a decade and a half straight.

Major Health Care Data Breaches (2025–2026 Live Tracker)

The 2025–2026 period produced some of the largest confirmed health data breaches on record, spanning ransomware attacks, vendor compromises, and legacy system exploits across hundreds of hospitals and health plans nationwide.

Oracle Health / Cerner Breach, Timeline and Patient Impact

Oracle Health, the EHR business formerly known as Cerner, disclosed that an unauthorized third party used stolen credentials to access legacy Cerner servers as early as January 22, 2025, and that the intrusion was discovered on February 20, 2025. Law enforcement initially asked Oracle Health and its hospital clients to delay patient notifications during the investigation, and by the time that restriction lifted, reporting from Becker’s Hospital Review indicated as many as 80 hospitals may have been affected, with health systems continuing to send breach letters into 2026. Compromised data varies by provider but commonly includes names, dates of birth, Social Security numbers, medical record numbers, and clinical details such as diagnoses and test results. Multiple lawsuits have since been filed against Oracle Health, alleging negligence in securing servers inherited from its 2022 acquisition of Cerner.

Change Healthcare Data Breach: What Happened

The February 2024 ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary, stands as the largest health care data breach ever recorded, ultimately affecting an estimated 190 million individuals after UnitedHealth nearly doubled its original impact estimate in early 2025. The ALPHV/BlackCat ransomware group exfiltrated data including names, Social Security numbers, insurance information, and clinical and billing details, and UnitedHealth reportedly paid a $22 million ransom, only for a dispute among the attackers to result in the stolen data being posted anyway. The incident disrupted claims processing and pharmacy operations nationwide for weeks and remains the benchmark case cited whenever regulators or Congress discuss health care cybersecurity risk.

Ascension, UnitedHealth Group & Other Major Health System Breaches

Ascension, one of the largest nonprofit health systems in the US, was hit twice in close succession: a May 2024 ransomware attack that exposed 5.6 million patient records, followed by a separate December 2024 incident traced to a former business partner’s vulnerable file-transfer software, which HHS filings show affected 437,329 patients and has been linked to the Cl0p ransomware group’s exploitation of a Cleo software flaw. UnitedHealth Group’s Optum subsidiary also disclosed a related breach at Episource, a medical coding vendor, in early 2025. Other major health systems reporting breaches across this period include Corewell Health, Community Health Systems, Northwell Health, Novant Health, Sutter Health, and dozens more listed below.

Full A–Z List of Affected Health Systems and Providers

Health systems and providers that have disclosed data breaches in recent tracking periods include:

  • Ascension Health, Advocate Aurora/Advocate Health, Allegheny Health Network, Ardent Health, Atrium Health, Aurora Health Care
  • Banner Health, Baptist Health, Broward Health, Cardinal Health, CommonSpirit Health, Community Health Systems, Corewell Health, Covenant Health, CVS Health
  • Dignity Health, Frederick Health, Geisinger Health, Harvard Pilgrim Health Care, Henry Ford Health, Hospital Sisters Health System
  • Integris Health, IU Health, Kaiser Foundation Health Plan, Kettering Health, Lehigh Valley Health Network, Magellan Health, McLaren Health, MedStar Health, Mercy Health
  • Northwell Health, Novant Health, Palomar Health, Premier Health, Prisma Health, Sanford Health, Shields Health Care Group, SSM Health, Sutter Health
  • Trinity Health, UCLA Health, UC San Diego Health, UnitedHealth Group/UnitedHealthcare, UnityPoint Health, Universal Health Services

New health systems continue to disclose breaches on a rolling basis; check this tracker periodically for updates, or run a free scan at dexpose.io/free-darkweb-report to assess your own exposure.

Regional & Government Health Data Breaches

Health data breaches aren’t a uniquely American problem; regulators in Australia, Canada, Singapore, and New Zealand have all reported significant health-sector incidents through 2025 and 2026, and US state and federal health agencies have faced their own share of exposures.

Health Data Breaches in Australia (Month-by-Month 2025–2026)

The Office of the Australian Information Commissioner reported 532 data breach notifications in the January–June 2025 period, with the health sector accounting for the largest single share at 18% of all reported breaches, ahead of finance and Australian government agencies. That followed a record 1,113 breach notifications across all of 2024, a 25% jump from 2023, with malicious or criminal attacks driving the majority of incidents and the health sector consistently topping the list of most-affected industries month over month.

US State Department of Health Breaches (Florida, Texas, Maryland, Colorado)

State health agencies and health insurance exchanges have faced their own breaches independent of private health systems. The most prominent example is DC Health Link, the District of Columbia’s ACA marketplace, which confirmed in March 2023 that the personal information of tens of thousands of enrollees, including members of Congress and their families, had been accessed and posted publicly, with the incident ultimately affecting up to 170,000 individuals. The agency agreed to a $1.45 million class action settlement in early 2025, with payments issued to affected class members by September 2025.

International Health Data Breaches (Canada, Singapore, Egypt, NZ)

Outside the US, health agencies in Canada (Interior Health), New Zealand (Manage My Health), Singapore, and Egypt’s health ministry have all disclosed patient data exposures in recent reporting periods, typically driven by the same factors seen domestically: third-party software vulnerabilities, ransomware, and misconfigured systems. These incidents reinforce that health data is a global target regardless of a country’s regulatory framework.

How Health Care Data Breaches Happen: Attack Vectors

Understanding the specific attack vectors behind health care breaches helps organizations prioritize defenses where they matter most, since a handful of recurring patterns account for the vast majority of incidents.

Ransomware Attacks on Hospitals and Health Networks

Ransomware remains the single most disruptive attack vector in health care, as seen in both the Change Healthcare and Ascension incidents, where attackers combined data theft with system encryption to maximize leverage for extortion. IBM’s 2025 research found that while more organizations are refusing to pay ransoms (63% versus 59% the prior year), average ransom demands remain around $5.08 million, and healthcare’s life-critical operations make it uniquely pressured to pay or restore systems quickly regardless of cost.

Third-Party and Supply Chain Breaches (e.g., Cognizant TriZetto)

Third-party and supply chain breaches now rival direct attacks as the leading source of health care data exposure. Cognizant’s TriZetto Provider Solutions, a claims clearinghouse used by hospitals and physician practices nationwide, detected unauthorized access dating back to November 2024 and disclosed in early 2026 that more than 3.4 million individuals were affected, even though most patients had no direct relationship with TriZetto itself. This pattern, where a vendor breach cascades into notifications from dozens of unrelated providers, is now one of the fastest-growing sources of health data exposure.

Phishing and Credential Theft in Healthcare

Phishing overtook stolen credentials as the leading initial access vector across all industries in 2025, according to IBM, accounting for roughly 16% of breaches and costing an average of $4.8 million per incident when successful. Healthcare staff, often juggling multiple systems and under constant time pressure, remain a preferred target for credential-harvesting campaigns that give attackers a foothold before any ransomware or data theft even begins.

What to Do If Your Health Data Was Breached

If you’ve received a breach notification letter or suspect your health information has been exposed, the steps you take in the following days matter more than the details of how the breach happened.

How to Check If Your Health Information Was Exposed

Start by checking whether your email address or personal details appear in known dark web leaks using a dedicated scanning tool, rather than waiting for a notification letter, since many organizations take months to identify and disclose incidents. DeXpose’s free dark web report and email data breach scan check whether your information has surfaced in known breach dumps, dark web markets, or malware logs, giving you a faster answer than waiting on a provider’s notification timeline.

Steps to Take After a Health Care Data Breach Notice

Once you’ve confirmed exposure, place a fraud alert or credit freeze with the major credit bureaus, enroll in any free credit monitoring the breached organization offers, and watch closely for medical billing statements or insurance claims you don’t recognize, since medical identity theft often surfaces first through fraudulent claims rather than financial fraud. Change passwords for any patient portal or insurance account, and treat unsolicited calls or emails referencing the breach with suspicion, as scammers frequently spoof breach notifications.

Monitoring the Dark Web for Leaked Health Records

Because stolen medical records tend to circulate on dark web marketplaces and forums long after the initial breach, ongoing monitoring is more effective than a single point-in-time check. Continuous dark web monitoring flags new appearances of your information as they surface, rather than leaving you to wonder whether old breach data has resurfaced in a fresh combo list or marketplace listing.

Legal Consequences & Class Action Lawsuits

Health care data breaches routinely trigger both regulatory penalties and civil litigation, and the financial consequences frequently extend years beyond the initial incident.

Notable Health Data Breach Class Actions and Settlements

The DC Health Link breach settlement, at $1.45 million covering roughly 170,000 affected individuals, illustrates a now-common outcome: organizations settle without admitting wrongdoing, and class members can claim documented losses up to $10,000 depending on how directly their data was exposed. Litigation tied to the Change Healthcare breach has also continued well past the initial incident, with a Nebraska Attorney General lawsuit against the company surviving a motion to dismiss in late 2025, a sign that regulators are pursuing accountability even years after a breach occurs.

HIPAA Violation Penalties and Regulatory Fines

HIPAA enforcement uses a four-tier civil penalty structure based on culpability, ranging from a minimum of $145 per violation for genuinely unknowing violations up to $2,190,294 per violation category per year for uncorrected willful neglect, under 2025–2026 inflation-adjusted figures from HHS. In practice, the Office for Civil Rights has focused heavily on failures to conduct compliant risk analyses, with settlements in 2025 ranging from $25,000 for smaller providers to $3 million for larger organizations that suffered a major breach without performing adequate risk assessments beforehand.

How to Prevent Health Care Data Breaches (For Organizations)

Preventing a health care data breach requires visibility into exposure that already exists, leaked credentials, exposed assets, and vulnerable vendors, rather than relying solely on perimeter defenses that ransomware groups and phishing campaigns routinely bypass.

Dark Web Monitoring for Health Systems

Continuous dark web monitoring gives health systems early warning when employee credentials, patient data samples, or internal system access appear for sale or are exposed on dark web forums and marketplaces, often well before a full-scale breach is publicly disclosed. Given that healthcare breaches take an average of 279 days to identify and contain, per IBM’s 2025 findings, early detection through dark web visibility can meaningfully shrink that window.

Attack Surface Management for Hospital Networks

Hospital networks typically span decades of acquired systems, medical devices, and legacy EHR infrastructure, and attack surface mapping identifies which of those exposed assets are actually reachable by attackers before they become the next Oracle Health-style entry point. Regular attack surface reviews are especially critical after mergers and acquisitions, since inherited legacy systems, as seen in the Oracle Health/Cerner incident, are a recurring source of breaches years after the underlying deal closes.

Vendor/Supply Chain Risk Monitoring

Given how often breaches now originate at billing companies, claims clearinghouses, and EHR vendors rather than at the hospital itself, ongoing supply chain monitoring gives health systems visibility into their vendors’ breach exposure before a cascading notification event forces their hand. The TriZetto and Cleo/Ascension incidents both demonstrate that a health system’s own security posture is only as strong as its weakest connected vendor.

Frequently Asked Questions

What was the largest health care data breach in 2025/2026?

The Change Healthcare breach remains the largest health care data breach on record, ultimately affecting an estimated 190 million individuals, according to UnitedHealth’s 2025 update. However, the underlying ransomware attack occurred in February 2024. Among incidents newly confirmed in the 2025–2026 window itself, the Cognizant TriZetto breach, affecting more than 3.4 million individuals, and the Oracle Health/Cerner breach, impacting patients across as many as 80 hospitals, are the two largest.

How do I know if my health data was part of a breach?

Check your email address against known breaches and dark web data using a scanning tool rather than waiting for a notification letter, since organizations often take months to identify and disclose an incident. DeXpose’s free dark web report and email breach scan both check your information against known exposure sources in minutes.

What is the average cost of a health care data breach?

Health care data breaches cost an average of $7.42 million in the US, according to IBM’s 2025 Cost of a Data Breach Report, making it the most expensive industry for breach costs for the 15th consecutive year. Healthcare breaches also take the longest to identify and contain of any industry, averaging 279 days from initial compromise to full containment.

Is my provider’s data breach still under investigation?

Many health data breaches remain under active investigation for months or even years after initial disclosure, particularly when litigation, regulatory review, or ongoing forensic analysis is involved, as seen in the ongoing Change Healthcare litigation more than a year after the original attack. Check your provider’s official breach notification page directly for the most current status, since investigation timelines and total affected numbers are frequently revised upward as review continues.

Free Dark Web Report

Keep reading

No results found.