Vol. 1 · No. 19 · Tuesday, May 5, 2026 · Edition: National

HIPAA Pulse.

Breach intelligence · HIPAA news · Prevention
From Patient Protect
Live data · Updated nightly

Breach intelligence tracker

Every HIPAA breach reported to HHS OCR, every State AG notification we can parse, every OCR enforcement action, and the FTC and CISA filings adjacent to healthcare. Maintained by Patient Protect Research and free to use with attribution.

Incidents reported: 178 (last 30 days, all sources)
Individuals affected: 3665.26M (cumulative across the archive)
Confirmed breaches: 62% (2,094 of 3,388 incidents)
Total in archive: 3,388 (all-time tracked)

Recent breaches

| Organization | State | Records | Vector | Source | Reported |
|---|---|---|---|---|---|
| DATCP Home | WI | | Breach | State AG | May 4 |
| Sierra Nevada Health Plan | NV | 250,000 | Hacking | State AG | May 1 |
| Texas Tech University Health Sciences Center | CA | | Unknown | State AG | Apr 24 |
| Marin Cancer Care | CA | | Unknown | State AG | Apr 23 |
| Harbor Developmental Disabilities Foundation (d/b/a Harbor Regional Center) | CA | | Unknown | State AG | Apr 22 |
| L.A. Care Health Plan | CA | 2,885 | Unauthorized Access/Disclosure | HHS OCR | Apr 27 |
| Innovative Scientific Solutions, LLC | SC | 143,842 | Hacking/IT Incident | HHS OCR | Apr 26 |
| Lennox International Inc. | TX | 3,709 | Hacking/IT Incident | HHS OCR | Apr 27 |
| Iowa Department of Health and Human Services | IA | 6,717 | Unauthorized Access/Disclosure | HHS OCR | Apr 27 |
| Providence | CA | -1 | Breach | State AG | Apr 16 |
| Washington VA Medical Center | DC | 1,467 | Unauthorized Access/Disclosure | HHS OCR | Apr 27 |
| Mazzola Mardon, P.C. | NY | 2,123 | Hacking/IT Incident | HHS OCR | Apr 26 |
| Pacific Northwest Health System | OR | 15,000 | Insider | State AG | Apr 15 |
| City Health, a medical corporation | CA | 65,000 | Unauthorized Access/Disclosure | HHS OCR | Apr 26 |
| Defense Health Agency | VA | 1,300 | Unauthorized Access/Disclosure | HHS OCR | Apr 27 |
| Community Psychiatry Management, LLC d/b/a Mindpath Health | CA | | Breach | State AG | Apr 14 |
| Pediatric Products, LLC | CA | -1 | Breach | State AG | Apr 14 |
| A-Z License List | WI | | Breach | State AG | Apr 13 |
| Instabase, Inc. | DE | 908 | Hacking/IT Incident | HHS OCR | Apr 27 |
| Springfield Hospital | VT | 5,892 | Hacking/IT Incident | HHS OCR | Apr 26 |
| CARE Clinic | MN | 500 | Hacking/IT Incident | HHS OCR | Apr 26 |
| Duncan Regional Hospital, Inc. | OK | 724 | Hacking/IT Incident | HHS OCR | Apr 27 |
| BUENA VISTA MANAGEMENT SERVICES, LLC DBA Windward Life Care | CA | | Breach | State AG | Apr 10 |
| Branch Metrics, Inc. | CA | 857 | Hacking/IT Incident | HHS OCR | Apr 27 |
| CardioFit Medical Group, Inc. | CA | | Breach | State AG | Apr 9 |

Recent OCR enforcement

Resolution agreements, civil money penalties, corrective action plans
| Organization | State | Records | Vector | Source | Reported |
|---|---|---|---|---|---|
| Texas Medical Practice | TX | 1 | Enforcement | OCR Enforcement | Dec 6 |
| New York Medical Practice | NY | 1 | Enforcement | OCR Enforcement | Nov 8 |
| California Medical Practice | CA | 1 | Enforcement | OCR Enforcement | Oct 18 |
| Lovelace Health System | NM | 1,900,000 | Enforcement | OCR Enforcement | Sep 20 |
| Allegheny Health Network | PA | 10,000 | Enforcement | OCR Enforcement | Aug 9 |
| Eye Care Leaders | NC | 3,000,000 | Enforcement | OCR Enforcement | Aug 1 |
| Perry Memorial Hospital | IL | 1 | Enforcement | OCR Enforcement | Jun 14 |
| Anthem, Inc. | IN | 78,800,000 | Enforcement | OCR Enforcement | Jun 1 |

Using this data in your reporting

For journalists, researchers, and compliance teams

Quote the tracker directly with attribution: cite HIPAA Pulse breach intelligence tracker, hipaapulse.com/tracker and link back. Limited verbatim quotation under fair use is fine; bulk reproduction, scraping, or use of the underlying data compilation in a derivative product is not (see our Terms).

Embeddable widgets are available under license to qualifying outlets. Email editor@hipaapulse.com with your publication, intended use, and audience size.

For the full multi-source dashboard with severity scoring, geographic mapping, entity intelligence, and enforcement analytics, see Patient Protect’s breach dashboard →

Suggested citation
HIPAA Pulse breach intelligence tracker. Patient Protect Research, retrieved May 5, 2026. hipaapulse.com/tracker

Methodology

The HIPAA Pulse breach tracker pulls from five public-record data streams that together form a near-complete picture of healthcare cybersecurity incidents. Each row in the tracker originates in a regulator filing, an enforcement action, or a government advisory — never an unverified claim.

Sources

HHS OCR Breach Portal (Primary)
The U.S. Department of Health and Human Services, Office for Civil Rights maintains the official Breach Notification Portal. Under HIPAA, covered entities must report breaches affecting 500 or more individuals. This is the most authoritative federal source for healthcare breach data.
State Attorney General notifications (Primary)
State AGs receive breach notifications under state-level data breach laws. Many states require notification for breaches smaller than the federal 500-person threshold, making AG data a critical supplement that often surfaces weeks before the federal portal updates.
OCR enforcement actions (Regulatory)
Resolution Agreements (negotiated settlements), Civil Money Penalties, and Corrective Action Plans imposed on covered entities for HIPAA violations. Enforcement data identifies which breaches led to regulatory consequences and the financial penalties that followed.
FTC Health Breach Notification Rule (Regulatory)
The Federal Trade Commission enforces the HBNR for entities that handle health data outside HIPAA’s jurisdiction — consumer health apps, wearable device makers, and non-HIPAA-covered services. FTC data captures healthcare-adjacent breaches the OCR portal does not.
CISA medical-device advisories (Cyber)
The Cybersecurity and Infrastructure Security Agency publishes advisories for vulnerabilities in medical devices and healthcare IT systems. Advisories include CVE identifiers, CVSS scores, affected products, and patch availability. They are leading indicators — flagged here as advisories, not breaches, until confirmed exploitation appears in HHS or AG filings.

What we exclude from the public tracker

The platform behind this tracker also ingests two streams we do not publish here: modeled breach projections (statistically inferred from leading indicators) and internal Patient Protect Network reports (community-reported incidents from the Patient Protect platform). These belong in compliance tooling, not in a public publication. The HIPAA Pulse tracker is restricted to incidents with public-record provenance: a regulator filing, an enforcement record, or a government advisory.

Severity, scoring, and reporting lag

Each incident carries a severity score (0–100) computed from individuals affected (35%), attack vector risk (25%), entity criticality (15%), enforcement history (10%), and source confidence (15%). Source confidence is highest for HHS OCR (95%) and FTC (90%); lower for unconfirmed sources. The dashed boundary between “moderate” and “high” severity in the table reflects the platform’s standard 60-point cutoff used in the Patient Protect breach dashboard.

Reporting lag — the gap between breach discovery and regulator notification — varies widely. HIPAA requires notification within 60 days, but many filings arrive later. The tracker shows the regulator-reported date, not the discovery date; lag analysis lives in the full breach dashboard.

Source links

HHS OCR Breach Portal → · FTC Health Breach Notification Rule → · CISA healthcare advisories → · Patient Protect breach dashboard →