With California leading the nation in incidents and 52 new investigations already launched in 2026, cybersecurity experts urge organizations to address critical network vulnerabilities.
Analysis of data from the US Department of Health and Human Services (HHS) Breach Portal reveals that more than 2,200 healthcare centers in the US have been affected by data breaches since 2023, according to research by cybersecurity firm Bridewell. In the first months of 2026, 52 healthcare centers are already under investigation for breaches impacting more than 5.5 million people.
The findings, which examined both active investigations and archived records, suggest persistent vulnerabilities in how healthcare organizations manage sensitive patient information. While the number of healthcare centers under investigation rose in 2025, the total number of individuals impacted decreased from an estimated 289 million in 2024 to 63 million in 2025.
Geographic Trends in Healthcare Security
California recorded the highest number of healthcare data breaches of any state, with 231 incidents affecting more than 52 million individuals. Texas followed with 172 incidents and 20 million people affected, while New York ranked third with 159 incidents and 13 million people affected. Florida and Illinois rounded out the top five states with 123 and 110 impacted medical centers, respectively.
In response to the volume of incidents, California enacted Senate Bill 446 in late 2025. The law introduced stricter breach notification requirements, mandating that organizations notify residents within 30 days and provide plain-language descriptions of what data was exposed and the steps taken to address the incident.
Recent High-Profile Incidents
Several major organizations have reported significant exposures recently. In December 2025, Blue Shield announced that a misconfigured Google Analytics setup shared the medical information of 4.7 million people with advertising platforms.
In February 2026, the New York City Health and Hospitals Corporation disclosed that an unauthorized actor accessed its network for two months. The exposed data included medical records, Social Security numbers, biometric data such as fingerprints and palm prints, and financial account details. Additionally, the Texas attorney general announced an investigation in February 2026 into Conduent Business Services following a data breach impacting more than 192 million people.
Factors Impacting Breach Rates
Experts suggest that while the industry is improving its response to attacks, prevention remains a challenge.
“It’s promising to see that the number of people impacted by healthcare data breaches declined in 2025; however, it’s clear that this is still a widespread issue,” says Kelechi Onyedebelu, director security solutions presales at Bridewell US, in a release.
Onyedebelu notes that the decrease in impacted individuals may be linked to updated Health Insurance Portability and Accountability Act rules that require network segmentation. This practice prevents attackers from automatically accessing an entire system once they gain entry. Faster detection and containment are also cited as factors limiting the scale of recent breaches.
However, the high volume of affected centers indicates that many organizations remain at risk. “Threat actors are targeting healthcare at an unprecedented scale, and while the industry is getting better at limiting the damage, it is not yet getting better at preventing intrusions in the first place. Issues like legacy infrastructure, unpatched systems, and inadequate access controls could all be contributing to widespread breaches,” says Onyedebelu in a release.