Patient Protect
HIPAA Pulse
April 15, 2026 · Bi-Weekly Briefing
Breach Shockwaves, Concentrated Risk & What to Fix Before the Next One
One big pattern, a few key signals, and concrete action you can take today.
Welcome to HIPAA Pulse — a briefing from Patient Protect for anyone carrying responsibility for HIPAA compliance or patient-data risk. Independent practices, health systems, MSPs, vendors, and security leaders who know the landscape is shifting.
This issue covers the most recent full reporting period. The headline number is 12 million individuals affected across 20 breaches. But the more important story is how concentrated that damage is — and what it means for practices that aren't OpenLoop Health.
View the live Breach Dashboard →
Stat of the Issue
70% of all reported healthcare breaches this period were Hacking/IT Incidents. That share hasn't meaningfully shifted in two years. The threat vector is not changing — defenses are just not keeping pace.
Risk Barometer · Most Recent Full Reporting Period
Total Breaches: 20 reported this period
Individuals Affected: 12,081,111 total (12M+)
Top Breach Type: Hacking / IT Incident, 70% of all reported breaches
Largest Single Breach: OpenLoop Health, disproportionate individual impact
Breach of Note
OpenLoop Health
Telehealth network · Hacking / IT Incident · Millions affected
OpenLoop Health, a telehealth and virtual care network, represents this period's most significant single-entity breach by individual impact. The incident is consistent with the dominant pattern in healthcare right now: a networked organization with broad patient reach becomes a single point of failure across every practice it serves.
The structural risk here is not unique to OpenLoop. Any platform that aggregates patient data across multiple practices — telehealth networks, clearinghouses, shared billing services — creates a concentration point that attackers are explicitly targeting. When the platform is breached, every organization connected to it is exposed.
The question for your practice: which platforms aggregate your patient data, and what is your exposure if one of them is compromised?
Three Signals That Matter Right Now
Hacking/IT Incidents Are Still Dominant — And More Coordinated
This category continues to lead, but the nature is evolving. These are no longer isolated attacks — they are credential-based intrusions, vendor pathway exploits, API and integration abuse, and multi-step access escalations. What looks like a single breach is often a chain of failures across systems.
That 70% share has not meaningfully shifted in two years. Frequency is stable; severity is increasing.
Large-Scale Exposure Is Becoming the Expected Outcome
Events impacting millions of individuals are no longer statistical outliers — they are the expected edge cases for organizations above a certain scale. OpenLoop, QualDerm, Navia, and Change Healthcare each represent concentrated exposure where a single breakdown exposes records at a scale that was once considered catastrophic. Your worst-case scenario is no longer theoretical.
Controls must now be designed around maximum exposure potential — not the average case.
Third-Party Vendors Remain the Hidden Attack Surface
The presence of entities like CareCloud and Stryker in this period's breach data is not incidental. Supply chain vulnerabilities and business associate failures are a structural problem. When a vendor is compromised, every client organization they serve becomes exposed — often without warning and sometimes without a properly executed BAA in place.
These are foundational failures — and they remain unresolved at scale across the industry.
30-Minute System Check — Run This Today
If you do nothing else this week, do this. Each item below is a known attack vector in the breach data above.
1. Audit user access — remove unnecessary privileges immediately. If someone left the practice, their credentials stay live until you revoke them.
2. Enforce MFA everywhere — email, EHR, vendor portals, billing systems. No exceptions. Every unguarded authentication point is a credential-based intrusion in waiting.
3. Review vendor access paths — which vendors touch your PHI right now? Is each one covered by a current, signed BAA? Pull the list and verify.
4. Check email forwarding rules — a commonly overlooked silent exfiltration vector. Review both user-created inbox rules and mailbox-level forwarding settings: a rule created from a compromised account keeps sending PHI to an outside address indefinitely and rarely triggers an alert on its own.
5. Validate your logging visibility — can you actually detect abnormal access behavior in your systems right now, or are you flying blind between reviews?
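As an added, runnable illustration of item 4 (example code written for this briefing, not part of the original page or of any Patient Protect product), the script below takes a forwarding export for a set of mailboxes and flags every rule or setting that sends mail outside the practice, along with the tell-tale signs that the forward was meant to stay hidden. The sample export is constructed: its field names follow the Exchange Online Get-Mailbox and Get-InboxRule properties (ForwardingSmtpAddress, ForwardTo, RedirectTo, DeleteMessage and so on), but the JSON layout, the clinic.example domain and every address in it are assumptions. In practice you would export the real rules with those cmdlets, or the equivalent in your mail platform, and feed that in.

```python
"""Flag inbox rules and mailbox-level forwarding that send mail outside the practice."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the practice's own mail domain(s). Anything else is treated as external.
INTERNAL_DOMAINS = {"clinic.example"}

# Folders attackers commonly pick to park forwarded originals where nobody looks.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "deleted items", "junk email"}

# Constructed sample export (not real data). Field names mirror Exchange Online's
# Get-Mailbox (ForwardingSmtpAddress, DeliverToMailboxAndForward) and Get-InboxRule
# (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage,
# MoveToFolder) properties; the JSON layout itself is an assumption.
SAMPLE_EXPORT = json.dumps([
    {"Mailbox": "frontdesk@clinic.example",
     "ForwardingSmtpAddress": None, "DeliverToMailboxAndForward": False,
     "InboxRules": [
         {"Name": "Vendor statements", "Enabled": True,
          "ForwardTo": ['"Billing" [SMTP:billing@clinic.example]'],
          "ForwardAsAttachmentTo": [], "RedirectTo": [],
          "DeleteMessage": False, "MoveToFolder": None},
         {"Name": ".", "Enabled": True,
          "ForwardTo": [], "ForwardAsAttachmentTo": ["[SMTP:intake@mail-drop.example]"],
          "RedirectTo": [], "DeleteMessage": True, "MoveToFolder": None},
     ]},
    {"Mailbox": "drjones@clinic.example",
     "ForwardingSmtpAddress": "smtp:drjones.home@webmail.example",
     "DeliverToMailboxAndForward": True, "InboxRules": []},
    {"Mailbox": "billing@clinic.example",
     "ForwardingSmtpAddress": None, "DeliverToMailboxAndForward": False,
     "InboxRules": [
         {"Name": "Claims copy", "Enabled": False,
          "ForwardTo": ['"Clearinghouse" [SMTP:claims@clearinghouse.example]'],
          "ForwardAsAttachmentTo": [], "RedirectTo": [],
          "DeleteMessage": False, "MoveToFolder": "RSS Feeds"},
     ]},
])

_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def smtp_address(recipient: Optional[str]) -> Optional[str]:
    """Extract the bare address from 'smtp:user@x' or '"Name" [SMTP:user@x]' forms."""
    match = _ADDR.search(recipient or "")
    return match.group(0).lower() if match else None


def is_external(address: str, internal_domains: set[str]) -> bool:
    return address.rsplit("@", 1)[-1] not in {d.lower() for d in internal_domains}


@dataclass
class Finding:
    mailbox: str
    source: str            # "mailbox setting" or the inbox rule's name
    severity: str          # "high": active external forward; "medium": disabled but still present
    targets: list[str]
    indicators: list[str] = field(default_factory=list)


def audit_forwarding(export_json: str, internal_domains: set[str]) -> list[Finding]:
    """Return one Finding per external forward, whether set at mailbox level or by a rule."""
    findings: list[Finding] = []
    for mbx in json.loads(export_json):
        name = mbx["Mailbox"]

        # 1. Mailbox-level forwarding: set by an admin, or by an attacker holding the account.
        fwd = smtp_address(mbx.get("ForwardingSmtpAddress"))
        if fwd and is_external(fwd, internal_domains):
            indicators = ["mailbox-level forward"]
            if mbx.get("DeliverToMailboxAndForward"):
                indicators.append("user still receives a copy, so nothing looks missing")
            findings.append(Finding(name, "mailbox setting", "high", [fwd], indicators))

        # 2. Inbox rules that forward or redirect outside the organisation.
        for rule in mbx.get("InboxRules") or []:
            raw = (rule.get("ForwardTo") or []) + (rule.get("ForwardAsAttachmentTo") or []) \
                + (rule.get("RedirectTo") or [])
            targets = {smtp_address(r) for r in raw}
            external = sorted(t for t in targets if t and is_external(t, internal_domains))
            if not external:
                continue
            indicators = []
            if rule.get("DeleteMessage"):
                indicators.append("deletes the original, hiding the exfiltration")
            folder = rule.get("MoveToFolder") or ""
            if folder.lower() in HIDING_FOLDERS:
                indicators.append(f"moves originals to '{folder}'")
            if not (rule.get("Name") or "").strip(" .-_"):
                indicators.append("evasive rule name")  # '.', '..', '-' are hard to spot in a rule list
            severity = "high" if rule.get("Enabled") else "medium"
            findings.append(Finding(name, rule.get("Name") or "", severity, external, indicators))
    return findings


def format_report(findings: list[Finding]) -> str:
    lines = [f"{f.severity.upper():6} {f.mailbox}  [{f.source}] -> {', '.join(f.targets)}"
             + (f"  ({'; '.join(f.indicators)})" if f.indicators else "")
             for f in findings]
    return "\n".join(lines) if lines else "No external forwarding found."


if __name__ == "__main__":
    print(format_report(audit_forwarding(SAMPLE_EXPORT, INTERNAL_DOMAINS)))
```

Run it as written to see the report on the constructed data, then point audit_forwarding at a real export. Treat a "medium" (disabled) finding as something to remove rather than ignore, since whoever created a disabled rule can re-enable it later; and remember that a mailbox-level forward that still delivers a copy to the user is the quietest variant, because nothing ever looks missing from the inbox.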
If any of these require "we think so" as an answer, you have measurable exposure. A current risk assessment will tell you exactly where.
Run the free assessment →
What This Points To
HIPAA risk is no longer a checklist problem. It's a live system problem. Data is moving across vendors, messaging platforms, APIs, mobile devices, and external tools — and most organizations cannot see that movement clearly. That's where risk is accumulating.
The breaches this period are not anomalies. They are the predictable output of systems that were documented but not enforced, audited annually but not monitored continuously. The practices that avoided incidents this period weren't lucky — they had visibility.
Worth Reading
HHS OCR Breach Portal →
The primary public record of reported healthcare breaches. The data in this issue is drawn directly from here. Worth bookmarking.
HHS HIPAA Security Rule Guidance →
The canonical source for Security Rule implementation guidance. If you haven't reviewed it recently, the section on risk analysis is worth rereading in light of current enforcement trends.
CISA Healthcare Cybersecurity Resources →
CISA's healthcare-specific threat intelligence and security guidance. Their advisories on healthcare-targeted ransomware are particularly relevant given this period's data.
Closing Note
Compliance isn't the only goal — confidence in security is what we're building toward. HIPAA Pulse is your ongoing source for the context, signals, and clarity that make that confidence possible.
Next issue drops April 29. We'll be watching OCR enforcement activity and the trajectory of vendor-pathway attacks as Q2 breach data comes in.
Patient Protect is a HIPAA compliance platform built for independent practices. If this briefing is useful, the platform is what we built to act on it.
Learn more →