HIPAA Pulse by Patient Protect

HIPAA Pulse | April 29 | Q1 Recap

HIPAA Pulse — April 29, 2026
Today we publish the Q1 2026 State of Compliance report. 207 breaches. 15.9M affected. 67.6% of impact from four upstream incidents.
April 29, 2026  ·  Bi-Weekly Briefing

The Q1 Record Is In  ·  Concentration, Cascades & What the Numbers Demand Next

Today we publish our Q1 2026 State of Compliance report. The headline finding: a small number of breaches did most of the damage.

Two weeks ago this briefing covered the 20 breaches and 12 million people affected from one OCR reporting window. The full Q1 number, once you compile across every public source, is bigger and more lopsided: 207 breaches and 15.9 million individuals affected. The OCR portal alone showed almost no March activity — just two breach reports against a queue of 978 cases under investigation.

The full picture only assembles when you compile across HHS OCR, fifty state attorneys general, FTC enforcement, CISA advisories, and primary entity disclosures. That compilation is what we just published — and inside it, one finding broke through everything else.

Just Published  ·  Vol. 1, Issue 1

State of Compliance

Q1 2026 Healthcare Breach Review

The inaugural quarterly research paper from the Secure Care Research Institute, drawing on the Patient Protect Breach Intelligence Dashboard's seven-source compilation. Thirty-eight pages, formal academic format, full methodology disclosure.

The central finding: four upstream business associate incidents drove 67.6% of all Q1 affected patients across just 1.9% of the period's breach count. Most of the risk in healthcare cybersecurity sits at a small number of upstream vendors. When one of them gets hit, the damage spreads to every practice they serve.

207 breaches  ·  15.9M affected  ·  67.6% from 4 incidents  ·  75% lift over OCR

Download the Q1 Report (PDF, 38 pp.) → Explore the Dashboard →

Perrin, A. (2026). State of Compliance: Q1 2026 Healthcare Breach Review. The State of Compliance Series, Vol. 1, Issue 1. Secure Care Research Institute, Patient Protect LLC.

Stat of the Issue

67.6% of all Q1 2026 affected patients trace to four upstream vendor breaches — TriZetto, QualDerm, HCIactive, and Insightin Health. Together those four account for less than 2% of the quarter's breach count. They drove most of the harm because they sit upstream of hundreds of practices.

Risk Barometer  ·  Q1 2026 (Across All Public Sources)

Q1 Breaches: 207 (across all public sources)

Patients Affected: 15.9M (across the full quarter)

OCR Investigation Queue: 978 (+10.9% year-over-year)

Multi-Source Lift: +75% (vs OCR-only late-March snapshot)

Largest Single Breach: TriZetto, 3.43M (upstream vendor breach)

Time to Disclosure: 64–195 days (range across Q1 cases)

Breach of Note

Healthcare Interactive (HCIactive)

AI-powered insurance enrollment platform  ·  Hacking / IT Incident  ·  3,056,950 affected

On September 22, 2025, HCIactive filed an initial breach report with HHS OCR using a placeholder figure of 501 affected individuals while the investigation continued. On January 7, 2026 — more than three months later — the company notified the Oregon Attorney General of the actual figure: 3,056,950 individuals. A 6,098× upward revision.

For the entire window in between, anyone reading the OCR portal alone saw a small breach. The full scope only became visible because Oregon's breach notification law required disclosure to the state AG before HHS OCR updated its public entry. By late April, state filings had spread to California, Maine, South Carolina, Texas, Vermont, Massachusetts, and New Hampshire.

HCIactive is the clearest example in Q1 of why looking at the OCR portal alone gives you an incomplete picture. It's also why the State of Compliance series exists.

Three Signals From the Q1 Record

Four Vendors Held Most of Q1's Risk

Four breaches account for 10.75M of approximately 15.9M Q1 affected patients. TriZetto (3.43M), QualDerm (3.12M), HCIactive (3.06M), and Insightin Health (1.14M) all have one thing in common: they're vendors that sit between you and your patients' data. When one of them gets breached, every practice that uses them gets dragged into the disclosure.

Trace where your patient data goes after it leaves your systems. That's where Q1's damage compounded.

OCR's Investigation Backlog Is Now an Early Warning Sign

As of January 31, 2026, 978 healthcare breaches were under or awaiting OCR investigation — up 10.9% year-over-year from 882. Breach reports have roughly doubled since 2018, but OCR's resources have stayed about the same. The 43-day federal shutdown of late 2025 added more pressure to a backlog that was already growing.

OCR's response makes sense: focus on risk-analysis cases (like the $103,000 Top of the World Ranch settlement on February 19), since those resolve faster than full breach investigations.

Disclosure Gaps Are Wide — and Sometimes the Attackers Tell First

Q1 disclosures ranged from about 64 days (Stockton Cardiology — from attack to the ransomware group publishing the leak) to about 195 days (Innovative Pharmacy Packaging Corp, whose disclosure timeline straddled the Q1 boundary — from attack to actually notifying patients). The healthcare average is 93 days. Finance has to disclose material cyber events to the SEC in 4 business days. In the Stockton case, the GENESIS ransomware group announced the breach before the company did — patients learned about it from a dark-web leak site, not from their cardiologist.

Patients of the IPPC breach went 195 days without being told. That window — when stolen records are circulating and people don't know — is the real exposure.

30-Minute System Check  ·  Pre-Position for the NPRM

The 2026 HIPAA Security Rule update is the biggest change to HIPAA in over a decade. The proposed rule was published in late 2024 and could be finalized later this year. Each item below either reflects what OCR is enforcing right now, or what the new rule will require.

1. Refresh your risk analysis. The Top of the World Ranch settlement was $103,000 over a missing risk analysis (45 CFR §164.308(a)(1)(ii)(A)). If your most recent one is older than twelve months or doesn't cover all the systems holding your patient data, this is the single most important thing you can fix this week.

2. List your vendors that touch patient data. Four vendor breaches drove 67.6% of Q1's impact. Pull a list of every vendor that touches your patient data — billing, EHR, scheduling, telehealth, transcription — and confirm a current, signed BAA for each. If any of them processes data overseas, make sure the BAA covers that.

3. Get encryption and MFA in place now. The new rule will make both required, with very limited exceptions. Today they're "addressable," which most practices have read as optional. Find anywhere your patient data sits unencrypted, and any system that lets staff log in without multi-factor authentication. Doing this now is cheaper than scrambling once the rule is finalized.

4. Set an internal disclosure target tighter than 60 days. 60 days is HIPAA's hard limit. The Q1 cases that took 64–195 days to disclose show what happens when you treat the limit as the goal. Document a 30-day internal target in your breach response plan.

5. Run a tabletop drill on a vendor breach. Based on Q1's pattern, your next breach is more likely to start at a vendor than at your own perimeter. Walk your team through the scenario: TriZetto, CareCloud, or your largest vendor calls you with short notice. Who notifies whom? In what order? By what deadline?

If any of these require "we think so" as an answer, you have measurable exposure. Run the free assessment →

Q2 In Progress  ·  What the Last 14 Days Already Show

Since the last issue, we've logged 128 additional healthcare breaches across HHS OCR and state attorney general filings, affecting roughly 6.4 million people. Two patterns are already showing up — both lining up with what we found in Q1.

North Dakota just published 45 breaches in a single day.

On April 27, the North Dakota Attorney General published 45 separate breach notifications dated the same day — including BCBS of North Dakota (1.5M, phishing), Aspen Dental Management (1.4M), Trinity Health (1M), Altru Health System (242K), Prime Healthcare Services (200K), and Western Plains Regional Medical Center (200K). Several were vendor or supply-chain breaches — the same upstream pattern we documented in Q1. Pension Benefit Information and Delta Dental of Minnesota are inside that batch — both are vendors whose breaches will hit hundreds of practices downstream. Anyone watching only the OCR portal saw none of this on April 27.

North Texas Behavioral Health Authority is the first major behavioral-health breach disclosed under OCR's new enforcement powers.

OCR added a hacking incident affecting 285,086 people at North Texas Behavioral Health Authority on April 20 — the largest individual non-batch breach of the period. OCR's enforcement power over substance-use-disorder records (42 CFR Part 2) took effect on February 16, 2026. Behavioral health entities are now subject to the same breach reporting rules everyone else has lived under for decades. Q2 will tell us how OCR uses this new authority.

Worth Reading

HIPAA Security Rule NPRM — Federal Register →

The full text of the proposed new HIPAA Security Rule. Encryption and MFA become required, not just "addressable." Vulnerability scans every six months. Penetration testing every year. Read it at the source.

HHS OCR Breach Portal →

The official federal portal — and one of seven sources behind the Q1 report. Useful, but rarely the full picture. The State of Compliance methodology section walks through where it leads and where it lags.

OCR Top of the World Ranch Settlement Announcement →

The biggest OCR enforcement action of Q1: a $103,000 settlement over a missing risk analysis. Read it for the language OCR uses when describing what an inadequate risk analysis looks like.

Closing Note

The State of Compliance series exists because no single source captures the healthcare breach record in real time. Pulling data from HHS OCR, fifty state AGs, FTC enforcement, and CISA — and reconciling it into one clean picture — is heavier work than reading the OCR portal alone. Q1 is the first time we've published the full picture in one place, with our methodology open for anyone to check.

Future issues will track whether the concentration finding holds, how OCR's investigation backlog moves, and how the new HIPAA Security Rule reshapes the landscape once it's finalized. Next Pulse drops May 13. The Q2 2026 State of Compliance is in progress and scheduled for July.

Patient Protect is a HIPAA compliance platform built for independent practices. The Secure Care Research Institute is its independent research arm. If this briefing is useful, the platform is what we built to act on it. Learn more →

Patient Protect

Chicago, IL  ·  patient-protect.com  ·  HIPAA Pulse archive


Q1 2026 figures come from the Patient Protect Breach Intelligence Dashboard, exported in late April 2026, with duplicate state filings reconciled into single incidents. Numbers may shift slightly as late filings come in.


© 2026 Patient Protect LLC. All rights reserved.
