A new analysis of breach disclosures from the U.S. Department of Health and Human Services (HHS) Breach Portal paints a stark picture of the healthcare sector’s ongoing struggle to protect sensitive patient data. According to research conducted by Bridewell, more than 2,200 healthcare organizations have reported data breaches between 2023 and early 2026, underscoring both the scale and persistence of cyber risk across the industry.
The findings, drawn from both active investigations and archived breach records, reveal that no region has been immune. In 2026 alone, 52 healthcare entities are already under investigation, with more than 5.5 million individuals impacted—evidence that the sector remains a high-value, high-frequency target for threat actors.
Geographic Concentration Reveals High-Risk States
California, Texas, and New York emerge as primary targets amid rising regulatory scrutiny
While breaches are widespread, the data highlights a clear geographic concentration. California leads the nation with 231 reported incidents since 2023, affecting more than 52 million individuals. The scale of exposure has prompted aggressive regulatory action, including Senate Bill 446, enacted in late 2025, which mandates tighter breach notification timelines and greater transparency for affected residents.
Texas ranks second, with 172 breaches impacting roughly 20 million individuals. The state has also become a focal point for enforcement, as the Texas Attorney General launched a high-profile investigation into Conduent Business Services following a breach affecting more than 192 million people.
New York follows closely with 159 incidents and approximately 13 million individuals affected. Among the most significant recent events was a breach at the New York City Health and Hospitals Corporation, in which attackers reportedly maintained undetected access to systems for two months. The compromised data set included medical records, Social Security numbers, biometric identifiers, and financial information—highlighting the depth of exposure in modern healthcare breaches.
Rounding out the top five, Florida and Illinois reported 123 and 110 affected healthcare entities, respectively.
Mega Breaches and Misconfigurations Drive Exposure
High-profile incidents demonstrate how both cyberattacks and internal errors fuel risk
Recent breach disclosures reinforce that exposure is not limited to sophisticated external attacks. In December 2025, Blue Shield of California revealed that sensitive patient data from 4.7 million individuals had been inadvertently shared with Google advertising platforms due to a misconfigured analytics deployment.
One of the more nuanced findings in the report is the divergence between breach frequency and impact scale. While the number of healthcare organizations reporting incidents surged in 2025, the total number of individuals affected dropped sharply from an estimated 289 million in 2024 to 63 million in 2025.
This shift suggests measurable progress in detection and containment capabilities. Faster incident response, improved network segmentation, and evolving regulatory requirements are helping limit lateral movement and reduce the scope of compromise once attackers gain access.
However, the aggregate numbers remain sobering. The 2024 figure, approaching the total U.S. population, illustrates the likelihood that many individuals have had their data exposed multiple times across different incidents.
Systemic Weaknesses Continue to Drive Intrusions
Legacy infrastructure and access control gaps leave healthcare organizations exposed
Despite incremental improvements in mitigation, the research points to persistent structural vulnerabilities across healthcare environments. According to Bridewell’s analysis, common contributing factors include legacy IT infrastructure, unpatched systems, and insufficient identity and access management controls.
Kelechi Onyedebelu, Director of Security Solutions Presales at Bridewell U.S., noted that while the reduction in the number of affected individuals is encouraging, it does not signal a fundamental shift in defensive posture.
Threat actors, he emphasized, continue to target healthcare organizations at scale, exploiting weaknesses that remain deeply embedded in operational and technical environments. Improvements in segmentation and detection may be limiting damage, but they are not yet preventing initial compromise.
The Bottom Line: Containment Is Improving—Prevention Is Not
Industry progress remains reactive as adversaries maintain the upper hand in initial access
The latest data reinforces a critical inflection point for healthcare security leaders. While investments in detection, response, and regulatory compliance are yielding measurable gains in limiting the impact of breaches, they have not yet translated into a reduction in successful intrusions.
For CISOs and security directors, the implication is clear: the next phase of healthcare cybersecurity must shift from reactive containment to proactive resilience. That means modernizing infrastructure, tightening identity governance, and reducing the attack surface exposed across increasingly complex digital ecosystems.
Until those foundational issues are addressed, the data suggests that healthcare breaches will remain not just frequent, but inevitable.

