Three United States healthcare organizations officially disclosed significant data breaches on April 21, 2026, collectively affecting approximately 599,000 individuals. The filings, submitted to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, detail a range of cybersecurity incidents including network intrusions and unauthorized access to employee email accounts. These disclosures highlight ongoing vulnerabilities within the healthcare sector's digital infrastructure and the exposure of sensitive Protected Health Information (PHI).
The North Texas Behavioral Health Authority (NTBHA) reported the largest of the three incidents, affecting 231,000 individuals. According to the organization's disclosure, the breach originated from unauthorized access to its internal network environment. Forensic investigations determined that the intrusion occurred between late 2025 and early 2026, during which time an unauthorized actor gained access to files containing patient names, addresses, dates of birth, and Social Security numbers. NTBHA stated it has since implemented enhanced multi-factor authentication and endpoint monitoring to mitigate future risks.
Saint Anthony Hospital, based in Chicago, disclosed a breach impacting 212,000 patients. The hospital identified a network security incident in which an unauthorized party encrypted certain systems. Technical analysis revealed that the same party accessed a legacy file server containing historical patient data. The compromised information included clinical details, insurance information, and financial account numbers. Saint Anthony Hospital confirmed that its primary Electronic Health Record (EHR) system was not affected, that clinical operations were not significantly disrupted, and that critical care services experienced no downtime.
Southern Illinois Dermatology reported a data security incident affecting 156,000 individuals. The organization detected unusual activity within its email environment, which led to a comprehensive review of affected accounts. The investigation concluded that an unauthorized individual accessed several staff email accounts containing sensitive patient data. Exposed information varied by individual but included medical diagnoses, treatment information, and provider names. The practice has begun notifying affected parties and is providing credit monitoring services to those whose Social Security numbers were involved.
All three organizations are complying with the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, which for breaches affecting 500 or more individuals requires notification of affected individuals without unreasonable delay and no later than 60 days after discovery, along with contemporaneous notice to the HHS Secretary. These incidents underscore the challenges facing mid-sized healthcare providers and regional authorities in securing distributed networks against common intrusion vectors, including compromised staff email accounts and legacy file servers that sit outside the core clinical systems. The HHS Office for Civil Rights is expected to monitor the remediation efforts of each entity to ensure compliance with federal data protection standards.