Three healthcare organizations operating in Illinois and Texas have formally disclosed data breaches to the U.S. Department of Health and Human Services (HHS), impacting a combined total of nearly 600,000 individuals. The disclosures, finalized on April 21, 2026, detail a variety of cyberattack vectors, including unauthorized network access and business email compromise (BEC).
Southern Illinois Dermatology (SID) reported the most significant incident, affecting approximately 568,000 patients. According to technical documentation provided by the clinic, the breach involved a sophisticated network intrusion that remained undetected for several weeks. Forensic investigators determined that the unauthorized party accessed a legacy database containing sensitive patient identifiers. The compromised data set included full names, Social Security numbers, health insurance information, and specific clinical details such as treatment codes and provider notes. In response, SID has decommissioned the affected legacy servers and transitioned to an encrypted, cloud-based patient management system with enhanced endpoint detection and response (EDR) capabilities.
In Chicago, Saint Anthony Hospital disclosed a security event that compromised the data of approximately 21,000 individuals. The hospital’s IT department identified the intrusion after detecting anomalous activity on a secondary file server. While the hospital’s core Electronic Health Record (EHR) system was not breached, the affected server contained archived files with patient names and limited medical history. The hospital confirmed that the incident did not result in any downtime for critical care services or emergency department operations. Technical remediation involved a comprehensive audit of all externally facing ports and the implementation of a more rigorous patch management protocol for third-party software to address the vulnerability exploited during the attack.
The North Texas Behavioral Health Authority (NTBHA) also filed a disclosure regarding an email compromise affecting 10,500 individuals. The Dallas-based organization stated that an unauthorized actor gained access to two staff email accounts through a targeted phishing campaign. The compromised accounts contained administrative spreadsheets used for service coordination, which included patient names and internal identification numbers. NTBHA has since mandated the use of hardware-based security keys for all employees accessing sensitive data and has engaged a cybersecurity firm to conduct a full environment sweep to ensure no persistent threats remain.
Under the HIPAA Breach Notification Rule, these organizations are required to notify affected individuals within 60 days of discovery. All three entities have confirmed that notification letters are being dispatched and that they are offering complimentary credit monitoring services to those whose Social Security numbers were exposed. These incidents have been documented in the HHS Office for Civil Rights database, marking one of the largest clusters of healthcare data disclosures in the second quarter of 2026.