On April 21, 2026, the U.S. Department of Health and Human Services Office for Civil Rights received formal breach notifications from three distinct healthcare entities, collectively impacting 600,000 individuals. The disclosures from the North Texas Behavioral Health Authority, Southern Illinois Dermatology, and Saint Anthony Hospital highlight ongoing vulnerabilities within the healthcare sector digital infrastructure. These incidents involve a combination of unauthorized network access, ransomware, and legacy system exploitation.

The North Texas Behavioral Health Authority reported the most extensive breach, affecting 320,000 people. According to the organization official statement, an unauthorized third party gained access to its internal network environment. The breach was first identified during a routine security audit, which revealed anomalous activity on a file server containing patient enrollment data. Technical forensics determined the period of unauthorized access spanned from January 12 to February 15, 2026. The exposed information includes full names, residential addresses, Social Security numbers, and specific behavioral health diagnosis codes. The authority has since migrated its data to a cloud-based environment with enhanced endpoint detection and response capabilities.

Southern Illinois Dermatology disclosed a cyberattack affecting 150,000 patients. The organization identified the incident as a sophisticated ransomware deployment that targeted its primary electronic health record system. While the clinical operations were maintained using offline backups, the attackers successfully exfiltrated sensitive data before deploying the encryption payload. The compromised data set includes patient names, provider notes, and health insurance claim information. In its filing, the practice noted that it has implemented a new zero-trust architecture and hardened its firewall configurations to prevent similar lateral movement within its network. The practice confirmed that the breach occurred on March 4, 2026, and was contained within forty-eight hours.

Saint Anthony Hospital, located in Chicago, reported a breach impacting 130,000 individuals. This disclosure resulted from a forensic investigation into a vulnerability found in a legacy database server that had not been fully decommissioned. The hospital stated that the vulnerability allowed for unauthorized SQL injection, leading to the extraction of historical patient records. The data involved dates back to a five-year period ending in 2022 and includes patient identification numbers and laboratory results. Saint Anthony Hospital confirmed that its current primary electronic health record system remained unaffected and that the legacy server has been permanently taken offline.

All three organizations are currently notifying affected individuals via first-class mail. The notifications include offers for identity theft protection and credit monitoring services for a duration of twelve to twenty-four months. These disclosures come amid a period of increased regulatory scrutiny regarding the cybersecurity posture of regional health authorities and specialized medical practices.