200 Breaches in 90 Days
Between January 1 and March 31, 2026, 200 healthcare data breaches were reported to the HHS Office for Civil Rights — matching the record-breaking pace set in 2025. More than 19 million individuals have been impacted by healthcare data breaches as we approach the year's halfway point. The largest single incident: a hacking attack on Nacogdoches Memorial Hospital in Texas exposing personal and health information of 2.5 million patients. The New York City Health and Hospitals Corporation breach affected 1.8 million individuals, with attackers maintaining access for 11 weeks before detection.
The attack patterns are not sophisticated. Across major healthcare breaches in 2026, the consistent finding is that attackers did not break in — they logged in. Compromised credentials from phished employees, help desk social engineering, and inherited vendor access provide the initial foothold. Legacy web applications with weak authentication then provide the lateral movement path to patient databases.
The Legacy Web Form Problem
Federal News Network reported in January 2026 on a hidden vulnerability that connects these breaches to web infrastructure: legacy government and healthcare web forms. These forms collect Social Security numbers, financial records, health information, and security clearance data through systems built years or decades ago. Many lack modern encryption, multi-factor authentication, and compliance features. They were designed when the primary threat was a lost paper file, not an automated credential-stuffing attack processing thousands of login attempts per minute.
The web form is the patient portal login, the insurance claim submission, the appointment request, the medical records access page. These are WordPress installations, custom PHP applications from 2012, and Drupal sites running unmaintained modules. They are internet-facing applications handling regulated data on infrastructure that predates the regulatory requirements (HIPAA updates, HITECH Act) that now govern them.
The Canvas Breach — Education's Version
Healthcare is not unique. The education sector experienced its own infrastructure-level breach in April 2026: ShinyHunters claimed theft of 3.65 terabytes from Instructure's Canvas LMS, affecting 275 million users across nearly 9,000 educational institutions. Canvas is the learning management system used by universities and K-12 schools across the United States. A single infrastructure compromise affected nearly 9,000 institutions because they all shared the same legacy platform.
The Infrastructure Decision
Healthcare organizations spend 80% of IT budgets maintaining legacy systems. The web forms collecting patient data run on those legacy systems. The breaches exploiting those web forms cost healthcare organizations an average of $10.93 million per incident — the highest of any industry. The total cost of maintaining and breaching legacy infrastructure exceeds the cost of replacing it. But replacement requires capital expenditure, while maintenance is operational — and hospital budgets favor operational spending even when it is more expensive over time.
What This Means
The 19 million breach victims are not victims of sophisticated cyber attacks. They are victims of infrastructure decisions made a decade ago. The web forms that collect their data run on frameworks that lack modern security features by default — no CSP headers, no HSTS, no SRI, no subresource integrity. Modern frameworks ship these protections as defaults. The healthcare sector's breach rate is a direct consequence of its infrastructure age.


