Data breaches are surging in 2026 as attackers increasingly target government agencies and healthcare systems, with the average cost of a breach hitting an all-time high of $10.22 million in the United States, according to new industry data.
From January through April 2026, 252 large healthcare data breaches affecting 500 or more individuals were reported to the U.S. Department of Health and Human Services’ Office for Civil Rights, according to the HIPAA Journal. That pace puts 2026 on track to match or exceed 2025, which saw 772 large healthcare breaches reported—a record for any year since tracking began in 2009.
The surge reflects a broader wave of cyberattacks across both private and public sectors. The first half of 2026 saw widespread attacks on critical infrastructure and major organizations, including zero-day exploits against Cisco SD-WAN systems, destructive attacks on medical device maker Stryker, and breaches affecting data firms, educational platforms, and government networks. According to CRN, the increased activity shows signs of AI-powered capabilities being used by threat actors to accelerate attacks.
Healthcare organizations face particularly acute risk. As of June 2026, more than 19 million individuals have been impacted by healthcare data breaches reported to the Office for Civil Rights, according to TechTarget. Hacking and other IT incidents now account for more than 80 percent of large healthcare data breaches, compared to just 49 percent in 2019, the HIPAA Journal reports. The shift reflects attackers’ growing focus on exploiting vulnerabilities and gaining unauthorized system access rather than relying on lost or stolen devices.
Government systems are not immune. On July 2, 2026, the Department of Homeland Security disclosed a breach of its Homeland Security Information Network, or HSIN, a platform used by federal, state, and local governments to share intelligence and coordinate emergency response, according to TechCrunch. The breach occurred in late May and early June 2026. While the extent of data stolen remains unclear, Senator Mark Warner, the ranking Democrat on the Senate Intelligence Committee, warned that the exposed information is “highly sensitive, and its exposure risks national security.” The HSIN platform supports major events including the World Cup games currently underway in the United States.
The financial toll of breaches continues to climb. According to SentinelOne, the average cost of a data breach in the U.S. has reached $10.22 million in 2026, driven by high containment costs and strict regulatory requirements. The global average stands at $4.88 million, representing a 9 percent decline from the prior year due to faster detection and response, but U.S. costs remain substantially higher. SentinelOne also reports that U.S. cybercrime reached a record $20.9 billion in 2026.
The first half of 2026 witnessed some of the year’s most disruptive breaches. ShinyHunters, a data-extortion group, was linked to more than half of confirmed “mega-breaches” through May, including attacks on educational platform Instructure’s Canvas learning management system, which exposed data on 275 million users across thousands of schools and universities. The group also claimed responsibility for breaches at Charter Communications, Carnival Corporation, and Salesforce, among others. Other major incidents included attacks on password manager Dashlane, supply-chain compromises affecting open source projects, and breaches at LexisNexis and Ivanti mobile management systems.
Ransomware remains a potent weapon. According to SentinelOne, ransomware accounts for 44 percent of all breaches, with many beginning at exposed VPNs or edge devices. The average cost of a ransomware incident initiated by insiders reaches $4.99 million, higher than breaches initiated externally. Stolen intellectual property records carry the highest per-record cost at approximately $178 per record.
The convergence of healthcare and government sector breaches underscores the growing vulnerability of critical systems. Healthcare organizations continue to face supply-chain risks, with business associates accounting for an increasing share of large breaches. The HIPAA Journal notes that 2026 represents one of the industry’s biggest challenges in securing the supply chain, as breaches at third-party vendors serving multiple covered entities can expose millions of records in a single incident.
Sources
- HIPAA Journal — Healthcare data breach statistics for 2026, showing 252 large breaches from January to April 2026 and 772 total in 2025; hacking accounting for over 80 percent of large healthcare breaches in 2025.
- TechTarget — Report on healthcare data breaches in 2026, noting 19 million individuals impacted by breaches reported to OCR as of June 2026.
- SentinelOne — Data breach statistics for 2026, reporting average U.S. breach cost of $10.22 million, global average of $4.88 million, and U.S. cybercrime costs of $20.9 billion.
- CRN — Coverage of 10 major cyberattacks and data breaches in 2026, including Cisco SD-WAN, Stryker, LexisNexis, Ivanti, Fortinet, and ShinyHunters incidents.
- TechCrunch — Report on DHS Homeland Security Information Network breach in July 2026, with statement from Senator Mark Warner on national security risk.











