Three healthcare providers across the United States have reported separate data breaches compromising patient information, with incidents occurring between January and April 2026. The breaches affected Clinical Registry Solutions in New York, First Sight Family Vision in Washington, and VHC Health in Virginia, exposing sensitive medical and personal data belonging to thousands of patients.
Clinical Registry Solutions, a Brooklyn-based provider of clinical data services, discovered suspicious activity on its network on April 9, 2026. The forensic investigation revealed unauthorized access and file exfiltration affecting patients of Dignity Health's St. Mary's Medical Center. While the company states that patient names, procedure dates, and medical record numbers were compromised, Social Security numbers and diagnosis information were not involved. However, the Akira ransomware group has claimed responsibility for stealing 41 GB of data, including employee passports, Social Security numbers, and driver's licenses.
First Sight Family Vision, an optometry practice in Battle Ground, Washington, was affected by a breach at its vendor RXNT, a cloud-based healthcare software provider. RXNT detected unauthorized access to customer systems between March 1 and March 3, 2026. The compromised data includes patient names, birth dates, contact information, patient IDs, prescription details, and Social Security numbers. The breach impacted at least 1,225 patients of the optometry practice, though the total number of affected individuals across all RXNT customers remains unclear.
VHC Health, serving Northern Virginia and the Washington D.C. metro area, experienced a breach through its vendor Xsolis, a utilization management services provider. On January 22, 2026, Xsolis identified unauthorized access stemming from a phishing attempt two days earlier. The incident exposed files containing names, addresses, birth dates, Social Security numbers, medical treatment information, and health insurance details. Xsolis began mailing notification letters to affected individuals on April 23, 2026, though the total number of impacted VHC patients has not been disclosed.
All three organizations have implemented or are implementing additional security measures and are offering affected individuals complimentary credit monitoring and identity theft protection services. Healthcare providers should review their vendor security practices and ensure third-party partners maintain adequate cybersecurity controls, as two of these three breaches originated from supply chain vulnerabilities. Patients who receive notification letters should enroll in the offered monitoring services and remain vigilant for signs of identity theft or fraudulent activity.
Source: https://www.hipaajournal.com/clinical-registry-solutions-jason-r-egbert-od-pc-vnc-health-data-breaches/