63 Healthcare Breaches in February Expose 8.1 Million Records, OCR Releases HIPAA Guidance

February’s healthcare breach numbers are in: 63 incidents, 8.1 million records exposed, with TriZetto Provider Solutions and QualDerm Partners leading in volume. OCR released new HIPAA risk management guidance the same week, giving covered entities a window to act before enforcement tightens. The SEC named a new enforcement director effective May 4, and a New Jersey pharmacy disclosed a breach 7 months after the original intrusion, which says as much about detection capability as it does about reporting.

Top 5 Critical Compliance Alerts

1. February 2026 Healthcare Data Breach Report: 8.1 Million Records Exposed

The HIPAA Journal reports 63 major healthcare data breaches in February 2026, exposing over 8.1 million individual records. TriZetto Provider Solutions and QualDerm Partners reported the largest incidents. The numbers continue a trend of increasing breach volume and scale in the healthcare sector. HIPAA Journal

Operator Note: Healthcare organizations should treat breach reporting as a lagging indicator. The time to act is during the cybersecurity assessment, not after the disclosure.

2. SEC Appoints David Woodcock as Director of Enforcement

The SEC named David Woodcock, a Gibson Dunn partner, as the new Director of the Division of Enforcement effective May 4, 2026. The appointment signals the direction of SEC cyber enforcement priorities under the new leadership. SEC

3. New Jersey Pharmacy Breach Affects 133,800 Patients

Innovative Pharmacy entities disclosed a September 2025 intrusion that exposed patient data including names, identification numbers, and medical information for over 133,000 individuals. The 7-month gap between incident and disclosure raises questions about breach detection capabilities. HIPAA Journal

4. OCR Releases HIPAA Security Rule Risk Management Guidance

The HHS Office for Civil Rights published new instructional content explaining risk management compliance requirements and enforcement priorities for HIPAA-regulated entities. The guidance clarifies expectations ahead of potential rulemaking. HIPAA Journal

5. FINRA Launches Financial Intelligence Fusion Center

The Financial Industry Regulatory Authority established a new center to coordinate intelligence sharing against cybersecurity and fraud threats across the financial services industry. The fusion center model mirrors government threat-sharing frameworks applied to the private sector. Dark Reading

Additional Compliance Alerts

Third-Party Risk & Due Diligence

• GRC Vendors Launch AI-Powered Compliance Tools - Drata, Diligent, HICX, and Ibex released new agentic AI assessment systems and risk management platforms designed to automate third-party compliance workflows. Corporate Compliance Insights

• Haast Raises $12M for AI Compliance Agents - The marketing compliance firm secured Series A funding to expand AI agents that automate manual review of promotional materials for regulatory violations. Corporate Compliance Insights

Policy & Governance Updates

• State Pay Transparency Laws Create Complex Multistate Compliance Burden - Expanding pay disclosure requirements across states are forcing multistate employers to navigate inconsistent compensation reporting rules. Corporate Compliance Insights

The Axe Report is a daily briefing from Grab The Axe. Need help assessing your organization’s security posture? Take our free Human Attack Surface Score assessment.