THE FOWLER GROUP — HEALTHCARE MONTHLY CYBERSECURITY BRIEF
May 2026 Review
Classification: Public — Share Freely
Next Issue: July 1, 2026
AT A GLANCE — MAY 2026
| Metric | Value |
|---|---|
| Healthcare breaches reported to OCR | 66 |
| Individuals affected by breaches | 8.7M+ |
| Average ransomware demand | $16.9M |
| Medical devices with critical vulnerabilities | 74% |
TOP STORIES
1. NYC Health + Hospitals Breach Exposes 1.8M Records Including Biometrics
NYC Health + Hospitals disclosed a months-long breach via a third-party vendor that exposed highly sensitive patient and employee data for at least 1.8 million people, making it one of the largest healthcare breaches of 2026 so far.
During the attack window, attackers copied files containing personal, medical, financial, and biometric information, including fingerprint and palm-print biometrics.
2. Congress Members' Prescriptions Compromised in RXNT Breach
The RXNT data breach in March 2026 involved unauthorized access to Congress members' personal and prescription information, including names, addresses, dates of birth, physician names, and prescription and pharmacy information. RXNT's medical software is used by the Office of the Attending Physician to manage care for members of Congress.
Multiple clients were affected in what has been described as a significant data breach.
3. TridentLocker Ransomware Hits World Trade Center Health Program
The World Trade Center Health Program was struck by TridentLocker ransomware, which combines encryption with likely data exfiltration.
The average ransom demand across confirmed healthcare incidents surged to $16.9 million, up from $577,800 the previous quarter, with the largest single demand reaching $100 million.
4. Telehealth Platform OpenLoop Breach Affects 716K Patients
OpenLoop Health suffered a security breach in January 2026 that exposed the information of 716,000 people. An unauthorized third party gained access to its systems between January 7 and 8 and copied files containing names, addresses, email addresses, dates of birth, and medical information.
The threat actor Stuckin2019 appears to be an individual with a pattern of targeting telehealth companies specifically, suggesting deliberate sector targeting.
5. Medical Device Vulnerabilities Reach Critical Mass
99% of hospitals manage at least one IoMT device with a known exploited vulnerability, with medical devices averaging 6.2 vulnerabilities per device and 60% of medical devices being end-of-life with no available security patches.
24% of facilities experienced a cyberattack on a medical device, up from 22% in 2025.
ONE THING TO DO THIS MONTH
Audit Your Third-Party Vendor Access Controls
May's NYC Health + Hospitals breach through a third-party vendor and the pattern of vendor-related incidents demonstrate that business associate risk has become your primary exposure.
Review all vendor remote access permissions, require MFA for all connections, and implement real-time monitoring for unusual data movements. Don't wait for the next vendor questionnaire cycle — the threat actors aren't.
SUBSCRIBER SPOTLIGHT
This month's subscribers received:
- Healthcare Cybersecurity Quarterly — Q2 2026 (deep-dive analysis)
- 3 Flash Advisories on breaking threats
- Healthcare Threat Actor Tracker (updated quarterly)
Ready for the full picture? Subscribe at tfgbriefs.com