Providence Data Breach Exposes Sensitive Info of 22,701 Patients

Providence, a not-for-profit healthcare system headquartered in Renton, Washington, disclosed a potential compromise of patient data involving Health Gorilla, a health information exchange (HIE) vendor. The incident affected approximately 22,701 individuals in the United States.

The breach was disclosed to the U.S. Department of Health and Human Services and to the California Attorney General. starting on Jan. 16, 2026. Providence began mailing notification letters to consumers on April 9, 2026.

What happened in the Providence data breach

Many healthcare organizations, including Providence, participate in electronic health information exchanges. These networks allow different healthcare providers to securely share certain patient data to improve care coordination, quality and efficiency.

Health Gorilla manages these connections and was responsible for linking Providence's electronic health record system called Epic.

On Feb. 11, 2026, Providence was notified of a problem related to how some patient information was potentially being accessed and shared by certain participants in the exchange. The issue involved data exchange activity that took place between Aug. 30, 2024, and Dec. 8, 2025.

Ssome patient information may have been accessed or shared by certain participants in the exchange without a defined business need. Providence stated there was no indication that patient medical records were hacked or stolen by any third party, including Health Gorilla or its participants.

The types of protected health information that may have been exposed included full name, date of birth, address, phone number, insurance information and policy number, emergency contact information, dates of service, places of service, test results, medications, diagnoses and other clinical records used by care teams.

Social Security numbers were not included in the exposed information, according to the notification.

Providence's response to the breach

Providence is offering affected individuals one year of free identity protection services through IDX at no cost. To enroll, individuals can visit the IDX enrollment website or call 1-888-202-1558. IDX representatives are available Monday through Friday from 6 a.m. to 6 p.m. Pacific Time, excluding holidays.

The enrollment deadline for the free identity protection services is July 9, 2026. The identity protection membership includes credit monitoring, which must be activated separately to take effect, according to the notification.

Steps to take if your information was exposed

• Review credit reports regularly by requesting free copies at AnnualCreditReport.com, where consumers are entitled to one free report from each of the three major credit bureaus every 12 months.
• Monitor health insurance statements carefully for any unfamiliar services, providers or charges, since medical information such as diagnoses, medications and insurance policy details was involved in this breach.
• Place a fraud alert with one of the three credit bureaus (Equifax at 1-866-349-5191, Experian at 1-888-397-3742 or TransUnion at 1-800-680-7289), which will automatically notify the other two.
• Consider placing a security freeze on credit files to prevent new accounts from being opened, which can be done at no cost with each of the three major credit bureaus.
• Be cautious of phishing attempts that reference Providence or this data breach by name, particularly unsolicited phone calls, emails or text messages requesting personal or medical information.
• Report any suspicious activity to the Federal Trade Commission at 1-877-438-4338 or to local law enforcement if signs of identity fraud appear.