Active breach tracker Falls Church, VA Disclosed April 14, 2026

Defense Health Agency Data Breach 2026: 1,300 TRICARE Beneficiaries Exposed via Email Incident. Limited Public Disclosure. What To Do

The Defense Health Agency (DHA), the DoD component administering TRICARE for ~9.6M military beneficiaries, filed an HHS OCR breach in April 2026 affecting 1,300 individuals via an unauthorized email access/disclosure. Specific incident mechanism, PHI categories, and remediation not yet publicly disclosed. Distinct from the larger March 2026 DHA EMR incident. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 14, 2026

HHS OCR filing (incident date, discovery date, and notification date not publicly disclosed)

Apr 14, 2026

Attacker gained access

Apr 14, 2026

Breach detected

Data exposed

01

High-risk identity

Enables financial + identity theft

Likely subset of: DoD Benefits Number, DoD ID/EDIPI, sponsor SSN (legacy systems), DOB, branch of service, TRICARE plan, appointment / clinic data, possibly diagnostic / treatment notes

03

Contact & insurance

Phishing + targeted scams

Full name (specific PHI categories not publicly disclosed)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

The Defense Health Agency (DHA) is a DoD combat support agency administering the Military Health System and TRICARE — covering approximately 9.6 million beneficiaries (active duty, Guard/Reserve, retirees, and dependents). DHA is headquartered in Falls Church, VA.

DHA is a HIPAA-covered entity and self-reports breaches to HHS OCR despite being a federal agency. Its Privacy and Civil Liberties Office is the breach-reporting authority.

DHA filed an HHS OCR breach report on April 14, 2026 — Unauthorized Access/Disclosure at Email, affecting 1,300 individuals. The affected population is almost certainly TRICARE beneficiaries and/or DoD civilian employees receiving care through MHS facilities, but the exact subpopulation (active duty vs. retiree vs. dependent) has not been specified in any public source.

Why this page is sparse

As of mid-May 2026, no press release, health.mil notice, TRICARE newsroom item, or news coverage (HIPAA Journal, DataBreaches.net, Military Times, Stars and Stripes, FedScoop, Federal News Network) has surfaced for this specific 1,300-person email incident. This is consistent with sub-state-AG-threshold filings: under 500 per state means no state AG trigger; under most media radars; no federal substitute-notice requirement.

This is a distinct event from the larger March 2026 DHA incident (~96,271-100,000 individuals, “unauthorized access to electronic medical records,” business associate involved), which is covered in the HIPAA Journal March 2026 report. Do not conflate the two.

Likely incident pattern

“Unauthorized Access/Disclosure at Email” at 1,300 individuals typically maps to one of three patterns:

  1. Misdirected email or mail-merge error sending PHI to the wrong recipients (most common at this size)
  2. Single compromised mailbox via phishing where ~1,300 beneficiary records were stored in attachments or threads
  3. Insider snooping through an MHS mailbox

Without a DHA substitute notice, the pattern cannot be confirmed.

Why military health records carry heightened risk

Standard MHS email-incident exposure typically includes:

  • Full name
  • DoD Benefits Number (DBN)
  • DoD ID / EDIPI (Electronic Data Interchange Personal Identifier)
  • Sponsor SSN (legacy systems)
  • Date of birth, branch of service
  • TRICARE plan
  • Appointment / clinic data
  • Diagnostic / treatment notes (when clinical correspondence is involved)

Military-context sensitivity is elevated: deployment medical records, behavioral health, and any information bearing on security clearance suitability (substance use, mental health) raise harms beyond a civilian breach of equivalent size. PTSD diagnoses, deployed-environment exposures, and command-referred mental health visits can affect career trajectory if disclosed.

These categories are not confirmed for this specific filing — read your specific notification letter for the exact data elements involved.

What DHA is offering

No public DHA notice located. DHA’s standard playbook for sub-5,000 incidents is direct letter notification, a dedicated call center via the contractor handling remediation, and typically 12 months of credit monitoring through DoD’s standing identity-protection vendor (historically ID Experts / MyIDCare under DoD contract). Confirm directly with the DHA Privacy and Civil Liberties Office ([email protected]).

Litigation posture

No class action filings located at this size. Federal sovereign immunity and the lack of a private right of action under HIPAA make class suits against DHA itself rare. Privacy Act and Federal Tort Claims Act (FTCA) claims are the usual vehicles for damages against federal agencies, but they require proof of actual damages.

What to do

  1. Watch for a DHA notification letter if you are a TRICARE beneficiary or DoD civilian employee receiving MHS care.
  2. Read your specific letter to confirm the data elements involved and the remediation offered.
  3. If your SSN was exposed, enroll in the offered credit monitoring and place free credit freezes at Equifax, Experian, TransUnion.
  4. Check your TRICARE explanation of benefits for unfamiliar claims.
  5. If your security clearance is in scope, consider whether the exposure includes information you would need to self-report on SF-86 or continuous evaluation.
  6. Stop the ongoing flow of your military health data. HealthConsent files HIPAA restriction requests covering MHS and TRICARE data flows where federal regulations permit.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.