What Is a Data Breach? Definitions, Real-World Examples, and the 2026 Rules You Need to Know

A clear, timely explainer on data breaches—definitions, 2024–2026 case studies, and what new U.S./EU rules require when the worst happens.

ASOasis

The short answer

A data breach is a security incident in which unauthorized parties gain access to, disclose, alter, destroy, or lose control of data. Laws use nearly identical wording: the EU’s GDPR defines a “personal data breach” as any security breach that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data; U.S. health privacy rules (HIPAA) similarly define a breach as an impermissible acquisition, access, use, or disclosure of protected health information that compromises its privacy or security. (eur-lex.europa.eu)

Why this matters in 2026

The scale and impact continue to grow. The FBI’s Internet Crime Complaint Center reports Americans lost nearly $21 billion to cyber-enabled crimes in 2025, a record that underscores the real-world fallout of data compromises. (fbi.gov)

Healthcare and telecom have faced some of the starkest recent examples:

  • Change Healthcare’s 2024 ransomware attack ultimately affected about 192.7 million people as notifications continued through 2025—the largest healthcare data breach on record. (privacyrights.org)
  • AT&T disclosed two major 2024 incidents: a dataset of roughly 73 million current and former customers appeared on the dark web, and, in a separate event, “nearly all” customers’ call/text metadata from mid‑2022 was stolen via a third‑party cloud environment. (apnews.com)

What exactly is a “data breach” under the law?

  • European Union (GDPR): Any security breach leading to destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Organizations must notify authorities within 72 hours when the breach risks individuals’ rights and freedoms. (eur-lex.europa.eu)
  • U.S. health sector (HIPAA): A breach is presumed when PHI is improperly used or disclosed, unless a documented risk assessment shows a “low probability of compromise.” Breaches of unsecured PHI trigger notifications to affected individuals, HHS, and, for large events, the media. (ecfr.io)
  • U.S. state laws (general public/consumer data): All 50 states, D.C., and key territories require breach notifications for defined personal information, typically when unencrypted data is acquired by an unauthorized party. Timelines and scopes vary by state. (ncsl.org)
  • U.S. public companies (investors): Since December 18, 2023, SEC rules require disclosure of any material cybersecurity incident on Form 8‑K within four business days of determining materiality, with a narrow national‑security delay mechanism via the U.S. Attorney General. (sec.gov)
  • U.S. non‑bank financial institutions: Since May 13, 2024, the FTC’s amended GLBA Safeguards Rule requires notifying the FTC within 30 days if an incident affects data of at least 500 consumers. (ftc.gov)

How breaches happen: the common paths in 2024–2026

  • Stolen credentials and weak authentication: In 2024, attackers used valid usernames/passwords—often lifted by infostealer malware—to break into many customer environments on the Snowflake platform where multifactor authentication (MFA) wasn’t enabled, leading to data theft and extortion across roughly 165 organizations. (techcrunch.com)
  • Third‑party and supply‑chain exposure: The Snowflake wave—and downstream breaches at firms like Ticketmaster/Live Nation—show how one vendor surface can ripple across hundreds of customers. (arstechnica.com)
  • Ransomware and double extortion: Threat actors increasingly steal data before encrypting systems to pressure victims to pay. In healthcare, ransomware events have escalated, with the Change Healthcare case demonstrating system‑wide operational and privacy impacts at national scale. (privacyrights.org)

Case studies shaping the conversation

  • Change Healthcare (UnitedHealth Group): Attackers accessed systems February 17–20, 2024; by late 2025, confirmed impact reached about 192.7 million individuals, spanning contact, insurance, clinical, and ID data. Regulators and state AGs received rolling notices into October 2025. (privacyrights.org)
  • AT&T: In March–April 2024, a dataset for about 73 million customers (current and former) surfaced on the dark web; in July 2024, AT&T said phone/text metadata for “nearly all” customers from mid‑2022 had been exfiltrated from a third‑party cloud workspace. (apnews.com)
  • The Snowflake spree (2024): Incident responders at Mandiant notified ~165 customers of potential data theft. Many affected tenants lacked MFA; credentials were reused or previously compromised. The episode crystallized the risk concentration in cloud ecosystems and the importance of identity hygiene. (techcrunch.com)

What a breach costs

Breach costs vary widely by industry and region, but healthcare remains the costliest sector. IBM’s 2025 Cost of a Data Breach analysis found average healthcare breach costs at $7.42 million—well above the cross‑industry average. (techtarget.com)

Reportability and timing: translating rules into action

  • Four‑day clock for public companies: If your incident is “material,” the SEC expects an Item 1.05 Form 8‑K within four business days of making that determination. Limited delays are allowed if the Attorney General cites national‑security or public‑safety risks. Align incident response, legal, and investor‑relations workflows accordingly. (sec.gov)
  • 30‑day FTC notice for non‑bank financials: Covered entities under the GLBA Safeguards Rule must notify the FTC “as soon as possible” and no later than 30 days for incidents affecting ≥500 consumers. This supplements, not replaces, state and other sectoral obligations. (ftc.gov)
  • HIPAA timelines: Covered entities must notify affected individuals “without unreasonable delay,” as well as HHS and, for incidents affecting more than 500 individuals in a state or jurisdiction, the media, unless a documented low‑probability‑of‑compromise assessment applies. (hhs.gov)
  • State notice requirements: Because every state’s law differs on definitions, triggers, and content of notices, organizations operating nationally should pre‑map obligations (including encryption safe harbors) before an incident occurs. (ncsl.org)

What isn’t a breach?

Not every security event is a reportable breach. For example, many statutes exempt properly encrypted data; HIPAA presumes a breach when PHI is improperly used or disclosed but allows the presumption to be rebutted via a formal risk assessment showing low probability of compromise. The details—and burden of proof—are in the text, not the headlines. (ecfr.io)

If you’re a consumer and think you were affected

  • Act fast on breach notices: Enroll in offered credit/identity monitoring and change passwords—especially if you reused them elsewhere.
  • Freeze your credit files with the major bureaus; use fraud alerts for added protection.
  • Watch statements and explanation‑of‑benefits (EOB) documents for unfamiliar charges or providers.
  • Beware of phishing that exploits the breach; verify sender domains and avoid clicking unsolicited links.

If you’re an organization: a 90‑day readiness checklist

  • Enforce MFA—especially for privileged and third‑party/vendor access; audit for exposed credentials. The 2024 Snowflake incident showed how many victims lacked MFA. (axios.com)
  • Pre‑draft playbooks for SEC/FTC/HIPAA/state notices and practice the four‑business‑day SEC scenario.
  • Inventory your data supply chain: catalog where regulated personal data sits (and which vendors touch it) to accelerate scoping and targeted notifications.
  • Log and monitor access to sensitive data; segment workloads; roll keys and rotate credentials after any suspected compromise.
  • Run tabletop exercises with legal, PR, customer support, and cyber insurance.
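The first checklist item, and the Snowflake pattern described under “How breaches happen,” both come down to one question: which accounts are still signing in with a password alone? The script below is an added example (not from the original post or from Snowflake) that answers it from a login-history export. The column names mirror the ones Snowflake documents for its LOGIN_HISTORY view, but treat them as an assumption and map your own platform’s fields; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are assumed to follow Snowflake's
# LOGIN_HISTORY layout; adapt the field names for other identity providers.
SAMPLE_LOGIN_HISTORY = """\
event_timestamp,user_name,client_ip,first_authentication_factor,second_authentication_factor,is_success
2024-05-20T08:01:00Z,analyst1,203.0.113.10,PASSWORD,,YES
2024-05-20T08:05:00Z,svc_etl,198.51.100.7,PASSWORD,,YES
2024-05-20T09:12:00Z,admin2,203.0.113.22,PASSWORD,DUO_PUSH,YES
2024-05-20T11:40:00Z,analyst1,192.0.2.99,PASSWORD,,YES
2024-05-20T12:00:00Z,svc_etl,198.51.100.7,PASSWORD,,NO
2024-05-21T03:15:00Z,admin2,192.0.2.5,PASSWORD,,YES
"""


def parse_login_history(text: str) -> list[dict]:
    """Read a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def password_only_logins(rows: list[dict]) -> list[dict]:
    """Successful logins that used a password with no second factor."""
    return [
        r for r in rows
        if r["is_success"] == "YES"
        and r["first_authentication_factor"] == "PASSWORD"
        and not r["second_authentication_factor"]
    ]


def mfa_gap_report(rows: list[dict]) -> dict:
    """Per user: password-only successes, distinct source IPs, and whether the
    user has EVER completed MFA (True here means enforcement is inconsistent,
    not absent, which is its own finding)."""
    ever_mfa = {r["user_name"] for r in rows if r["second_authentication_factor"]}
    report = defaultdict(lambda: {"password_only_logins": 0, "source_ips": set()})
    for r in password_only_logins(rows):
        report[r["user_name"]]["password_only_logins"] += 1
        report[r["user_name"]]["source_ips"].add(r["client_ip"])
    return {
        user: {"password_only_logins": v["password_only_logins"],
               "source_ips": sorted(v["source_ips"]),
               "has_used_mfa": user in ever_mfa}
        for user, v in report.items()
    }


if __name__ == "__main__":
    for user, finding in sorted(mfa_gap_report(parse_login_history(SAMPLE_LOGIN_HISTORY)).items()):
        print(user, finding)
```

Accounts flagged with several source IPs and no MFA history are the ones to prioritize for enforcement and credential rotation; an account that has used MFA before but still shows password-only successes points to a policy that is opt-in rather than required.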

Bottom line

A data breach isn’t just a technical failure—it’s a legal, operational, and reputational event with strict timelines. The past two years’ mega‑incidents (Change Healthcare; AT&T) and the SEC’s disclosure rule have made preparation non‑negotiable. Knowing how the law defines a breach, how attackers are getting in, and what the latest rules demand can be the difference between a swift recovery and a months‑long crisis. (privacyrights.org)