CardioFit Medical Group has discovered emails containing protected health information were inadvertently sent without encryption. Interventional Pain Center in Tennessee has identified unauthorized access to an email account containing PHI.

CardioFit Medical Group, California

CardioFit Medical Group, Inc., a California-based medical group providing acute, chronic, and preventive cardiology care, has started notifying certain patients about the exposure of some of their protected health information. The inadvertent HIPAA violation was identified on February 17, 2026, when CardioFit learned that patient information had been sent via emails that had not been encrypted. The emails were sent in January and February 2026 and were found to contain a limited amount of patient information.

Highly sensitive information such as Social Security numbers, bank account details, or credit card information was not included in the emails; however, the emails did contain names, demographic information, and in certain cases, limited clinical information such as diagnoses and health insurance information. Under HIPAA, email encryption is not mandatory when emails are sent internally, provided that alternative measures are implemented that provide an equivalent level of protection, such as a firewall. When protected health information is sent externally beyond the protection of a firewall, emails should be encrypted to prevent interception in transit and ensure that only the intended recipient can access the emails.

While patient data was exposed, there are no indications that the emails were accessed by unauthorized individuals, and no evidence has been found to indicate any misuse of the exposed information. In response to the breach, CardioFit has conducted a review of its privacy and security practices and has strengthened its procedures related to email encryption. CardioFit has also provided additional training to its staff to prevent similar incidents in the future. Notification letters were sent to the affected individuals on or around April 10, 2026. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Interventional Pain Center, Tennessee

Interventional Pain Center, a network of pain management centers in Tennessee, has identified unauthorized access to an employee’s email account that contained the personal and protected health information of 3,171 individuals. The incident was detected on December 11, 2025, and the forensic investigation confirmed that the unauthorized access was limited to a single email account, which was compromised between December 1, 2025, and December 11, 2025.

The account was reviewed to determine the types of information contained in the account and to whom it related. On or around March 17, 2026, Interventional Pain Center confirmed that the account contained files and emails that included names, addresses, zip codes, dates of birth, Social Security numbers, driver’s license numbers, medical histories, diagnoses, condition information, treatment information, prescription information, treating physician names, and health insurance information.

Interventional Pain Center secured the account to prevent further unauthorized access and has implemented additional safeguards to prevent similar incidents in the future, including enhancing its email security and monitoring controls, and providing additional training to the workforce. At the time of issuing notifications, Interventional Pain Center had found no evidence to suggest any of the exposed information had been misused.

The post Medical Group Announces PHI Exposure Due to Unencrypted Emails appeared first on The HIPAA Journal.

Email accounts have been compromised at four HIPAA-regulated organizations: Alternate Solutions Health Network in Ohio; Park Royal Hospital in Florida; 90 Degree Benefits in Minnesota; and the Charleston Fire Department in West Virginia. Almost 107,000 individuals have been affected.

Alternate Solutions Health Network, Ohio

Alternate Solutions Health Network, LLC, a Kettering, Ohio-based provider of home healthcare services, has identified unauthorized access to an employee’s email account that contained patient data. It is unclear for how long the threat actor had access to the account or when the breach was detected; however, it has taken almost a year for the affected individuals to be notified.

Alternate Solutions Health Network explained in its substitute breach notice that the forensic investigation confirmed that the account was breached on or around May 30, 2024. When the breach was detected, the account was secured, and third-party cybersecurity professionals were engaged to investigate the incident. “After an extensive investigation and manual document review, we discovered on February 14, 2025, that some personal and/or protected health information of individuals was contained in the compromised email account that was subject to unauthorized access and acquisition,” explained Alternate Solutions Health Network in the notification letters.

The types of information involved vary from individual to individual and may include first and last names, dates of birth, addresses, driver’s license numbers, physician/clinician names, clinical information, diagnostic information, and treatment information. A subset of the affected individuals also had their Social Security numbers stolen. Alternate Solutions Health Network said it will implement additional cybersecurity safeguards, enhance its employee cybersecurity training, and improve its cybersecurity policies, procedures, and protocols. The data breach was reported to the HHS’ Office for Civil Rights on April 14, 2025, as a breach affecting 93,589 individuals. Individual notification letters also started to be mailed on April 14, 2025.

Park Royal Hospital, Florida

The Pavilion at HealthPark, LLC, has announced a data breach affecting patients of Park Royal Hospital in Fort Myers, Florida. The private psychiatric hospital provides inpatient and outpatient behavioral health services, including treatment for mental health and substance use disorders. On January 14, 2025, an employee responded to a phishing email and disclosed their credentials, allowing a threat actor to access the employee’s email account and associated SharePoint account between January 14 and January 15, 2025. The breach was detected on January 17, 2025, and the email account was immediately secured.

The forensic investigation confirmed that the breach was limited to a single email account and the associated SharePoint account. No other systems or accounts were affected. The account review confirmed that the sensitive data of 9,349 patients was present in the account, including personally identifiable and protected health information such as names, admission dates, provider information, and patient status information. Individual notification letters started to be mailed to the affected individuals on March 18, 2025. Since Social Security numbers and financial information were not compromised, credit monitoring services are not being offered. Patients have been advised to monitor the statements they receive from their providers and health plans and should report any services listed that have not been received.

90 Degree Benefits, Inc., Minnesota

90 Degree Benefits, St. Paul, a third-party administrator that processes claims for companies that operate self-funded health plans, has identified an email account breach. Suspicious activity was identified in an employee’s email account in October 2024. The forensic investigation confirmed that a threat actor gained access to the account on October 18, 2024, and on or around December 17, 2024, it was confirmed that the threat actor had accessed emails and attachments in the account that contained sensitive data.

The emails and attachments were reviewed and found to contain information such as names, Social Security numbers, and/or member identification numbers. The breach was reported to the HHS’ Office for Civil Rights on April 18, 2025, as a data breach affecting 1,268 individuals. Individual notification letters were mailed to the affected individuals on April 18, 2025, and complimentary credit monitoring services have been made available. 90 Degree Benefits, St. Paul said several steps have already been taken to improve the security of its IT environment, including a review of security policies and processes and the provision of additional training to employees.

Charleston Fire Department, West Virginia

The Charleston Fire Department in West Virginia has identified unauthorized access to an employee’s email account. An account breach was suspected when the email account was used to send spam emails. The account was immediately secured, and third-party cybersecurity experts were engaged to conduct a forensic investigation. They confirmed that the breach was limited to a single email account, which was accessible between February 18, 2025, and February 21, 2025. The review of emails and attachments revealed the protected health information of 2,583 individuals had been exposed.

The exposed information was related to ambulance trips and EMS billing and included names, addresses, dates of birth, Social Security numbers, other demographic identifiers, clinical information (diagnoses/conditions, medications, dates of services), and/or insurance information. The majority of affected individuals only had their names, date of services, insurance carriers, and billing amounts exposed. Steps are being taken to strengthen email security, and complimentary credit monitoring services have been offered to the affected individuals. Individual notification letters were mailed to the affected individuals on April 22, 2025.

The post Alternate Solutions Health Network Notifies Patients About May 2024 Email Breach appeared first on The HIPAA Journal.

Bay Oral Surgery & Implant Center (Bay Oral), a network of oral & maxillofacial dental surgery centers serving the Green Bay, Marinette, and Niagara communities in Wisconsin, has recently reported a data breach to the HHS’ Office for Civil Rights (OCR) that involved the protected health information of 13,055 patients.

On February 27, 2024, Bay Oral identified suspicious activity in an employee’s email account. The password for the account was immediately changed to prevent further unauthorized access and a third-party cybersecurity firm was engaged to investigate the incident. The forensic investigation confirmed that an unauthorized individual had installed software and gained access to an employee’s email account on January 18, 2024.

The review of the emails and attachments confirmed that patients’ protected health information had been exposed. The types of information involved included names, addresses, email addresses, dates of birth, Social Security numbers, insurance card numbers, credit card numbers, banking account information, x-rays, patient health history forms, patient visit summaries, medical history questionnaires, and other types of patient health information that had been shared via email. The investigation could not determine if the unauthorized individual viewed or copied emails or attachments in the account.

In addition to immediately securing the email account, Bay Oral has taken several other steps to prevent similar incidents in the future. They include changing IT companies, implementing a 24/7 protection and monitoring solution, and implementing new policies and procedures to ensure that patients’ protected health information is not stored in email accounts.

Bay Oral said it is unaware of any reports of fraud or identity theft at the time of issuing notifications. The affected patients have been advised to be vigilant for incidents of fraud and identity theft by regularly reviewing their credit reports, credit statements, bank accounts, and other financial accounts for unauthorized activity.

The post Email Breach at Wisconsin Dental Surgery Center Affects 13,000 Patients appeared first on HIPAA Journal.

Los Angeles County Department of Health Services’ employees were targeted in a recent phishing campaign, and almost 2,800 Catholic Medical Center patients have been affected by a data breach at one of its vendors.

Los Angeles County Department of Health Services Phishing Attack

The Los Angeles County Department of Health Services was recently targeted in a phishing campaign that saw 23 employees tricked into disclosing their email account credentials after clicking a hyperlink in an email that appeared to have been sent by a trusted sender. The email accounts were accessed by an unauthorized third party between February 19, 2024, and February 20, 2024.

The Department of Health Services said the attack was reported to law enforcement which recommended delaying notifying the affected individuals so as not to interfere with the investigation. Notification letters have now been mailed to the affected individuals who have been provided with information on the steps they can take in response to the breach. The types of data exposed varied from individual to individual and may have included one or more of the following: first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.

The Department of Health Services has sent awareness notifications to all members of the workforce reminding them to be vigilant when opening emails, has enhanced its training regarding identifying and responding to phishing emails, and has implemented further controls to minimize the risk of further successful attacks.

The breach has been reported to the HHS Office for Civil Rights but is not yet showing on the OCR breach portal, so it is currently unclear how many individuals have been affected.

Catholic Medical Center Patients Affected by Email Breach at Business Associate

Almost 2,800 patients of Catholic Medical Center (CMC) in New Hampshire have been affected by a data breach at one of its vendors, the accounts receivable management service provider Lamont Hanley & Associates. Lamont Hanley & Associates notified CMC on March 6, 2024, that there had been unauthorized access to an employee’s email account. The breach was detected on June 20, 2023, and it was determined that patient data may have been accessed or acquired by the unauthorized third party, although no specific evidence of data access or data theft was identified.

The account contained the protected health information of 2,792 CMC patients, including names, Social Security numbers, dates of birth, medical and claim information, health insurance information, individual identification information, and financial account information. Lamont Hanley & Associates is offering complimentary credit monitoring services to eligible individuals and has taken steps to improve security to prevent similar breaches in the future.

The post Phishers Gain Access to 23 L.A. County Department of Health Services Email Accounts appeared first on HIPAA Journal.

Email accounts have been compromised at the University of Wisconsin Hospitals and Clinics Authority and the Medical Home Network in Illinois.

University of Wisconsin Hospitals and Clinics Authority Email Account Breach

The University of Wisconsin Hospitals and Clinics Authority (UW Health) recently provided an update on a security incident that was detected in late 2023. Suspicious activity was detected in an employee’s email account and the password was immediately changed to prevent further unauthorized access. A third-party cybersecurity firm was engaged to investigate the breach and it was determined on January 5, 2024, that the email account had been accessed by an unauthorized individual at various times between Sep. 20, 2023, and Dec. 5, 2023. Some of the emails in the account were viewed, and data may have been stolen.

The account was reviewed to determine the individuals affected and the types of information that had been exposed. The review was completed on February 9, 2024, and confirmed that the account contained names, dates of birth, medical record numbers, and clinical information, such as dates of service, provider names, and diagnoses. The emails did not contain any Social Security numbers, health insurance ID numbers, or financial information. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 85,902 individuals.

The affected individuals have now been notified and while UW Health has not found any evidence of misuse of patient data, patients have been advised to exercise caution regarding any emails they receive that claim to be from UW Health or other healthcare providers, and to monitor their billing statements and to report any charges for services that have not been received. UW Health also said users of the UW Health MyChart portal have been targeted in the past with scams through the use of fraudulent websites and has urged all patients to be vigilant when callers or emails request personal information. Scammers may claim to be UW Health employees when contacting people by phone, may send phishing emails using stolen UW Health logos, or may send phishing text messages requesting login credentials or linking to malicious URLs.

Medical Home Network Email Environment Compromised

MHNU Corporation, which does business as Medical Home Network (MHN) in Illinois, has recently notified 681 individuals about the exposure of some of their protected health information. Suspicious activity was identified in MHN’s email environment on or around October 11, 2023. After securing its email accounts, independent cybersecurity experts were engaged to investigate and determine the cause of the activity. The forensic investigation confirmed that an unauthorized actor gained access to the email accounts of two employees between October 4, 2023, and October 12, 2023, and emails and attached files may have been viewed or acquired.

On April 12, 2024, MHN learned that the protected health information of current and former members of CountyCare, Wellness West, and NeueHealth were stored in the compromised accounts. Those companies were notified about the incident on February 16, 2024, and MHN coordinated with the companies to effectuate notification to the affected individuals. MHN said the breached information included first and last names, patient IDs, phone numbers, dates of birth, and medical information; however, no evidence of misuse of that information had been identified at the time of issuing notifications. MHN said it takes privacy and security seriously and has taken steps to prevent similar incidents in the future.

The post Email Accounts Compromised at UW Health and Medical Home Network appeared first on HIPAA Journal.