CardioFit Medical Group has discovered emails containing protected health information were inadvertently sent without encryption. Interventional Pain Center in Tennessee has identified unauthorized access to an email account containing PHI.

CardioFit Medical Group, California

CardioFit Medical Group, Inc., a California-based medical group providing acute, chronic, and preventive cardiology care, has started notifying certain patients about the exposure of some of their protected health information. The inadvertent HIPAA violation was identified on February 17, 2026, when CardioFit learned that patient information had been sent via emails that had not been encrypted. The emails were sent in January and February 2026 and were found to contain a limited amount of patient information.

Highly sensitive information such as Social Security numbers, bank account details, or credit card information was not included in the emails; however, the emails did contain names, demographic information, and in certain cases, limited clinical information such as diagnoses and health insurance information. Under HIPAA, email encryption is not mandatory when emails are sent internally, provided that alternative measures are implemented that provide an equivalent level of protection, such as a firewall. When protected health information is sent externally beyond the protection of a firewall, emails should be encrypted to prevent interception in transit and ensure that only the intended recipient can access the emails.

While patient data was exposed, there are no indications that the emails were accessed by unauthorized individuals, and no evidence has been found to indicate any misuse of the exposed information. In response to the breach, CardioFit has conducted a review of its privacy and security practices and has strengthened its procedures related to email encryption. CardioFit has also provided additional training to its staff to prevent similar incidents in the future. Notification letters were sent to the affected individuals on or around April 10, 2026. The data breach is not currently shown on the HHS’ Office for Civil Rights website, so it is unclear how many individuals have been affected.

Interventional Pain Center, Tennessee

Interventional Pain Center, a network of pain management centers in Tennessee, has identified unauthorized access to an employee’s email account that contained the personal and protected health information of 3,171 individuals. The incident was detected on December 11, 2025, and the forensic investigation confirmed that the unauthorized access was limited to a single email account, which was compromised between December 1, 2025, and December 11, 2025.

The account was reviewed to determine the types of information contained in the account and to whom it related. On or around March 17, 2026, Interventional Pain Center confirmed that the account contained files and emails that included names, addresses, zip codes, dates of birth, Social Security numbers, driver’s license numbers, medical histories, diagnoses, condition information, treatment information, prescription information, treating physician names, and health insurance information.

Interventional Pain Center secured the account to prevent further unauthorized access and has implemented additional safeguards to prevent similar incidents in the future, including enhancing its email security and monitoring controls, and providing additional training to the workforce. At the time of issuing notifications, Interventional Pain Center had found no evidence to suggest any of the exposed information had been misused.

The post Medical Group Announces PHI Exposure Due to Unencrypted Emails appeared first on The HIPAA Journal.