Email-related breaches often expose sensitive personal information, putting organizations and patients at risk. Despite advances in cybersecurity, healthcare organizations remain vulnerable to attacks, largely due to the valuable nature of the data they hold. The following email-related breaches in healthcare were reported this week:
On October 28, 2024, BrightStar Care reported an email breach to the Massachusetts Attorney General after discovering unauthorized access to an employee’s email account. Upon investigating, BrightStar confirmed that an unauthorized party had accessed the account over a two-day period, between May 15 and May 16, 2024. This led to the unauthorized exposure of sensitive consumer data contained in emails and attachments.
The compromised data included confidential consumer information that BrightStar Care has since reviewed to determine the specific data types and individuals affected. Personalized notifications were sent to individuals, listing the types of data involved.
Suspicious activity was detected in May 2024. After concluding an investigation on August 29, 2024, BrightStar Care began issuing data breach notifications on October 28, 2024, to comply with regulatory requirements.
Potomac Medical Aesthetics (PMA), based in Maryland, reported an unintentional email breach that occurred when an internal document with patient names and email addresses was mistakenly sent to other PMA patients. The error was detected promptly, leading PMA to suspend outbound email processing and initiate a recall notice.
The breached data included patient names and email addresses. Although limited in scope, this exposure makes affected individuals vulnerable to phishing attacks. PMA has advised them to exercise caution with unsolicited emails.
The incident was reported on October 28, 2024, shortly after the disclosure error was detected. PMA swiftly issued notifications and implemented additional email protocols to prevent future breaches.
Northeast Professional Caregivers, a Canton-based healthcare organization, reported an unauthorized access incident involving an employee email account. The compromised account contained a marketing list with names, addresses, phone numbers, and types of services sought by potential and existing patients.
The accessed data was limited to demographic details and service preferences; no sensitive medical, financial, or Social Security information was included. Northeast Professional Caregivers reported the breach out of caution, although there’s no evidence of misuse or further exposure.
The breach was detected and contained in October 2024, with notifications sent out as a preventive measure to alert affected individuals to the potential risks. It was reported to the OCR on November 1, 2024.
Phishing attacks are the most common cause of email breaches: attackers trick employees into sharing login credentials or clicking malicious links, which grants the attacker unauthorized access to the email account.
If PHI is exposed through compromised internal emails, it still constitutes a HIPAA violation, since unauthorized access to protected health information breaches privacy regulations regardless of whether the email was internal or external.
An incident response plan should include steps for isolating affected accounts, notifying impacted individuals, conducting a root cause analysis, and reporting to regulatory authorities if required.