Excerpt from HIPAA Journal, published on July 9, 2025

Three HIPAA-regulated entities have recently reported separate email data breaches, compromising the protected health information (PHI) of thousands of individuals. The incidents highlight persistent vulnerabilities in email systems and the ongoing risk of phishing attacks targeting healthcare providers and their vendors.

The first breach involved Peak Vista Community Health Centers in Colorado. An unauthorized party gained access to a staff member’s email account for several days, potentially exposing PHI such as names, dates of birth, medical record numbers, and clinical data of 31,227 individuals. Though there is no evidence of misuse, affected patients are being offered complimentary identity protection services.

In the second incident, Clinical Research Center of Nevada (CRCN) discovered that a compromised employee email account was accessed without authorization. The exposed data included names, contact information, diagnosis codes, and treatment details for 15,503 patients. CRCN has since improved its email security protocols and implemented multi-factor authentication.

The third breach occurred at DocGo, a mobile health services provider. An employee fell victim to a phishing email that allowed attackers to access sensitive patient data belonging to over 10,000 individuals. DocGo confirmed that the exposed data included health insurance information, treatment details, and in some cases, Social Security numbers. The organization is cooperating with law enforcement and has taken steps to improve security awareness and technical defenses.

These incidents underscore the critical need for robust email security measures across healthcare organizations. HIPAA-covered entities are advised to invest in regular staff training, secure email gateways, encryption technologies, and comprehensive breach response plans. Adhering to frameworks such as HIPAA and ISO 27001 is essential for safeguarding sensitive health data in today’s threat landscape.
