Beacon Health System Affected by Two Business Associate Email Breaches
Beacon Health System, a South Bend, Indiana-based non-profit health care system, has disclosed two data breaches involving two different business associates. Two breach notices have been added to the Beacon Health System website, the first on March 24, 2025, involving a business associate called CPS Solutions, a provider of services to support pharmacy operations.
The security incident at CPS Solutions was identified on December 4, 2025, and involved unauthorized access to the email account of a CPS Solutions employee. The email account was secured the same day, and the forensic investigation confirmed the account was compromised from December 2 to December 4, 2024. The account was reviewed, and on January 24, 2025, it was confirmed that emails in the account contained the protected health information of patients of Beacon Health System’s Three Rivers Health Hospital in Michigan.
The exposed data included full names, dates of birth, health insurance information, Medicaid/Medicare numbers, and medical information such as medical record numbers, clinical information, provider information, diagnosis/treatment information, and/or prescription information. Notification letters were mailed to the affected individuals on February 10, 2025. The affected individuals have been offered two years of complimentary credit monitoring and identity theft protection services.
The second breach notice was added to the Beacon Health System website on March 26, 2025, and affects certain patients of Elkhart General Hospital in Indiana. This incident occurred at the business associate Restorix, which provides hospitals with wound care services. This breach also involved a compromised email account and was detected by Restorix on May 30, 2024. The forensic investigation revealed the account had been accessed by an unauthorized individual between May 7 and May 29, 2024.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
On November 27, 2024, Beacon Health System was informed that personal and protected health information was compromised in the incident, including first and last names, dates of birth, driver’s license numbers, government identification numbers, passport numbers, Social Security numbers, patient ID numbers, medical information, prescription information, dates of service, diagnosis/condition/treatment information, certificate and/or license numbers, and/or health insurance information. Restorix sent notification letters to the affected patients on December 18, 2024.
Additional cybersecurity safeguards have been implemented, and employee cybersecurity training has been enhanced. Neither incident is currently shown on the HHS’ Office for Civil Rights breach portal, so it is unclear how many patients have been affected.
