Data Breaches Announced by Two Digestive Health Companies
Cyberattacks and data breaches have recently been announced by the national gastroenterology medical group Gastro Health and Spokane Digestive Disease Center in Washington.
Gastro Health
Gastro Health, a gastroenterology medical group with more than 200 locations in Florida, Alabama, Washington, Virginia, Ohio, Massachusetts, and Maryland, has announced an email security incident that exposed the protected health information of some of its patients.
The incident was detected on February 25, 2026, when the company learned that some of its employees had responded to phishing emails, resulting in unauthorized access to their email accounts. A separate phishing incident was identified on March 2, 2026, resulting in a further email account being subject to unauthorized access.
The review of the affected email accounts confirmed that they contained information such as names, dates of birth, Social Security numbers, and state or government-issued ID numbers. Protected health information in the accounts included diagnosis and treatment information, prescription information, provider/clinic information, medical record numbers, patient account numbers, Medicare/Medicaid numbers, and health insurance or group account numbers. The types of information involved varied from individual to individual.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Notification letters are being mailed to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services for 24 months. The number of affected individuals has yet to be publicly disclosed, although the Washington Attorney General has been informed that more than 1,800 state residents have been affected.
Spokane Digestive Disease Center
Spokane Digestive Disease Center in Washington has notified certain patients about unauthorized access to an employee’s email account. Suspicious activity was identified within the account on February 19, 2026. The account was secured, and an investigation was launched, which confirmed unauthorized access to the account on various dates between January 22, 2026, and February 18, 2026.
The account was reviewed, and on May 8, 2026, it was confirmed that information in the account included names, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, credit card information, financial account information, electronic signatures, and medical information.
The affected individuals have been offered 12 months of complimentary credit monitoring services, and steps have been taken to improve email security. The HHS’ Office for Civil Rights currently lists the data breach with a placeholder estimate of at least 501 individuals. The Washington attorney general was informed that the information of 2,093 state residents was involved.
