25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Email Accounts Breached at San Francisco Campus for Jewish Living & Altior Healthcare

Posted By on Apr 21, 2025

Email account breaches have been announced by the San Francisco Campus for Jewish Living and Altior Healthcare in California, and Bassett Healthcare Network has confirmed the unauthorized acquisition of patient data by a former Bassett Healthcare Network physician.

San Francisco Campus for Jewish Living

Hebrew Home for Aged Disabled, doing business as San Francisco Campus for Jewish Living in California, has notified 2,568 individuals about the exposure of some of their protected health information in an email security incident. The substitute breach notice does not state when the email account breach was compromised, only that the unauthorized access was detected on December 27, 2024. The email account was immediately secured to prevent further access, and an investigation was launched to confirm the nature and scope of the unauthorized activity.

The forensic investigation confirmed that the breach was limited to a single email account, with no other systems compromised. The account contained names, dates of birth, medical record numbers, dates of services, admission/discharge information, medication information, COVID testing information, payment histories, and insurance information. San Francisco Campus for Jewish Living said steps have been taken to improve email security, and the affected individuals have been offered complimentary credit monitoring services.

Altior Healthcare

Altior Healthcare in California has confirmed unauthorized access to employee email accounts as a result of responses to phishing emails. Suspicious activity was identified within its email system, and a forensic investigation was launched to determine the extent of the breach. The investigation confirmed there had been intermittent unauthorized access to email accounts between July 14, 2024, and January 8, 2025, and it is possible that the contents of the email accounts were downloaded. No other systems were compromised in the incident.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The accounts were reviewed, and that process was completed on March 15, 2025, when it was confirmed that the information potentially compromised in the incident included names, dates of service, dates of birth, provider names, medication information, and other information related to care. Altior Healthcare said it has enhanced safeguards and security measures to prevent similar incidents in the future. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 1,002 individuals.

Bassett Healthcare Network

Bassett Healthcare Network in New York has notified 5,565 individuals about the unauthorized acquisition of protected health information by a Bassett Healthcare Network physician. Bassett Healthcare Network’s compliance office was notified on February 10, 2025, that a physician was collecting patient information from its systems. An internal investigation was launched, which confirmed that protected health information had been transmitted to individuals not affiliated with the Bassett Healthcare Network and had been saved to unauthorized personal devices.

The review confirmed that the patients’ full names were obtained or transmitted along with an individual’s date of birth, age, sex/gender, medical record number, email address, primary care provider, patient portal enrollment status, and zip code. For some individuals, the impacted data included medical diagnoses and procedure histories. No evidence was found to indicate that any financial data or Social Security numbers were obtained.

The physician is no longer employed by Bassett Healthcare Network, which said it has no reason to believe that the physician obtained or transmitted patient information with the intention of causing harm or endangering patients. The healthcare network said it quickly implemented tighter safeguards to better protect patient privacy and prevent similar incidents in the future.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist