Email Data Breaches Reported by Three HIPAA-Regulated Entities
Email-related HIPAA breaches have been announced by Iron County Medical Center in Missouri, Regional Center of the East Bay in California, and Winkler County Hospital District in Texas.
Iron County Medical Center, Missouri
Iron County Medical Center in Pilot Knob, Missouri, has recently issued notification letters about a December 2024 email security incident. On December 6, 2024, two employees reported receiving a suspicious email from another Iron County employee. The IT team immediately terminated all active sessions within its email tenant to block any potential unauthorized access and launched an investigation into the potential email breach.
A third-party digital forensics firm was engaged to investigate and confirmed that an unauthorized individual had accessed a single employee email account. The unauthorized activity appeared to involve only sending two emails internally. No evidence was found to indicate any further unauthorized activity, including any copying of emails in the compromised account.
The compromised account was reviewed and found to contain the protected health information of 10,239 individuals, all of whom have been notified. The information in the account varied from individual to individual and may have included names, combined with one or more of the following: date of birth, date of service, doctor or provider name, employee ID, medical billing information, information related to payment for health services, incidental health reference, medical record number, procedure information, medical history, medical treatment information, and other health insurance information.
As advised by third-party security experts, additional measures have been implemented to improve email security and prevent similar incidents in the future. As a precaution against misuse of the exposed information, complimentary identity theft protection services have been offered to the affected individuals.
Regional Center of the East Bay, California
Regional Center of the East Bay in California, a provider of services and support for individuals with developmental disabilities and their families, has notified 689 individuals about an impermissible disclosure of some of their protected health information. An email containing clients’ first and last names, dates of birth, and UCI numbers was inadvertently sent to an individual external to the agency. The affected individuals did not have any information disclosed that exposed them to identity theft; however, the incident is classed as a reportable data breach and requires notifications. The individual who received the email was asked to delete it and confirmed they had done so. Policies and procedures are being reviewed to reduce the risk of similar incidents in the future.
Winkler County Hospital District, Texas
In June 2025, Winkler County Hospital District in Texas notified 637 patients about an insider incident involving some of their protected health information. On or around April 22, 2025, Winkler County learned that a former employee had emailed patient data to a personal email account. An investigation was launched that determined the former employee emailed the data on April 11, 2025.
The types of data involved vary from individual to individual and may have included names in combination with some or all of the following: age, gender, race, zip code, date of birth, dates of service, diagnoses, encounter numbers, medical record number, Social Security number, status at discharge, visitor identification number, and insurance information and authorization. Winkler County is reviewing its policies and procedures with respect to data privacy to reduce the risk of similar incidents in the future.


