Three healthcare organizations—Iron County Medical Center in Missouri, Regional Center of the East Bay in California, and Winkler County Hospital District in Texas—have recently reported separate data breaches involving email. These incidents involved unauthorized access or unintentional sharing of patients’ protected health information (PHI).
Iron County Medical Center, Missouri
Iron County Medical Center, based in Pilot Knob, Missouri, discovered an email security incident in December 2024. On December 6, two employees received suspicious emails that appeared to come from a fellow staff member. The IT team quickly took action by cutting off all email sessions to stop any possible data theft and started an investigation.
A digital forensics firm was brought in to help. It found that someone had accessed one employee’s email account. Luckily, the unauthorized user sent only two emails within the system, and there was no sign that they copied or downloaded other data.
However, the email account did contain the personal health details of 10,239 individuals, who have all been notified. The data may have included names, birth dates, provider names, billing and insurance details, medical record numbers, treatment history, and more.
To protect those affected, the center is offering free identity theft protection and has taken steps to strengthen its email security based on expert recommendations.
Regional Center of the East Bay, California
The Regional Center of the East Bay, which supports people with developmental disabilities in California, reported a privacy breach affecting 689 individuals. The incident happened when an employee mistakenly sent sensitive information, such as names, birth dates, and unique client IDs, to someone outside the organization.
Although the information didn’t include Social Security numbers or financial data, it still qualifies as a data breach under HIPAA rules. The person who mistakenly received the email confirmed that they deleted it. The center is now reviewing its internal procedures to avoid similar mistakes in the future.
Winkler County Hospital District, Texas
In Texas, Winkler County Hospital District reported an insider breach involving a former employee. In April 2025, the hospital found that the ex-employee had sent patient data to a personal email account on April 11.
The information exposed in the breach varied by person. It may have included names, birth dates, gender, and zip codes. Social Security numbers, medical records, diagnosis details, insurance data, and discharge status were also possibly involved.
The hospital has notified 637 affected patients and is now reviewing its privacy practices to improve data protection moving forward.
Each of these incidents highlights the importance of strict email security and employee awareness when handling sensitive patient information. These organizations have taken action to address the issues and prevent future occurrences.