Cardiofit Medical discloses PHI exposure from unencrypted patient emails

A California cardiology practice notified patients after discovering that emails containing protected health information were transmitted without encryption between January and February 2026.

What happened

Cardiofit Medical Group, a cardiology practice based in Los Angeles, California, disclosed a data breach stemming from unencrypted email transmission of protected health information (PHI). According to the organization's breach notice filed with the California Attorney General, the incident occurred between January 1 and February 17, 2026, when the organization identified that certain emails containing patient data were sent without standard encryption. The breach was publicly reported on April 9, 2026. No external threat actor has been identified. The exposed information includes patient names, demographic details, limited clinical information, and insurance information. Social Security numbers and financial account data were not involved. Cardiofit Medical Group stated there is no evidence of data misuse at this time.

Going deeper

The incident stems from internal procedural lapses in email security rather than a cyberattack. Unencrypted email transmission of PHI constitutes a reportable breach under the HIPAA Breach Notification Rule, regardless of whether interception occurred, because unsecured PHI is presumed compromised unless the covered entity can demonstrate a low probability of compromise. The combination of names, demographic data, insurance information, and clinical details can be used for medical identity theft and targeted fraud, even without financial identifiers. Cardiofit has stated it is enhancing email encryption procedures and staff training in response to the incident. Under California's updated breach notification law, SB 446, which took effect January 1, 2026, organizations must notify affected individuals within 30 days of discovering a breach and submit a sample notice to the California Attorney General within 15 days of notifying individuals.

What was said

In its breach notice filed with the California Attorney General, Cardiofit Medical Group confirmed that certain emails containing PHI were sent without encryption during January and February 2026, that the issue was discovered on February 17, 2026, and that the organization has implemented enhanced email encryption procedures and updated staff training in response. The organization indicated there is no current evidence of misuse of the exposed data.

In the know

Unencrypted email transmission of PHI is one of the most consistently documented causes of healthcare breaches. Paubox's What Healthcare Gets Wrong About HIPAA and Email Security report found that many compliance failures in healthcare email stem from manual encryption approaches, where staff are required to type a keyword or click an encryption button to trigger protection. Every message where that step is missed or skipped constitutes a potential HIPAA violation. In one OCR enforcement action cited in Paubox research, a clinic was fined $25,000 simply for sending PHI to the wrong recipient via unencrypted email. The Cardiofit incident follows that same pattern: a process that depended on human action failed, and PHI moved outside protected channels without any alert to the sender.

The big picture

Encryption failures in healthcare email are not rare edge cases. According to Paubox's How Microsoft and Google Put PHI at Risk report, even major enterprise platforms can deliver messages using deprecated encryption protocols or no encryption at all without alerting the sender, meaning organizations that rely on platform defaults rather than enforced encryption policies operate with a compliance gap they cannot see. The Cardiofit breach makes the risk concrete: a cardiology practice transmitted patient data across an unprotected channel for nearly seven weeks before discovering the problem, and the patients affected had no way of knowing their information had been exposed. Paubox seamlessly encrypts emails automatically, removing the human decision point that creates this category of breach. Under HIPAA Security Rule §164.312(e)(1), covered entities are required to implement technical safeguards to protect electronic PHI during transmission. OCR has repeatedly cited transport encryption failures in enforcement actions, and the Cardiofit case adds to a documented pattern of organizations that treat encryption as a user responsibility rather than a system default.

FAQs

Does sending unencrypted PHI always constitute a reportable HIPAA breach?

Under the HIPAA Breach Notification Rule, disclosure of unsecured PHI is presumed to be a reportable breach unless the covered entity can demonstrate through a risk assessment that there is a low probability the PHI has been compromised. Absent that demonstration, the organization must notify affected individuals, HHS, and, in some cases, the media.

What is the difference between opportunistic TLS encryption and enforced email encryption for HIPAA purposes?

Opportunistic TLS attempts encryption when the recipient's server supports it, but delivers the message unencrypted if it does not. HIPAA requires organizations to protect PHI in transmission, and a delivery pathway that can silently fall back to unencrypted transmission does not meet that standard because the sender cannot verify that protection was actually applied.

How does California's updated breach notification law affect healthcare organizations operating in the state?

Under SB 446, effective January 1, 2026, California organizations must notify affected individuals within 30 days of discovering a breach and submit a sample notice to the California Attorney General within 15 days of notifying individuals. Healthcare organizations operating in California must update their incident response timelines to meet these deadlines, which are shorter than the 60-day window under federal HIPAA requirements.

What technical control would have prevented the Cardiofit breach?

Automatic email encryption that applies to all outbound messages containing PHI by default, without requiring staff to trigger it manually, would have prevented the breach. When encryption is enforced at the platform level rather than left to individual user action, there is no opportunity for an unencrypted message to leave the organization's environment.
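The two FAQ answers above (opportunistic TLS versus enforced transport encryption, and platform-level enforcement instead of per-user action) come down to one decision an outbound mail policy makes per recipient server. The following model of that decision is an added example written for this page; it is not Paubox code and is not taken from the Cardiofit notice. The EHLO replies, hostnames and TLS versions are constructed, and the "deliver_plaintext"/"defer" outcomes are assumed names for the fallback and fail-closed behaviours the answers describe.

```python
"""Model of how an outbound mail policy treats a recipient server's TLS support.

Constructed example: the EHLO replies and hostnames below are made up.
"""
import re
from dataclasses import dataclass

# Oldest TLS version treated as "protected"; TLS 1.0 and 1.1 are deprecated.
MIN_TLS_VERSION = (1, 2)


@dataclass
class Decision:
    action: str   # "deliver_encrypted", "deliver_plaintext" or "defer"
    reason: str


def parse_ehlo(ehlo_response: str) -> set[str]:
    """Return the SMTP extensions advertised in a multi-line EHLO reply.

    The first 250 line is the server greeting, not an extension, so it is skipped.
    """
    exts = set()
    for line in ehlo_response.strip().splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def decide_delivery(ehlo_response: str, negotiated_tls, policy: str) -> Decision:
    """Decide what the sending MTA does with one message under the given policy.

    negotiated_tls: (major, minor) TLS version the handshake reaches, or None
    when STARTTLS is not offered or the handshake fails.
    policy: "opportunistic" (try TLS, silently fall back to plaintext) or
    "enforced" (never send in the clear; defer the message instead).
    """
    if policy not in ("opportunistic", "enforced"):
        raise ValueError(f"unknown policy {policy!r}")
    exts = parse_ehlo(ehlo_response)
    if "STARTTLS" not in exts:
        if policy == "enforced":
            return Decision("defer", "recipient does not offer STARTTLS")
        return Decision("deliver_plaintext", "opportunistic fallback: no STARTTLS")
    if negotiated_tls is None:
        if policy == "enforced":
            return Decision("defer", "STARTTLS handshake failed")
        return Decision("deliver_plaintext", "opportunistic fallback: handshake failed")
    if negotiated_tls < MIN_TLS_VERSION:
        if policy == "enforced":
            return Decision("defer", f"TLS {negotiated_tls[0]}.{negotiated_tls[1]} below minimum")
        return Decision("deliver_encrypted", "deprecated TLS version accepted silently")
    return Decision("deliver_encrypted", f"TLS {negotiated_tls[0]}.{negotiated_tls[1]}")


def audit(sessions, policy: str) -> dict:
    """Count outcomes for a list of (ehlo_response, negotiated_tls) pairs.

    Running the same sessions under both policies shows the gap the sender
    never sees under opportunistic delivery.
    """
    counts = {"deliver_encrypted": 0, "deliver_plaintext": 0, "defer": 0}
    for ehlo, tls in sessions:
        counts[decide_delivery(ehlo, tls, policy).action] += 1
    return counts


# Constructed EHLO replies: one modern server, one with no STARTTLS at all.
EHLO_MODERN = """250-mx.example-hospital.test Hello
250-SIZE 52428800
250-STARTTLS
250 ENHANCEDSTATUSCODES"""

EHLO_NO_TLS = """250-mx.legacy-clinic.test Hello
250-SIZE 10485760
250 HELP"""

# Three constructed delivery attempts: TLS 1.3, no TLS offered, TLS 1.0 only.
SAMPLE_SESSIONS = [
    (EHLO_MODERN, (1, 3)),
    (EHLO_NO_TLS, None),
    (EHLO_MODERN, (1, 0)),
]

if __name__ == "__main__":
    for policy in ("opportunistic", "enforced"):
        print(policy, audit(SAMPLE_SESSIONS, policy))
```

Under the opportunistic policy the second session leaves in plaintext and the third is accepted over a deprecated protocol, with nothing returned to the sender; under the enforced policy both are deferred, which is the point at which a human or a monitoring system gets to notice the problem before PHI leaves the environment.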

Why is insurance information combined with clinical data particularly sensitive, even without financial identifiers?

Insurance information combined with names, demographics, and clinical details provides enough detail to submit fraudulent insurance claims using the patient's identity, impersonate the patient in communications with providers, or construct targeted social engineering attacks referencing the patient's treatment history to appear credible.