
Email hack at Healthcare Therapy Services, Inc. could expose thousands


Healthcare Therapy Services, Inc. (HTS), a multi-state therapy services provider, has announced a data security incident involving personal and protected health information (PHI) belonging to patients. The company has begun notifying affected individuals and providing resources to help them protect their information.

 

What happened

On April 29, 2025, Healthcare Therapy Services, Inc. (HTS) detected unusual activity within its email systems. HTS immediately launched an investigation and engaged external cybersecurity professionals to assess the incident’s impact.

On September 9, 2025, the investigation determined that an unauthorized third party may have accessed emails containing the personal information and PHI of an undetermined number of individuals. Although HTS has not found evidence of misuse, it is notifying individuals.

The information potentially involved includes names, Social Security numbers, driver’s license details, financial account information, and medical information. HTS began sending notification letters on November 7, 2025, and posted a notice to its website that same day. Impacted individuals are being offered complimentary credit monitoring and guidance on how to protect their data.

 

What was said

The HTS public data breach notice stated that while no evidence of misuse has been identified, the company is notifying affected individuals “out of an abundance of caution.” 

Their public notice further states, “The privacy and protection of personal and protected health information is a top priority for HTS, which deeply regrets any inconvenience or concern this incident may cause.”

The organization also explained that its notification letters provide detailed information on the type of data involved and outline steps patients can take to further protect themselves.

According to the HTS notification letter, “We are also offering you the opportunity to enroll in complimentary credit monitoring and identity theft protection services through IDX, a data breach and recovery services expert. These services include: 24 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. With this protection, IDX will help you resolve issues if your identity is compromised. To enroll, please call IDX at 1-833-274-5072.”

 

In the know

According to the 2025 Healthcare Email Security Report, email systems are one of the most frequently targeted attack vectors in healthcare. Since email often contains both personal information and PHI, a single compromised account can expose large amounts of sensitive data. 

Therefore, healthcare organizations and other HIPAA-covered entities must use advanced access controls, multi-factor authentication (MFA), and continuous monitoring to minimize the risk of potential data breaches and HIPAA violations.


 

Why it matters

Email compromises are an ongoing cybersecurity challenge for organizations, often affecting large groups of patients and triggering lengthy investigations. They also affect the way patients seek care, resulting in an average 4.65% reduction in hospital visits.

Consequently, “understanding the broader effects of a health data breach can help hospitals and local healthcare systems better prepare for such incidents.”

 

FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.


 

What are the long-term consequences of healthcare data breaches?

In the long term, breaches can cause patients to delay or avoid care, increase public distrust in medical institutions, and lead to legal and regulatory penalties for healthcare providers.


 

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
