Two separate employees at one of the country's largest gastroenterology groups responded to phishing emails within five days of each other, each resulting in unauthorized access to patient files containing Social Security numbers and medical records.


What happened

Gastro Health, a gastroenterology medical group operating more than 200 locations across Alabama, Florida, Maryland, Massachusetts, Ohio, Virginia, and Washington, has notified 35,632 individuals of two separate phishing-driven data breaches that occurred days apart. According to the Notice of Data Security Event, the first incident was discovered on February 25, 2026, when Gastro Health learned that employees had responded to phishing emails, giving an unauthorized third party access to files and systems accessible to those staff members. A second, separate phishing incident was discovered on March 2, 2026, involving a different employee and resulting in further unauthorized file access. The Indiana Attorney General filing confirms 35,632 total individuals affected. Compromised data includes names, dates of birth, Social Security numbers, government-issued ID numbers, medical record numbers, patient account numbers, Medicare and Medicaid numbers, health insurance information, diagnosis and treatment information, prescription information, and provider details. Notification letters began going out in late May 2026.


Going deeper

Two phishing incidents at the same organization within five days suggest either a coordinated campaign targeting multiple employees simultaneously, or a second attacker exploiting the same vulnerability window before the first incident was fully contained. Gastro Health's own breach notice describes the two incidents separately without indicating whether they were related. The review of affected files took approximately three months, with notification letters filed with the state attorneys general of Massachusetts and Washington and with the Indiana AG in late May and early June 2026. The organization is offering 24 months of complimentary identity protection to all affected individuals. No payment card information was compromised in either incident.


What was said

In its official breach notice, Gastro Health stated that "upon discovery, Gastro Health took immediate action to contain the incident and investigate its scope and impact," and that the organization "has no indication at this time that the impacted information has been misused." The company confirmed it is notifying affected individuals directly where contact information is available and has taken steps to enhance its security posture following both incidents.


In the know

Gastroenterology practices hold a category of data that makes them a consistent target for credential-based attacks. Colonoscopy and endoscopy records, cancer screening results, and chronic disease management notes combine diagnostic detail with the demographic and insurance information that enables medical identity fraud. That combination makes a compromised gastroenterology email account substantially more damaging than a breach at an administrative-only practice. The two-incident pattern at Gastro Health is also consistent with what security researchers have documented in healthcare phishing campaigns throughout 2026, where attackers who gain access through one employee account often use that foothold to identify other staff members and send follow-on lures from a trusted internal address, making the second compromise harder to detect than the first. According to Paubox's Top 3 Healthcare Email Attacks report, phishing-driven mailbox takeovers exposed 630,000 individuals across healthcare in 2025, with multi-employee compromise events accounting for a disproportionate share of the largest incidents.


The big picture

Two phishing incidents at the same organization within five days point to a gap that goes beyond individual employee awareness training. When a second employee responds to a phishing email while the first incident is still being investigated and contained, it suggests the organization's detection and response protocols did not include an immediate organization-wide alert or enhanced monitoring following the first compromise. For a 200-location medical group, the scale of the operation makes centralized email security monitoring and rapid incident communication across all sites particularly important. According to Paubox's Top 3 Healthcare Email Attacks report, only 5% of known phishing attacks are reported by employees to security teams, meaning the second incident at Gastro Health was likely not caught through internal reporting but through a separate detection process three months after the fact.


FAQs

What does it mean that two separate phishing incidents occurred within five days?

Either the same attacker ran a coordinated campaign targeting multiple employees, or a second attacker independently targeted the organization before the first breach was contained and the vulnerability addressed. In either case, the proximity of the two incidents suggests the first did not trigger an immediate organization-wide security response that would have prevented the second.


Why did the notification take approximately three months after discovery?

Gastro Health's file review required identifying which specific patient records were present in the accessed employee accounts, confirming what data categories were involved, and verifying contact information for each affected individual. A 200-location organization with thousands of employee email accounts can accumulate years of patient correspondence, making the review timeline consistent with similar-scale healthcare email breaches documented in 2025 and 2026.


Why do gastroenterology practices hold particularly sensitive data?

Gastroenterology records document conditions including colorectal cancer, Crohn's disease, ulcerative colitis, and other chronic digestive disorders alongside detailed procedural notes, biopsy results, and medication histories. Combined with Social Security numbers and insurance identifiers, this data creates a complete profile for both medical identity fraud and targeted phishing against the affected individuals.


What should a healthcare organization do immediately after discovering a phishing-related account compromise?

Issue an organization-wide security alert, require password resets on all email accounts as a precaution, enable enhanced monitoring for unusual login activity across the entire domain, and begin a parallel HIPAA breach assessment to determine notification obligations, all before the forensic review of the compromised account is complete. Waiting for the investigation to conclude before taking organization-wide protective action leaves the rest of the environment exposed during the investigation window.
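A small illustration of the enhanced monitoring described in this answer and of the follow-on-lure pattern noted under "In the know", written as an added example that is not drawn from Gastro Health's notice or from Paubox's report. It assumes a constructed login and mail event log, a hypothetical first-compromised mailbox `alice`, and a seven-day monitoring window, and flags logins from sources outside each user's pre-incident baseline, rating them higher for staff who received mail from the compromised account.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<timestamp> <user> <login|mail> <source IP | recipient>".
# alice is the hypothetical first-compromised mailbox; the attacker's login and the
# follow-on lures sent from it to other staff appear on 2026-02-25.
SAMPLE_EVENTS = """\
2026-02-20T09:01:00 alice login 10.8.0.12
2026-02-21T08:30:00 bob   login 10.8.0.40
2026-02-22T08:45:00 carol login 10.8.0.33
2026-02-25T08:55:00 alice login 203.0.113.45
2026-02-25T09:10:00 alice mail  bob
2026-02-25T09:10:30 alice mail  carol
2026-02-26T14:02:00 bob   login 10.8.0.40
2026-03-02T07:40:00 carol login 198.51.100.7
"""

def parse_events(text):
    # One dict per line, sorted by timestamp.
    events = []
    for line in text.splitlines():
        ts, user, kind, detail = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def baseline_sources(events, cutoff):
    # Per-user set of login sources seen before the first compromise was discovered.
    seen = {}
    for e in events:
        if e["kind"] == "login" and e["ts"] < cutoff:
            seen.setdefault(e["user"], set()).add(e["detail"])
    return seen

def monitor_after_compromise(events, compromised_user, first_seen, window):
    # Returns (alert, user, detail, timestamp) tuples for the enhanced-monitoring window.
    # A login from outside the user's baseline is rated high when the account is the
    # compromised one or has already received internal mail from it, medium otherwise.
    baseline = baseline_sources(events, first_seen)
    exposed = {compromised_user}
    alerts = []
    for e in events:
        if not first_seen <= e["ts"] <= first_seen + window:
            continue
        if e["kind"] == "mail" and e["user"] == compromised_user:
            exposed.add(e["detail"])
            alerts.append(("follow-on-lure", e["user"], e["detail"], e["ts"]))
        elif e["kind"] == "login" and e["detail"] not in baseline.get(e["user"], set()):
            sev = "high" if e["user"] in exposed else "medium"
            alerts.append((f"new-source-login/{sev}", e["user"], e["detail"], e["ts"]))
    return alerts

def run_example():
    return monitor_after_compromise(parse_events(SAMPLE_EVENTS), "alice",
                                    datetime(2026, 2, 25, 8, 0), timedelta(days=7))
```

On the sample log the attacker's login to the compromised account, the two internal lures it sends, and the later out-of-baseline login by a lured colleague are flagged, while the colleague who logs in from a known source is not.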