
Onsite Women's Health pays $2.5M for phishing breach affecting 357k


A single compromised employee email account at a mobile mammography provider exposed mental health records, Social Security numbers, and credit card data for 357,000 patients across its partner hospital network.

 

What happened

Onsite Mammography, LLC, which operates as Onsite Women's Health and provides mammography and medical imaging services to hospitals across Massachusetts, has agreed to a $2,525,000 class action settlement over a phishing-driven data breach discovered in October 2024. According to ClassAction.org, an employee responded to a phishing email, giving an unauthorized third party access to the employee's email account. Although the account was accessible for only a short period, data was exfiltrated before the breach was contained. A forensic review concluded in February 2025 confirmed that 357,265 individuals were affected. Compromised data includes names, dates of birth, Social Security numbers, driver's license numbers, credit card numbers, and medical information, including mental health records, physical health conditions, and care received. The settlement received preliminary court approval on April 13, 2026. Claims must be submitted by August 11, 2026, and the final approval hearing is scheduled for September 9, 2026.

 

Going deeper

The consolidated lawsuit, Clarkson et al. v. Onsite Mammography, LLC, was filed in the US District Court for the District of Massachusetts and asserted negligence, breach of implied contract, breach of fiduciary duty, invasion of privacy, unjust enrichment, and declaratory judgment. Plaintiffs argued that inadequate security measures on employee email accounts enabled the breach and that faster detection would have limited the data exposed. According to SecurityWeek, Onsite Mammography serves patients through partner medical practices and hospital locations, meaning the breach extended beyond its own patient population to individuals treated at affiliated sites. Plaintiffs also challenged the adequacy of the 12 months of credit monitoring initially offered, arguing it was insufficient given the sensitivity of the mental health and medical records involved, and that Onsite provided no assurances that stolen data had been deleted or that security had been strengthened.

 

What was said

In its official settlement notice, Onsite Mammography stated it denies all wrongdoing and disagreed with the claims asserted by plaintiffs, but agreed to settle to avoid the costs and risks associated with continued litigation and a potential trial. The company confirmed it has taken steps to strengthen its security posture following the breach, though the settlement does not specify the controls implemented.

 

In the know

Mental health records and physical condition information carry heightened sensitivity under both HIPAA and state law. Massachusetts has some of the strongest patient data protections in the country, and the combination of mental health records, Social Security numbers, and credit card data in a single breach gives affected individuals broad exposure to identity theft, financial fraud, and medical identity theft simultaneously. The three-year credit and medical data monitoring term in the settlement is longer than the one-year standard seen in many healthcare breach settlements, reflecting the severity of the data categories involved. That extended monitoring period was likely a direct response to the plaintiffs' arguments that 12 months was inadequate for the risk created by combined mental health and financial data exposure.

 

The big picture

Onsite Women's Health's model, providing services through partner hospitals rather than operating standalone facilities, means a single email account breach propagated across an entire network of provider relationships. Patients treated at hospitals that contracted with Onsite had no direct relationship with Onsite's security practices, no visibility into which vendor was handling their imaging data, and no way to assess the risk that presented. The breach also shows what a single phished email account can cost: one employee's click generated 357,265 affected individuals, $2.5 million in settlement costs, legal fees, and years of ongoing monitoring obligations. According to Paubox's Top 3 Healthcare Email Attacks report, phishing-driven mailbox takeovers exposed 630,000 individuals across healthcare in 2025, with credential-based account access accounting for the largest share of exposed patient data among email breach types.

 

FAQs

Why does the breach of a single email account affect 357,000 people?

Onsite Women's Health provides imaging services across a network of partner hospitals, accumulating patient records from multiple sites in its email environment. A single employee account that handles scheduling, records, or communications across that network can hold data from tens of thousands of patients across many locations.

 

Why did plaintiffs argue that 12 months of credit monitoring was insufficient?

The breach exposed mental health records alongside Social Security numbers and credit card data — a combination that creates long-term identity theft and medical identity fraud risk. Mental health information can be used for targeted fraud or blackmail and does not expire the way a credit card number does, making short-term monitoring inadequate for the full scope of potential harm.

 

What is medical data monitoring, and how does it differ from standard credit monitoring?

Medical data monitoring scans for unauthorized use of a patient's identity in healthcare settings, such as fraudulent medical claims filed under the victim's insurance or prescriptions obtained using stolen identifying information. Standard credit monitoring does not cover medical identity theft, which makes it insufficient when medical records are compromised.

 

How does a mobile imaging provider end up holding mental health records?

Mammography screenings are often ordered through a patient's primary care provider or specialist, and the imaging results and associated clinical notes travel through administrative systems alongside the referral documentation. Imaging providers that integrate with hospital systems can accumulate a broader clinical context than their core function might suggest.

 
