A phishing attack at St. John’s Riverside Hospital has exposed the sensitive information of at least 2,238 individuals.
According to Claim Depot, in September 2025 the hospital detected unauthorized access to a limited number of employee email accounts, which the attackers used to send further phishing emails and to attempt to reroute funds. Upon discovery, the hospital secured its systems by changing passwords, revoking session tokens, and resetting multifactor authentication (MFA). It also engaged data security and privacy professionals to investigate the incident.
The investigation revealed that the breach exposed personally identifiable information (PII) and protected health information (PHI) of at least 2,238 individuals across the US. It also revealed that the data involved could include:
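The three containment steps the hospital describes (password change, session token revocation, MFA reset) map onto concrete administrative actions in a cloud mailbox platform. The script below is an added illustration, not code from the article or from the hospital; it assumes a Microsoft 365 tenant (the article does not say which platform the hospital uses), the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules, and a made-up account name. The fourth step, checking for attacker-created inbox rules and forwarding, is an added practitioner check that the article does not mention but that is routinely part of responding to account takeovers aimed at rerouting payments.

```powershell
# Added example: contain one compromised Microsoft 365 mailbox.
# Assumptions (not from the article): Microsoft 365 tenant, Microsoft.Graph and
# ExchangeOnlineManagement modules installed, operator holds the scopes below.
$Upn = 'compromised.user@example.org'   # hypothetical account name

Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All'
Connect-ExchangeOnline

# 1. Rotate the password and force a change at next interactive sign-in.
$NewPassword = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $NewPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Revoke refresh tokens and session cookies. A password change alone does not
#    end sessions the attacker already holds; this call invalidates them so that
#    clients must re-authenticate once their short-lived access tokens expire.
Revoke-MgUserSignInSession -UserId $Upn

# 3. Reset MFA: remove every registered strong method so that an authenticator
#    or phone number the attacker self-registered cannot be reused. The user
#    re-enrols through a verified channel afterwards.
Get-MgUserAuthenticationMethod -UserId $Upn | ForEach-Object {
    $id   = $_.Id
    $type = $_.AdditionalProperties['@odata.type']
    switch ($type) {
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $id }
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $id }
        '#microsoft.graph.emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $Upn -EmailAuthenticationMethodId $id }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $Upn -SoftwareOathAuthenticationMethodId $id }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $Upn -Fido2AuthenticationMethodId $id }
        default { }   # the password method cannot be removed; leave it
    }
}

# 4. Added check: look for inbox rules that forward, redirect or silently delete
#    mail, and for mailbox-level forwarding. Attackers pursuing payment fraud
#    commonly add these to hide replies from the real account owner.
Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
} | Format-List Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, Description

Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
```

Order matters: rotate the credential first, then revoke sessions, so that a session the attacker re-establishes between the two steps is still cut off. Anything step 4 reports should be preserved as evidence before it is removed.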
In its data breach notice, the hospital reassures affected individuals that “There is no indication that personal information has been misused for the purposes of identity theft or fraud.” The notice adds: “Note that this describes general categories of information identified as present within the affected St. John’s Riverside Hospital accounts during the incident and includes categories that are not relevant to each individual whose information may have been present.”
According to Paubox, phishing is the leading cause of healthcare data breaches, serving as the primary entry point for more sophisticated attacks like ransomware and credential theft. Microsoft recently took down a phishing operation that targeted at least 20 healthcare organizations by stealing their Microsoft 365 login details. These incidents demonstrate the widespread nature of phishing attacks and how easily attackers can exploit trusted tools, making strong email security and staff awareness essential.
HIPAA compliant email services, like Paubox, encrypt messages so that PHI sent by email cannot be read if it is intercepted or reaches an unauthorized party. Encryption does not by itself stop a user from being tricked, so it works alongside MFA, email filtering, and staff awareness as one layer of defense for healthcare organizations against email-based threats.
Phishing is a type of cyberattack where criminals use fake emails, text messages, or websites to trick people into sharing sensitive information, such as usernames and passwords or financial data, or into taking an action such as approving a payment.
PII is any information that can identify an individual, such as a name or Social Security number. PHI is the subset of PII that relates specifically to a person’s health or healthcare and is protected under HIPAA.