Two employee email accounts were compromised in a breach that may have exposed personal, medical, and financial details.
Radiologic Medical Services, P.C., which operates Muscatine Radiology and Corridor Radiology in Iowa, reported a data breach affecting at least 56,902 individuals. The breach was traced to unauthorized access of two employee email accounts between February 22 and March 19, 2024. The company detected suspicious activity on February 26, prompting an investigation.
An internal review determined that the exposed email accounts may have contained both personally identifiable information (PII) and protected health information (PHI). This includes:
The breach was officially reported to the U.S. Department of Health and Human Services on November 12, 2024, and to the Vermont Attorney General’s office on October 7, 2025. Affected individuals began receiving mailed notifications on October 6, 2025, more than a year after the initial incident.
Radiologic Medical Services stated that it took immediate steps to secure the compromised email accounts. Cybersecurity specialists were brought in to assist, and the company has complied with all relevant federal and state notification requirements. Affected individuals have been offered free credit monitoring and identity protection services.
According to report data from Paubox, the healthcare sector is facing a systemic email security crisis: 180 organizations reported email-related breaches in 2024 alone, making email the most common entry point for cyberattacks. The trend has worsened, with 107 additional email-related breaches recorded in just the first half of 2025, several of which exposed more than half a million patient records. The Radiologic Medical Services incident reflects this growing threat, showing how even a small number of compromised employee accounts can expose tens of thousands of patients’ sensitive data.
Healthcare providers often use email to share treatment details, billing information, and insurance documents. This makes email accounts a rich target for attackers seeking both financial and medical data.
Under HIPAA, covered entities are required to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach. However, extended forensic investigations or internal reviews can delay the notification process.
Yes. If someone uses stolen medical information to receive care, it can lead to inaccurate medical records, unexpected bills, or complications in legitimate insurance claims and coverage.
Impacted individuals should take advantage of credit monitoring, request their medical records to check for inaccuracies, and notify their insurance provider of the breach to flag any suspicious activity.
Encryption can help protect data in transit or at rest, but breaches like this often result from credential compromise. Stronger measures, such as multifactor authentication and user training, are needed for email security.