Real-world inbound email breach cases and what we can learn
Gugu Ntsele November 19, 2025
In 2025, email breaches are seriously impacting healthcare organizations, from rural hospitals to state agencies. Detection delays of months, unchecked misconfigurations, and compromised accounts exposing thousands of patients reveal patterns that indicate what went wrong and what needs to change.
Alternate Solutions Health Network discovers nine-month-old breach
In April 2025, Alternate Solutions Health Network in Ohio disclosed an email breach affecting approximately 93,589 individuals. The breach occurred on or around May 30, 2024, but wasn't discovered until February 14, 2025, through forensic review. This represents a detection delay of approximately nine months.
The unauthorized access centered on a single employee email account. The compromised account contained names, dates of birth, addresses, driver's license numbers, physician and clinician names, clinical information, diagnostic information, and treatment information.
Alternate Solutions Health Network explained in its Notice of Data Security Incident, "After an extensive investigation and manual document review, we discovered on February 14, 2025, that some personal and/or protected health information of individuals was contained in the compromised email account that was subject to unauthorized access and acquisition."
The forensic investigation that eventually uncovered the breach revealed the attacker had maintained persistent access to the account for an extended period before the organization even became aware of the compromise. During those nine months, the attacker could have reviewed patient records, accessed treatment histories, and potentially exfiltrated data without any detection or intervention.
Following the discovery, Alternate Solutions Health Network stated in its Notice of Data Security Incident that "The security and privacy of the information contained within our systems is a top priority for us," and committed to implementing additional cybersecurity safeguards, enhancing employee cybersecurity training, and improving its cybersecurity policies, procedures, and protocols. The data breach was reported to the HHS' Office for Civil Rights on April 14, 2025, and individual notification letters were mailed to all affected individuals starting on that same date, offering credit monitoring services and identity theft protection.
Park Royal Hospital phishing attack extends beyond email
In January 2025, Park Royal Hospital in Fort Myers, Florida experienced a credential phishing attack that showed how an email compromise can open the door to other systems. On January 14, 2025, an employee mistakenly disclosed their email account credentials in response to a phishing email that they thought was legitimate. With those credentials in hand, the attacker gained access not only to the employee's email account but also to the organization's SharePoint environment.
Park Royal discovered the unauthorized access on January 17, 2025, and took steps to secure the compromised email account and launched an investigation with the assistance of a third-party forensic investigation firm. The forensic investigation that followed confirmed details about the scope of the incident. As stated in Park Royal's Notice of Email Phishing Incident, "The investigation confirmed that this incident was limited to the one employee's email account and SharePoint account, and did not involve Park Royal's electronic health records systems. Importantly, this incident did not disrupt Park Royal's services or operations."
The unauthorized access window occurred between January 14 and January 15, 2025. The attackers managed to access information for 9,349 patients. The exposed data included patient names, dates of admission, provider information, and status as a patient at Park Royal Hospital, all of it protected health information stored in both the email system and SharePoint repositories.
Healthcare organizations use integrated systems where a single set of credentials can unlock multiple applications and data stores. In Park Royal's case, the employee's credentials acted as a single key that opened both the email and document management systems.
Park Royal Hospital's response included securing the compromised account within three days of the initial breach, conducting a thorough forensic investigation, and implementing additional safeguards and technical security measures to further protect and monitor their systems. On March 18, 2025, the hospital began mailing notification letters via United States Postal Service First-Class mail to all 9,349 patients whose information was involved in the incident. Since Social Security numbers and financial information were not compromised, credit monitoring services were not offered, though patients were advised to monitor statements from their providers and health plans for any services they did not receive.
Charleston Fire Department system breach
In April 2025, the Charleston Fire Department in West Virginia disclosed an email compromise that exposed patient information related to emergency medical services. The department became aware of the issue on February 21, 2025, when it noticed spam emails being sent from an EMS employee's email account without the employee's knowledge. The department took steps to secure its system and launched an investigation with the assistance of cybersecurity experts.
Through their investigation, they determined that the employee's email account had been subjected to unauthorized access beginning on February 18, 2025. The breach window was brief, from approximately February 18 to February 21, 2025, but during those three days, attackers accessed information for 2,583 individuals who had received EMS services.
The compromised data included names, addresses, dates of birth, Social Security numbers, other demographic identifiers, clinical information such as diagnoses/conditions, medications, dates of services, and insurance information. Additionally, some individuals had their dates of service, insurance carriers, and the amounts billed for EMS treatment accessed. This type of information is sensitive because it relates to emergency situations, medical crises, accidents, injuries, mental health emergencies, and other circumstances that patients typically want to keep private.
While hospitals and large healthcare systems receive attention and regulatory scrutiny, municipal fire departments providing emergency medical services may operate with more limited IT resources and cybersecurity expertise. They handle substantial amounts of protected health information through their emergency response and billing operations, yet they may not have dedicated information security staff or sophisticated monitoring tools.
The Charleston Fire Department's email system was used for billing-related communications, which meant the affected mailbox contained information pertaining to ambulance trips and EMS billing. When these billing system emails were compromised, attackers gained visibility into both the medical circumstances that necessitated EMS response and the financial details associated with those services.
Charleston Fire Department began mailing breach notifications on April 22, 2025, to all affected individuals. Notably, the department is offering free credit monitoring to anyone who has received treatment from Charleston EMS, regardless of whether the individual received a notification letter, a proactive approach that extends protection beyond just the confirmed affected individuals. The department also indicated it was implementing additional email security measures, including enhanced monitoring and access controls, to prevent similar incidents.
Restorix Health extended access
In early 2025, Restorix Health in Louisiana reported an email account breach that had occurred months earlier, from May 7 to May 29, 2024. The three-week period of unauthorized access affected approximately 38,553 individuals, making this one of the larger single-account compromises reported in the 2025 disclosure wave.
Restorix Health manages wound centers to treat wounds that other health centers may not have the equipment or staffing to treat, and helps develop and manage outpatient wound centers throughout Louisiana. The company initially learned of the unauthorized access on May 30, 2024, and investigated the incident, determining that a Restorix employee's email account had been accessed during the three-week period.
The compromised email account contained protected health information including names, dates of birth, driver's license numbers, ID and passport numbers, Social Security numbers, patient identification numbers, medical and prescription information, and condition, treatment and diagnosis information.
The delay between the May 2024 breach and the early 2025 disclosure indicates the compromise wasn't detected in real-time. The company advised their healthcare partners of the incident on December 18, 2024, and filed a breach submission with the HHS' Office for Civil Rights on February 14, 2025. This detection and disclosure gap, potentially seven to nine months, meant the organization and its healthcare partners remained unaware of the compromise for an extended period after the attacker's access had ended.
Restorix Health stated in its Notice of Data Breach that "The security and privacy of the information contained within our system is a top priority for us." In response to the incident, the company said they immediately took "steps to secure our systems and engaged third-party forensic experts to assist in the investigation." Restorix's response included comprehensive breach notifications to all affected individuals, offering credit monitoring services due to the exposure of Social Security numbers and other sensitive identifiers. The organization indicated it was implementing additional cybersecurity safeguards, enhancing their cybersecurity training, and improving their policies and procedures to help minimize the likelihood of this type of incident occurring again.
The breach also shows the interconnected nature of modern healthcare delivery. Many patients may have been unaware of Restorix's involvement in their care, as the company often partners with other hospitals to provide specialized wound care services. When a breach occurs at a healthcare business associate or partner organization, affected individuals may not immediately recognize the connection to their own medical care.
Illinois Department of Healthcare and Family Services government agency targeted
On or about February 11, 2025, the Illinois Department of Healthcare and Family Services (HFS) was targeted by a phishing campaign that leveraged previously compromised government infrastructure. As HFS explained in its media notice, "The bad actor sent emails to HFS employees from another government email account the bad actor had previously hacked, so that the emails looked trustworthy to HFS employees."
HFS became aware that "a bad actor was conducting a phishing campaign targeting HFS employees and attempting to gain access to their usernames and passwords." The result of this phishing campaign was that one HFS employee fell victim, resulting in the compromise of their email account and access to documents stored in or accessible through that account.
The Illinois Department of Healthcare and Family Services administers Medicaid and other healthcare programs for the state, meaning its systems and email accounts contain information about program recipients. The breach ultimately affected 933 individuals, of which 564 were Illinois residents. The information compromised differed for each individual impacted, but may have included customer names, Social Security numbers, driver's license or state identification card numbers, financial information related to child support, child support or Medicaid identification and case numbers, and dates of birth.
Upon discovery, HFS worked with the Illinois Department of Innovation and Technology (DoIT) to block the link contained in the phishing email and reset passwords for any employees whose credentials may have been compromised. HFS also communicated with all employees about the active threat and reminded them about appropriate actions to take or not take when presented with a request for their state credentials.
This case shows that even government agencies with cybersecurity resources, regulatory oversight, and security awareness programs can fall victim to email attacks. It also shows that one successful attack provides credentials and infrastructure that can be weaponized to launch additional attacks against related organizations, creating a chain of breaches.
The Department completed notifying the affected clients on May 23, 2025. The incident also prompted coordination with the agency whose email account was initially compromised to ensure that infrastructure was secured and couldn't be used to launch additional attacks against other government entities.
The collective impact of email breaches and what we can learn
Examining these email breach cases collectively reveals certain patterns and lessons about healthcare email security. According to the Paubox Healthcare Email Security Report, between January 2024 and January 2025, 180 healthcare organizations reported email-related breaches to the HHS Office for Civil Rights, demonstrating that the vulnerability spans all organization types, sizes, and regions. The incidents affecting state government agencies, rural hospitals, specialty practices, and large health networks confirm this is an industry-wide problem.
Detection delays enable extended damage
The Alternate Solutions Health Network and Restorix Health compromises went undetected for months. Attackers use such extended access windows to exfiltrate data and conduct reconnaissance unchecked. The lesson: detection speed is critical. Organizations that discover breaches within days (like Park Royal Hospital at three days) can limit exposure more effectively than those discovering months-old compromises.
Premium tools don't equal security
According to The Healthcare Email Security Report, Microsoft 365 accounts for 43.3% of breaches, yet many organizations fail to properly configure critical settings like DMARC and SPF. The lesson: investment in premium solutions is insufficient. Only 27% of IT leaders feel confident about avoiding breaches in 2025, according to the report. What matters is implementation, configuration, enforcement, and continuous monitoring. Organizations need to layer additional solutions and properly configure foundational authentication mechanisms: the report found that 30.6% of breached organizations lacked DMARC records entirely and 34.4% ran DMARC in ineffective "monitor-only" mode.
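As an added illustration (not part of the report or of Paubox's tooling), the following Python classifies a sending domain's DMARC and SPF posture into the states the report counts: no DMARC record, monitor-only (`p=none`), or enforced. The domains and TXT records are constructed samples; replacing the `lookup` callable with a real DNS TXT query would turn this into a live check.

```python
import re

# Constructed sample DNS TXT records for hypothetical domains (no real DNS lookups).
# They model the three DMARC states the report counts: no record, monitor-only, enforced.
SAMPLE_TXT = {
    "_dmarc.no-record.example": [],
    "_dmarc.monitor-only.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"],
    "_dmarc.enforced.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@enforced.example"],
    "no-record.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "monitor-only.example": ["v=spf1 include:spf.protection.outlook.com ?all"],
    "enforced.example": ["v=spf1 include:spf.protection.outlook.com -all"],
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into a lowercase-tag dict (RFC 7489 tag=value syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_status(domain, lookup=SAMPLE_TXT.get):
    """Classify a domain's DMARC posture; 'lookup(name, default)' returns the TXT strings at a name."""
    records = [r for r in lookup(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not records:
        return "missing"                       # the 30.6% case: no DMARC record at all
    tags = parse_dmarc(records[0])
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))          # pct defaults to 100 when absent
    if policy == "none":
        return "monitor-only"                  # the 34.4% case: reports only, nothing is blocked
    if policy in ("quarantine", "reject"):
        return f"enforced ({policy})" if pct == 100 else f"partial ({policy}, pct={pct})"
    return "invalid"

def spf_status(domain, lookup=SAMPLE_TXT.get):
    """Report what the SPF record tells receivers to do with senders it does not list."""
    records = [r for r in lookup(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return "missing"
    match = re.search(r"\s([-~?+]?)all\b", records[0])  # the terminal 'all' sets the default verdict
    if not match:
        return "no all mechanism (implicit neutral)"
    qualifier = match.group(1) or "+"          # a bare 'all' means '+all'
    return {"-": "hardfail (-all)", "~": "softfail (~all)",
            "?": "neutral (?all)", "+": "pass-all (+all)"}[qualifier]
```

Only "enforced (reject)" together with "hardfail (-all)" lets receiving servers actually reject spoofed mail from the domain; a `p=none` record produces reports but stops nothing.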
Interconnected systems amplify risk
Park Royal Hospital's phishing attack demonstrated how a single compromised credential opened both email and SharePoint systems. The lesson: assume credentials unlock multiple systems and protect accordingly. Charleston Fire Department and others show how billing-related email systems expose medical data alongside financial information, creating dual-purpose targets for attackers.
The cost of inaction
According to The Healthcare Email Security Report, 169,076 individuals were affected by email breaches in June 2025 alone, a pace that projects to over two million people annually. According to IBM (cited in the report), the true average cost of a data breach in healthcare is $9.8 million. The lesson: email security is a financial and legal necessity.
FAQs
Why are healthcare email accounts such high-value targets for attackers?
Because a single compromised mailbox can contain extensive clinical, demographic, and financial data.
How often do attackers use compromised email accounts to access other internal systems?
This happens frequently because many healthcare systems use shared or interconnected credentials.
Why do some breaches take months to discover?
Many organizations lack real-time monitoring tools or automated alerting for unusual account activity.
Do business associates face the same email breach risks as hospitals?
Yes, business associates often hold large volumes of PHI but may operate with fewer security controls.
Can email phishing attacks lead to financial fraud schemes?
Yes, attackers often search inboxes for billing, payment, and transaction-related information.