What a phishing attack looks like in a therapist's inbox

Recognizing phishing attempts in your work inbox goes beyond keeping your practice secure—it’s about protecting your clients’ privacy and preserving the trust that’s central to your therapeutic relationships. The examples below show real email breaches, how they happened, and the impact they left behind.

Healthcare Therapy Services email hack: Thousands of patients exposed

What happened

In April 2025, attackers gained unauthorized access to Healthcare Therapy Services' email systems, compromising thousands of patients' names, Social Security numbers, driver's license details, financial information, and medical records. The breach went undetected for an unknown period, and the investigation took five months to complete.

What it looks like in your inbox

This type of breach normally starts with a phishing email that appears to come from a trusted source. Here's what the initial attack email could look like:

[Image: sample phishing email 1, an account-verification message from a misspelled sender domain]

The red flags:

  • Misspelled sender domain 
  • Creates artificial urgency ("24 hours or permanent suspension")
  • Generic greeting instead of your name
  • Threatening consequences for inaction
  • Button or link to "verify" that leads to a fake login page

The consequences

HTS didn't discover the breach until April 29, 2025, and it took until September 9, over four months, to determine the full scope. Thousands of patients were affected. HTS had to notify all impacted individuals, offer 24 months of complimentary credit monitoring, CyberScan monitoring, a $1 million insurance reimbursement policy, and fully managed identity theft recovery services through IDX. The organization faced the cost of external cybersecurity professionals, forensic investigation, notification mailings, credit monitoring services, and potential regulatory penalties.

Mid South Rehab Services: Two email accounts compromise thousands

What happened

In January 2025, cybercriminals accessed two employee email accounts at Mid South Rehab Services, exposing patients' names, Social Security numbers, dates of birth, and medical records. Just two compromised accounts gave attackers access to years of patient correspondence, treatment updates, and insurance information.

What it looks like in your inbox

This breach could have started with a credential-stealing phishing email. Here's a common example targeting healthcare providers:

[Image: sample phishing email 2, a credential-stealing message imitating SimplePractice.com]

The red flags

  • Domain looks similar but isn't the real SimplePractice.com
  • Urgent deadline creates panic
  • "Do not reply" prevents you from questioning authenticity
  • Link leads to fake login page that captures your username and password

The consequences

Mid South Rehab discovered the breach on January 16, 2025. The company had to secure the affected accounts, hire external cybersecurity experts for forensic investigation, and notify federal law enforcement. They established a dedicated support line for affected patients, began mailing breach notifications, and published a Notice of Data Privacy Event on their website. All impacted individuals were advised to monitor their credit, place fraud alerts or credit freezes, and watch for phishing attempts using their compromised personal details. The organization faced investigation costs, notification expenses, reputational damage, and the ongoing cost of supporting affected patients.

MJ Care: Five months of undetected email access exposes 1,832 patients

What happened

Between May and June 2022, an unauthorized individual accessed an MJ Care employee's email account and remained undetected for five months. The compromised account contained 1,832 patients' names, Social Security numbers, financial information, medical records, insurance details, and treatment information.

What it looks like in your inbox

This type of long-term access often begins with an innocent-looking email. Here's what the initial phishing attempt might have looked like:

[Image: sample phishing email 3, a fake claims notice with a scammer-controlled phone number and "provider portal" link]

The red flags

  • Lists specific dollar amounts to create urgency about losing money
  • Provides a phone number controlled by scammers
  • Threatens claim denial to pressure quick action
  • "Provider portal" link leads to a fake login page

The consequences

The breach occurred between May 31 and June 24, 2022, but wasn't detected until much later. The investigation into the compromised account wasn't completed until November 2, 2022, five months after the initial access. This gave the attacker enough time to harvest 1,832 patients' complete information including Social Security numbers, financial account information, credit and debit card details, biometric information, medical records, medications, and health insurance policy information. MJ Care had to send notifications to all 1,832 affected individuals on December 29, 2022, and offer complimentary credit monitoring services to patients whose Social Security numbers were exposed. The five-month delay between the breach and discovery meant patient data potentially circulated on the dark web or was used for identity theft while patients remained unaware.

Washington Therapist: Fake tech support exposes 640 patients

What happened

In December 2022, therapist Robert S. Miller received a phone call from someone claiming to be from Iolo Software Company (where he'd recently purchased antivirus software). The "employee" said Miller's computer was hacked and offered to clean it. After Miller granted remote access, the scammer requested $300 in eBay cards, revealing the fraud. During three days of access, the attacker potentially obtained 640 patients' names, Social Security numbers, medical records, and detailed clinical notes.

What it looks like in your inbox

While this attack happened via phone, the same tactic frequently appears in email. Here's how it would look:

[Image: sample phishing email 4, a fake tech-support alert offering "free" remote assistance]

The red flags

  • Creates panic with "data exfiltration in progress"
  • Uses technical jargon to sound legitimate
  • Offers "free" remote assistance (then requests payment later)
  • Urgency prevents you from thinking clearly
  • Legitimate companies don't monitor individual computers or reach out unsolicited

The consequences

From December 2 to December 4, 2022, the attacker had complete access to Miller's computer and potentially obtained files containing 640 patients' names, dates of birth, mailing addresses, email addresses, phone numbers, medical insurance ID numbers, Social Security numbers, and clinical information including evaluations, progress notes, mental health rating scales, and letters. Miller had to notify all 640 current and former clients about the breach through the state attorney general. He then implemented encryption technologies, strengthened all passwords, hired a third-party software company to review his systems and remove any installed malware, and offered complimentary identity theft protection services to all 640 affected clients. 

The common threads in healthcare email breaches

These four real-world examples reveal patterns that every mental health professional should recognize. Three breaches involved unauthorized access to email accounts where sensitive patient information was stored in messages and attachments, while the Washington therapist case shows how phishing tactics work across communication channels. According to research by Nemec Zlatolas, Welzer, and Lhotska on cybersecurity in healthcare, the primary attack vectors include hacking and malicious attacks, unauthorized access, man-in-the-middle attacks, impersonation attacks, and insider threats. Their systematic review also notes that ENISA's 2023 threat landscape report identifies healthcare as among the most frequently targeted sectors for cyberattacks.

The types of information exposed across all incidents represent the comprehensive records therapists maintain, not just names and contact information, but Social Security numbers, insurance details, financial information, dates of birth, medical record numbers, and detailed clinical information about patients' health, diagnoses, and treatment.

The scale of these breaches differs, from nearly 2,000 patients at MJ Care to potentially thousands at HTS and Mid South Rehab, but the impact on individual patients is equal regardless of the total number affected. Each person faces increased risks of identity theft, financial fraud, and the knowledge that their private health information may be in criminal hands.

Beyond finances, the consequences extend to patient trust and care-seeking behavior. Research shows that health data breaches result in an average 4.65% reduction in hospital visits, as patients lose confidence in healthcare providers' ability to protect their information. 

Nemec Zlatolas, Welzer, and Lhotska's research notes the need for robust cybersecurity measures in healthcare. Their systematic review of 99 research papers found a growing emphasis on electronic health records protection, data storage security, and access control, with Blockchain, artificial intelligence, and encryption technologies increasingly being adopted for healthcare data protection. The researchers highlight that careful planning, timely implementation of security solutions, and tracking attack trends are crucial, noting that healthcare systems must be updated regularly to address evolving threats.

According to "Analyzing web descriptions of cybersecurity breaches in the healthcare provider sector: A content analytics research method," cyber-attacks increased by 42% in the first half of 2022 compared to 2021, and ransomware attacks became the number one threat. The research paper also notes that 74% of breaches related to hacking/IT incidents. This trend is part of a larger pattern. According to Nemec Zlatolas, Welzer, and Lhotska's systematic review of healthcare data breaches, research analyzing U.S. data from 2011 to 2021 identified 3,822 personal health information breaches affecting over 283 million people, with hacking and IT-related incidents being the most common breach type. Their analysis found that hospitals represented approximately one-third of data breaches among various healthcare provider types. The researchers also emphasize that human factors play a critical role in healthcare breaches, often serving as the primary vector through which compromises occur. This finding is reinforced by the research paper, which states that human factors contribute to the majority of security violations in healthcare.

The research paper's analysis reveals that over a nine-year period, the paradigm of data security shifted from physical security to cybersecurity, with email emerging as the most frequent data breach location by 2019. The study identified critical attack vectors for different breach locations, finding that hacking/IT incidents are the most significant attack vector for email breaches, while unauthorized access and disclosure represent major threats to electronic medical records.

Protecting your practice from email-based attacks

The consistent thread across all these breaches is compromised email credentials leading to unauthorized access. Here are steps to protect your practice:

  • Strengthen password security: Use strong, unique passwords for every account and never reuse passwords across platforms.
  • Recognize and avoid phishing attempts: Train yourself and staff to identify phishing emails by being suspicious of unexpected requests to verify accounts, click urgent links, or provide login information.
  • Use advanced email security: Implement HIPAA compliant email solutions like Paubox that automatically encrypt emails, detect unusual login activity, and flag suspicious messages before they reach your inbox.
  • Audit and minimize stored information: Regularly review what patient information is stored in your email and move sensitive content to encrypted, HIPAA compliant systems before deleting from your inbox.
  • Educate clients about secure communication: Include information in informed consent documents about secure communication methods and establish clear protocols for what can be discussed via email versus secure messaging.
  • Monitor account activity: Enable login alerts on your email accounts to receive notifications about logins with location and device information, allowing you to detect unauthorized access immediately.
  • Conduct regular security audits: Review who has email access, ensure former employees' credentials are revoked, verify security settings are properly configured, and confirm backups exist for communications.
  • Keep systems updated: Maintain current security patches on email clients, web browsers, operating systems, and all email-accessing applications to prevent attackers from exploiting known vulnerabilities.
  • Develop an incident response plan: Create a specific plan for email breaches outlining immediate steps, including who to notify (IT support, legal counsel, insurers, law enforcement) and understanding HIPAA breach notification requirements.
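One way to turn the red flags listed in the four cases above into a check you can run over a suspicious message. This is an added example, not code from this article or from Paubox; the sample email and the trusted-vendor allowlist are constructed for the example, and you would replace the allowlist with the services your practice actually uses.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): a lookalike of SimplePractice.com, as in the red flags above.
SAMPLE_EMAIL = """\
From: SimplePractice Support <support@simp1epractice.com>
Subject: Action required: verify your account within 24 hours

Dear Provider,
Your account will face permanent suspension unless you verify within 24 hours: https://login.simp1epractice.com/verify
Do not reply to this message.
"""

# Assumed allowlist of vendors the practice really uses; adjust to your own.
TRUSTED_DOMAINS = {"simplepractice.com", "paubox.com"}
URGENCY = ("24 hours", "permanent suspension", "immediately", "claim denied", "action required")
GENERIC_GREETINGS = ("dear provider", "dear customer", "dear user", "dear valued")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: a domain one or two edits from a trusted one is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(raw: str) -> list[str]:
    """Return the red flags (from the lists above) that this message exhibits."""
    msg = message_from_string(raw)
    body = msg.get_payload().lower()
    text = (msg["Subject"] or "").lower() + " " + body
    domain = parseaddr(msg["From"] or "")[1].split("@")[-1].lower()
    flags = []
    if domain not in TRUSTED_DOMAINS and any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        flags.append(f"lookalike sender domain: {domain}")  # misspelled sender domain
    if any(p in text for p in URGENCY):
        flags.append("urgency or threatened consequences")  # "24 hours or permanent suspension"
    if any(body.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting instead of your name")
    if "do not reply" in body:
        flags.append("do-not-reply discourages checking with the real sender")
    for url in re.findall(r"https?://\S+", body):
        host = urlparse(url).hostname or ""
        if not any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
            flags.append(f"link to untrusted host: {host}")  # leads to a fake login page
    return flags
```

A message that trips several of these checks at once should be reported rather than acted on; a single hit (for example urgency wording in a genuine vendor notice) is a prompt to verify through a channel you already trust, not proof of phishing.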

FAQs

What should therapists do immediately if they suspect a phishing email?

Immediately close the email without clicking links or attachments, forward it to your IT security team or a trusted service like Paubox for analysis, and report it to platforms like the Anti-Phishing Working Group.

How can therapists recover patient trust after an email breach?

Therapists can recover trust by transparently communicating the breach details, offering free credit monitoring and counseling support, and demonstrating new security measures in follow-up sessions.

How has AI changed phishing tactics targeting therapists in 2025?

AI now generates highly personalized phishing emails mimicking clients' voices or therapy-specific jargon, making attacks harder to spot without advanced detection tools.
