Recognizing phishing attempts in your work inbox goes beyond keeping your practice secure—it’s about protecting your clients’ privacy and preserving the trust that’s central to your therapeutic relationships. The examples below show real email breaches, how they happened, and the impact they left behind.
In April 2025, attackers gained unauthorized access to Healthcare Therapy Services' email systems, compromising thousands of patients' names, Social Security numbers, driver's license details, financial information, and medical records. The breach went undetected for an unknown period, and the investigation took five months to complete.
This type of breach normally starts with a phishing email that appears to come from a trusted source. Here's what the initial attack email could look like:
HTS didn't discover the breach until April 29, 2025, and it took until September 9, over four months, to determine the full scope. Thousands of patients were affected. HTS had to notify all impacted individuals and offer them 24 months of complimentary credit monitoring, CyberScan monitoring, a $1 million insurance reimbursement policy, and fully managed identity theft recovery services through IDX. The organization faced the cost of external cybersecurity professionals, forensic investigation, notification mailings, credit monitoring services, and potential regulatory penalties.
In January 2025, cybercriminals accessed two employee email accounts at Mid South Rehab Services, exposing patients' names, Social Security numbers, dates of birth, and medical records. Just two compromised accounts gave attackers access to years of patient correspondence, treatment updates, and insurance information.
This breach could have started with a credential-stealing phishing email. Here's a common example targeting healthcare providers:
Mid South Rehab discovered the breach on January 16, 2025. The company had to secure the affected accounts, hire external cybersecurity experts for forensic investigation, and notify federal law enforcement. They established a dedicated support line for affected patients, began mailing breach notifications, and published a Notice of Data Privacy Event on their website. All impacted individuals were advised to monitor their credit, place fraud alerts or credit freezes, and watch for phishing attempts using their compromised personal details. The organization faced investigation costs, notification expenses, reputational damage, and the ongoing cost of supporting affected patients.
Between May and June 2022, an unauthorized individual accessed an MJ Care employee's email account and remained undetected for five months. The compromised account contained 1,832 patients' names, Social Security numbers, financial information, medical records, insurance details, and treatment information.
This type of long-term access often begins with an innocent email. Here's what the initial phishing attempt might have looked like:
The breach occurred between May 31 and June 24, 2022, but wasn't detected until much later. The investigation into the compromised account wasn't completed until November 2, 2022, five months after the initial access. This gave the attacker enough time to harvest 1,832 patients' complete information, including Social Security numbers, financial account information, credit and debit card details, biometric information, medical records, medications, and health insurance policy information. MJ Care had to send notifications to all 1,832 affected individuals on December 29, 2022, and offer complimentary credit monitoring services to patients whose Social Security numbers were exposed. The five-month delay between the breach and discovery meant patient data potentially circulated on the dark web or was used for identity theft while patients remained unaware.
In December 2022, therapist Robert S. Miller received a phone call from someone claiming to be from Iolo Software Company (where he'd recently purchased antivirus software). The "employee" said Miller's computer was hacked and offered to clean it. After Miller granted remote access, the scammer requested $300 in eBay cards, revealing the fraud. During three days of access, the attacker potentially obtained 640 patients' names, Social Security numbers, medical records, and detailed clinical notes.
While this attack happened via phone, the same tactic frequently appears in email. Here's how it would look:
From December 2 to December 4, 2022, the attacker had complete access to Miller's computer and potentially obtained files containing 640 patients' names, dates of birth, mailing addresses, email addresses, phone numbers, medical insurance ID numbers, Social Security numbers, and clinical information including evaluations, progress notes, mental health rating scales, and letters. Miller had to notify all 640 current and former clients about the breach through the state attorney general. He then implemented encryption technologies, strengthened all passwords, hired a third-party software company to review his systems and remove any installed malware, and offered complimentary identity theft protection services to all 640 affected clients.
These four real-world examples reveal patterns that every mental health professional should recognize. Three breaches involved unauthorized access to email accounts where sensitive patient information was stored in messages and attachments, while the Washington therapist case shows how phishing tactics work across communication channels. According to research by Nemec Zlatolas, Welzer, and Lhotska on cybersecurity in healthcare, the primary attack vectors include hacking and malicious attacks, unauthorized access, man-in-the-middle attacks, impersonation attacks, and insider threats. Their systematic review also notes that ENISA's 2023 threat landscape report identifies healthcare as among the most frequently targeted sectors for cyberattacks.
The types of information exposed across all incidents represent the comprehensive records therapists maintain: not just names and contact information, but also Social Security numbers, insurance details, financial information, dates of birth, medical record numbers, and detailed clinical information about patients' health, diagnoses, and treatment.
The scale of these breaches differs, from nearly 2,000 patients at MJ Care to potentially thousands at HTS and Mid South Rehab, but the impact on individual patients is equal regardless of the total number affected. Each person faces increased risks of identity theft, financial fraud, and the knowledge that their private health information may be in criminal hands.
Beyond finances, the consequences extend to patient trust and care-seeking behavior. Research shows that health data breaches result in an average 4.65% reduction in hospital visits, as patients lose confidence in healthcare providers' ability to protect their information.
Nemec Zlatolas, Welzer, and Lhotska's research notes the need for robust cybersecurity measures in healthcare. Their systematic review of 99 research papers found a growing emphasis on electronic health records protection, data storage security, and access control, with blockchain, artificial intelligence, and encryption technologies increasingly being adopted for healthcare data protection. The researchers highlight that careful planning, timely implementation of security solutions, and tracking attack trends are crucial, noting that healthcare systems must be updated regularly to address evolving threats.
According to "Analyzing web descriptions of cybersecurity breaches in the healthcare provider sector: A content analytics research method," cyber-attacks increased by 42% in the first half of 2022 compared to 2021, and ransomware attacks became the number one threat. The research paper also notes that 74% of breaches were related to hacking/IT incidents. This trend is part of a larger pattern. According to Nemec Zlatolas, Welzer, and Lhotska's systematic review of healthcare data breaches, research analyzing U.S. data from 2011 to 2021 identified 3,822 personal health information breaches affecting over 283 million people, with hacking and IT-related incidents being the most common breach type. Their analysis found that hospitals represented approximately one-third of data breaches among various healthcare provider types. The researchers also emphasize that human factors play a critical role in healthcare breaches, often serving as the primary vector through which compromises occur. This finding is reinforced by the content analytics paper, which states that human factors contribute to the majority of security violations in healthcare.
The research paper's analysis reveals that over a nine-year period, the paradigm of data security shifted from physical security to cybersecurity, with email emerging as the most frequent data breach location by 2019. The study identified critical attack vectors for different breach locations, finding that hacking/IT incidents are the most significant attack vector for email breaches, while unauthorized access and disclosure represent major threats to electronic medical records.
The consistent thread across all these breaches is compromised email credentials leading to unauthorized access. Here are steps to protect your practice:
Immediately close the email without clicking links or attachments, forward it to your IT security team or a trusted service like Paubox for analysis, and report it to platforms like the Anti-Phishing Working Group.
Therapists can recover trust by transparently communicating the breach details, offering free credit monitoring and counseling support, and demonstrating new security measures in follow-up sessions.
AI now generates highly personalized phishing emails mimicking clients' voices or therapy-specific jargon, making attacks harder to spot without advanced detection tools.