Acadiana Radiation Therapy Data Breach: 2,219 Patients Affected in Email Hack
On June 27, 2025, Acadiana Radiation Therapy, LLC, a Louisiana-based healthcare provider, reported a significant data breach to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. The incident, classified as a hacking/IT incident, compromised sensitive patient information stored in the organization's email systems and affected 2,219 individuals.
This breach serves as another stark reminder of the vulnerabilities healthcare organizations face in protecting protected health information (PHI) and the critical importance of robust cybersecurity measures in medical settings.
What Happened
According to the official breach notification filed with HHS, Acadiana Radiation Therapy experienced a hacking incident that specifically targeted its email systems. The breach was discovered and reported on June 27, 2025, indicating that unauthorized individuals gained access to email accounts containing sensitive patient information.
The incident involved a business associate, suggesting that a third-party vendor or contractor may have been involved either in the breach itself or in the organization's email management services. This detail is significant because it highlights the extended risk surface that healthcare organizations face when working with external partners.
While specific technical details about the attack method, duration, or the identity of the threat actors have not been disclosed in the available breach notice, the classification as a hacking/IT incident indicates that cybercriminals successfully penetrated the organization's digital infrastructure.
Who Is Affected
The breach impacted 2,219 individuals who were patients or had their information stored within Acadiana Radiation Therapy's email systems. As a radiation therapy provider, the organization likely maintains detailed medical records including:
- Treatment plans and protocols
- Diagnostic imaging results
- Medical histories and diagnoses
- Personal identifying information
- Insurance information
- Contact details and emergency contacts
Patients who received services from Acadiana Radiation Therapy should be particularly vigilant about monitoring their personal information and medical records for any signs of unauthorized use.
Breach Details
Entity: Acadiana Radiation Therapy, LLC
Location: Louisiana
Entity Type: Healthcare Provider
Individuals Affected: 2,219
Breach Type: Hacking/IT Incident
Location of Breach: Email systems
Date Reported: June 27, 2025
Business Associate Involvement: Yes
The breach falls under HIPAA's Security Rule requirements, which mandate that covered entities implement appropriate administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Under 45 CFR § 164.308, healthcare organizations must implement access controls and conduct regular security assessments to prevent unauthorized access to patient information.
The involvement of a business associate also triggers HIPAA's Business Associate Agreement requirements under 45 CFR § 164.502(e), which requires covered entities to ensure their partners maintain appropriate safeguards for PHI.
What This Means for Patients
For the 2,219 affected individuals, this breach represents a serious compromise of their medical privacy and potentially their personal security. Email-based breaches can be particularly concerning because:
- Extended exposure time: Email communications often contain ongoing conversations about treatment, creating a detailed picture of a patient's medical journey
- Multiple data types: Emails may contain not just medical information but also insurance details, contact information, and personal identifiers
- Interconnected risks: Compromised email systems may provide access to other connected systems or databases
Patients should be aware that this type of breach could potentially lead to medical identity theft, insurance fraud, or targeted phishing attacks using their personal medical information.
How to Protect Yourself
If you are a patient of Acadiana Radiation Therapy or believe your information may have been compromised, take these immediate steps:
Immediate Actions
- Contact the provider directly to confirm whether your information was involved in the breach
- Monitor your medical records for any unauthorized treatments or services
- Review insurance statements carefully for unfamiliar charges or claims
- Check your credit reports for any new accounts or suspicious activity
Ongoing Protection
- Set up fraud alerts with major credit bureaus
- Consider credit monitoring services if not provided by the healthcare organization
- Be cautious of phishing attempts that may reference your medical information
- Update passwords for any online patient portals or medical accounts
- Keep detailed records of all communications with the healthcare provider regarding the breach
Medical Identity Theft Prevention
- Review explanation of benefits statements from your insurance company
- Monitor your medical credit reports through services like the Medical Information Bureau
- Verify your medical history during future healthcare visits
- Report suspicious activity immediately to both your healthcare provider and insurance company
Prevention Lessons for Healthcare Providers
This breach offers several critical lessons for healthcare organizations seeking to strengthen their cybersecurity posture:
Email Security Enhancement
- Implement multi-factor authentication (MFA) for all email accounts
- Deploy advanced email security solutions including anti-phishing and malware protection
- Regular security training for staff on email-based threats
- Email encryption for all communications containing PHI
Business Associate Management
- Strengthen Business Associate Agreements with specific security requirements
- Regular security assessments of all business partners
- Clear incident response protocols involving business associates
- Ongoing monitoring of third-party access to PHI
HIPAA Compliance Measures
- Regular risk assessments as required by 45 CFR § 164.308(a)(1)
- Access controls to limit PHI exposure
- Audit logs to track access to patient information
- Incident response plans that meet HIPAA breach notification requirements
Technical Safeguards
- Network segmentation to limit breach impact
- Regular software updates and patch management
- Endpoint detection and response solutions
- Data loss prevention tools to monitor PHI movement
Healthcare organizations must remember that under HIPAA's Breach Notification Rule (45 CFR § 164.400-414), they have strict timelines for notifying patients, HHS, and potentially the media about breaches affecting 500 or more individuals.
The Acadiana Radiation Therapy breach serves as a reminder that cybersecurity is not optional in healthcare—it's a critical component of patient care and regulatory compliance. Organizations that fail to implement adequate safeguards not only risk regulatory penalties but also compromise the trust and safety of the patients they serve.