Bardmoor Cancer Center Email Breach Exposes 991 Patient Records
Bardmoor Cancer Center, a healthcare provider in Florida, recently disclosed a significant email security breach that compromised the protected health information (PHI) of 991 patients. The incident, classified as a hacking/IT incident, was reported to the Department of Health and Human Services (HHS) on June 27, 2025, and involved a business associate.
This breach serves as another stark reminder of the ongoing cybersecurity challenges facing healthcare organizations and the critical importance of securing email communications containing sensitive patient data.
What Happened
Bardmoor Cancer Center experienced a cybersecurity incident that specifically targeted their email systems. The breach has been categorized as a hacking/IT incident, indicating that unauthorized individuals gained access to the organization's email infrastructure through technical means.
The incident involved a business associate, which is significant from a HIPAA compliance perspective. Under HIPAA regulations, business associates are third-party entities that handle PHI on behalf of covered entities and must maintain the same level of security and privacy protections as the healthcare provider itself.
While specific details about the attack vector, duration, or the exact nature of the compromised information have not been publicly disclosed, the incident was serious enough to warrant reporting to federal authorities and affected patients.
Who Is Affected
The breach impacted 991 individuals who were patients of Bardmoor Cancer Center. Because Bardmoor is a cancer treatment facility, the compromised information likely included highly sensitive medical data related to:
- Cancer diagnoses and treatment plans
- Medication records and chemotherapy protocols
- Laboratory results and imaging reports
- Insurance information and billing records
- Personal identifying information including names, addresses, and contact details
- Social Security numbers (potentially)
- Financial account information (potentially)
Cancer patients are particularly vulnerable to the consequences of healthcare data breaches due to the sensitive nature of their medical conditions and the potential for discrimination in employment, insurance, or other areas of life.
Breach Details
- Entity: Bardmoor Cancer Center
- Location: Florida
- Entity Type: Healthcare Provider
- Individuals Affected: 991
- Breach Type: Hacking/IT Incident
- Location of Breach: Email systems
- Date Reported to HHS: June 27, 2025
- Business Associate Involved: Yes
The involvement of a business associate adds complexity to this incident. Under HIPAA's Business Associate Rule (45 CFR § 164.308), covered entities must ensure that their business associates implement appropriate safeguards to protect PHI. When a business associate experiences a breach, they must notify the covered entity within 60 days of discovery.
What This Means for Patients
For the 991 affected patients, this breach represents a serious violation of their privacy rights under HIPAA's Privacy Rule (45 CFR § 164.502). The exposure of cancer-related medical information can have far-reaching consequences:
Immediate Risks
- Identity theft using compromised personal information
- Medical identity theft where criminals use patient information to obtain medical services
- Financial fraud if payment information was accessed
- Targeted phishing attacks using leaked personal details
Long-term Concerns
- Insurance discrimination based on cancer history
- Employment implications if medical conditions become known
- Emotional distress from privacy violation
- Ongoing vulnerability to future targeted attacks
Under HIPAA regulations, Bardmoor Cancer Center is required to provide breach notification to affected individuals without unreasonable delay, but no later than 60 days after discovery of the breach (45 CFR § 164.404).
How to Protect Yourself
If you are a patient of Bardmoor Cancer Center or believe your information may have been compromised, take these immediate steps:
Monitor Your Accounts
- Review medical statements and insurance claims for unauthorized services
- Check credit reports from all three major bureaus for suspicious activity
- Monitor financial accounts for unauthorized transactions
- Set up fraud alerts with credit reporting agencies
Secure Your Information
- Change passwords for healthcare portals and related accounts
- Enable two-factor authentication where available
- Be cautious of phishing emails that may reference your medical information
- Consider credit freezes to prevent new accounts from being opened
Know Your Rights
- Request breach details from the healthcare provider
- Understand what information was compromised
- Ask about protective measures being implemented
- Consider legal consultation if you suffer damages
Report Suspicious Activity
- Contact your healthcare provider immediately if you notice unauthorized use
- File an identity theft complaint with the FTC
- Report suspected HIPAA violations to the HHS Office for Civil Rights
- Contact local law enforcement for criminal activity
Prevention Lessons for Healthcare Providers
This incident highlights critical security measures that healthcare organizations must implement to protect patient data:
Email Security Best Practices
- Implement email encryption for all PHI communications
- Use secure email gateways with advanced threat protection
- Deploy multi-factor authentication for email access
- Conduct regular security awareness training for staff
- Establish clear email policies for handling PHI
Business Associate Management
- Conduct thorough due diligence before selecting business associates
- Implement comprehensive Business Associate Agreements (BAAs)
- Regularly audit business associate security practices
- Require breach notification procedures in contracts
- Monitor business associate compliance with HIPAA requirements
Technical Safeguards
- Deploy endpoint detection and response solutions
- Implement network segmentation to limit breach scope
- Conduct regular penetration testing and vulnerability assessments
- Maintain incident response plans with clear procedures
- Ensure regular security updates and patch management
Administrative Safeguards
- Designate a HIPAA Security Officer with appropriate authority
- Conduct regular risk assessments as required by 45 CFR § 164.308
- Implement workforce training programs on cybersecurity
- Establish audit controls to monitor system access
- Document all security measures and incident responses
The Bardmoor Cancer Center breach serves as a reminder that healthcare organizations must remain vigilant against evolving cyber threats. With healthcare data breaches increasing in frequency and sophistication, robust cybersecurity measures are not just regulatory requirements—they are essential to maintaining patient trust and safety.
Patients affected by this breach should remain alert to potential misuse of their information and take proactive steps to protect themselves. Healthcare providers can learn from this incident by strengthening their own security postures and ensuring comprehensive protection of patient data across all systems and business relationships.