Medium Severity (Score: 5/10)

Fidelis Care New York Email Breach Exposes 1,680 Members' Data


Breach Details

  • Entity: Fidelis Care New York
  • Individuals Affected: 1,680
  • State: MO
  • Breach Type: Unauthorized Access/Disclosure
  • Location: Email
  • Date Reported: October 31, 2025
  • Entity Type: Health Plan
  • Business Associate: No


Fidelis Care New York, a health plan serving Missouri residents, recently disclosed a significant data breach that compromised the personal information of 1,680 individuals. The breach, reported on October 31, 2025, involved unauthorized access and disclosure of member information through the organization's email systems.

What Happened

The breach at Fidelis Care New York was classified as an unauthorized access/disclosure incident that occurred within the organization's email infrastructure. While the health plan reported the incident to the Department of Health and Human Services' Office for Civil Rights (OCR), specific details about how the breach occurred, what security measures failed, or the exact timeline of events have not been publicly disclosed.

This type of email-based breach typically occurs when an attacker gains unauthorized access to an email account containing sensitive patient information, or when an employee inadvertently sends protected health information (PHI) to an unauthorized recipient. Email remains one of the most frequently exploited attack vectors in healthcare.

Who Is Affected

The breach impacted 1,680 Fidelis Care New York members whose personal and health information was potentially compromised. As a health plan operating in Missouri, Fidelis Care New York maintains extensive records of member information necessary for insurance operations, including:

  • Personal identifiers (names, addresses, phone numbers)
  • Protected Health Information (PHI) under HIPAA
  • Insurance policy details
  • Medical history and treatment information
  • Potentially financial information related to coverage

All affected individuals should have received direct notification from Fidelis Care New York as required under HIPAA's Breach Notification Rule, which mandates that covered entities notify affected individuals within 60 days of discovering a breach.

Breach Details

According to the OCR breach report, key details of the incident include:

  • Entity: Fidelis Care New York
  • Entity Type: Health Plan
  • Location: Email systems
  • Breach Classification: Unauthorized Access/Disclosure
  • Individuals Affected: 1,680
  • Date Reported to OCR: October 31, 2025
  • Business Associate Involvement: No business associate was involved

The absence of business associate involvement suggests this was an internal security incident rather than a breach at a third-party vendor. This places the full responsibility for the breach and subsequent response directly on Fidelis Care New York.

What This Means for Patients

For the 1,680 affected individuals, this breach represents a serious compromise of their protected health information. Under HIPAA regulations, specifically the Security Rule (45 CFR §164.306), health plans like Fidelis Care New York are required to implement appropriate administrative, physical, and technical safeguards to protect PHI.

The timing of this breach is particularly significant given recent changes to New York's data breach notification requirements. In late December 2024, Governor Kathy Hochul signed legislation that:

  • Requires breach notifications within 30 days of discovery (effective immediately)
  • Expands the definition of "private information" to include medical information starting March 25, 2025
  • Applies to both HIPAA-covered entities and non-HIPAA regulated entities maintaining health information

This means affected individuals may receive notifications under both federal HIPAA requirements and New York state law, potentially providing additional protections and remedies.

How to Protect Yourself

If you are among the affected Fidelis Care New York members, take these immediate steps:

Monitor Your Accounts

  • Review all medical and insurance statements for unauthorized services or claims
  • Check your Explanation of Benefits (EOB) statements carefully
  • Monitor credit reports for new medical debt or accounts

Stay Vigilant Against Identity Theft

  • Place fraud alerts on your credit reports with all three major bureaus
  • Consider freezing your credit to prevent new accounts from being opened
  • Be alert for phishing emails or calls requesting additional personal information

Document Everything

  • Keep copies of all breach notification letters
  • Maintain records of any suspicious activity related to your health information
  • Save documentation of steps taken to protect yourself

Contact Fidelis Care New York

  • Reach out to the health plan directly if you haven't received notification
  • Ask specific questions about what information was compromised
  • Inquire about additional protective measures being offered

Prevention Lessons for Healthcare Providers

This breach highlights security weaknesses that healthcare organizations must address:

Email Security Measures

  • Implement end-to-end encryption for all emails containing PHI
  • Deploy advanced email filtering and monitoring systems
  • Establish clear policies for email communication of sensitive information

Access Controls

  • Enforce multi-factor authentication for all email accounts
  • Implement role-based access controls limiting who can access PHI
  • Regularly audit and update user permissions

Staff Training

  • Provide comprehensive HIPAA Security Rule training focusing on email security
  • Conduct regular phishing simulation exercises
  • Establish clear protocols for reporting suspected security incidents

Incident Response

  • Develop and regularly test breach response procedures
  • Ensure compliance with both federal HIPAA requirements and applicable state laws
  • Maintain relationships with cybersecurity experts and legal counsel

The HIPAA Security Rule requires covered entities to conduct regular risk assessments and implement appropriate safeguards based on identified vulnerabilities. Email systems, given their central role in healthcare communication, deserve particular attention in these assessments.

Healthcare organizations must also prepare for evolving state-level requirements, such as New York's expanded breach notification laws, which may impose additional obligations beyond federal HIPAA requirements.

Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
