Treasure Coast Hospice Data Breach: 13,230 Patients Affected in Email Security Incident

Health & Palliative Services of the Treasure Coast, Inc., operating as Treasure Coast Hospice ("Treasure Health"), has reported a significant data breach affecting 13,230 individuals. The Florida-based healthcare provider disclosed the incident to the Department of Health and Human Services on September 19, 2025, marking another concerning breach in the healthcare sector.

What Happened

Treasure Coast Hospice experienced an unauthorized access and disclosure incident involving their email systems in September 2024. The breach was classified as involving unauthorized access/disclosure with the location of the breach identified as email systems.

The healthcare provider operates hospice services through two licensed entities: Hospice of the Treasure Coast (d/b/a Treasure Coast Hospice, St. Lucie) and Hospice of Martin & St. Lucie (d/b/a Treasure Coast Hospice, Martin), both licensed since 1982. These services provide palliative care and hospice services to residents of Martin, St. Lucie, and Okeechobee counties in Florida.

While the organization has reported the incident to federal authorities, specific details about how the breach occurred, the duration of unauthorized access, or the exact nature of the email compromise have not been disclosed in available documentation.

Who Is Affected

The breach has impacted 13,230 individuals who received services from or had interactions with Treasure Coast Hospice. Given the nature of hospice care, those affected likely include:

• Current and former hospice patients
• Family members of patients
• Healthcare proxies and power of attorney holders
• Emergency contacts listed in patient records
• Healthcare professionals involved in patient care coordination

The organization has begun notifying affected individuals about the September 2024 security incident, though the timeline between the incident occurrence and patient notification represents a significant delay.

Breach Details

According to the breach report filed with the HHS Office for Civil Rights:

• Entity: Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice
• Location: Florida
• Individuals Affected: 13,230
• Breach Type: Unauthorized Access/Disclosure
• Breach Location: Email
• Date Reported to HHS: September 19, 2025
• Incident Date: September 2024

The breach involved email systems, which in healthcare settings typically contain highly sensitive information including protected health information (PHI), treatment plans, family communications, and coordination details between healthcare providers.

Email-based breaches in healthcare often result from:

• Compromised email accounts through phishing attacks
• Insider threats with unauthorized access
• Misconfigured email security settings
• Business email compromise (BEC) schemes
• Malware infections affecting email systems

What This Means for Patients

For the 13,230 individuals affected by this breach, the exposure of information through compromised email systems could have several implications:

Immediate Concerns:

• Protected health information may have been accessed by unauthorized parties
• Personal identifying information could be at risk
• Family medical details and end-of-life care information may have been exposed
• Communication between families and healthcare providers could have been compromised

Long-term Risks:

• Potential for medical identity theft
• Privacy violations regarding sensitive health conditions
• Possible exploitation of vulnerable families during difficult times
• Risk of targeted scams or fraud attempts

The healthcare nature of this information makes it particularly valuable to cybercriminals, as medical records can sell for significantly more than other types of personal data on the dark web.

How to Protect Yourself

If you received services from Treasure Coast Hospice and believe you may be affected by this breach, consider taking these protective steps:

Immediate Actions:

• Monitor all financial accounts for unauthorized activity
• Review credit reports from all three major credit bureaus
• Watch for unexpected medical bills or insurance claims
• Be alert for phishing attempts referencing your medical care

Ongoing Protection:

• Consider placing a fraud alert or credit freeze on your accounts
• Monitor your Explanation of Benefits (EOB) statements carefully
• Keep detailed records of all medical treatments and bills
• Report any suspicious activity to your healthcare providers immediately

Communication Vigilance:

• Be cautious of unsolicited contact claiming to be from healthcare providers
• Verify any requests for personal information through official channels
• Report suspicious communications to the Federal Trade Commission

Prevention Lessons for Healthcare Providers

This breach highlights critical security considerations for healthcare organizations, particularly those serving vulnerable populations:

Email Security Fundamentals:

• Implement multi-factor authentication for all email accounts
• Deploy advanced threat protection for email systems
• Conduct regular security awareness training for staff
• Establish secure communication protocols for sensitive information

Access Controls:

• Limit email access based on job responsibilities
• Implement regular access reviews and updates
• Monitor for unusual email activity patterns
• Establish clear policies for handling PHI in electronic communications

Incident Response:

• Develop comprehensive breach response plans
• Establish clear notification timelines for affected individuals
• Maintain detailed incident documentation
• Coordinate with law enforcement and regulatory bodies when appropriate

Compliance Considerations: The significant delay between the September 2024 incident and the September 2025 HHS notification raises questions about compliance with HIPAA breach notification requirements, which generally require notification within 60 days of discovery.

Moving Forward

The Treasure Coast Hospice breach serves as a reminder of the ongoing cybersecurity challenges facing healthcare providers, particularly those serving vulnerable populations. Email systems, while essential for healthcare communication, require robust security measures to protect sensitive patient information.

Healthcare organizations must prioritize cybersecurity investments, staff training, and incident response capabilities to prevent similar breaches. The sensitive nature of hospice care information makes these protections even more critical.

For affected individuals and families, this incident underscores the importance of remaining vigilant about personal information security and taking proactive steps to protect against potential fraud or identity theft.

Protect your practice with AI-powered HIPAA compliance. Get started with HIPAA Agent.