Critical Severity (Score: 10/10)

Onsite Mammography Email Breach Exposes 357,265 Patient Records


Breach Details

Entity: Onsite Mammography
Individuals Affected: 357,265
State: MA
Breach Type: Hacking/IT Incident
Location: Email
Date Reported: April 21, 2025
Entity Type: Business Associate
Business Associate: Yes


A major healthcare data breach has rocked the medical imaging industry, with Onsite Mammography, a Massachusetts-based business associate, reporting a massive email security incident that compromised the protected health information (PHI) of 357,265 individuals. The breach, reported to the Department of Health and Human Services (HHS) on April 21, 2025, represents one of the largest healthcare data incidents of the year.

What Happened

Onsite Mammography fell victim to a hacking/IT incident that specifically targeted their email systems. As a business associate operating in Massachusetts, the company provides mammography services to healthcare organizations, making this breach particularly concerning given the sensitive nature of medical imaging data.

The incident was classified as an email-based cyberattack, suggesting that hackers gained unauthorized access to the company's email infrastructure. While the HHS Office for Civil Rights (OCR) breach report provides limited details about the specific attack vector, email-based breaches typically involve tactics such as:

  • Phishing attacks targeting employee credentials
  • Business email compromise (BEC) schemes
  • Malware infiltration through email attachments
  • Brute force attacks on email servers
  • Exploitation of unpatched email system vulnerabilities

The scale of this breach – affecting over 350,000 individuals – indicates that the attackers likely had prolonged access to Onsite Mammography's email systems or that the compromised accounts contained extensive patient communication records.

Who Is Affected

The breach impacts 357,265 individuals who had their protected health information stored within Onsite Mammography's email systems. This likely includes:

Patients who received mammography services through healthcare providers that contracted with Onsite Mammography. Given the company's role as a business associate, it would have had access to the patient information necessary to provide mobile mammography services.

Healthcare provider partners whose patient communications may have been stored in the compromised email systems.

Current and former patients whose medical records, appointment information, or test results were transmitted via email.

As a Massachusetts-based operation, the majority of affected individuals are likely located in New England, though mobile mammography services can extend across multiple states.

Breach Details

Entity Type: Business Associate
Breach Classification: Hacking/IT Incident
Attack Vector: Email systems
Timeline: Reported April 21, 2025
Scale: 357,265 individuals affected

The classification as a "hacking/IT incident" in email systems suggests this was not an accidental disclosure or theft of physical devices, but rather a deliberate cyberattack. Email breaches in healthcare settings are particularly dangerous because:

  1. Email contains rich PHI data including patient names, dates of birth, medical record numbers, and detailed health information
  2. Long retention periods mean years of patient communications may be compromised
  3. Wide distribution as emails often involve multiple healthcare providers and staff members
  4. Ongoing access where attackers may monitor communications in real-time

What This Means for Patients

If you received mammography services from a healthcare provider that used Onsite Mammography, your personal health information may have been compromised. The exposed data could include:

  • Personal identifiers: Full name, date of birth, address, phone number
  • Medical information: Mammography results, medical history, physician notes
  • Insurance details: Policy numbers, coverage information
  • Appointment data: Scheduling information, facility locations
  • Communication records: Email exchanges about your care

This information could be used for identity theft, medical fraud, or sold on dark web marketplaces. Patients should remain vigilant for:

  • Unauthorized medical charges or insurance claims
  • Identity theft attempts
  • Phishing emails referencing your medical information
  • Suspicious activity on credit reports

How to Protect Yourself

If you believe you may be affected by this breach, take these immediate steps:

1. Monitor Medical Records
Review all medical bills, insurance statements, and explanation of benefits (EOB) forms for unauthorized services or charges.

2. Check Credit Reports
Obtain free credit reports from all three major bureaus and look for suspicious activity. Consider placing a fraud alert or credit freeze.

3. Watch for Breach Notifications
Onsite Mammography is required by HIPAA to send individual breach notifications within 60 days. Keep an eye out for official communications.

4. Secure Your Accounts
Change passwords for healthcare portals, insurance accounts, and any other medical-related online services.

5. Report Suspicious Activity
Immediately report any signs of medical identity theft to your healthcare providers, insurance company, and local law enforcement.

6. Document Everything
Keep records of all communications and actions taken in response to the breach.

Prevention Lessons for Healthcare Providers

This breach highlights critical security gaps that healthcare organizations and their business associates must address:

Email Security Fundamentals

  • Implement multi-factor authentication on all email accounts
  • Deploy advanced threat protection for email systems
  • Provide regular security awareness training for all staff
  • Encrypt all email communications that contain PHI
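As an added illustration of what "advanced threat protection" checks on inbound mail (this is example code written for this page, not a tool used by Onsite Mammography or any product named here), the script below reads the Authentication-Results header of a message and flags the signals a phishing or business email compromise attempt commonly shows: SPF, DKIM or DMARC not passing, a display name that impersonates an internal address while the real sender is external, and a Reply-To that points somewhere other than the From domain. The two messages, the domain names and the INTERNAL_DOMAINS set are constructed for the example.

```python
"""Triage inbound email headers for common phishing / BEC signals.
Example code added for illustration; the messages and domains are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this hypothetical organization treats as its own (assumed value).
INTERNAL_DOMAINS = {"example-imaging.test"}


def _auth_results(msg):
    """Collect verdicts such as {'spf': 'pass', 'dkim': 'fail'} from every
    Authentication-Results header; the first verdict per mechanism wins."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results.setdefault(mech.lower(), verdict.lower())
    return results


def assess_message(raw):
    """Return the sender address and a list of suspicious findings for one
    raw RFC 5322 message. An empty findings list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Sender authentication: anything other than an explicit pass is noted.
    auth = _auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "none")
        if verdict != "pass":
            findings.append(f"{mech}:{verdict}")

    # 2. Display-name spoofing: the visible name embeds an internal address,
    #    but the actual From address belongs to an external domain.
    name_domains = [d.lower() for d in re.findall(r"@([\w.-]+)", from_name)]
    if from_domain not in INTERNAL_DOMAINS and any(
        d in INTERNAL_DOMAINS for d in name_domains
    ):
        findings.append("display-name-spoof")

    # 3. Reply-To redirection: replies would go to a different domain than
    #    the one the message claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.append("reply-to-mismatch")

    return {"from": from_addr, "findings": findings}


# Constructed sample messages (not real traffic).
LEGIT_MESSAGE = """\
Authentication-Results: mx.example-imaging.test; spf=pass smtp.mailfrom=example-imaging.test; dkim=pass header.d=example-imaging.test; dmarc=pass header.from=example-imaging.test
From: "Scheduling Desk" <scheduling@example-imaging.test>
To: staff@example-imaging.test
Subject: Tomorrow's mobile unit schedule

Schedule attached in the portal, please confirm.
"""

SUSPICIOUS_MESSAGE = """\
Authentication-Results: mx.example-imaging.test; spf=softfail smtp.mailfrom=mail-relay.test; dkim=none; dmarc=fail header.from=mail-relay.test
From: "dr.smith@example-imaging.test" <billing@mail-relay.test>
Reply-To: <billing-desk@other-host.test>
To: staff@example-imaging.test
Subject: Urgent: updated payment details for this week's invoices

Please process the attached invoice today.
"""


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("suspicious", SUSPICIOUS_MESSAGE)):
        print(label, assess_message(raw))
```

In a real deployment these checks run at the mail gateway or in the secure email gateway's rule engine rather than in a script, and a message with any finding would be quarantined or tagged with an external-sender banner before it reaches a mailbox; the point here is that SPF, DKIM and DMARC verdicts plus two header sanity checks already catch the cheapest impersonation attempts that lead to credential phishing.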

Business Associate Management

  • Conduct thorough security assessments of all business associates
  • Ensure business associate agreements (BAAs) include specific security requirements
  • Monitor and audit business associate security practices on a regular basis
  • Establish incident response coordination protocols with each business associate

Technical Safeguards

  • Segment the network to isolate email systems
  • Perform regular penetration testing and vulnerability assessments
  • Deploy endpoint detection and response (EDR) solutions
  • Automate backup and recovery procedures

Administrative Controls

  • Maintain comprehensive incident response plans
  • Conduct regular security risk assessments
  • Train staff on phishing recognition
  • Set clear policies for PHI handling in email communications

The healthcare industry continues to be a prime target for cybercriminals, with email systems representing a particularly vulnerable attack surface. Organizations must adopt a proactive, multi-layered approach to cybersecurity that goes beyond basic compliance requirements.

This breach serves as a stark reminder that business associates handling PHI face the same security challenges and regulatory obligations as covered entities. The scale of this incident – affecting over 350,000 individuals – demonstrates how quickly a single security failure can cascade into a major privacy disaster.

Healthcare organizations must prioritize cybersecurity investments, particularly in email security, staff training, and business associate oversight. The cost of prevention is always less than the cost of a breach – both financially and in terms of patient trust.


Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
