High Severity (Score: 6/10)

PET Imaging of Houston Medical Center Breach Affects 1,236 Patients


Breach Details

Entity: PET Imaging of Houston Medical Center
Individuals Affected: 1,236
State: TX
Breach Type: Hacking/IT Incident
Location: Email
Date Reported: June 27, 2025
Entity Type: Healthcare Provider
Business Associate: Yes


PET Imaging of Houston Medical Center, a Texas-based healthcare provider, has reported a significant email security breach that compromised the protected health information (PHI) of 1,236 patients. This incident, reported to the Department of Health and Human Services on June 27, 2025, highlights the ongoing cybersecurity challenges facing healthcare organizations across the United States.

What Happened

PET Imaging of Houston Medical Center experienced a hacking/IT incident that specifically targeted their email systems. The breach involved unauthorized access to the healthcare provider's email infrastructure, potentially exposing sensitive patient information stored within email communications.

The incident also involved a business associate, indicating that a third-party vendor or service provider connected to PET Imaging of Houston Medical Center may have played a role in the security compromise. Under HIPAA regulations, business associates are required to maintain the same level of protection for PHI as covered entities themselves.

While specific technical details about the attack vector remain undisclosed, email-based breaches typically occur through:

  • Phishing attacks targeting employee credentials
  • Malware infections that provide unauthorized system access
  • Compromised email accounts through weak or stolen passwords
  • Insider threats from employees or contractors

Who Is Affected

The breach impacted 1,236 individuals who were patients of PET Imaging of Houston Medical Center. As a specialized medical imaging facility, the affected patients likely received diagnostic imaging services such as:

  • Positron Emission Tomography (PET) scans
  • Combined PET/CT imaging
  • Nuclear medicine procedures
  • Other advanced diagnostic imaging services

Patients who received services at this facility should assume their information may have been compromised and take appropriate protective measures.

Breach Details

Entity: PET Imaging of Houston Medical Center
Location: Texas
Entity Type: Healthcare Provider
Individuals Affected: 1,236
Breach Type: Hacking/IT Incident
Location of Breach: Email systems
Date Reported to HHS: June 27, 2025
Business Associate Involvement: Yes

This breach falls under HIPAA's Breach Notification Rule (45 CFR §164.400-414), which requires covered entities to notify the Department of Health and Human Services of breaches affecting 500 or more individuals within 60 days of discovery. The involvement of a business associate also triggers additional reporting and investigation requirements under HIPAA's Business Associate Agreements provisions.

What This Means for Patients

Email-based healthcare breaches can expose various types of protected health information, including:

  • Patient names and contact information
  • Social Security numbers
  • Insurance information and policy numbers
  • Medical diagnoses and treatment information
  • Imaging results and reports
  • Appointment scheduling details
  • Payment and billing information

The exposure of this information puts patients at risk for:

  • Identity theft using personal identifiers
  • Medical identity theft for fraudulent healthcare services
  • Insurance fraud through misuse of policy information
  • Financial fraud if payment information was compromised
  • Discrimination based on disclosed medical conditions

Under HIPAA's Individual Rights provisions (45 CFR §164.524), affected patients have the right to request access to their medical records and information about how their PHI was used and disclosed.

How to Protect Yourself

If you are a patient of PET Imaging of Houston Medical Center, take these immediate steps:

Monitor Your Accounts

  • Review medical bills and insurance statements for unauthorized services
  • Check credit reports from all three major bureaus (Experian, Equifax, TransUnion)
  • Monitor bank and credit card statements for suspicious transactions
  • Watch for unexpected medical bills from unknown providers

Secure Your Identity

  • Place fraud alerts on your credit reports
  • Consider credit freezes if you're concerned about identity theft
  • Update passwords for healthcare portals and insurance accounts
  • Enable two-factor authentication where available

Stay Vigilant

  • Be wary of phishing emails claiming to be from healthcare providers
  • Verify unexpected communications by calling providers directly
  • Report suspicious activity immediately to your insurance company and financial institutions
  • Keep detailed records of all communications related to the breach

Contact the Provider

Reach out to PET Imaging of Houston Medical Center directly for:

  • Specific information about what data was compromised
  • Details about credit monitoring services they may provide
  • Steps they're taking to prevent future breaches
  • Copies of official breach notification letters

Prevention Lessons for Healthcare Providers

This incident underscores critical HIPAA compliance requirements that all healthcare organizations must address:

Email Security Measures

  • Implement encryption for all email communications containing PHI
  • Use secure email gateways to filter malicious content
  • Deploy multi-factor authentication for email access
  • Conduct regular security awareness training for all staff

Business Associate Management

Under HIPAA's Business Associate Rule (45 CFR §164.502(e)), covered entities must:

  • Execute comprehensive Business Associate Agreements (BAAs)
  • Conduct due diligence on third-party security practices
  • Monitor business associate compliance regularly
  • Ensure incident response coordination with all partners

Incident Response Planning

  • Develop comprehensive breach response procedures
  • Conduct regular tabletop exercises to test response capabilities
  • Maintain updated contact lists for regulatory notifications
  • Document all breach response activities for compliance purposes

Technical Safeguards

HIPAA's Security Rule (45 CFR §164.300-318) requires:

  • Access controls to limit system access to authorized users only
  • Audit logs to track all system activities
  • Data integrity controls to protect PHI from alteration or destruction
  • Transmission security to protect PHI during electronic transmission

Healthcare organizations must also conduct regular risk assessments under HIPAA's Security Rule to identify vulnerabilities and implement appropriate safeguards.

The PET Imaging of Houston Medical Center breach serves as a reminder that email security remains a critical vulnerability for healthcare organizations. As cyber threats continue to evolve, healthcare providers must maintain robust security measures and comprehensive HIPAA compliance programs to protect patient information.

Patients affected by this breach should remain vigilant and take proactive steps to protect their personal and medical information. Healthcare organizations can learn from this incident by strengthening their email security, business associate oversight, and incident response capabilities.

Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
