PET Imaging of Sugar Land Email Breach Affects 1,808 Patients
PET Imaging of Sugar Land, a Texas-based healthcare provider, has reported a significant data breach to the Department of Health and Human Services (HHS) Office for Civil Rights. The incident, which affected 1,808 individuals, involved unauthorized access to the organization's email systems containing protected health information (PHI).
What Happened
On June 27, 2025, PET Imaging of Sugar Land disclosed a hacking/IT incident that compromised its email infrastructure. The breach originated from cybercriminals who successfully infiltrated the organization's network systems, gaining unauthorized access to email accounts containing sensitive patient information.
The incident involved a business associate, indicating that a third-party vendor or service provider was connected to the breach. This adds complexity to the incident, as it involves multiple parties' responsibilities under HIPAA regulations.
According to the breach notification, the attack specifically targeted the organization's email systems, which contained protected health information of patients who received services from the medical imaging facility.
Who Is Affected
The breach impacted 1,808 patients who received services from PET Imaging of Sugar Land. These individuals had their protected health information potentially accessed by unauthorized parties through the compromised email systems.
The law firms Strauss Borrelli PLLC and Federman & Sherwood are currently investigating the incident. These leading data breach law firms are examining whether PET Imaging of Sugar Land maintained adequate security protocols as required by HIPAA and other data privacy regulations.
Breach Details
Entity: PET Imaging of Sugar Land
Location: Texas
Entity Type: Healthcare Provider
Individuals Affected: 1,808
Breach Type: Hacking/IT Incident
Breach Location: Email Systems
Date Reported to HHS: June 27, 2025
Business Associate Involvement: Yes
The breach falls under the HIPAA Security Rule requirements, which mandate that covered entities implement appropriate administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). Email systems are particularly vulnerable and require specific protections under these regulations.
What This Means for Patients
Patients affected by this breach may face several risks:
Identity Theft and Medical Identity Theft
With access to protected health information, cybercriminals could potentially use this data to:
- File fraudulent insurance claims
- Obtain prescription medications
- Access medical services under patients' identities
- Commit financial fraud
Privacy Violations
The unauthorized access represents a significant violation of patient privacy rights protected under HIPAA's Privacy Rule. Patients have the right to expect that their medical information remains confidential and secure.
Legal Recourse
The ongoing investigations by Strauss Borrelli PLLC and Federman & Sherwood suggest that affected patients may have legal options. These firms are examining whether the healthcare provider failed to implement adequate security measures, which could constitute a violation of its duty to protect patient data.
How to Protect Yourself
If you are a patient of PET Imaging of Sugar Land, take these immediate steps:
Monitor Your Accounts
- Review all medical insurance statements for unauthorized claims
- Check credit reports for suspicious activity
- Monitor bank and credit card statements regularly
- Watch for unexpected medical bills or services
Set Up Fraud Alerts
- Contact major credit bureaus (Experian, Equifax, TransUnion) to place fraud alerts
- Consider freezing your credit if you notice suspicious activity
- Sign up for identity monitoring services
Medical Records Monitoring
- Request copies of your medical records to verify accuracy
- Report any unauthorized medical services or prescriptions
- Contact your insurance provider if you notice fraudulent claims
Stay Informed
- Watch for official notifications from PET Imaging of Sugar Land
- Keep documentation of all breach-related communications
- Consider consulting with legal counsel if you experience harm from the breach
Prevention Lessons for Healthcare Providers
This incident highlights critical security vulnerabilities that healthcare organizations must address:
Email Security Implementation
Under the HIPAA Security Rule (45 CFR § 164.312), covered entities must implement:
- Encryption of ePHI in transit and at rest
- Access controls limiting who can view sensitive information
- Multi-factor authentication for email systems
- Regular security assessments of email infrastructure
Business Associate Management
Since this breach involved a business associate, it emphasizes the importance of:
- Comprehensive Business Associate Agreements (BAAs)
- Regular security assessments of third-party vendors
- Clear incident response protocols involving business associates
- Ongoing monitoring of business associate security practices
Incident Response Planning
Healthcare providers must maintain robust incident response plans that include:
- Immediate containment procedures
- Forensic investigation protocols
- Patient notification procedures
- Regulatory reporting requirements
Regular Security Training
Staff should receive training on email security best practices, including:
- Recognizing phishing attempts
- Proper handling of ePHI in email communications
- Incident reporting procedures
- Password security and management
The HIPAA Breach Notification Rule (45 CFR § 164.404-414) requires covered entities to notify affected individuals within 60 days of discovering a breach affecting 500 or more individuals. This incident demonstrates the ongoing challenges healthcare providers face in protecting patient data in an increasingly complex cyberthreat landscape.
Healthcare organizations must prioritize cybersecurity investments and maintain comprehensive compliance programs to protect patient information and avoid costly breaches that can damage both finances and reputation.