PET Imaging of Tulsa Email Breach Exposes 3,159 Patient Records

A significant cybersecurity incident at PET Imaging of Tulsa has compromised the protected health information (PHI) of 3,159 patients, highlighting ongoing vulnerabilities in healthcare email systems. The Oklahoma-based medical imaging provider reported the hacking incident to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, adding another entry to the notorious "Wall of Shame" database.

What Happened

On June 27, 2025, PET Imaging of Tulsa notified the public of a hacking incident that compromised their email systems. The breach originated from a hacking or IT incident that specifically targeted the organization's network infrastructure, allowing unauthorized access to sensitive patient information stored within their email environment.

The incident represents a classic example of email-based healthcare data breaches, which continue to plague medical providers across the United States. While PET Imaging of Tulsa has not released additional details about the specific nature of the attack, the breach was significant enough to warrant federal reporting requirements under HIPAA's Breach Notification Rule.

According to breach notification procedures, ION began mailing data breach notification letters to impacted individuals on June 27, 2025, the same day the incident was publicly reported. This timeline suggests the organization acted swiftly to comply with HIPAA notification requirements once the breach was discovered and assessed.

Who Is Affected

The data breach impacted 3,159 individuals who were patients of PET Imaging of Tulsa. These affected individuals likely received medical imaging services from the Oklahoma-based healthcare provider, and their protected health information was stored in or transmitted through the compromised email systems.

Patients who received services at PET Imaging of Tulsa should monitor their mailboxes for official breach notification letters that began arriving on June 27, 2025. These notifications will provide specific details about what information may have been accessed and what steps patients can take to protect themselves.

The relatively contained number of affected individuals suggests this was a targeted attack on a specific healthcare provider rather than a broader healthcare system compromise. However, any breach affecting over 3,000 patients represents a significant privacy incident requiring careful attention from affected individuals.

Breach Details

The PET Imaging of Tulsa breach is classified as a "Hacking/IT Incident" with the location specifically identified as email systems. This classification indicates that cybercriminals gained unauthorized access to the organization's email infrastructure, potentially accessing years of patient communications, medical records attachments, and other sensitive healthcare information.

Email-based breaches in healthcare settings are particularly concerning because medical providers routinely use email to:

• Communicate patient test results
• Share medical records with specialists
• Coordinate care between providers
• Send appointment confirmations and reminders
• Process insurance authorizations

The fact that this incident targeted PET Imaging of Tulsa's network infrastructure suggests a sophisticated attack that may have involved multiple systems beyond just email. Hackers who successfully penetrate network infrastructure often have broader access to organizational data and systems.

While specific details about the attack vector, duration of unauthorized access, or potential data exfiltration have not been disclosed, the federal reporting indicates that protected health information was definitely compromised during the incident.

What This Means for Patients

For the 3,159 affected patients, this breach potentially exposes a wide range of sensitive information typically found in medical imaging provider communications and records. This may include:

• Full names, addresses, and contact information
• Medical record numbers and patient identifiers
• Insurance information and billing details
• Imaging test results and radiology reports
• Physician communications and referral information
• Appointment histories and scheduling details
• Medical conditions and diagnostic information

Patients should understand that compromised healthcare information can be used for identity theft, insurance fraud, and medical identity theft. Unlike financial information, medical identity theft can be particularly difficult to detect and resolve, potentially affecting future healthcare coverage and treatment decisions.

The breach notification letters being sent to affected individuals should provide specific details about what information was potentially accessed and what protective measures patients can take. Patients who believe they should have received a notification but have not should contact PET Imaging of Tulsa directly.

How to Protect Yourself

If you are among the 3,159 affected patients, or if you're concerned about protecting your medical information generally, consider taking these protective steps:

Immediate Actions:

• Carefully review the official breach notification letter when it arrives
• Monitor all medical and insurance statements for unauthorized activity
• Check your credit reports for any suspicious medical debt or accounts
• Contact your insurance provider to discuss potential fraud monitoring

Ongoing Protection:

• Consider placing fraud alerts on your credit reports
• Monitor explanation of benefits (EOB) statements from your insurance company
• Keep detailed records of all your legitimate medical treatments and providers
• Report any suspicious medical bills or insurance claims immediately
• Review your medical records periodically for accuracy

Long-term Vigilance:

• Remain alert to medical identity theft for years following the breach
• Be cautious about unsolicited medical offers or services
• Verify the legitimacy of any medical providers before sharing information
• Consider identity monitoring services that include medical identity protection

Prevention Lessons for Healthcare Providers

The PET Imaging of Tulsa incident offers important lessons for healthcare organizations seeking to protect patient information:

Email Security is Critical: Healthcare providers must implement robust email security measures, including encryption, multi-factor authentication, and advanced threat protection. Email systems containing PHI require enterprise-level security controls.

Network Infrastructure Protection: The targeting of network infrastructure suggests providers need comprehensive cybersecurity strategies that go beyond basic antivirus software. This includes network segmentation, intrusion detection systems, and regular security assessments.

Incident Response Planning: The rapid notification timeline suggests PET Imaging of Tulsa had incident response procedures in place. All healthcare providers should have detailed breach response plans that enable quick assessment and notification.

Regular Security Training: Staff education about email security, phishing recognition, and safe computing practices remains essential for preventing successful cyber attacks.

Vendor Risk Management: Healthcare providers should carefully evaluate the security practices of any third-party vendors with access to their email systems or network infrastructure.

The healthcare industry continues to face escalating cyber threats, with email systems representing a particularly attractive target for cybercriminals. Organizations like PET Imaging of Tulsa must balance operational efficiency with robust security measures to protect patient privacy.

This incident serves as a reminder that healthcare data breaches can affect patients long after their medical treatment is complete, emphasizing the ongoing importance of cybersecurity in medical practice management.

Protect your practice with AI-powered HIPAA compliance. Get started with HIPAA Agent.