Twin Cities Pain Clinic Data Breach: 3,572 Patients' PHI Exposed in Email Compromise
A Minnesota healthcare provider has become the latest victim of cybercriminals targeting medical practices, with Twin Cities Pain Clinic (TCPC) reporting a significant data breach that exposed sensitive information belonging to 3,572 patients. The incident, reported to the Department of Health and Human Services on September 4, 2025, involved a business email compromise that potentially exposed both personally identifiable information (PII) and protected health information (PHI).
What Happened
Twin Cities Pain Clinic experienced what it describes as a "business email compromise" (BEC) affecting its email systems. According to the breach notification sent to affected patients on September 4, 2025, the incident involved unauthorized access to the clinic's email environment, where sensitive patient data was stored or transmitted.
Business email compromise attacks typically involve cybercriminals gaining unauthorized access to legitimate business email accounts through various methods, including phishing, social engineering, or credential theft. Once inside, attackers can access, steal, or manipulate sensitive information contained in emails and attachments.
The breach has attracted the attention of Strauss Borrelli PLLC, a leading data breach law firm, which has announced it is investigating the incident. This suggests the breach may have significant legal implications and could potentially lead to class action litigation.
Who Is Affected
The breach impacted 3,572 individuals who were patients or had some relationship with Twin Cities Pain Clinic. Located in Minnesota, TCPC is a healthcare provider specializing in pain management services. All affected individuals should have received direct notification from the clinic about the incident.
Patients affected by this breach may include current and former patients of the clinic, as well as potentially other individuals whose information was stored in the compromised email system, such as emergency contacts or family members referenced in medical communications.
Breach Details
According to the Department of Health and Human Services Office for Civil Rights breach report, the incident is classified as a hacking/IT incident specifically targeting the clinic's email system. The breach was reported on September 4, 2025, though the exact timeline of when the breach occurred and was discovered has not been disclosed in available documentation.
The investigation by Strauss Borrelli PLLC indicates that the breach involved "sensitive personal identifiable information and protected health information belonging to an undetermined number of individuals." While the HHS report specifies 3,572 affected individuals, the law firm's statement suggests the full scope may still be under investigation.
This discrepancy between the reported number and the ongoing investigation suggests that TCPC may still be working to determine the complete extent of the breach and exactly which patients' information was accessed or potentially exfiltrated.
What This Means for Patients
For the 3,572 affected patients, this breach represents a serious compromise of their most sensitive information. Protected health information (PHI) typically includes:
- Medical diagnoses and treatment information
- Prescription medication details
- Insurance information
- Social Security numbers
- Dates of birth
- Contact information
- Payment and billing details
Given that Twin Cities Pain Clinic specializes in pain management, the compromised information may include particularly sensitive details about patients' medical conditions, pain levels, controlled substance prescriptions, and treatment histories. This type of information could be especially valuable to identity thieves or could be used for medical identity theft.
The involvement of a major data breach law firm in investigating the incident suggests that affected patients may have grounds for legal action, particularly if the clinic failed to implement adequate security measures to protect patient information as required under HIPAA.
How to Protect Yourself
If you are a patient of Twin Cities Pain Clinic or believe you may have been affected by this breach, take these immediate steps:
Monitor Your Accounts: Regularly check your medical insurance statements, credit reports, and financial accounts for any suspicious activity. Look for medical services you didn't receive or insurance claims you didn't authorize.
Review Medical Records: Contact your healthcare providers to review your medical records for any unauthorized additions or changes that could indicate medical identity theft.
Consider Credit Monitoring: While the available information doesn't specify whether TCPC is offering credit monitoring services, consider enrolling in identity theft protection services, especially if your Social Security number was potentially compromised.
Stay Alert for Phishing: Be cautious of any suspicious emails, phone calls, or text messages that reference your medical information or claim to be from healthcare providers. Cybercriminals often use stolen data for follow-up social engineering attacks.
Know Your Rights: Under HIPAA, you have the right to know how your health information is used and shared. You can also request restrictions on how your PHI is used and disclosed.
Document Everything: Keep records of all communications related to the breach and any steps you take to protect yourself. This documentation could be valuable if you decide to pursue legal action.
Prevention Lessons for Healthcare Providers
The Twin Cities Pain Clinic breach serves as another reminder of the critical importance of email security in healthcare settings. Healthcare providers can learn several important lessons from this incident:
Email Security is Critical: Business email compromise attacks are increasingly targeting healthcare organizations. Providers must implement robust email security measures, including multi-factor authentication, email encryption, and advanced threat protection.
Employee Training: Regular cybersecurity training helps staff recognize phishing attempts and social engineering tactics that often lead to business email compromises.
Access Controls: Limiting access to sensitive information and implementing role-based access controls can minimize the impact of a breach when it occurs.
Incident Response Planning: Having a comprehensive breach response plan enables organizations to respond quickly and effectively when incidents occur, potentially limiting the scope of data exposure.
Regular Security Assessments: Conducting regular vulnerability assessments and penetration testing can help identify weaknesses before cybercriminals exploit them.
Vendor Management: If third-party email services are used, ensure they meet HIPAA requirements and have appropriate security controls in place.
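The prevention lessons above translate into concrete detection logic on the defender's side. The following is an added example, not part of the breach notice or anything TCPC published, and it assumes a hypothetical mail platform that exports sign-in and mailbox-access audit events as one JSON object per line (the field names and the sample records are constructed for this illustration). It flags the classic BEC indicators the article's recommendations are aimed at: a successful sign-in that did not use multi-factor authentication, a sign-in from a country never seen before for that account, and a burst of mailbox reads shortly after either of those.

```python
"""Flag business-email-compromise (BEC) indicators in mailbox audit logs.

Added example. The JSON line format below is an assumption (a hypothetical
export format), and every record in SAMPLE_LOG is constructed, not taken from
any real incident.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: one JSON record per line, two mailboxes.
# "billing" shows the suspicious pattern: a failed then successful sign-in
# without MFA from a new country, followed by bulk mailbox reads.
SAMPLE_LOG = """\
{"ts": "2025-08-01T08:02:11Z", "user": "nurse1@example-clinic.test", "event": "SignIn", "result": "Success", "mfa": true, "country": "US", "ip": "203.0.113.10"}
{"ts": "2025-08-01T08:05:40Z", "user": "nurse1@example-clinic.test", "event": "MailItemsAccessed", "count": 12}
{"ts": "2025-08-02T09:10:02Z", "user": "billing@example-clinic.test", "event": "SignIn", "result": "Success", "mfa": true, "country": "US", "ip": "203.0.113.11"}
{"ts": "2025-08-15T02:14:09Z", "user": "billing@example-clinic.test", "event": "SignIn", "result": "Failure", "mfa": false, "country": "NL", "ip": "198.51.100.7"}
{"ts": "2025-08-15T02:14:33Z", "user": "billing@example-clinic.test", "event": "SignIn", "result": "Success", "mfa": false, "country": "NL", "ip": "198.51.100.7"}
{"ts": "2025-08-15T02:16:00Z", "user": "billing@example-clinic.test", "event": "MailItemsAccessed", "count": 480}
{"ts": "2025-08-15T02:21:30Z", "user": "billing@example-clinic.test", "event": "MailItemsAccessed", "count": 520}
"""


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records


def detect_bec(records, read_threshold=200, window=timedelta(minutes=30)):
    """Return a list of findings, each a dict with 'user', 'rule' and 'ts'.

    Rules:
      sign_in_without_mfa               successful sign-in with mfa == false
      new_country_sign_in               successful sign-in from a country not seen
                                        in that account's earlier successful sign-ins
      bulk_read_after_suspicious_sign_in  mailbox reads within `window` after a
                                        flagged sign-in total >= read_threshold
    """
    findings = []
    seen_countries = defaultdict(set)  # user -> countries of earlier successful sign-ins
    suspicious = {}                    # (user, ts) -> True for sign-ins that tripped a rule

    for rec in records:
        if rec.get("event") != "SignIn" or rec.get("result") != "Success":
            continue
        user, ts, country = rec["user"], rec["ts"], rec.get("country")
        flagged = False
        if not rec.get("mfa", False):
            findings.append({"user": user, "rule": "sign_in_without_mfa", "ts": ts})
            flagged = True
        # Only raise "new country" once a baseline exists for the account.
        if seen_countries[user] and country not in seen_countries[user]:
            findings.append({"user": user, "rule": "new_country_sign_in",
                             "ts": ts, "country": country})
            flagged = True
        seen_countries[user].add(country)
        if flagged:
            suspicious[(user, ts)] = True

    # Correlate mailbox-read volume with each suspicious sign-in.
    for (user, sign_ts) in suspicious:
        total = sum(r.get("count", 0) for r in records
                    if r.get("event") == "MailItemsAccessed" and r["user"] == user
                    and sign_ts <= r["ts"] <= sign_ts + window)
        if total >= read_threshold:
            findings.append({"user": user, "rule": "bulk_read_after_suspicious_sign_in",
                             "ts": sign_ts, "items_read": total})
    return findings


def rules_for(findings, user):
    """Set of rule names that fired for one account (handy for triage)."""
    return {f["rule"] for f in findings if f["user"] == user}


if __name__ == "__main__":
    for f in detect_bec(parse_log(SAMPLE_LOG)):
        print(f["ts"].isoformat(), f["user"], f["rule"],
              {k: v for k, v in f.items() if k not in ("ts", "user", "rule")})
```

Run against the constructed log, the "billing" mailbox trips all three rules while the "nurse1" mailbox trips none; its single sign-in used MFA and there is no prior baseline to compare the country against. The thresholds and window are deliberately parameters: a clinic would tune them to its own sign-in volume, and the same correlation (authentication anomaly followed by unusual mailbox activity) is what an alert should key on rather than either signal alone.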
The ongoing investigation into the Twin Cities Pain Clinic breach will likely provide additional insights into how the incident occurred and what could have been done to prevent it. Healthcare providers should stay informed about the findings and adjust their security practices accordingly.
As cyber threats continue to evolve and target healthcare organizations, maintaining HIPAA compliance and protecting patient information requires constant vigilance and proactive security measures. The cost of prevention is always less than the cost of a breach – both in terms of financial impact and damage to patient trust.