You are sitting in your office on a Tuesday morning. The front desk has just opened the day's email. There is a referral from a primary care office across town. There is a fax-to-email PDF of a lab result for a patient coming in this afternoon. There is a billing inquiry from a vendor portal. There is a renewal notice from your malpractice carrier. There is a message from a patient asking to reschedule a standing appointment.
This is normal. This is the entire morning.
What you may not have thought about is that everything I just described is sitting in the same place. The referral PDF, the lab result, the billing thread, the carrier notice, the patient message. They all live in your front desk email account. Some of them are also syncing into OneDrive or Google Drive. They are accessible to anyone who can log in to that account.
Last month, three different healthcare operations got breached because someone did exactly that. The attackers did not pick a lock. They walked through the front door with a working key.
The three stories share a pattern
On May 22, Acadia Healthcare Company began notifying patients about a breach that happened in late March. Attackers had used social engineering to talk their way into a single email account and the SharePoint folder connected to that account. Names, addresses, dates of birth, treatment information, health insurance details, and in some cases Medicare numbers and Social Security numbers were copied out of those files. Acadia's actual patient chart system was never touched. The attackers did not need it. The email account had enough.
Around the same window, Stockton Cardiology Medical Group, an independent physician practice serving the San Joaquin Valley in California, was notifying patients about its own breach. The triggering event was a series of suspicious emails sent to employees. The practice deleted the messages and thought the matter was handled. On January 17, it learned that files had in fact been accessed. On February 17, the Genesis ransomware group claimed responsibility and posted 645 gigabytes of stolen practice data to the dark web. An independent specialty practice. A series of emails. Six hundred forty-five gigabytes.
And in mid-April, Microsoft's Defender team published a report on a phishing campaign it had tracked across 26 countries during a three-day window. The campaign hit 35,000 user accounts across 13,000 organizations. Healthcare and life sciences was the single largest target category, accounting for 19 percent of victims. Ninety-two percent of those victims were in the United States. The campaign used professional-looking emails that read like normal internal communications. The clinicians and front desk staff who opened them had no obvious reason to think anything was wrong.
Three different operations. Three different scales. The same opening move.
Why this lands differently for solo and small-group practices
A large health system has a security team watching email traffic, secondary systems walled off from email, and a help desk that staff are trained to call when something feels off. Most of those controls cost money the system has and you do not.
In a solo or small-group practice, the email account at the front desk is not a supporting system. It is the practice. Your patient records may live in the EHR, but the documents that surround those records live in the email account, or in the cloud drive that account can reach: the referrals, the faxed lab results, the prior authorization correspondence, the insurance verification PDFs, the vendor agreements you saved last quarter, the password reset confirmations for every vendor portal you use, and the vendor invoices with your bank routing number on them.
A single password protects all of it. If that password is reused on a personal account that has been part of any data breach in the last five years, the attacker already has it and is just deciding when to use it. If multi-factor login is not turned on, the password is the only barrier. If multi-factor login IS turned on but uses SMS text codes that can be intercepted, the barrier is thinner than it looks.
This is what Acadia learned about its own email setup on May 22, in writing, on letterhead, sent to patients.
What it costs once it happens
Once someone has accessed patient information through your email account, several clocks start at the same time.
You have 60 days from the day you should have known about the breach to notify every affected patient, your state attorney general in most states, and the federal HIPAA office at HHS. That clock does not wait for you to be ready. And if the date you first knew gets argued about later, you do not get to pick it. You have to defend it.
The federal HIPAA office has spent 2026 settling case after case that all came back to the same root cause. The required risk analysis, the document that asks “where are our risks and what are we doing about them,” had not been done, or had been done sloppily, or had been done years ago and never updated. In April, four practices that had been hit with ransomware paid a combined $1.165 million in settlements on that exact finding. In May, an employer-sponsored health plan paid $245,000 for the same gap. On May 18, the office announced it is reorganizing into three divisions, one of them now named the Health Information Privacy, Data, and Cybersecurity Division. The office is smaller and slower than it was three years ago. But the cases it does take are landing on the same line over and over.
Then comes the lawsuit layer. Recent class action settlements involving independent and specialty practices have landed in the low single-digit millions on patient counts well under one hundred thousand. Cardiovascular Consultants in Arizona resolved its 2023 breach class for $3.85 million on 484,000 records, with the opt-out window running through June 1. That dollar figure does not come from one government fine. It comes from defense lawyers, settlement contributions, credit monitoring for every affected patient, and the cyber-insurance renewal premium that follows.
The numbers add up in a way that a single-location practice cannot absorb the way a hospital can.
Three things to do this week, in order
One. Turn on multi-factor login for every account that touches patient information. That means the front desk email account, every staff member's email account, the EHR portal, the patient portal admin login, every billing service login, every fax-to-email account, every cloud drive, every vendor portal that sends you anything with a patient name on it. If multi-factor login is currently off on any of those, turn it on today. If it is currently using SMS text codes, switch to an authenticator app where possible. The attacker who logs in is logging in because that single password was enough.
Two. Spend thirty minutes doing a written inventory of what is actually sitting in your email account and what your cloud drive is synced to. Open the email. Open the drive. Look at what is there. Patient names attached to insurance forms. Lab PDFs sitting unread in the inbox folder. The contract you signed with your billing service in 2022. The vendor invoices with your bank routing number on them. The exported patient list someone made for a marketing campaign in 2023 that nobody deleted. Write down what categories of patient information are in there. That written inventory is the first document in your annual risk analysis.
Three. If your most recent risk analysis is more than twelve months old, or you cannot put your hand on it, this is the week to start a new one. The risk analysis is the document the federal HIPAA office cites in nearly every settlement of the past 18 months. Practices that have a current, documented, acted-on risk analysis are not in trouble after one phishing email. Practices that do not are the ones who end up in settlements that name that same root cause over and over.
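Step two's written inventory can be started with a script over the folder your cloud drive syncs to (or an exported mailbox). This is an added example, not the newsletter's own tooling; the sample file contents are constructed, and the patterns are heuristics that flag categories for you to confirm by hand, not a DLP engine.

```python
import os
import re
TEXT_EXT = {".txt", ".csv", ".eml", ".html", ".htm", ".md"}
UNREAD = "\0unread"  # marker for files this script cannot read as text
# Heuristic patterns mapped to inventory categories: a first pass, not a DLP engine.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "insurance_id": re.compile(r"\b(?:member|policy|subscriber)\s*(?:id|#|no\.?)\s*[:=]?\s*[A-Z0-9-]{6,}", re.I),
    "patient_list": re.compile(r"^\s*(?:last\s*name|patient\s*name)\s*,", re.I | re.M),
}
NINE_DIGITS = re.compile(r"\b\d{9}\b")

def is_aba_routing(digits: str) -> bool:
    """ABA routing checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) == 0 mod 10."""
    d = [int(c) for c in digits]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + d[2] + d[5] + d[8]) % 10 == 0

def classify_text(text: str) -> list[str]:
    """Return the sorted inventory categories found in one file's text."""
    if text == UNREAD:  # PDFs and Office files still need a manual look
        return ["unread"]
    cats = {name for name, rx in PATTERNS.items() if rx.search(text)}
    # A bare 9-digit number is a routing number only if the checksum holds, so invoice numbers pass.
    if any(is_aba_routing(m) for m in NINE_DIGITS.findall(text)):
        cats.add("bank_routing")
    return sorted(cats)

def inventory(files: dict[str, str]) -> dict[str, list[str]]:
    return {path: classify_text(text) for path, text in files.items()}

def read_directory(root: str) -> dict[str, str]:
    """Load a real synced folder (the local OneDrive/Google Drive mirror) for inventory()."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                files[path] = UNREAD
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[path] = fh.read()
    return files

# Constructed sample contents standing in for a front-desk inbox and synced drive.
SAMPLE_FILES = {
    "inbox/referral.eml": "Referral: Jane Doe, DOB: 04/12/1961, SSN 123-45-6789. Member ID: XYZ123456.",
    "drive/vendor_invoice.txt": "Invoice 123456789. Remit to routing 123456780, acct 0012.",
    "drive/marketing_export.csv": "Last Name,First Name,Email\nDoe,Jane,jd@example.com\n",
    "inbox/lab_result.pdf": UNREAD,
}
```

Run `inventory(read_directory(path_to_synced_folder))` against the real folder and copy the flagged paths and categories into the written inventory; the "unread" entries are the PDFs and Office files you still open by hand.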
Acadia and Stockton Cardiology and the 35,000 accounts Microsoft tracked are not in trouble because they had no security. They are in trouble because what they had was not enough to stop a working password.
The lesson is not that you need to spend the money a health system spends. You cannot, and you do not need to. The lesson is that the things that actually stop this from happening are simple and within reach of a one-person, two-person, three-person practice. Multi-factor login on every account. A written sense of what lives where. A risk analysis you can actually point at when the question gets asked.
Three breaches last month. All started with one email. The next one is being drafted right now.
Run a current risk analysis before someone makes you.
The Encrypted Chart Vault includes the annual risk assessment template calibrated for independent practice, plus the breach response runbook for the 24-hour, 14-day, and 60-day timeline if something does happen. National edition $299. New York edition $349 (adds SHIELD Act and state-specific addenda).
With security,
Brad
Brad Lieberman, JD (retired), MSN, PMHNP-BC
Founder, The Encrypted Chart
www.encryptedchart.com · Vault: store.encryptedchart.com/l/binder
- Acadia Healthcare data breach notification, May 22, 2026. classaction.org coverage
- Stockton Cardiology Medical Group breach disclosure (Genesis ransomware, 645 GB). HIPAA Journal
- Microsoft Defender Research Team, Q1 2026 email threat landscape. Microsoft Security Blog
- HHS OCR, Announces Restructuring of its Office for Civil Rights, May 18, 2026. HHS press release
- HHS OCR, Settles Four HIPAA Security Rule Ransomware Investigations, April 23, 2026. HHS press release
- HHS OCR, Star Group Health Plan settlement, $245,000. Medcomply summary
- Cardiovascular Consultants $3.85M class action settlement (Arizona, 484,000 records). HIPAA Journal
