OutcomesOne, a Florida-based medication therapy management firm, suffered a targeted hour-long phishing attack on July 1, 2025, compromising a single employee’s email account. The breach exposed protected health information (PHI) of nearly 150,000 individuals, including names, demographic details, medical provider names, health insurance data (specifically Aetna plan members), and medication records. While Social Security numbers were unaffected, the attacker accessed sensitive files and emails within the compromised account. The incident was swiftly reported and contained, but the exposed data triggered potential class-action lawsuits and regulatory scrutiny. The breach underscores persistent vulnerabilities in healthcare cybersecurity, particularly from phishing-as-a-service (PhaaS) attacks, which now account for 35% of ransomware entry points in 2025. Despite rapid response, the scale of affected individuals and the nature of compromised PHI highlight systemic risks in email-based threats.
Source: https://www.bankinfosecurity.com/hour-long-email-phishing-breach-affects-phi-150000-a-29603
TPRM report: https://www.rankiteo.com/company/outcomesone
{
"id": "out3402634100125",
"linkid": "outcomesone",
"type": "Breach",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '149,094',
'industry': 'Healthcare IT',
'location': 'Florida, USA',
'name': 'OutcomesOne',
'type': 'Technology Firm (Medication Therapy Management)'}],
'attack_vector': 'Phishing Email',
'customer_advisories': ['Sample Breach Notification Letter Filed with California AG'],
'data_breach': {'data_encryption': ['Not Mentioned (Assumed Unencrypted Based on Context)'],
'data_exfiltration': ['Likely (Files and Emails Accessed)'],
'file_types_exposed': ['Emails', 'Attached Files (Potentially Documents with PHI)'],
'number_of_records_exposed': '149,094',
'personally_identifiable_information': ['Names', 'Demographic Information', 'Health Insurance Details', 'Medication Information'],
'sensitivity_of_data': 'High (Health and Insurance Data, but No SSNs)',
'type_of_data_compromised': ['Protected Health Information (PHI)', 'Personally Identifiable Information (PII)']},
'date_detected': '2025-07-01',
'description': "A Florida-based technology firm, OutcomesOne, which provides medication therapy management and other services to health plans, experienced a phishing attack affecting one employee's email account for approximately one hour. The breach potentially compromised protected health information (PHI) of nearly 150,000 individuals, including names, demographic information, medical provider names, health insurance details, and medication information. Social Security numbers were not affected. The incident was discovered on July 1, 2025, when an employee noticed unusual activity in their work email account and reported it to the security team. The compromised account was promptly secured, and no other accounts were affected. The breach primarily involved patients under Aetna Health Insurance plans. Several law firms are investigating the incident for potential class action litigation.",
'impact': {'brand_reputation_impact': ['Negative Publicity', 'Loss of Trust Among Affected Patients', 'Potential Long-Term Reputational Damage'],
'customer_complaints': ['Potential (Class Action Investigations Initiated)'],
'data_compromised': ['Names', 'Demographic Information', 'Medical Provider Names', 'Health Insurance Information (Aetna)', 'Medication Information'],
'downtime': 'Approximately 1 hour (duration of unauthorized access)',
'identity_theft_risk': ['Low (No Social Security Numbers Compromised)'],
'legal_liabilities': ['Potential Class Action Lawsuits', 'Regulatory Investigations (HIPAA)', 'Possible Fines or Penalties'],
'operational_impact': ['Investigation and Remediation Efforts', 'Breach Notification Process', 'Potential Legal and Regulatory Scrutiny'],
'systems_affected': ['Single Employee Email Account']},
'initial_access_broker': {'entry_point': 'Phishing Email (Compromised Employee Credentials)',
'high_value_targets': ['Employee Email Account with PHI Access']},
'investigation_status': 'Ongoing (Class Action Investigations; Regulatory Filings Pending)',
'lessons_learned': ['Strict access controls and periodic re-approval for regulated data (e.g., PHI) are critical.',
'Prohibit storing sensitive data in insecure locations (e.g., email accounts).',
'Encourage employees to report suspicious activity immediately to limit damage.',
'Multifactor authentication (MFA) should be pervasive, preferably using authenticator apps (not SMS).',
'Credentials should be stored in password vaults to mitigate infostealer risks.',
'Generative AI and adversary-in-the-middle techniques are increasing phishing sophistication.',
'Prohibiting personal use of work devices can reduce the attack surface by ~40%.',
'Employee training must address cognitive biases (e.g., urgency, curiosity) exploited in phishing.'],
'motivation': ['Data Theft', 'Potential Financial Gain (Class Action Litigation Risk)', 'Exfiltration of Sensitive Health Data'],
'post_incident_analysis': {'corrective_actions': ['Enhanced MFA Implementation (Authenticator Apps)',
'Stricter Access Controls for PHI (Encryption, Least Privilege)',
'Improved Employee Training on Phishing and Reporting',
'Network Segmentation to Limit Breach Scope',
'Prohibition of Personal Use on Corporate Devices',
'Deployment of Advanced Threat Detection (e.g., Adversary-in-the-Middle Protection)'],
'root_causes': ['Successful Phishing Attack Exploiting Human Error',
'Inadequate Email Security Controls (e.g., Lack of MFA or Behavioral Monitoring)',
'Potential Over-Permissive Access to Sensitive Data (PHI in Email)',
'Lack of Real-Time Detection for Unusual Activity (Detected by Employee, Not Automated Systems)']},
'recommendations': ['Implement stricter email security controls (e.g., DMARC, anti-phishing filters).',
'Enforce MFA across all accounts, especially those with access to sensitive data.',
'Conduct regular phishing simulations and security awareness training.',
'Encrypt all PHI at rest and in transit.',
'Monitor for unusual activity in real-time with behavioral analytics.',
'Segment networks to limit lateral movement in case of breaches.',
'Develop and test incident response plans specifically for phishing and credential theft.',
'Prohibit personal use of corporate devices to reduce exposure to phishing.'],
'references': [{'source': 'Information Security Media Group (ISMG)'},
{'source': 'California Attorney General (Breach Notification Letter)'},
{'source': 'Oregon Attorney General (Breach Report)'},
{'source': 'SpyCloud Research (2025 Phishing Trends)'},
{'source': 'Hales Law Group (Anthem Breach Reference)'}],
'regulatory_compliance': {'legal_actions': ['Potential Class Action Lawsuits (Under Investigation)'],
'regulations_violated': ['Health Insurance Portability and Accountability Act (HIPAA)'],
'regulatory_notifications': ['State Regulators (California, Oregon)', 'Pending HHS/HIPAA Breach Reporting Tool Submission']},
'response': {'communication_strategy': ['Breach Notification Letters to Affected Individuals', 'Public Disclosure to State Regulators (California, Oregon)'],
'containment_measures': ['Immediate Securing of Compromised Email Account', 'Prevention of Lateral Movement'],
'enhanced_monitoring': ['Likely Implemented Post-Incident (Not Explicitly Stated)'],
'incident_response_plan_activated': 'Yes (Prompt Securing of Compromised Email Account)',
'remediation_measures': ['Investigation into Accessed Files/Emails', 'Breach Notification to Affected Individuals and Regulators']},
'stakeholder_advisories': ['Breach Notification Letters to Affected Individuals', 'Disclosures to State Regulators'],
'title': 'Hour-Long Email Phishing Breach Affects PHI of 150,000 at OutcomesOne',
'type': ['Phishing', 'Data Breach', 'Unauthorized Access'],
'vulnerability_exploited': ['Human Error (Phishing Susceptibility)', 'Lack of Multi-Factor Authentication (MFA) Enforcement', 'Potential Weak Email Security Controls']}