Onsite Mammography Breach: Sensitive Health Data of 350,000 Patients Exposed

Swagta Nath

Onsite Mammography, a leading provider of in-office breast health services across the United States, has confirmed a major data breach impacting over 350,000 individuals. According to a notice submitted to the Maine Attorney General’s Office and shared with affected individuals, unauthorized access to one employee’s email account led to the exposure of personal and health-related information.

The breach was discovered in October 2024 after Onsite observed suspicious activity linked to a single employee’s email account. Immediate measures were taken to secure the email environment, and independent cybersecurity experts were enlisted to conduct a comprehensive investigation. Investigators concluded that the compromised account contained sensitive patient information, although the broader network was not affected.

Phishing Attack Behind the Compromise

While the company initially withheld the specific method of the breach, Onsite Mammography later confirmed that the incident was the result of a successful phishing attack. In a statement to SecurityWeek, the organization clarified that an employee was tricked into providing credentials, granting an unauthorized actor limited access to their inbox.

Further investigation determined that the intruder accessed personal data, including health-related information (PHI), belonging to hundreds of thousands of individuals. However, the company emphasized there was no evidence to suggest misuse of the stolen data at this time. Following the breach, the company reported the incident to law enforcement and undertook cybersecurity remediation steps.

Affected individuals are being offered complimentary credit monitoring and identity theft protection services as a precaution.

Several consumer advocacy law firms have launched investigations into the breach to explore whether victims are entitled to financial compensation. Firms like Levi & Korsinsky have stressed the long-term risks posed by such breaches, including identity theft and financial fraud, and have indicated that organizations failing to safeguard personal data could be held legally liable.

Patients affected by the breach are encouraged to monitor their credit reports closely and be vigilant about potential scams. Cybersecurity experts recommend using secure, monitored data protection tools to track any unauthorized use of personal information, and advise against clicking suspicious links or sharing sensitive information over unsecured channels.
