Evergreen Group experiences cloud-based data breach
Caitlin Anthoney Mar 3, 2026 2:36:29 PM
On February 25, 2026, Evergreen Healthcare Group disclosed a data breach tied to unauthorized access to its cloud-based healthcare platform, potentially exposing highly sensitive patient information from one care facility.
What happened
Evergreen Healthcare Group (EHG), operated by Couve Healthcare Consulting, LLC, reported that it detected unauthorized activity in its cloud-based healthcare platform on or about December 3, 2025. An internal investigation later determined that an unknown party may have accessed or copied files containing personal and medical information belonging to current or former residents of Golden Sonora Care Center.
The breach was publicly disclosed on February 25, 2026. Beginning February 24, 2026, notification letters were mailed to affected individuals. The incident is classified as medium severity because it affected only one facility, but the data involved is considered highly sensitive, as it includes Social Security numbers and medical information.
What was said
In its website notice, Evergreen Healthcare Group stated, “On or about December 3, 2025, EHG became aware of unauthorized activity within its cloud-based healthcare platform. Upon becoming aware of this activity, EHG immediately implemented its incident response plan and began an investigation into the nature and scope of the issue. This preliminary investigation found evidence that certain files may have been accessed by an unauthorized party.”
The company also indicated it is notifying affected individuals and providing a list of the specific types of information impacted, along with complimentary Cyberscout credit monitoring services.
In the know
Healthcare organizations use cloud-based email services, like Microsoft 365 and Google Workspace, for sending protected health information (PHI), including lab reports and treatment instructions. These platforms depend on Transport Layer Security (TLS) to encrypt messages while they travel between mail servers. Although best practice is to use newer, more secure versions such as TLS 1.2 or 1.3, many organizations assume that enabling a feature called “Force TLS” fully prevents unauthorized access.
In practice, however, “Force TLS” can create a false sense of security because it prioritizes message delivery over encryption. When a recipient’s email server does not support modern TLS, cloud platforms often fall back on insecure delivery methods without notifying the sender.
For example, Google Workspace may transmit messages using outdated protocols like TLS 1.0 or 1.1, which the NSA has deprecated due to known weaknesses. Microsoft 365, on the other hand, may block those older protocols but still send the message as unencrypted plain text.
Since these fallback behaviors usually occur without warnings, bounce messages, or audit logs, healthcare organizations may not realize that patient data was exposed during transit. Recognizing these built-in failure paths helps explain why default cloud email settings may not meet HIPAA’s technical safeguard requirements.
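Because the fallback itself raises no alert, one place it can still be seen is the Received headers of a delivered message. The following is an added example, not part of the original article: it assumes the headers come from a test message sent to a mailbox you control and that the receiving servers record a `version=TLS…` token; the hostnames and header lines are constructed.

```python
import re
from email import message_from_string

MIN_TLS = (1, 2)  # the passage's floor: TLS 1.2 or 1.3

# "version=TLS1_2" / "version=TLSv1.3" token (assumed header format).
TLS_RE = re.compile(r"version=TLSv?(\d)(?:[._](\d))?", re.IGNORECASE)
# The "with" protocol keyword: ESMTPS means TLS was used (RFC 3848),
# plain SMTP/ESMTP means the hop recorded no TLS.
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
PLAINTEXT_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA"}


def classify_hop(received):
    """Return 'ok', 'weak-tls', 'plaintext' or 'unknown' for one Received header."""
    m = TLS_RE.search(received)
    if m:
        version = (int(m.group(1)), int(m.group(2) or 0))
        return "ok" if version >= MIN_TLS else "weak-tls"
    w = WITH_RE.search(received)
    if w and w.group(1).upper() in PLAINTEXT_PROTOCOLS:
        return "plaintext"
    return "unknown"


def audit_message(raw):
    """Classify every hop of a raw RFC 5322 message, newest hop first."""
    msg = message_from_string(raw)
    return [(" ".join(h.split())[:70], classify_hop(h))
            for h in msg.get_all("Received", [])]


# Constructed sample: one modern hop, one TLS 1.0 hop, one unencrypted hop.
SAMPLE = (
    "Received: from mail.sender.example ([192.0.2.10]) by mx.recipient.example "
    "with ESMTPS id a1 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); "
    "Tue, 03 Mar 2026 10:00:02 -0800\n"
    "Received: from relay.legacy.example ([198.51.100.7]) by mail.sender.example "
    "with ESMTPS id b2 (version=TLS1_0 cipher=AES128-SHA bits=128/128); "
    "Tue, 03 Mar 2026 10:00:01 -0800\n"
    "Received: from old.example ([203.0.113.5]) by relay.legacy.example "
    "with ESMTP id c3; Tue, 03 Mar 2026 10:00:00 -0800\n"
    "Subject: constructed test message\n\nbody\n"
)

if __name__ == "__main__":
    for hop, status in audit_message(SAMPLE):
        print(f"{status:10} {hop}")
```

Hops inside a single provider's own network can also show plain `SMTP`, so review flagged hops by hostname before treating them as an exposure in transit.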
Why it matters
Although the breach appears limited to residents of a single facility, the exposed data includes Social Security numbers and medical information, making affected individuals vulnerable to identity theft, insurance fraud, and targeted phishing.
Incidents like this show the risks associated with cloud-based healthcare platforms and reinforce why we must implement continuous monitoring and rapid incident response in long-term care environments.
The bottom line
Healthcare organizations must use advanced security measures, including regular risk assessments and breach monitoring tools, such as HIPAA compliant emails, to reduce exposure before attackers exploit vulnerabilities.
FAQs
What is a data breach?
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
Can data breaches lead to identity theft?
Yes. When personal and health information is accessed without authorization, there is an increased risk of identity theft, insurance fraud, and unauthorized use of medical records. Patients should monitor their accounts and take preventive measures to reduce potential harm.
Are there any costs associated with placing a fraud alert or credit freeze?
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.