HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Excellent Home Care Services email breach exposes patient information

Written by Kirsten Peremore | Dec 25, 2025 2:50:47 PM

On November 25, 2025, Excellent Home Care Services discovered that an employee’s email account had been accessed by an unauthorized third party for a brief period.

 

What happened 

The breach potentially affected individuals residing in Bronx, Kings, Nassau, New York, and Queens counties. Although the company was able to identify the type of file that may have been accessed, it could not determine exactly how many files were viewed. 

After identifying the incident, Excellent immediately secured the affected account, reset credentials, restricted access, and reviewed and updated Microsoft 365 security settings. 

Notification letters were sent to all affected individuals on December 17, 2025, and Excellent offered identity monitoring services at no cost to help mitigate potential misuse of personal information.

 

What was said

According to the notice of security incident, “Excellent immediately secured the account and began an investigation with external support to understand what information may have been involved. Although we were able to identify the type of file that could have been accessed, we could not determine how many files were viewed. Out of an abundance of caution, we are notifying all individuals whose information may have appeared in that file type.” 

 

Why it matters 

The email breach counts as a HIPAA data breach because an unauthorized person gained access to an employee’s email account that contained protected health information (PHI). HIPAA requires that any access to or sharing of PHI without permission, in a way that could compromise its privacy or security, be treated as a reportable breach.

 

The big picture

The Excellent Home Care Services incident follows a trend seen in cases like the Integrated Oncology Network (ION) breach in late 2024, where a phishing attack on a third-party provider exposed sensitive patient information for tens of thousands of people. 

Although Excellent’s breach affected fewer individuals and was limited to certain New York counties, both incidents show that email account compromises continue to be a major risk for patient data, even in smaller organizations.


 

FAQs

What is considered a reportable HIPAA breach? 

Any unauthorized access, use, or disclosure of PHI that compromises its privacy or security.

 

How soon must a HIPAA breach be reported? 

Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach.

 

Who must be notified in a HIPAA breach? 

Affected individuals, the HHS Office for Civil Rights (OCR) for breaches affecting 500 or more people, and in some cases, the media.