People Encouraging People reports data breach affecting over 13K
Caitlin Anthoney Oct 10, 2025 6:10:32 PM

People Encouraging People (PEP), a Maryland-based nonprofit organization specializing in behavioral healthcare, has reported a data breach that exposed the personal and protected health information (PHI) of 13,083 individuals. The incident occurred in December 2024 and was disclosed to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in September 2025.
What happened
According to PEP’s breach notice, the organization detected unauthorized activity on its computer network around December 21, 2024. An internal investigation determined that an unauthorized third party accessed and potentially acquired data between December 18 and December 23, 2024.
The compromised information varies by individual but may include names, Social Security numbers, dates of birth, addresses, driver’s license numbers, financial account details, and medical data such as diagnoses, medications, and treatment information.
Following the discovery, PEP secured its systems, reviewed the relevant data, and began notifying the affected individuals. The organization posted a notice on its website and submitted an official report to the OCR on September 19, 2025.
What was said
“Upon becoming aware of this event, People Encouraging People promptly took steps to investigate, assess the security of our systems, restore functionality to our environment, and notify potentially affected individuals,” explains PEP’s breach notice.
Further, “As part of our ongoing commitment to the privacy of personal information, we have safeguards in place to protect data in our care. We are working to review and further enhance these protections as part of our ongoing commitment to data security. We are also reporting this incident to the U.S. Department of Health and Human Services Office for Civil Rights and relevant state authorities.”
In the know
People Encouraging People is a nonprofit behavioral healthcare provider founded in 1979. Headquartered in Baltimore, Maryland, PEP offers rehabilitation, residential, vocational, and specialized assistance programs for individuals with disabilities and mental health challenges. The organization also provides services for individuals who are deaf or blind, supporting their integration into the community.
As a healthcare provider handling PHI, PEP is considered a HIPAA-covered entity. Under HIPAA, covered entities must implement technical, administrative, and physical safeguards to protect sensitive health information from unauthorized access or disclosure.
Why it matters
The PEP breach shows the ongoing cybersecurity risk for small and mid-sized healthcare organizations, particularly not-for-profit entities with limited IT support. Behavioral health agencies, in particular, handle very sensitive information that would lead to identity theft or personal harm if exposed.
Medical violations are still at the forefront of OCR reports in 2025, showing an industry need for improved data safeguards. Even small entities like PEP are susceptible to cyberattacks by hackers seeking profitable health and financial data.
The bottom line
The breach at People Encouraging People shows how cyber threats continue to affect the healthcare sector, including nonprofits serving vulnerable populations. These organizations must improve data encryption, limit access to sensitive files, and adopt HIPAA-compliant communication solutions like Paubox Email Suite to reduce the impact and frequency of future incidents.
FAQs
What is a data breach?
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
What should individuals do if their data has been compromised?
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
Are there any costs associated with placing a fraud alert or credit freeze?
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.