Retina Group of Florida data breach impacts more than 152K
Caitlin Anthoney Sep 15, 2025 3:54:04 AM

Retina Group of Florida recently reported a data breach affecting the protected health information (PHI) of 152,691 individuals, according to the U.S. Department of Health and Human Services (HHS) breach report.
What happened
On September 3, 2025, Retina Group of Florida, an ophthalmology practice headquartered in Fort Lauderdale, filed official notice with HHS’ Office for Civil Rights (OCR), disclosing a major data breach.
While details remain limited, breaches of PHI typically expose data such as medical history, diagnoses, treatment details, and insurance information. The ophthalmology practice is expected to begin notifying affected individuals in the coming weeks.
What the research shows
Recent findings show that healthcare organizations may be overestimating their ability to defend against cyber threats. More specifically, a 2025 Paubox report noted that “92% of healthcare IT leaders say they’re confident in their ability to prevent email-based data breaches. That should be reassuring. It’s not.” The report found that many protections are either outdated or misconfigured, with gaps in encryption and detection systems.
The study also found that 56% of healthcare organizations spend less than 10% of their IT budgets on cybersecurity, which is much lower than in other industries. Additionally, when these tools are implemented, they often frustrate staff, with 86% of IT leaders saying their current email security tools cause workflow friction, leading to risky workarounds.
As Andrew Hicks of Frazier & Deeter Advisory states, “Too often, organizations rely on infosec policies, user training, or manually enforced controls—rather than implementing automated, policy-driven email encryption solutions. This overreliance on human-dependent safeguards introduces unnecessary risk and undermines the integrity of outbound email protection strategies.”
Paubox CEO Hoala Greevy also warns that attackers are moving faster than outdated defenses: “We’ve seen email threats evolve faster than many tools meant to stop them. It’s not just about phishing anymore—it’s about deception at scale.”
By the numbers
- 152,691 individuals impacted.
- 22 treatment centers across Florida.
- 23 board-certified retina specialists and surgeons.
Learn more: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples of breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
What should individuals do if their data has been compromised?
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
What are the penalties for violating HIPAA?
As of March 2025, HIPAA violations incur fines from $141 to $2,134,831 per violation, depending on culpability. Tier 1 penalties apply to unintentional violations ($141–$35,581), while Tier 2 covers breaches due to reasonable cause ($1,424–$71,162). Tier 3 applies to willful neglect corrected within 30 days ($14,232–$71,162), and Tier 4 penalizes uncorrected willful neglect with the highest fines ($71,162–$2,134,831).
These fines adjust annually for inflation, and severe cases may result in criminal charges, reputational harm, and mandatory corrective actions.