Twin Cities Pain Clinic email breach may have exposed patient data
Farah Amod
Sep 19, 2025 5:30:00 AM

A recent business email compromise at Twin Cities Pain Clinic has triggered a data breach investigation and credit monitoring offer.
What happened
Twin Cities Pain Clinic (TCPC) identified suspicious activity in an employee’s email account on or around July 9, 2025. An investigation led by external counsel and forensic experts confirmed on July 31 that an unauthorized user had accessed both the email account and limited files stored in SharePoint. On August 18, TCPC determined that personal information belonging to patients may have been exposed.
The forensic team did not find evidence that any data was downloaded or removed from the clinic’s systems. However, out of caution, affected individuals are being notified.
Going deeper
The compromised data varied by individual but may have included names, birth dates, Social Security numbers, contact information, financial account details, insurance data, and health information such as medical records and treatment notes. No misuse of this information has been confirmed.
In response, TCPC took several internal steps, including resetting login credentials and hardening its IT systems. Legal counsel is reviewing the clinic’s security practices, and updated security protocols and staff training resources are being implemented.
What was said
In a letter to affected individuals, TCPC Chief Operating Officer Sheila Thompson expressed the clinic’s commitment to protecting personal data and apologized for the incident. A dedicated call center has been established to address concerns for 90 days following notification.
The clinic is offering 24 months of free credit monitoring and fraud assistance through Cyberscout, a TransUnion company.
FAQs
What is a business email compromise (BEC)?
A BEC is a type of cyberattack where an unauthorized party gains access to a corporate email account, often to steal sensitive data or impersonate staff for fraudulent purposes.
Why notify individuals if there’s no evidence of data misuse?
Under many state and federal guidelines, entities are required or strongly encouraged to notify individuals when sensitive data may have been exposed, even if there’s no proof of misuse.
How does SharePoint fit into this breach?
In addition to the compromised email account, the unauthorized user accessed limited files stored in TCPC’s SharePoint system, which may have included personal health information.
What makes credit monitoring effective in these cases?
Credit monitoring alerts individuals to new activity on their credit report, such as applications for loans or new accounts, which can be an early warning sign of identity theft.