Data Breach at Onsite Mammography Exposes 357,000 Patients’ Information: What IT Leaders Need to Know

When we talk about protecting sensitive data, healthcare organizations are often at the top of the list for cybercriminals.

This week, we saw another clear reminder: Onsite Mammography, operating under the Onsite Women’s Health brand, disclosed a data breach that compromised personal and health information of over 357,000 patients.

Here’s what happened—and what we can learn from it:

In October 2024, Onsite discovered that an employee’s email account had been compromised through a phishing attack. After a detailed investigation, which wrapped up in February 2025, they confirmed that the unauthorized access was limited to just the email account—no other internal systems were breached.

However, the inbox contained a wide range of sensitive data, including names, Social Security numbers, dates of birth, driver’s license numbers, credit card numbers, and medical information (including mental and physical health details and care received).

The breach impacted 357,265 patients, and Onsite has already notified those affected, as well as regulators like the Maine Attorney General’s Office. They’re offering 12 months of free credit monitoring and identity protection.

Importantly, Onsite said there’s no evidence that the stolen information has been misused so far.

They acted quickly by:

  • Engaging cybersecurity experts
  • Notifying law enforcement
  • Sending direct notifications to impacted individuals
