Florida Physician Specialists (FPS), a Florida-based network providing lab testing, imaging, and clinical research services, has confirmed a hacking incident that compromised the personal and protected health information of 276,498 individuals. The breach, reported to the U.S. Department of Health and Human Services (HHS) on April 24, 2026, stemmed from unauthorized network access that occurred nearly five months prior, in late November 2025.
What Happened
FPS confirmed that threat actors gained unauthorized access to its network environment between November 27 and November 29, 2025. While the organization has not publicly disclosed the exact date of discovery, an internal investigation was launched shortly after, culminating in a document review that concluded on April 6, 2026. On April 24, 2026, the same day FPS notified HHS, the provider began mailing breach notification letters to affected individuals. The roughly five-month gap between intrusion and public notification is consistent with the average dwell time and forensic timeline observed across healthcare sector incidents, though it leaves victims exposed to fraud risk well before mitigation steps can be taken.
What Was Taken
The forensic document review identified an extensive set of sensitive data elements potentially exfiltrated or accessed during the intrusion window. Exposed data categories include:
- Full names
- Social Security numbers
- Driver's license numbers
- Other government-issued identification numbers
- Financial account information, including credit and debit card data
- Medical and health insurance information
The combination of government identifiers, financial instruments, and protected health information (PHI) makes this dataset particularly valuable on dark web marketplaces and substantially increases the risk of identity theft, synthetic identity fraud, insurance fraud, and targeted phishing against the 276,498 affected individuals.
Why It Matters
This incident continues an unbroken trend of high-volume breaches targeting U.S. healthcare ancillary service providers, particularly imaging centers, diagnostic labs, and clinical research operators. These organizations are attractive targets because they aggregate complete patient identity packages from multiple referring physicians and health systems, often with weaker segmentation and monitoring than hospital networks. With breach costs in healthcare averaging around $11 million per incident and class action litigation now a near-certain consequence of any six-figure HHS filing, FPS faces significant downstream financial, regulatory, and reputational exposure. For patients, the leaked combination of SSNs and medical records cannot be reissued or recalled, creating lifetime fraud risk.
The Attack Technique
FPS has characterized the event as a "hacking incident" against its network but has not publicly attributed the activity to a named threat actor or ransomware group at the time of disclosure. The narrow three-day access window (Nov 27 to Nov 29, 2025) is notable: it suggests either rapid containment after detection, or a focused smash-and-grab exfiltration consistent with initial access broker handoffs or short-cycle data-theft extortion crews. No ransomware leak site posting has been publicly tied to FPS as of reporting, which may indicate negotiated suppression, pure data-theft extortion, or that the actor has not yet listed the victim. Common initial access vectors in comparable healthcare intrusions include compromised VPN credentials, exploitation of edge appliances, and phishing leading to session token theft.
What Organizations Should Do
Healthcare providers and ancillary services operators should treat the FPS incident as a prompt to validate the following controls:
- Enforce phishing-resistant MFA on all remote access, VPN, email, and administrative interfaces, eliminating SMS and push-only factors where possible.
- Reduce PHI and PII retention windows by aligning document review and disposal schedules with HIPAA minimum-necessary principles, shrinking the blast radius of any single intrusion.
- Deploy network segmentation between clinical, imaging, billing, and research environments to prevent lateral movement from a single compromised endpoint into PHI repositories.
- Implement egress monitoring and DLP tuned to detect large outbound transfers of structured PHI/PII, particularly to cloud storage providers and anonymizing services.
- Continuously monitor identity providers and edge devices for anomalous logins, impossible travel, and exploitation of known CVEs in VPN, firewall, and remote access products.
- Pre-stage incident response and breach counsel retainers, and rehearse HHS Office for Civil Rights notification workflows so that the discovery-to-disclosure timeline meets the 60-day HIPAA Breach Notification Rule deadline.
Sources: Florida Physician Specialists notifies HHS of breach impacting over 250k