Security · March 21, 2026 · 6 min read

Healthcare Data Breaches Hit Home Care: Protect Your Agency in 2026

Marcus T.

CareCade Foundation

In November 2025, Excellent Home Care Services in New York discovered unauthorized access to an employee email account. The breach exposed client names, addresses, Social Security numbers, Medicare IDs, and medical information for families across five New York counties.

That same month, Community Nurse—a Massachusetts home health agency—learned that 6,746 patients had their data potentially compromised through a vendor breach at Doctor Alliance.

These aren't isolated incidents. They're part of a growing pattern targeting home care agencies.

The Numbers Are Alarming

According to the HHS Office for Civil Rights, 57 million individuals were affected by healthcare data breaches in 2025. Over 642 large breaches (affecting 500+ people) were reported, with nearly 1,000 still under investigation as of January 2026.

Home care agencies are increasingly targeted because:

  • Valuable data: Client records contain everything identity thieves need—SSNs, medical histories, insurance information
  • Smaller security budgets: Unlike hospitals, many home care agencies lack dedicated IT security staff
  • Distributed workforce: Caregivers accessing systems from multiple locations and devices creates vulnerabilities
  • Vendor dependencies: EVV systems, billing software, and communication tools all handle PHI

Why 76% of HIPAA Penalties Cite the Same Failure

Here's what should concern every home care administrator: 76% of all HIPAA enforcement actions in 2025 included penalties for risk analysis failure.

A risk analysis isn't a one-time checkbox. It's an ongoing process of identifying where your client data lives, who can access it, and what threats exist. Most agencies that get breached never did a proper risk analysis—or did one years ago and never updated it.

The second most common penalty reason? Breach notification failures. Agencies that don't have incident response procedures scramble when breaches occur, missing notification deadlines and compounding their legal exposure.

How Breaches Happen in Home Care

Email Compromise

The Excellent Home Care breach started with a compromised email account. This is the most common attack vector:

  1. Caregiver receives phishing email that looks legitimate
  2. They click a link and enter credentials
  3. Attacker now has access to that email account
  4. Any PHI in emails or attachments is exposed

Prevention: Multi-factor authentication makes stolen passwords useless. Passkey authentication eliminates phishing entirely.

Vendor Breaches

Community Nurse's data was exposed through a vendor—Doctor Alliance—not their own systems. When you share PHI with software providers, billing services, or EVV vendors, their security becomes your security.

Prevention: Require Business Associate Agreements. Verify vendors have SOC 2 certification and strong security practices.

Lost or Stolen Devices

A caregiver's phone containing client schedules and notes gets stolen. If the device isn't encrypted and protected, that's a reportable breach.

Prevention: Require encryption, strong authentication, and remote wipe capability for all devices accessing PHI.

Insider Threats

Sometimes breaches come from within—staff accessing records they shouldn't, or departing employees taking client lists.

Prevention: Role-based access controls ensure staff only see data relevant to their role. Audit logging tracks who accessed what and when.

What Attackers Are Doing Differently in 2026

Security experts note a disturbing shift in tactics. Attackers are moving beyond simple ransomware to more destructive approaches:

  • Corrupting backups before deploying ransomware, so agencies can't recover
  • Damaging infrastructure to prolong downtime
  • Compromising clinical systems in ways that affect care delivery
  • Multi-stage operations that establish persistence before striking

Healthcare is being treated as a "high-value supply chain" with coordinated, professional attacks rather than opportunistic hits.

Protecting Your Agency: A Security Checklist

Authentication

  • Multi-factor authentication required for all users
  • Consider passkey authentication to eliminate phishing risk
  • Strong password policies (if still using passwords)
  • Automatic session timeouts
  • Immediate access revocation when staff depart

Encryption

  • Data encrypted in transit (TLS 1.2+)
  • Data encrypted at rest (AES-256)
  • Mobile devices encrypted
  • Backup data encrypted

Access Controls

  • Role-based permissions (caregivers see only their clients)
  • Principle of least privilege
  • Regular access reviews
  • Audit logging of all PHI access

Vendor Management

  • Business Associate Agreements with all vendors
  • Verify vendor security certifications
  • Understand what data vendors can access
  • Incident notification procedures in contracts

Incident Response

  • Written breach response procedure
  • Designated incident response team
  • Contact information for legal counsel
  • Template notification letters ready
  • Regular tabletop exercises

The Cost of Getting It Wrong

HIPAA violations can result in fines up to $1.5 million per violation category per year. But the real costs go beyond fines:

  • Lost clients: Families choose agencies they trust with their loved ones' information
  • Staff turnover: Good caregivers don't want to work for agencies with security problems
  • Operational disruption: Breach response consumes months of administrative time
  • Legal exposure: Class action lawsuits from affected individuals
  • Reputation damage: One headline can undo years of community trust

Technology That Actually Helps

The right software makes security easier, not harder. When evaluating home care management systems, look for:

Encryption everywhere: PHI should be encrypted at rest and in transit—not just "available" as an option, but the default.

Modern authentication: Passkeys (Face ID, Touch ID, Windows Hello) eliminate phishing. TOTP two-factor authentication adds protection for password-based login.

Comprehensive audit logging: Every access to sensitive data logged with timestamps and user identification.

Multi-tenant isolation: If you're using cloud software, your data should be completely separated from other agencies—not just logically separated, but in separate databases.

Role-based access: Caregivers should only see their assigned clients. Billing staff shouldn't see clinical notes. Access should match job responsibilities.
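The following is an added example, not CareCade's code or part of the original post, showing one way to implement the access model this section and the Access Controls checklist describe: role-scoped fields, caregivers limited to their assigned clients, immediate refusal for deactivated accounts, and an audit entry for every PHI access decision that can then feed a periodic access review. Role names, field names, user names and client IDs are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed role policy: which PHI fields each role may read.
# Billing never sees clinical notes; caregivers never see insurance data.
ROLE_FIELDS = {
    "caregiver": {"schedule", "care_notes"},
    "billing": {"schedule", "insurance"},
    "admin": {"schedule", "care_notes", "insurance"},
}


@dataclass
class User:
    name: str
    role: str
    assigned_clients: frozenset  # caregivers may only open these clients
    active: bool = True          # set False on departure: instant revocation


@dataclass
class AuditLog:
    """Every access decision, allowed or denied, with timestamp and user."""
    entries: list = field(default_factory=list)

    def record(self, when: datetime, user: User, client: str, fld: str, allowed: bool):
        self.entries.append((when, user.name, user.role, client, fld, allowed))


def access_phi(user: User, client: str, fld: str, when: datetime, log: AuditLog) -> bool:
    """Least-privilege check: account active, field permitted for the role,
    and (for caregivers) the client is on their assignment list."""
    allowed = (
        user.active
        and fld in ROLE_FIELDS.get(user.role, set())
        and (user.role != "caregiver" or client in user.assigned_clients)
    )
    log.record(when, user, client, fld, allowed)  # log denials too
    return allowed


def review_access(log: AuditLog, since: datetime) -> dict:
    """Access review: users with denied PHI attempts since the given time,
    mapped to the (client, field) pairs they tried to reach."""
    flagged: dict = {}
    for when, name, _role, client, fld, allowed in log.entries:
        if when >= since and not allowed:
            flagged.setdefault(name, []).append((client, fld))
    return flagged
```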

Start Today

You don't need a six-figure security budget to protect your agency. Start with these steps:

  1. Enable MFA everywhere—today. This single step prevents most account compromises.

  2. Conduct a risk analysis—or update your existing one. Document where PHI lives and who can access it.

  3. Review vendor agreements—ensure you have BAAs in place and understand each vendor's security practices.

  4. Train your team—security awareness training prevents the human errors that cause most breaches.

  5. Choose secure software—your care management system should make security easier, not something you bolt on.

The agencies that avoided breaches in 2025 weren't lucky. They were prepared. Your clients trust you with their health information. That trust is worth protecting.
