
Cyber Incident Victim: ProPath Services, LLC

Date: Jan 2020

Location: United States of America

Summary

A cybersecurity incident at ProPath Services involved unauthorized access to two employee email accounts, potentially exposing personal and protected health information of patients who utilized laboratory or pathology testing services. Compromised data included names, dates of birth, medical test orders, diagnoses, treatment details, and physician information, with limited instances of Social Security numbers, financial account data, driver’s license numbers, health insurance details, and passport numbers. The organization stated that it found no evidence of information misuse but notified affected individuals as a precautionary measure, subsequently enhancing email security protocols and conducting employee training to mitigate future risks.


Description

ProPath Services, LLC, a Texas-based pathology service provider, experienced a data security incident involving unauthorized access to two employee email accounts. The breach occurred between May 4, 2020, and September 14, 2020, though the company did not publicly disclose the exact date it initially discovered the compromise. On January 28, 2020, ProPath’s investigation confirmed that the accessed accounts contained identifiable personal information and protected health information belonging to patients who had undergone laboratory or pathology testing services. The compromised data included patient names, dates of birth, test orders, diagnosis and clinical treatment details, medical procedure information, and physician names. A subset of affected individuals also had more sensitive data exposed, such as Social Security numbers, financial account information, driver’s license numbers, health insurance details, and passport numbers. ProPath stated it found no evidence of actual misuse of the information but opted to notify patients as a precautionary measure.


In response to the incident, ProPath implemented technical and administrative safeguards to reduce the risk of recurrence. The company enhanced security protocols for its email system and conducted additional employee training focused on recognizing malicious email threats. Affected individuals received notifications directing them to resources on ProPath’s website for guidance on monitoring their accounts and protecting personal information, though the company did not specify whether it offered credit monitoring or identity theft protection services. The breach impacted an undisclosed number of patients whose data resided in the compromised email accounts during the four-month access period. ProPath did not disclose whether external cybersecurity experts or law enforcement were involved in the investigation or whether regulatory agencies had been formally notified of the incident.
