On March 18, 2025, The Pavilion at HealthPark, LLC, doing business as Park Royal Hospital, disclosed a data breach that affected 9,349 individuals in the United States. The breach occurred as a result of an email phishing incident between January 14 and January 15, 2025. During this time, an employee at Park Royal Hospital inadvertently provided their email account credentials to an unauthorized party after responding to a phishing email that appeared legitimate. This allowed the unauthorized party to access the employee’s email account and associated SharePoint account.
A forensic investigation confirmed that the incident was limited to this single employee’s accounts and did not involve the hospital’s electronic health records systems. However, the unauthorized party was able to access certain emails and files containing sensitive information. The types of consumer information exposed in this breach included names, dates of admission, provider information, and status as a patient at Park Royal. This information is considered both personally identifiable information (PII) and protected health information (PHI), as it can be used to identify individuals and relates to their healthcare status.
The breach was reported to the U.S. Department of Health and Human Services, and the incident is listed in the HHS breach portal. Additionally, Park Royal Hospital posted a detailed notice to consumers on its website.
Upon discovering the incident on January 17, 2025, Park Royal Hospital immediately secured the affected email account and engaged a third-party forensic firm to investigate. The hospital determined that the breach was contained to the single employee’s email and SharePoint accounts and did not disrupt hospital operations or impact electronic health record systems.
To notify those affected, Park Royal Hospital began mailing notification letters via United States Postal Service First-Class mail on March 18, 2025. The hospital also established a dedicated, toll-free incident response line at (888) 408-3029, available Monday through Friday from 9:00 a.m. to 9:00 p.m. Eastern Time (excluding major U.S. holidays), to assist individuals with questions about the breach.
If you believe your information may have been involved, it is important to monitor statements from your healthcare providers and health insurance plans. If you notice any services you did not receive, contact your provider or health plan immediately.
The unauthorized access was obtained through phishing, and there is no evidence that financial or Social Security information was exposed, but vigilance is still recommended. Park Royal Hospital has implemented additional safeguards and technical security measures to further protect and monitor its systems in response to this incident.
For more information about the hospital and its services, visit the Park Royal Hospital website.