When we get diagnosed with something, we might not share it with other people out of embarrassment. And it’s okay, because you have the right to protect your health information. Sadly, it’s not guaranteed that the people who can access our health data can protect it.
Two recent healthcare data leaks involve Intuitive Surgical, which was hit by a phishing attack, and GuardDog Telehealth, which was collecting and selling patient data to law firms.
According to the HIPAA Journal, there were over 7,300 data breaches reported to the OCR between 2009 and 2025. These breaches have affected the health information of over 935 million people. And this year, there have been major cases involving health data.
Robotic Firm Intuitive Surgical

One case involves Intuitive Surgical (a major robotic surgery company in the US). This company is known for developing and selling minimally invasive medical technology, such as the “da Vinci” and “Ion” systems.
The company disclosed that it suffered a cyberattack in which attackers sent phishing emails. This provided bad actors with access to internal business applications and allowed them to compromise employee credentials. Then, hackers entered Intuitive’s administrative network, allowing them to access and obtain sensitive information, such as the following:
- Business customers
- Contact details
- Employee data
- Corporate data
As of this writing, Intuitive has not provided further details about the breach, including when the attack happened, when it was detected, the bad actors responsible for the attack, and how many people were affected.
As per Intuitive’s statement (published in March 2026), the company had “quickly activated its incident response protocols.” Additionally, Intuitive has assured customers that its products, including da Vinci and Ion, are secure.
Intuitive is currently investigating the attack, reviewing its security protocols, and prioritizing employee training.
GuardDog Telehealth Data Sharing

Another case involves GuardDog Telehealth, a small telehealth business based in Houston, Texas. This company offers preventative care, chronic care management, care coordination, and concierge nursing.
Here’s the timeline and details of the breach:
From 2022 to 2024, GuardDog Telehealth’s predecessor, Critical Care Nurse Consulting (CCNC), was improperly sharing records with law firms. Then, Unit 387 (a data broker company) posed as CCNC to request data.
In 2024, GuardDog continued the practice and began its operations as a client of Health Gorilla.
In 2026, Epic sued GuardDog, Health Gorilla, Unit 387, and SelfRx for accessing and selling data without authorization. Epic also stressed that GuardDog was wrong when it claimed that it needed the data to treat its patients when, in fact, the company was selling it to law firms.
In March 2026, GuardDog admitted to accessing data and sharing it with law firms. It also confirmed that Health Gorilla was aware of the practice and of the role of the data broker, Unit 387.
On March 17, GuardDog agreed to delete all the patient data it had collected within one week, as well as waive appeal rights and face a permanent ban if approved by the judge. But there will be no financial penalties.
However, Health Gorilla criticized the filing and called it “incomplete and misleading.” It claimed that GuardDog did not disclose any non-treatment use of patient data and that it would be able to provide proof. It also called Epic’s lawsuit an “attack on interoperability that could negatively impact patient safety.”
Risks of Medical Data Leaks

Now, why should you be concerned about all this?
You should be concerned because your health information is sensitive. It’s not safe in the hands of companies and data brokers. And when your health data is compromised, you could face various risks, such as the following:
- Risk 1: Data Exposure - When a health company gets breached, your medical data gets exposed. It can get uploaded and sold on the dark web. And once it’s there, it’ll be hard to remove. You might manage to delete a copy, but chances are that your data has already been copied by others. This means that your health data will be floating on the dark web forever, putting you at risk.
- Risk 2: Medical Identity Theft - If a fraudster manages to buy your health data on the dark web, they can use it for medical identity theft. For example, fraudsters could use your name to claim medical insurance. Also, they could pretend to be you and access medical care, leaving you with a charge for care you never received.
- Risk 3: Scams - Aside from identity theft, scammers can use your health information to scam you. For instance, they can send you personalized phishing emails pretending to be your healthcare provider. Since the email mentions everything about your health correctly, you’ll likely trust that the email is really from your provider.
- Risk 4: Emotional & Social Damage - Sometimes, it’s hard or embarrassing to share health diagnoses, such as mental health issues or HIV. It’s understandable because of the stigma or discrimination around these conditions. Sadly, when your healthcare data gets leaked, your health information could get exposed. This might damage you emotionally and strain your relationships with family, friends, and even employers.
Conclusion
Overall, these medical data leak incidents pose a risk to your health and safety. Regretfully, we can’t fully stop health organizations from collecting our data, because they do need our information to provide us care. However, it is their job to protect the data they collect.
What you can do is ensure that you’re prepared. Know how scammers can target you using your health data. If there’s a data breach, make sure that you freeze your credit to stop fraudsters from damaging your identity. It’s also worth trying dark web monitoring, which might help you know if your data is on the dark web and, potentially, delete it.
Frequently Asked Questions
What is the largest healthcare data breach?
The largest data breach involves Anthem Inc. The breach was first reported in 2015 and remained unresolved until 2024, affecting 78.8 million people. Hackers stole details, including birthdays, names, Social Security numbers, addresses, and employment data.
What is the major cause of data breaches?
According to the Information Commissioner’s Office, about 80% of data breaches are caused by human error. This includes being victimized by phishing emails or even mistakenly sending personal data to the wrong recipients.




