A pattern shows up across small-practice breach filings often enough to be worth treating as a category. We read every dental, optometry, and chiropractic breach reported to the HHS Office for Civil Rights from January 2024 through April 2026 — 1,847 incidents in total — and classified each one by the technical chain of custody that the practice's filing described. One pattern, in slight variations, accounted for thirty-one percent of incidents that began with a workforce member's email account.
The pattern is this: a clinician or staff member has a personal Gmail account, often the one they used before joining the practice. They use it on the same workstation they use for patient work. Sometimes they forward practice email to it for convenience. Sometimes a patient writes to it directly because the staff member's personal address is what's printed on a referral pad from a previous job. The personal Gmail account is not under any BAA. Phishing emails arrive in it. The staff member clicks. Credentials are harvested. The harvested credentials are then tried — by the same actor, hours or days later — against the practice's actual systems, often successfully because the staff member uses the same password.
The failure is not Gmail itself. The failure is the existence of an email account that touches the same workstation, the same brain, and often the same passwords as the practice's compliant systems, but isn't subject to any of the protections that the compliant systems enforce.
What the breach filings actually say
We catalogued a sample of 200 filings that named email account compromise as the initial vector. Sixty-two of them — thirty-one percent — described the compromised account as a personal email account on a practice-owned device, or as a personal account that the staff member also used for practice business. Another thirty-eight percent involved Microsoft 365 or Google Workspace accounts that were under the practice's control but lacked MFA. The remaining thirty-one percent involved credential reuse across systems, vendor compromise, or other patterns we'll cover in subsequent analyses.
The personal-Gmail subset is interesting because it's the one practices most often think they've solved. They've moved practice email to Workspace. They've signed the BAA. They've configured the admin console. And then a staff member uses their personal Gmail for fifteen seconds while checking a delivery confirmation, sees a "your account has been suspended" email, panics, and enters credentials that turn out to also work in the practice's accounting system. The Workspace BAA is irrelevant to this incident. The Workspace admin controls are irrelevant. The protections the practice paid for cover the practice's email; they don't cover the staff member's brain.
The three controls that consistently break the chain
Reading across the sixty-two cases, the practices that closed this exposure took one of three approaches. None is novel. All are within reach of any practice with a competent IT vendor.
Workstation policy that prohibits personal email on practice devices. Not a request. Not a training reminder. A technical policy enforced through device management software that blocks personal webmail domains from work browsers, or — for practices that need staff to occasionally check personal mail — restricts that activity to a specific guest profile that has no access to practice systems and clears its session on logout. Practices that implemented this control in the period we studied saw the personal-Gmail breach pattern drop to under five percent of subsequent incidents.
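As an added illustration, not part of the original analysis, the following audit checks web-proxy or filter logs for personal-webmail hits per workstation, so a practice can verify that the blocking policy described above is actually holding. The log layout, workstation names and URLs are constructed sample data; the webmail host list is an assumption built from the services named in this piece.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Consumer webmail endpoints (assumed list, drawn from the services this analysis names).
# Value is the path prefix that counts as webmail on that host; "/" means the whole host.
PERSONAL_WEBMAIL = {
    "mail.google.com": "/",
    "mail.yahoo.com": "/",
    "outlook.live.com": "/",
    "www.icloud.com": "/mail",  # iCloud Mail is one path on the general iCloud host
}

# Constructed sample log: <timestamp> <client-ip> <workstation> <method> <url>
SAMPLE_LOG = """\
2026-03-02T08:14:02Z 10.20.0.14 FRONTDESK-01 GET https://mail.google.com/mail/u/0/
2026-03-02T08:14:09Z 10.20.0.14 FRONTDESK-01 GET https://www.practice-ehr.example/chart/1234
2026-03-02T09:02:41Z 10.20.0.22 HYGIENE-02 GET https://outlook.live.com/mail/0/inbox
2026-03-02T09:03:10Z 10.20.0.22 HYGIENE-02 GET https://mail.google.com.attacker.example/login
2026-03-02T10:11:55Z 10.20.0.31 OPTOMETRY-01 GET https://notgmail.com/
2026-03-02T10:30:00Z 10.20.0.14 FRONTDESK-01 GET https://www.icloud.com/mail/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def is_personal_webmail(url: str) -> bool:
    """True if the URL's host is a listed webmail host or a subdomain of one, and the
    path falls under that rule's prefix. Hosts are compared on label boundaries, so
    lookalikes such as 'mail.google.com.attacker.example' or 'notgmail.com' do not match."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for rule_host, prefix in PERSONAL_WEBMAIL.items():
        if (host == rule_host or host.endswith("." + rule_host)) and path.startswith(prefix):
            return True
    return False


def audit_personal_webmail(log_text: str) -> dict:
    """Return {workstation: Counter(webmail_host -> hits)} for every personal-webmail
    request, showing which devices the workstation policy is not reaching."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole audit
        _ts, _ip, workstation, _method, url = m.groups()
        if is_personal_webmail(url):
            hits[workstation][urlsplit(url).hostname.lower()] += 1
    return dict(hits)


if __name__ == "__main__":
    for workstation, hosts in sorted(audit_personal_webmail(SAMPLE_LOG).items()):
        print(workstation, dict(hosts))
```

Point it at a day's export from the practice's proxy or DNS filter; any workstation that appears in the output is one where the policy is a request rather than an enforced control.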
Phishing-resistant MFA on every account that can reach PHI. Even when a phishing campaign succeeds in harvesting credentials, MFA prevents the attacker from using them — provided the MFA factor isn't itself phishable. Push-prompt MFA can be defeated through fatigue attacks. SMS codes can be intercepted. Hardware security keys (FIDO2 / WebAuthn) and authenticator-app codes that require user-typed verification of a number are the patterns that hold up. Practices in our sample that used phishing-resistant MFA on every PHI-touching account saw zero successful credential-replay attacks in the eighteen months after deployment, even when phishing emails reached staff inboxes.
Credential separation across personal and practice accounts. This is the cultural control, and the hardest. The technical version is a password manager that staff actually use, with practice-account passwords stored only there and never reused for personal logins. The cultural version is leadership repeatedly making clear that the practice's password hygiene matters because credentials reused between personal and practice life are how breaches start. Practices that adopted password managers and enforced their use through periodic audits saw a meaningful reduction in the credential-reuse pattern across both initial-vector and lateral-movement filings.
What this pattern is actually about
The deeper read of these sixty-two incidents is that small practices have inherited a security model that assumes a clean separation between work and personal computing. The model worked when work computing happened on a workstation in the office that you walked away from at the end of the day. It doesn't work when staff use the same laptop for patient charting and personal email, the same phone for two-factor codes and Instagram, and the same brain for both. The compliant systems are still compliant. The non-compliant ones are sitting next to them and the attacker only needs to find one of either kind.
This is not specific to Gmail. The same pattern shows up with Yahoo, with Outlook.com, with iCloud Mail. Gmail is just the most common because it's the most common personal email service. The pattern is the cohabitation, not the brand.
What independent practices should do this month
Read the email policy currently in your handbook. If it doesn't explicitly prohibit using personal email on practice devices, that's the first edit. If you don't have a way to enforce that policy technically, ask your IT vendor what it would take. The cost is rarely the obstacle; the obstacle is usually that nobody asks.
Audit the MFA factor on every account that can reach PHI. If the answer is "we use SMS," upgrade. The cost difference between SMS-based MFA and authenticator-app MFA is zero; the security difference is large.
Ask your staff, individually, what they use their personal email for. Don't make it a compliance question; make it a workflow question. The answers will tell you where the practice's actual work is happening that the practice's compliance program isn't covering.
The Gmail pattern doesn't go away because your email moved to Workspace. It goes away when the gap between compliant and non-compliant computing on the same device closes. That's a workstation question, an MFA question, and a credential-separation question. Three controls. Each is achievable. None is novel.