Credential theft
MEDNAX AWS Misconfiguration Breach: 1.3 Million Patients via Phishing
Incident Details
In June 2020, MEDNAX, a national health solutions company providing physician services management, including neonatology and pediatric subspecialty care, to approximately 120,000 patients annually, suffered a phishing attack that compromised multiple employee Microsoft Office 365 email accounts. The attackers used the compromised accounts to access MEDNAX's business systems and extract patient data. Approximately 1.29 million patients were affected. Exposed data included patient names, dates of service, diagnoses, health insurance information, Social Security numbers, claims information, and other health data.

MEDNAX filed an HHS OCR breach notification on 25 September 2020 covering patients from across its managed medical practices. MEDNAX notified affected patients and offered credit monitoring. HHS OCR opened an investigation.

The breach occurred during COVID-19, an unprecedented period of healthcare phishing attacks. MEDNAX operates through over 4,400 affiliated physicians across hospitals in 38 states. The phishing compromise of multiple Office 365 accounts highlighted the inadequacy of password-only authentication for healthcare email systems and the persistent risk of business email compromise (BEC) in healthcare, where attackers access systems through legitimate employee email accounts rather than hacking directly.
Technical Details
- Initial Attack Vector: A phishing attack compromised the Microsoft Office 365 email accounts of multiple MEDNAX employees; the attackers used the compromised email accounts to access MEDNAX's business systems and then exfiltrated patient data from the company's healthcare platforms
- Vendor / Product: MEDNAX Microsoft Office 365 / patient data systems
Timeline
- 2020-06-17 Breach occurred
- 2020-09-25 Publicly disclosed
- 2020-09-25 Customers notified