Access Information Management Data Breach 2026: 1,522 Healthcare Records Exposed via Records-Management Vendor. What To Do
Access Information Management Shared Services, LLC, a Woburn, Massachusetts records-management vendor providing paper storage, secure shredding, scanning, and electronic records hosting to healthcare clients, filed an HHS OCR breach on February 28, 2026 affecting 1,522 individuals. No entity notice, AG filing, or press coverage has surfaced. Downstream covered entities not yet named. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 28, 2026
HHS OCR filing (incident date, discovery date, and notification dates not publicly disclosed)
Feb 28, 2026
Attacker gained access
Feb 28, 2026
Breach detected
Feb 28, 2026
HHS OCR filing (incident date, discovery date, and notification dates not publicly disclosed)
Feb 28, 2026
Attacker gained access
Feb 28, 2026
Breach detected
Data exposed
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Access Information Management (often called Access Corp) is a records-management vendor headquartered in Woburn, Massachusetts. Founded in 2004 by Dennis Barnedt, the company is led by CEO Rob Alston and President John Chendo and is backed by Summit Partners. Services include:
- Offsite paper records storage
- Secure shredding
- Climate-controlled media vaulting
- Digital imaging / document scanning
- Electronic records hosting
- Document-management software
Many healthcare clients (hospitals, clinics, physician practices) use Access to store and digitize legacy paper medical records — making Access a HIPAA business associate. In 2020, Access acquired Triyam, a healthcare data archival vendor, and six other US records-management firms, expanding its healthcare footprint.
The corporate services arm filed with HHS OCR on February 28, 2026 — Hacking/IT Incident at “Other” (unusual location code) — confirming 1,522 affected individuals.
The “Other” location classification is consistent with a scanned-records or document-imaging platform compromise rather than the typical email or network-server pattern.
Why this page is sparse
As of mid-May 2026 — more than 75 days after the OCR filing — every secondary channel returns empty:
- No entity notice on accesscorp.com. The main site footer offers a “Data Breach Response” service page (ironically, as a vendor service) but does not host an incident notice for this breach.
- Massachusetts AG February 2026 breach notification letters index: no Access Information Management filing surfaced (though portal pagination may be at fault; recommend manual check).
- HIPAA Journal February 2026 monthly report: no Access mention. The 1,522 individual count is below the threshold for narrative coverage in their roundups (they emphasize 6-figure+ incidents).
- No ransomware leak-site listing observed for “Access Information Management” or “Access Corp” on Ransomware.live or major aggregators.
- No DataBreaches.net article located.
- No Boston Globe coverage.
- No class action filings or plaintiffs’ firm investigation announcements.
The HHS OCR row is the only public artifact.
Downstream impact (potential)
Because Access is a HIPAA business associate rather than a direct healthcare provider, the 1,522 affected individuals are patients of downstream covered entities — hospitals, clinics, or physician practices whose records Access stored or digitized. Those covered entities have not been publicly named in the OCR filing.
If you receive a notification letter from a healthcare provider you have visited, and the letter references Access Information Management, Access Corp, or a records-management vendor compromise, this is likely the underlying incident.
What was potentially exposed
Given Access’s service mix, plausible exposure categories include:
- Scanned medical records and archived chart data
- Patient names, dates of birth, addresses
- Medical record numbers
- Account / billing numbers
- Possibly SSN, insurance IDs (if those appeared in scanned documents)
This is inference, not fact. Do not assume any specific category until either Access or a downstream covered entity issues a notice.
What to do
- Watch for a notification letter from any healthcare provider you have visited that mentions a records-management or document-imaging vendor compromise.
- Read the letter carefully to confirm what data elements were involved in your case.
- Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
- Pull free credit reports at
annualcreditreport.comand watch for unfamiliar accounts. - If you know your former provider used Access for records storage, contact that provider’s privacy officer to ask whether your records were in scope.
- Stop the ongoing flow of your archived medical records. HealthConsent files HIPAA restriction requests covering records-management vendor and document-imaging pathways.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Access Corp Homepage
- HHS OCR Breach Portal (primary source)
- Massachusetts AG Data Breach Notification Letters Index
- HIPAA Journal February 2026 Healthcare Data Breach Report (no Access mention)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.