Active breach tracker Woburn, MA Disclosed February 28, 2026

Access Information Management Data Breach 2026: 1,522 Healthcare Records Exposed via Records-Management Vendor. What To Do

Access Information Management Shared Services, LLC, a Woburn, Massachusetts records-management vendor providing paper storage, secure shredding, scanning, and electronic records hosting to healthcare clients, filed an HHS OCR breach on February 28, 2026 affecting 1,522 individuals. No entity notice, AG filing, or press coverage has surfaced. Downstream covered entities not yet named. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 28, 2026

HHS OCR filing (incident date, discovery date, and notification dates not publicly disclosed)

Feb 28, 2026

Attacker gained access

Feb 28, 2026

Breach detected

Data exposed

02

Health records

Don't expire and can't be reissued

Likely scanned medical records, hospital archives, or document-imaging-system content given vendor's service profile

03

Contact & insurance

Phishing + targeted scams

Full name (specific PHI categories not publicly disclosed)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Access Information Management (often called Access Corp) is a records-management vendor headquartered in Woburn, Massachusetts. Founded in 2004 by Dennis Barnedt, the company is led by CEO Rob Alston and President John Chendo and is backed by Summit Partners. Services include:

  • Offsite paper records storage
  • Secure shredding
  • Climate-controlled media vaulting
  • Digital imaging / document scanning
  • Electronic records hosting
  • Document-management software

Many healthcare clients (hospitals, clinics, physician practices) use Access to store and digitize legacy paper medical records — making Access a HIPAA business associate. In 2020, Access acquired Triyam, a healthcare data archival vendor, and six other US records-management firms, expanding its healthcare footprint.

The corporate services arm filed with HHS OCR on February 28, 2026 — Hacking/IT Incident at “Other” (unusual location code) — confirming 1,522 affected individuals.

The “Other” location classification is consistent with a scanned-records or document-imaging platform compromise rather than the typical email or network-server pattern.

Why this page is sparse

As of mid-May 2026 — more than 75 days after the OCR filing — every secondary channel returns empty:

  • No entity notice on accesscorp.com. The main site footer offers a “Data Breach Response” service page (ironically, as a vendor service) but does not host an incident notice for this breach.
  • Massachusetts AG February 2026 breach notification letters index: no Access Information Management filing surfaced (though portal pagination may be at fault; recommend manual check).
  • HIPAA Journal February 2026 monthly report: no Access mention. The 1,522 individual count is below the threshold for narrative coverage in their roundups (they emphasize 6-figure+ incidents).
  • No ransomware leak-site listing observed for “Access Information Management” or “Access Corp” on Ransomware.live or major aggregators.
  • No DataBreaches.net article located.
  • No Boston Globe coverage.
  • No class action filings or plaintiffs’ firm investigation announcements.

The HHS OCR row is the only public artifact.

Downstream impact (potential)

Because Access is a HIPAA business associate rather than a direct healthcare provider, the 1,522 affected individuals are patients of downstream covered entities — hospitals, clinics, or physician practices whose records Access stored or digitized. Those covered entities have not been publicly named in the OCR filing.

If you receive a notification letter from a healthcare provider you have visited, and the letter references Access Information Management, Access Corp, or a records-management vendor compromise, this is likely the underlying incident.

What was potentially exposed

Given Access’s service mix, plausible exposure categories include:

  • Scanned medical records and archived chart data
  • Patient names, dates of birth, addresses
  • Medical record numbers
  • Account / billing numbers
  • Possibly SSN, insurance IDs (if those appeared in scanned documents)

This is inference, not fact. Do not assume any specific category until either Access or a downstream covered entity issues a notice.

What to do

  1. Watch for a notification letter from any healthcare provider you have visited that mentions a records-management or document-imaging vendor compromise.
  2. Read the letter carefully to confirm what data elements were involved in your case.
  3. Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
  4. Pull free credit reports at annualcreditreport.com and watch for unfamiliar accounts.
  5. If you know your former provider used Access for records storage, contact that provider’s privacy officer to ask whether your records were in scope.
  6. Stop the ongoing flow of your archived medical records. HealthConsent files HIPAA restriction requests covering records-management vendor and document-imaging pathways.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.