Access2Day Health Data Breach 2025: 4,908 Affected in January Email Account Compromise · SSNs and Health Data Exposed
Access2Day Health, the Louisiana-based employer-sponsored medical clinic operator, identified suspicious activity on employee email accounts on January 31, 2025. A review confirmed unauthorized access to emails containing names, Social Security numbers, dates of birth, treatment and diagnosis information, and member IDs for 4,908 individuals. The HHS OCR filing was made on May 23, 2025; complimentary credit monitoring is being offered.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 31, 2025
Unauthorized actor briefly accesses certain Access2Day Health employee email accounts; suspicious activity is identified the same day and the environment is secured
Jan 31, 2025
Suspicious activity detected; A2D launches investigation into the nature and scope of the email account activity
Mar 31, 2025
Mailbox review concludes; A2D notifies relevant covered entities that individuals' information was contained in the affected emails
May 23, 2025
HIPAA breach notification filed with the HHS Office for Civil Rights reporting 4,908 affected individuals (Hacking/IT Incident, Email)
Aug 1, 2025
A2D posts substitute 'Notice of Data Event' on its website and begins individual notifications with complimentary credit-monitoring enrollment information
Jan 31, 2025
Unauthorized actor briefly accesses certain Access2Day Health employee email accounts; suspicious activity is identified the same day and the environment is secured
Jan 31, 2025
Suspicious activity detected; A2D launches investigation into the nature and scope of the email account activity
Mar 31, 2025
Mailbox review concludes; A2D notifies relevant covered entities that individuals' information was contained in the affected emails
May 23, 2025
HIPAA breach notification filed with the HHS Office for Civil Rights reporting 4,908 affected individuals (Hacking/IT Incident, Email)
Aug 1, 2025
A2D posts substitute 'Notice of Data Event' on its website and begins individual notifications with complimentary credit-monitoring enrollment information
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Access2Day Health (A2D), a Bossier City, Louisiana-based operator of employer-sponsored medical clinics across Louisiana, Alabama, Mississippi, and Texas, identified suspicious activity on certain employee email accounts on January 31, 2025. The company’s investigation concluded that an unauthorized actor briefly accessed an email account that day, and a subsequent review of the involved mailboxes determined that 4,908 individuals’ information was present in the affected emails. The incident was filed with the HHS Office for Civil Rights as a Hacking/IT Incident involving Email on May 23, 2025, and a substitute Notice of Data Event was later posted on the entity’s website.
Because A2D is a business associate that delivers care on behalf of plan sponsors and covered entities, it notified those covered entities of the incident on March 31, 2025 before issuing direct notice to affected individuals. There is no public attribution of the intrusion to a known ransomware or extortion group, and A2D states there is no evidence of actual or attempted fraud or identity theft tied to the event.
Timeline
- January 31, 2025 — An unauthorized actor briefly gains access to certain Access2Day Health employee email accounts. A2D identifies the suspicious activity the same day and secures the environment.
- January 31, 2025 — A2D launches an investigation into the nature and scope of the email account activity.
- March 31, 2025 — Mailbox review concludes. A2D notifies relevant covered entities that information related to individuals was present in the affected emails.
- May 23, 2025 — HIPAA breach notification is filed with HHS OCR reporting 4,908 affected individuals; the portal entry categorizes the event as a Hacking/IT Incident at Email and lists A2D as a business associate.
- August 2025 — A2D posts its substitute Notice of Data Event on its website and begins individual notifications, including instructions to enroll in complimentary credit monitoring.
What was exposed
According to the entity’s own Notice of Data Event, the information potentially involved for individuals includes:
- Names
- Addresses
- Social Security numbers
- Dates of birth
- Treatment and diagnosis information
- Procedure information
- Visit information
- Member ID numbers
A2D states there is no evidence of actual or attempted fraud or identity theft as a result of the event. That phrasing is standard substitute-notice language and reflects what the entity has observed; it does not mean exposed data will not surface in future fraud.
What the entity is offering
A2D is offering complimentary credit monitoring to individuals who may be impacted. Enrollment instructions are included in individual notification letters. The duration of the monitoring offer is not stated in the substitute notice posted on the company website; affected individuals should refer to their personal notification letter for the enrollment code and term.
A2D has also stated that it reviewed relevant processes and procedures and provided additional training to employees as part of its response. A dedicated incident hotline is staffed at 1-833-918-6121, Monday through Friday from 8:00 a.m. to 8:00 p.m. Central Time.
Class-action and regulatory posture
As of this update, the HHS OCR portal entry remains open under regulatory review. No class-action filings naming Access2Day Health have been identified in publicly available court records or class-action trackers reviewed for this page. The relatively contained scope (under 5,000 individuals) and the absence of public ransomware-group attribution may reduce, but does not eliminate, plaintiff-bar interest in this incident.
What to do if you may be affected
- Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers were among the exposed fields, a security freeze is materially more protective than monitoring alone. Freezes are free and reversible at any time.
- Enroll in the offered credit monitoring. Even if you also freeze your credit, the monitoring service is worth using. The enrollment code in your individual notification letter is single-use, so follow the letter’s instructions rather than searching for the offer online.
- Watch for medical identity theft. Treatment, diagnosis, procedure, and visit information were exposed, so review every Explanation of Benefits and request your insurer’s claims history if you see services you did not receive.
- Be alert to targeted phishing. Threat actors holding name, address, date of birth, and visit-level context can craft convincing follow-on lures. Treat unexpected calls, emails, or text messages referencing your Access2Day Health visits with skepticism, and call the company at the number on your notification letter to verify any communication.
- Call the A2D incident line at 1-833-918-6121 if you believe you may be affected and have not received a letter, or if you have specific questions about your data.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record of the May 23, 2025 filing (Hacking/IT Incident, Email, Business Associate, 4,908 individuals).
- Access2Day Health — Notice of Data Event (PDF) — entity’s substitute notice with incident date, exposed data elements, response actions, and credit-monitoring offer.
- Access2Day Health — Notice of Data Event page — landing page hosting the substitute notice and incident hotline contact.
- ClaimDepot — Access2Day Health Data Breach Affects 4,908 People — independent summary confirming the 4,908 count and state-level notification footprint.
- Access2Day Health — corporate site — entity description, headquarters (Bossier City, LA), and clinic-network footprint.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Access2Day Health — Notice of Data Event (substitute notice, PDF)
- Access2Day Health — Notice of Data Event landing page
- ClaimDepot — Access2Day Health Data Breach Affects 4,908 People
- Access2Day Health — corporate site (entity description, headquarters)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.