Active breach tracker LA Disclosed May 23, 2025

Access2Day Health Data Breach 2025: 4,908 Affected in January Email Account Compromise · SSNs and Health Data Exposed

Access2Day Health, the Louisiana-based employer-sponsored medical clinic operator, identified suspicious activity on employee email accounts on January 31, 2025. A review confirmed unauthorized access to emails containing names, Social Security numbers, dates of birth, treatment and diagnosis information, and member IDs for 4,908 individuals. The HHS OCR filing was made on May 23, 2025; complimentary credit monitoring is being offered.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 31, 2025

Unauthorized actor briefly accesses certain Access2Day Health employee email accounts; suspicious activity is identified the same day and the environment is secured

Jan 31, 2025

Suspicious activity detected; A2D launches investigation into the nature and scope of the email account activity

Mar 31, 2025

Mailbox review concludes; A2D notifies relevant covered entities that individuals' information was contained in the affected emails

May 23, 2025

HIPAA breach notification filed with the HHS Office for Civil Rights reporting 4,908 affected individuals (Hacking/IT Incident, Email)

Aug 1, 2025

A2D posts substitute 'Notice of Data Event' on its website and begins individual notifications with complimentary credit-monitoring enrollment information

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers

02

Health records

Don't expire and can't be reissued

Treatment and diagnosis information

03

Contact & insurance

Phishing + targeted scams

Names Addresses Dates of birth Procedure information Visit information Member ID numbers
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Access2Day Health (A2D), a Bossier City, Louisiana-based operator of employer-sponsored medical clinics across Louisiana, Alabama, Mississippi, and Texas, identified suspicious activity on certain employee email accounts on January 31, 2025. The company’s investigation concluded that an unauthorized actor briefly accessed an email account that day, and a subsequent review of the involved mailboxes determined that 4,908 individuals’ information was present in the affected emails. The incident was filed with the HHS Office for Civil Rights as a Hacking/IT Incident involving Email on May 23, 2025, and a substitute Notice of Data Event was later posted on the entity’s website.

Because A2D is a business associate that delivers care on behalf of plan sponsors and covered entities, it notified those covered entities of the incident on March 31, 2025 before issuing direct notice to affected individuals. There is no public attribution of the intrusion to a known ransomware or extortion group, and A2D states there is no evidence of actual or attempted fraud or identity theft tied to the event.

Timeline

  • January 31, 2025 — An unauthorized actor briefly gains access to certain Access2Day Health employee email accounts. A2D identifies the suspicious activity the same day and secures the environment.
  • January 31, 2025 — A2D launches an investigation into the nature and scope of the email account activity.
  • March 31, 2025 — Mailbox review concludes. A2D notifies relevant covered entities that information related to individuals was present in the affected emails.
  • May 23, 2025 — HIPAA breach notification is filed with HHS OCR reporting 4,908 affected individuals; the portal entry categorizes the event as a Hacking/IT Incident at Email and lists A2D as a business associate.
  • August 2025 — A2D posts its substitute Notice of Data Event on its website and begins individual notifications, including instructions to enroll in complimentary credit monitoring.

What was exposed

According to the entity’s own Notice of Data Event, the information potentially involved for individuals includes:

  • Names
  • Addresses
  • Social Security numbers
  • Dates of birth
  • Treatment and diagnosis information
  • Procedure information
  • Visit information
  • Member ID numbers

A2D states there is no evidence of actual or attempted fraud or identity theft as a result of the event. That phrasing is standard substitute-notice language and reflects what the entity has observed; it does not mean exposed data will not surface in future fraud.

What the entity is offering

A2D is offering complimentary credit monitoring to individuals who may be impacted. Enrollment instructions are included in individual notification letters. The duration of the monitoring offer is not stated in the substitute notice posted on the company website; affected individuals should refer to their personal notification letter for the enrollment code and term.

A2D has also stated that it reviewed relevant processes and procedures and provided additional training to employees as part of its response. A dedicated incident hotline is staffed at 1-833-918-6121, Monday through Friday from 8:00 a.m. to 8:00 p.m. Central Time.

Class-action and regulatory posture

As of this update, the HHS OCR portal entry remains open under regulatory review. No class-action filings naming Access2Day Health have been identified in publicly available court records or class-action trackers reviewed for this page. The relatively contained scope (under 5,000 individuals) and the absence of public ransomware-group attribution may reduce, but does not eliminate, plaintiff-bar interest in this incident.

What to do if you may be affected

  • Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers were among the exposed fields, a security freeze is materially more protective than monitoring alone. Freezes are free and reversible at any time.
  • Enroll in the offered credit monitoring. Even if you also freeze your credit, the monitoring service is worth using. The enrollment code in your individual notification letter is single-use, so follow the letter’s instructions rather than searching for the offer online.
  • Watch for medical identity theft. Treatment, diagnosis, procedure, and visit information were exposed, so review every Explanation of Benefits and request your insurer’s claims history if you see services you did not receive.
  • Be alert to targeted phishing. Threat actors holding name, address, date of birth, and visit-level context can craft convincing follow-on lures. Treat unexpected calls, emails, or text messages referencing your Access2Day Health visits with skepticism, and call the company at the number on your notification letter to verify any communication.
  • Call the A2D incident line at 1-833-918-6121 if you believe you may be affected and have not received a letter, or if you have specific questions about your data.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.