AdventHealth Daytona Beach Data Breach 2026: 821 Outpatient Lab Patients Exposed by Construction Workers. Paper Records Lost. What To Do
AdventHealth Daytona Beach, a Florida acute-care hospital undergoing a $220M expansion, lost outpatient laboratory order paperwork in November 2025 when construction workers installing a pneumatic tube system discarded paperwork from a relocating lab department. 821 patients exposed. Names, diagnoses, and insurance policy numbers in scope — no SSN. No credit monitoring offered. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 1, 2025
Outpatient service dates begin for affected individuals (records subsequently lost)
Sep 1, 2025
Attacker gained access
Sep 14, 2025
Outpatient service dates end for affected individuals
Nov 25, 2025
Loss identified by the outpatient laboratory team during departmental relocation; discovered construction workers had discarded paperwork
Jan 20, 2026
HHS OCR filing
Sep 1, 2025
Outpatient service dates begin for affected individuals (records subsequently lost)
Sep 1, 2025
Attacker gained access
Sep 14, 2025
Outpatient service dates end for affected individuals
Nov 25, 2025
Loss identified by the outpatient laboratory team during departmental relocation; discovered construction workers had discarded paperwork
Jan 20, 2026
HHS OCR filing
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
AdventHealth Daytona Beach (formerly Florida Hospital Memorial Medical Center) is a Florida acute-care community hospital operated by AdventHealth, a non-profit faith-based health system. The hospital is currently undergoing a $220M expansion project, slated for completion in fall 2026.
This is not a cyber incident. During a departmental relocation of the outpatient laboratory from the first floor to the second floor, construction workers installing a new pneumatic tubing system accessed and discarded paperwork in an area containing outpatient lab orders. The orders were physically thrown away by construction workers — not stolen, not hacked, not misplaced by hospital staff.
The outpatient lab orders covered patient service dates from September 1 to September 14, 2025. The loss was identified by the outpatient laboratory team on November 25, 2025. AdventHealth Daytona Beach filed with HHS OCR on January 20, 2026 — within HIPAA’s 60-day notification window — confirming 821 affected individuals.
This is a process-failure breach, not a malicious one. But the contractor-coordination failure is a recurring pattern in healthcare facilities undergoing expansion.
What was on the lost paperwork
Per the entity’s notice:
- Full name, home address, date of birth
- Telephone number, email address
- Diagnosis codes
- Health condition(s)
- Health insurance policy number
Explicitly NOT in scope: Social Security number, financial account information, driver’s license. Lab orders typically don’t carry SSNs, which materially limits identity-theft exposure.
The diagnosis-code exposure is genuinely sensitive: ICD-10 codes can disclose specific medical conditions to anyone who recovers the paperwork or finds it in waste streams.
What AdventHealth Daytona Beach is offering
Public reporting does not mention credit monitoring or a dedicated call center. Given (a) no SSN or financial data was exposed and (b) AdventHealth stated “no evidence the lab orders were or will be misused,” credit monitoring was likely not offered. Standard practice for paper-records breaches without SSN exposure is a notice letter plus process improvements, not Experian or IDX coverage.
If you received a notification letter, it will list any monitoring offered and the dedicated response line.
What to do
- Read your specific notification letter to confirm what data elements were involved in your case.
- Pull free copies of your medical records from AdventHealth Daytona Beach for the September 1-14, 2025 service window — confirm the diagnoses and lab orders on file match your expected care.
- Be alert to social engineering referencing your specific September 2025 lab visit details — that level of context combined with public name + address could lend credibility to phishing.
- Watch your insurance Explanation of Benefits statements for unfamiliar lab claims.
- Stop the ongoing flow of your hospital lab records. HealthConsent files HIPAA restriction requests so the diagnostic and lab order data exposed in this breach is not continuously re-shared through claims and HIE pathways.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- AdventHealth Daytona Beach Hospital Page
- AdventHealth: $220M Expansion Project Coverage
- HIPAA Journal: AdventHealth Daytona Beach Coverage
- CalHIPAA: January 2026 Healthcare Data Breach Activity
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.