Active breach tracker Daytona Beach, FL Disclosed January 20, 2026

AdventHealth Daytona Beach Data Breach 2026: 821 Outpatient Lab Patients Exposed by Construction Workers. Paper Records Lost. What To Do

AdventHealth Daytona Beach, a Florida acute-care hospital undergoing a $220M expansion, lost outpatient laboratory order paperwork in November 2025 when construction workers installing a pneumatic tube system discarded paperwork from a relocating lab department. 821 patients exposed. Names, diagnoses, and insurance policy numbers in scope — no SSN. No credit monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 1, 2025

Outpatient service dates begin for affected individuals (records subsequently lost)

Sep 1, 2025

Attacker gained access

Sep 14, 2025

Outpatient service dates end for affected individuals

Nov 25, 2025

Loss identified by the outpatient laboratory team during departmental relocation; discovered construction workers had discarded paperwork

Jan 20, 2026

HHS OCR filing

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Diagnosis codes

03

Contact & insurance

Phishing + targeted scams

Full name Home address Telephone number Email address Health condition(s) Health insurance policy number
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

AdventHealth Daytona Beach (formerly Florida Hospital Memorial Medical Center) is a Florida acute-care community hospital operated by AdventHealth, a non-profit faith-based health system. The hospital is currently undergoing a $220M expansion project, slated for completion in fall 2026.

This is not a cyber incident. During a departmental relocation of the outpatient laboratory from the first floor to the second floor, construction workers installing a new pneumatic tubing system accessed and discarded paperwork in an area containing outpatient lab orders. The orders were physically thrown away by construction workers — not stolen, not hacked, not misplaced by hospital staff.

The outpatient lab orders covered patient service dates from September 1 to September 14, 2025. The loss was identified by the outpatient laboratory team on November 25, 2025. AdventHealth Daytona Beach filed with HHS OCR on January 20, 2026 — within HIPAA’s 60-day notification window — confirming 821 affected individuals.

This is a process-failure breach, not a malicious one. But the contractor-coordination failure is a recurring pattern in healthcare facilities undergoing expansion.

What was on the lost paperwork

Per the entity’s notice:

  • Full name, home address, date of birth
  • Telephone number, email address
  • Diagnosis codes
  • Health condition(s)
  • Health insurance policy number

Explicitly NOT in scope: Social Security number, financial account information, driver’s license. Lab orders typically don’t carry SSNs, which materially limits identity-theft exposure.

The diagnosis-code exposure is genuinely sensitive: ICD-10 codes can disclose specific medical conditions to anyone who recovers the paperwork or finds it in waste streams.

What AdventHealth Daytona Beach is offering

Public reporting does not mention credit monitoring or a dedicated call center. Given (a) no SSN or financial data was exposed and (b) AdventHealth stated “no evidence the lab orders were or will be misused,” credit monitoring was likely not offered. Standard practice for paper-records breaches without SSN exposure is a notice letter plus process improvements, not Experian or IDX coverage.

If you received a notification letter, it will list any monitoring offered and the dedicated response line.

What to do

  1. Read your specific notification letter to confirm what data elements were involved in your case.
  2. Pull free copies of your medical records from AdventHealth Daytona Beach for the September 1-14, 2025 service window — confirm the diagnoses and lab orders on file match your expected care.
  3. Be alert to social engineering referencing your specific September 2025 lab visit details — that level of context combined with public name + address could lend credibility to phishing.
  4. Watch your insurance Explanation of Benefits statements for unfamiliar lab claims.
  5. Stop the ongoing flow of your hospital lab records. HealthConsent files HIPAA restriction requests so the diagnostic and lab order data exposed in this breach is not continuously re-shared through claims and HIE pathways.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.