AgeRight Clinical Services Data Breach 2025: 4,859 Senior-Care Patients Exposed in 32-Day Network Intrusion. What To Do.
AgeRight Clinical Services, the on-site senior-care clinical arm of Marquis Companies (Portland, OR), discovered a 32-day network intrusion on August 17, 2025. Names, Social Security numbers, dates of birth, government IDs, diagnoses, treatment details, insurance and financial information were exposed for 4,859 nursing-facility patients. Oregon AG notice and individual letters mailed November 21, 2025; HHS OCR filed December 5, 2025. Shamis & Gentile P.A. opened a class-action investigation.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Aug 9, 2025
Unauthorized third party gains access to AgeRight Clinical Services' network (start of access window)
Aug 17, 2025
AgeRight Clinical Services detects the intrusion and begins containment with outside cybersecurity counsel
Sep 10, 2025
End of unauthorized-access window; intruder activity confirmed terminated
Nov 21, 2025
AgeRight Clinical Services notifies the Oregon Attorney General and mails individual notification letters to 4,859 affected patients
Nov 21, 2025
Disclosed publicly
Dec 5, 2025
HIPAA breach notification filed with HHS Office for Civil Rights: 4,859 affected; Hacking/IT Incident; Network Server
Jan 1, 2026
Shamis & Gentile P.A. opens a class-action investigation on behalf of affected patients
Aug 9, 2025
Unauthorized third party gains access to AgeRight Clinical Services' network (start of access window)
Aug 17, 2025
AgeRight Clinical Services detects the intrusion and begins containment with outside cybersecurity counsel
Sep 10, 2025
End of unauthorized-access window; intruder activity confirmed terminated
Nov 21, 2025
AgeRight Clinical Services notifies the Oregon Attorney General and mails individual notification letters to 4,859 affected patients
Nov 21, 2025
Disclosed publicly
Dec 5, 2025
HIPAA breach notification filed with HHS Office for Civil Rights: 4,859 affected; Hacking/IT Incident; Network Server
Jan 1, 2026
Shamis & Gentile P.A. opens a class-action investigation on behalf of affected patients
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
AgeRight Clinical Services is the on-site clinical-care arm of Portland, Oregon based Marquis Companies, one of the larger family-owned senior-care operators in the Pacific Northwest. It sits inside the AgeRight Care Management Solutions umbrella alongside AgeRight Advantage (an Institutional Special Needs Medicare plan), the AgeRight PAC Network, and AgeRight Care at Home. AgeRight Clinical Services itself deploys physicians, nurse practitioners, and physician assistants into senior living and skilled-nursing facilities so that residents receive primary care, urgent assessment, and chronic-disease management without leaving the building.
That role places the entity in direct possession of the full medical record of an unusually frail patient population. On August 17, 2025, the company detected an unauthorized third party inside its network. Forensic review later established that the intruder had access from August 9, 2025 through September 10, 2025 — a 32-day dwell time. AgeRight notified the Oregon Attorney General and mailed individual letters on November 21, 2025, and filed with HHS OCR on December 5, 2025 reporting 4,859 affected individuals in a Hacking/IT Incident at a Network Server. Independent claims-aggregator reporting cites a slightly higher count of 4,897 patients; this page uses the OCR-portal figure as the authoritative number.
Timeline
- August 9, 2025. Unauthorized third party first gains access to AgeRight Clinical Services’ network (start of access window per forensic review).
- August 17, 2025. AgeRight detects the intrusion, secures the environment, and engages outside cybersecurity counsel and forensic investigators.
- September 10, 2025. End of confirmed unauthorized-access window. The 32-day dwell time is consistent with a credential-driven or remote-access compromise rather than a smash-and-grab.
- November 21, 2025. AgeRight files a breach notice with the Oregon Attorney General and mails individual notification letters to all 4,859 affected patients on the same day.
- December 5, 2025. HIPAA breach notification filed with HHS Office for Civil Rights: 4,859 affected; Hacking/IT Incident; Network Server.
- January 2026. Shamis & Gentile P.A. opens a class-action investigation on behalf of affected patients. No complaint has been filed as of this writing.
What was exposed
Per AgeRight Clinical Services’ individual notification letter and the state attorney general filing, the records taken from the network varied by patient but could include any combination of the following:
- Full name and home address
- Date of birth
- Social Security number
- Government-issued identification number (driver’s license / state ID)
- Medical diagnoses
- Treatment details
- Health insurance information
- Financial account information
The intrusion method has not been publicly disclosed, and no ransomware group has publicly claimed the attack on any dark-web leak site of which we are aware. The combination of SSN, government ID, diagnosis detail, and financial account data on the same record is the high-risk profile — a single leaked record contains everything an attacker needs for both identity theft and medical-identity fraud.
Why this population is especially exposed
AgeRight Clinical Services’ patient base is by definition older adults in nursing facilities, assisted living, memory-care units, and post-acute rehabilitation. That demographic carries elevated exposure on every axis a thief cares about:
- Near-universal Medicare and Medicaid coverage. Medical-identity fraud against seniors is a well-documented criminal market. Fraudulent claims billed under a victim’s Medicare or Medicaid number are often noticed only at the next Explanation of Benefits cycle, if at all, and seniors in memory care may never review an EOB.
- Cognitive impairment in a meaningful subset. Many AgeRight patients have dementia, post-stroke cognitive deficits, or delirium. They are not in a position to spot a phishing call that names their diagnosis or medication, nor to detect a new credit account opened in their name.
- Power-of-attorney finance management. Many of these patients have an adult child, spouse, or court-appointed conservator handling banking and bills. The financial account information exposed here may be the joint or POA-linked account, exposing a second family member as well.
- Diminished detection capacity. Seniors in long-term care often do not use online banking actively, may not see their physical mail for weeks at a time, and may not recognize a fraudulent charge or new-account opening until family does the next quarterly review.
- Social-engineering vulnerability. With diagnosis and treatment detail in hand, an attacker can credibly impersonate the facility, the attending physician, the pharmacy, or a Medicare representative.
If you are an adult child, spouse, or POA for an AgeRight Clinical Services patient, treat this notice as if it arrived addressed to a vulnerable adult and assume the protective steps below need to be done for them, not merely shown to them.
What the entity is offering
The contents of the individual notification letter as publicly summarized include:
- A description of the data elements involved in the recipient’s specific record.
- Guidance on placing fraud alerts and free credit freezes with the three nationwide consumer reporting agencies.
- A dedicated incident response line for patient questions about the breach.
- A statement that AgeRight has engaged outside cybersecurity professionals and has implemented additional safeguards to prevent recurrence.
The duration and provider of any complimentary credit-monitoring offering have not been independently published. As of this writing, AgeRight has not posted a dedicated substitute-notice web page. The exact monitoring terms (12 months vs. 24 months, identity-restoration bundle yes/no, $1M reimbursement coverage yes/no) are set out in each individual’s letter. Read your letter carefully and enroll using the activation code printed in it.
Class-action posture
Shamis & Gentile P.A., a Florida-based plaintiff firm with a substantial data-breach practice, opened an investigation into the AgeRight Clinical Services breach in early 2026. No named complaint has been filed as of this writing. The likely theories — failure to implement reasonable cybersecurity safeguards, negligence, breach of fiduciary duty, breach of implied contract, and unjust enrichment — track the standard healthcare-breach playbook. The fact that AgeRight serves a demographic with elevated identity-theft consequences, combined with the 32-day dwell time and the SSN-plus-financial-account combination, materially strengthens the damages theory if a complaint is filed.
This page will be updated as the docket develops.
What to do
- Place free credit freezes at Equifax, Experian, and TransUnion. With SSN and financial account number exposed on the same record, freezing is the single highest-leverage step. If the affected individual is your parent or POA grantor, do this for them with their permission or under your power of attorney.
- Enroll in any credit monitoring offered in the notification letter using the activation code in the letter.
- Watch the linked checking and savings accounts. Call the bank, ask them to flag the account for ACH fraud, and consider changing the account number rather than only disputing transactions.
- Request a new Medicaid card with a different identifier through Oregon Medicaid (or the relevant state Medicaid program) and flag the file for medical-identity fraud monitoring.
- Review Medicare and insurance Explanation of Benefits statements for the next 24 months for services or prescriptions the patient did not receive. Report anything unfamiliar to the insurer’s fraud line immediately. For patients in memory care, build this into the family’s quarterly review checklist.
- File IRS Form 14039 (Identity Theft Affidavit) to obtain an IP PIN and block fraudulent tax filings using the exposed SSN.
- Be skeptical of unsolicited calls or texts that name a diagnosis, medication, or facility. With diagnosis and treatment data in the leak, scammers can sound convincing. Hang up and call back using a number you look up independently.
- Stop the ongoing flow of medical data. HealthConsent files HIPAA restriction requests so the diagnosis, treatment, and insurance data exposed in this breach is not continuously re-shared by downstream entities, brokers, and analytics vendors. This is particularly worth doing for senior-care patients whose records flow through multiple post-acute, pharmacy, and Medicare-plan partners.
Sources
- HHS Office for Civil Rights Breach Portal. Federal regulatory record (filed December 5, 2025; 4,859 affected; Hacking/IT Incident; Network Server).
- ClaimDepot: AgeRight Data Breach Impacts 4,897 Current and Former Patients. Independent summary of the access window (August 9 to September 10, 2025), discovery date (August 17, 2025), Oregon AG filing date (November 21, 2025), exposed-data categories, and an aggregate count of 4,897 (the slightly higher figure used by claim aggregators; OCR portal lists 4,859).
- ClaimDepot Investigations: AgeRight Data Breach Lawsuit Investigation. Names Shamis & Gentile P.A. as the investigating plaintiff firm and confirms AgeRight Clinical Services’ senior-care patient base and its position as a sister organization to AgeRight Care at Home within Marquis Companies.
- AgeRight Care Management Solutions corporate website. Describes AgeRight Clinical Services’ on-site clinical-support role within the AgeRight Care Management Solutions umbrella (alongside AgeRight Advantage, AgeRight PAC Network, and AgeRight Care at Home).
- Marquis Companies About page. Parent organization reference describing Marquis’s 28-facility senior-care footprint and the AgeRight family of services.
- Oregon Department of Justice Consumer Protection Data Security Breaches portal. State regulatory filing reference for the November 21, 2025 Oregon AG notification.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- ClaimDepot: AgeRight Data Breach Impacts 4,897 Current and Former Patients
- ClaimDepot Investigations: AgeRight Data Breach Lawsuit Investigation (Shamis & Gentile P.A.)
- AgeRight Care Management Solutions — corporate website (entity description, Marquis Companies relationship)
- Marquis Companies — About page (parent organization)
- Oregon Department of Justice — Consumer Protection Data Security Breaches portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.