Active breach tracker Fort Collins, Colorado Disclosed January 17, 2025

Alpine Ear, Nose & Throat Data Breach 2025: 65,648 Patients Exposed in BianLian Ransomware Attack on Fort Collins ENT · $330K Class-Action Settlement Pending

Alpine Ear, Nose & Throat, PLLC, a Fort Collins, Colorado ENT practice, was breached by the BianLian extortion group in November 2024. Names, Social Security numbers, dates of birth, medical records, health insurance details, financial account information, and credit-card data (including CVCs) for 65,648 patients were exposed. A class-action settlement in Pfirrman v. Alpine Ear, Nose, & Throat received preliminary approval, with a final fairness hearing on August 11, 2026.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 19, 2024

Unauthorized access to Alpine ENT systems begins (incident date identified in subsequent investigation)

Nov 26, 2024

Alpine ENT identifies the security incident and begins forensic investigation

Dec 2, 2024

BianLian extortion group adds Alpine ENT to its data-leak site, claiming responsibility

Jan 17, 2025

Alpine ENT posts substitute breach notice on its website while review remains ongoing

Jan 17, 2025

HIPAA breach notification filed with HHS Office for Civil Rights (65,648 individuals; Network Server)

Oct 9, 2025

Forensic file review of exposed data completed; affected-individual list compiled

Jan 26, 2026

Final list of affected individuals finalized

Jan 30, 2026

Individual patient notification letters mailed (more than 14 months after discovery)

Mar 5, 2026

Settlement agreement signed by plaintiff Anthony Pfirrman and Alpine ENT (defendant represented by Wilson Elser LLP)

Mar 26, 2026

Larimer County District Court grants preliminary approval of the class-action settlement

Apr 24, 2026

Class-action settlement notice mailing begins (Pfirrman v. Alpine Ear, Nose, & Throat)

May 6, 2026

Class-action settlement finalized in Larimer County District Court

Jun 23, 2026

Deadline for class members to object to or exclude from the settlement

Jul 23, 2026

Settlement claim submission deadline

Aug 11, 2026

Final fairness hearing scheduled (8:30 a.m., Larimer County District Court)

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers

02

Health records

Don't expire and can't be reissued

Medical records and clinical information

03

Contact & insurance

Phishing + targeted scams

Names Demographic information Dates of birth Health insurance information Financial account information Credit card numbers with CVC and expiration dates

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Schubert Jonckheer & Kolbe LLP Federman & Sherwood Edelsberg Law Markovits, Stock & DeMarco, LLC Wolf Haldenstein Adler Freeman & Herz LLP (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Alpine Ear, Nose & Throat, PLLC, a Fort Collins, Colorado ENT practice, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on January 17, 2025, reporting 65,648 affected individuals in an Unauthorized Access/Disclosure event at a Network Server. Subsequent reporting and the BianLian extortion group’s own leak-site posting establish that the intrusion is a ransomware-style data-theft event. Unauthorized access began on or about November 19, 2024, the incident was identified on November 26, 2024, and BianLian listed Alpine ENT on its data-leak site in early December 2024. Individual notification letters did not begin to mail until January 30, 2026, roughly 14 months after discovery.

The exposed data set is unusually broad and severe for a single-practice provider. Not only protected health information, but Social Security numbers, financial account numbers, and full credit-card details (including CVC and expiration dates). A class-action settlement in Larimer County District Court is now in the notice-and-claims phase, with a final fairness hearing set for August 11, 2026.

Timeline

  • November 19, 2024 — Unauthorized access to Alpine ENT’s network begins (incident date identified in the subsequent forensic investigation).
  • November 26, 2024 — Alpine ENT identifies the security incident and engages outside forensic and legal counsel.
  • December 2, 2024 — BianLian extortion group adds Alpine Ear, Nose & Throat to its data-leak site, publicly claiming responsibility and signaling exfiltration of patient data.
  • January 17, 2025 — Alpine ENT posts a substitute breach notice on its website; HIPAA breach notification filed the same day with HHS OCR for 65,648 individuals.
  • October 9, 2025 — Forensic file review of the exfiltrated data is completed.
  • January 26, 2026 — Final list of affected individuals is compiled.
  • January 30, 2026 — Alpine ENT mails individual patient notification letters.
  • March 5, 2026 — Settlement agreement signed by plaintiff Anthony Pfirrman and Alpine ENT.
  • March 26, 2026 — Court grants preliminary approval of the class-action settlement.
  • April 24, 2026 — Court-approved class-action settlement notice mailing begins.
  • May 6, 2026 — Settlement finalized (per initial court record; see settlement site for current status).
  • June 23, 2026 — Deadline for class members to object or opt out.
  • July 23, 2026 — Claim submission deadline.
  • August 11, 2026 — Final fairness hearing at 8:30 a.m., Larimer County District Court.

What was exposed

Per the individual notification letters and the official settlement notice, the data elements exposed include:

  • Name and demographic information
  • Date of birth
  • Medical records and clinical information
  • Health insurance information
  • Financial account information
  • Credit card numbers, CVC security codes, and expiration dates
  • Social Security number

The exposure of payment-card CVCs alongside Social Security numbers and clinical records is materially worse than a typical HIPAA breach of this size. It enables both card-not-present financial fraud and conventional identity theft from a single data set.

What Alpine ENT is offering

Alpine ENT’s notification letters offer affected individuals 12 months of complimentary credit monitoring and identity-theft protection services through IDX. The letters include an enrollment code and set an enrollment deadline of April 30, 2026 (that deadline has now passed; affected individuals who did not enroll should contact the settlement administrator at (833) 386-6505).

Under the class-action settlement, class members may instead elect (one option only):

  • Up to $5,000 in reimbursement for documented out-of-pocket losses traceable to the breach.
  • Up to $80 for lost time, calculated as up to 4 hours at $20/hour with self-attestation.
  • A flat $50 cash payment with no documentation required.
  • Two years of specialized medical identity-theft monitoring through the settlement administrator.

Defendant obligations under the settlement include up to $330,000 in plaintiffs’ attorneys’ fees and costs and a $2,500 service award for the class representative.

Class-action and regulatory posture

The class action is captioned Pfirrman v. Alpine Ear, Nose, & Throat, PLLC, Case No. 2025CV127, in the District Court of Larimer County, Colorado, administered by Simpluris, Inc. Class counsel are William B. Federman and Jessica A. Wilkes of Federman & Sherwood, appointed by the court. Alpine ENT is represented by David M. Ross and Brian H. Myers of Wilson Elser LLP. Additional investigating firms include Schubert Jonckheer & Kolbe LLP, Edelsberg Law, Markovits Stock & DeMarco LLC, and Wolf Haldenstein Adler Freeman & Herz LLP. Pleaded claims include negligence, negligence per se, invasion of privacy, breach of implied contract, breach of confidence, breach of fiduciary duty, unjust enrichment, and declaratory judgment.

The settlement agreement was signed March 5, 2026. The court granted preliminary approval on March 26, 2026. Alpine ENT denies all wrongdoing but agreed to settle to avoid the costs and risks of continued litigation. Settlement payouts can be issued via PayPal, Venmo, Zelle, virtual prepaid card, or physical check.

Alpine ENT filed breach notifications with the attorneys general of at least 15 states, including California, Indiana, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington. The Maine AG filing confirms that 10 Maine residents were affected, along with 8 New Hampshire residents and 7 Massachusetts residents.

The HHS OCR portal entry remains classified as Unauthorized Access/Disclosure at Network Server and is open pending closure of OCR’s review. The 14-month gap between discovery and individual notification is a likely focus of regulatory and judicial scrutiny.

What to do if you may be affected

  • Decide on your settlement option by July 23, 2026. If you received a notification letter from Alpine ENT, you are presumptively a class member. The flat $50 payment requires no documentation; the $5,000 reimbursement option requires receipts. Use only the official settlement site, aentdatasettlement.com. Do not pay any third party to file on your behalf.
  • Freeze your credit with Equifax, Experian, and TransUnion. With Social Security numbers exposed, a freeze is materially more protective than monitoring alone. It is free and reversible.
  • Cancel and replace any credit card that was on file with Alpine ENT, even if the card has not yet shown fraud. Because CVCs and expiration dates were exposed, the cards on file should be treated as fully compromised, not merely flagged.
  • Enroll in the offered monitoring. The 12-month IDX credit monitoring enrollment deadline in the notification letter was April 30, 2026. If that window has passed without enrollment, contact the settlement administrator at (833) 386-6505 or [email protected] to access the 2-year medical identity-theft monitoring option available through the class-action settlement.
  • Watch for medical identity theft. Review every Explanation of Benefits from your health insurer and request a copy of your medical record if you see services you did not receive. Diagnostic and treatment history was in the exposed data set.
  • Be alert to targeted phishing. Threat actors with name, date of birth, ENT-treatment context, and an active payment card on file can craft highly convincing follow-on scams, including fake “settlement administrator” outreach. Do not provide payment or account details over the phone.
  • Stop the ongoing flow of your ENT and medical data. HealthConsent files HIPAA restriction requests so the diagnostic, treatment, and insurance information exposed in this breach is not continuously re-shared across health information exchanges and third-party data networks.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.