Active breach tracker Mineola / Staten Island, NY Disclosed June 26, 2025

Amalgamated Meat Cutters Local 342 Health Care Fund Data Breach 2025: 56,615 Union Members and Dependents Exposed in Network Hack. Class-Action Investigations Open. What To Do.

Amalgamated Meat Cutters and Retail Food Store Employees Union Local 342 Health Care Fund (NY) filed a HIPAA breach notification with HHS OCR on June 26, 2025, after an unauthorized actor accessed its network between April 25 and April 28, 2025. A 56,615-person review concluded February 12, 2026; notification letters mailed March 9, 2026. Social Security numbers, driver's license numbers, medical records, health insurance information, financial accounts, passports, and taxpayer information were exposed. Multiple plaintiffs' firms have opened class-action investigations.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 25, 2025

Unauthorized actor begins accessing files on the Local 342 network

Apr 28, 2025

Local 342 detects the intrusion; network secured, law enforcement notified, external cybersecurity experts engaged

Jun 26, 2025

HHS OCR breach report filed (56,615 affected; Network Server; Hacking/IT Incident)

Feb 12, 2026

Forensic data review of affected files completed

Mar 9, 2026

Individual notification letters mailed; filings submitted to Maine, Massachusetts, New Hampshire, and Vermont attorneys general

Mar 11, 2026

Plaintiffs' firms publicly open class-action investigations

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number or state ID number Passport number

02

Health records

Don't expire and can't be reissued

Medical records

03

Contact & insurance

Phishing + targeted scams

Full name Financial account information Taxpayer information Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Edelson Lechtzin LLP (investigation announced March 11, 2026) Lynch Carpenter LLP (investigation announced March 12, 2026) Strauss Borrelli PLLC (investigation announced March 11, 2026) Federman & Sherwood (investigation open) Finkelstein, Blankinship, Frei-Pearson & Garber LLP (investigation open) Shamis & Gentile P.A. (investigation open)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Amalgamated Meat Cutters and Retail Food Store Employees Union Local 342 Health Care Fund, headquartered at 100 St. Mary’s Ave., Staten Island, NY 10305, is the multi-employer Taft-Hartley fund that delivers health benefits to UFCW Local 342 members across Long Island, New York City, the lower Hudson Valley, and New Jersey. The Fund filed a HIPAA breach notification with HHS OCR on June 26, 2025, reporting 56,615 affected individuals in a Hacking/IT Incident at a Network Server. The Fund did not begin notifying affected individuals until March 9, 2026, roughly 10 months after the intrusion was detected.

Timeline

  • April 25, 2025. An unauthorized external actor begins accessing files on the Local 342 network.
  • April 28, 2025. Local 342 detects the intrusion, secures the network, notifies law enforcement, and engages external cybersecurity experts.
  • June 26, 2025. HHS OCR breach report filed: 56,615 affected, Network Server, Hacking/IT Incident.
  • February 12, 2026. Forensic review of the affected files concludes. Identity-verification and address-lookup work begins for individual notice.
  • March 9, 2026. Notification letters mailed to affected individuals. Concurrent filings made with the Maine, Massachusetts, New Hampshire, and Vermont attorneys general.
  • March 11 to 12, 2026. Multiple plaintiffs’ firms publicly open class-action investigations.

What was exposed

The Maine Attorney General notice and the Fund’s substitute notice (summarized by ClassAction.org, ClaimDepot, and the firms investigating litigation) list the following data elements:

  • Full name
  • Date of birth
  • Social Security number
  • Driver’s license number or state ID number
  • Passport number
  • Financial account information
  • Taxpayer information
  • Health insurance information
  • Medical records

This is a near-complete identity-theft kit paired with HIPAA-regulated health data. Your individual notification letter will identify the exact subset of elements that applied to your record.

Who is notifying you, and why

Local 342 Health Care Fund is the HIPAA covered entity in this breach, not the union local itself. The Fund is a multi-employer health and welfare plan governed by a Board of Trustees. It administers medical, prescription, dental, and related benefits for UFCW Local 342 members and their eligible dependents.

If you are a current or former Local 342 member, or a covered spouse, child, or other dependent enrolled in the Fund’s plan during the affected period, you are the population the Fund is writing to. Notices were sent by U.S. Mail to the address the Fund has on file. A toll-free response line was established at 833-518-0169, and the Fund posted its breach notice on its own website at local342update.com.

The Fund is offering complimentary credit monitoring and identity-theft protection, with a 90-day enrollment window using the unique code printed in each notification letter. The entity’s own notice specifies that credit monitoring is provided to individuals whose Social Security number was among the exposed elements. If your notification letter does not list an SSN, contact the response line to confirm eligibility. Attorney general filings confirm 105 Massachusetts residents, 30 Maine residents, and 15 New Hampshire residents are among those notified.

Because the Fund is a Taft-Hartley plan, both active members and retirees who carried benefits through Local 342 should expect to be in scope. Dependents covered under a member’s plan are independently in scope and may receive their own letter if the Fund has separate address data on file.

Class-action posture

As of early June 2026, no consolidated complaint has been publicly docketed, but at least six plaintiffs’ firms have opened investigations and are signing up affected individuals: Edelson Lechtzin LLP, Lynch Carpenter LLP, Strauss Borrelli PLLC, Federman & Sherwood, Finkelstein, Blankinship, Frei-Pearson & Garber LLP, and Shamis & Gentile P.A.. The roughly 10-month gap between detection and individual notice, combined with the breadth of exposed data (SSN plus passport plus medical records), is the kind of fact pattern that typically drives negligence and breach-of-fiduciary-duty claims against multi-employer health funds. This page will be updated when a complaint is filed.

What to do

  1. Read your notification letter carefully. It will list the exact data elements that applied to your record and include the credit-monitoring enrollment code. Enroll within the 90-day window so coverage starts.
  2. Place free credit freezes at Equifax, Experian, and TransUnion. SSN exposure is confirmed, so a freeze is the highest-leverage step you can take.
  3. File IRS Form 14039 if you have any reason to suspect tax-related identity theft. Taxpayer information is among the confirmed exposed categories.
  4. If your passport number was listed, consider requesting a new passport book number through the U.S. State Department. Driver’s license numbers can be flagged with your state DMV.
  5. Watch your health-plan EOBs for claims you did not receive. Medical-records exposure raises the risk of medical identity theft and false-claim activity against your benefits.
  6. If you want to stop the ongoing flow of your data to plan administrators, vendors, and downstream business associates, HealthConsent files HIPAA restriction requests against the covered entity and its known business associates.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.