AmeriHealth Caritas Louisiana Data Breach 2025: 1,552 Medicaid Members Affected · Unauthorized Access · HHS OCR Filing Open
AmeriHealth Caritas Louisiana, the Healthy Louisiana Medicaid managed-care organization, filed a HIPAA breach notification with HHS OCR on March 21, 2025 reporting 1,552 individuals affected in an Unauthorized Access/Disclosure incident on a Network Server. Srourian Law Firm has announced a class-action investigation.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Mar 21, 2025
AmeriHealth Caritas Louisiana files HIPAA breach notification with HHS Office for Civil Rights (1,552 individuals, Unauthorized Access/Disclosure, Network Server / Other)
Mar 21, 2025
Breach posted to the HHS OCR public breach portal; investigation listed as currently under review
Apr 1, 2025
Srourian Law Firm publicly announces an investigation into ACLA on behalf of affected members; no consolidated federal docket has been reported
Mar 21, 2025
AmeriHealth Caritas Louisiana files HIPAA breach notification with HHS Office for Civil Rights (1,552 individuals, Unauthorized Access/Disclosure, Network Server / Other)
Mar 21, 2025
Breach posted to the HHS OCR public breach portal; investigation listed as currently under review
Apr 1, 2025
Srourian Law Firm publicly announces an investigation into ACLA on behalf of affected members; no consolidated federal docket has been reported
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
AmeriHealth Caritas Louisiana (ACLA), one of the managed-care organizations contracted by the Louisiana Department of Health to administer Medicaid benefits under the Healthy Louisiana program, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on March 21, 2025. The filing reports 1,552 affected individuals in an Unauthorized Access / Disclosure incident with the location of breached PHI listed as Network Server, Other.
The incident falls below the 500-individual press-notice threshold rules and below the 10,000-individual threshold that typically draws major trade-press coverage. HIPAA Journal’s March 2025 healthcare data breach roundup confirms the filing volume bracket but does not single out ACLA for narrative coverage. The OCR portal entry remains the primary public record.
Timeline of what we know
- March 21, 2025 — ACLA files the HIPAA breach notification with HHS OCR. The portal entry lists 1,552 individuals affected, the incident type as Unauthorized Access/Disclosure, and the location of breached PHI as Network Server, Other.
- March 21, 2025 — The breach is posted to the public OCR portal and shows in the “Cases Currently Under Investigation” view.
- Spring 2025 — Srourian Law Firm publishes an investigation page soliciting affected members for a potential class action. No consolidated federal docket against ACLA has been reported as of this update.
What was exposed
The HHS OCR portal entry discloses only that the breached information was located on a Network Server with an additional “Other” category, which is the standard portal taxonomy and does not enumerate the underlying data elements. As of this page’s last update, the following are not publicly disclosed:
- The specific PHI data elements involved (e.g., name, address, date of birth, Social Security number, Medicaid ID, claims data, clinical information)
- Whether financial account numbers, driver’s license numbers, or government identifiers were included
- The root-cause vector (insider, third-party vendor, misconfigured access, credential compromise)
- Attacker attribution, if any
We will not speculate. This section will be updated if ACLA publishes a substitute notice, if the Louisiana Attorney General receives a separate filing that becomes public, or if the OCR investigation closes with a public resolution agreement.
Why this matters: Medicaid managed-care population
ACLA serves a Medicaid managed-care population under the Healthy Louisiana program. Medicaid beneficiaries are a particularly sensitive cohort for data-breach harm because:
- Many enrollees rely on the same address and phone number for benefits, housing assistance, and SNAP — a single exposure can ripple across multiple safety-net programs.
- Identity-theft remediation steps that assume a working credit profile and access to a bank account are not universally available to low-income enrollees.
- Medicaid IDs, when exposed, can enable medical identity theft that surfaces only when a beneficiary is later denied care or billed for services they did not receive.
The fact that this incident affected fewer than 10,000 individuals does not reduce per-person severity for the Medicaid members in scope.
What ACLA is offering
ACLA has not publicly disclosed whether it is providing affected individuals with complimentary credit monitoring, identity-theft protection, or a dedicated call center. Notification letters from the entity, if they have been mailed, are the canonical source for what services are available. This page will be updated when that information is publicly published.
Class-action posture
Srourian Law Firm has published an investigation page soliciting affected ACLA members for a potential class action. As of this page’s last update, no consolidated federal docket against AmeriHealth Caritas Louisiana arising from this breach has been reported in court-records databases or trade press. The investigation page is a pre-litigation solicitation, not a filed complaint.
If you receive an individual notification letter from ACLA and you choose to participate in a class-action investigation, the law firm’s intake page is the appropriate starting point. You do not need to retain counsel to qualify for any credit-monitoring offering that may be made available in the notification letter itself.
What to do if you may be affected
Until ACLA publishes a substitute notice or your individual notification letter arrives, the protective steps are generic but high-leverage:
- Watch your mail at the address you have on file with ACLA. Notification letters typically follow an OCR filing by a few weeks to a few months. The letter will list the specific data elements involved and any credit-monitoring offered.
- Freeze your credit at Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new-account fraud. This is the single highest-leverage step for any exposure that may include Social Security numbers.
- Review your Medicaid statements. Request a copy of recent claims activity from Healthy Louisiana / ACLA and verify that the services billed under your Medicaid ID were actually received by you or your dependents. If you see services you did not receive, report them to ACLA and to the Louisiana Department of Health.
- Be skeptical of phone, text, or email outreach claiming to be from ACLA, Healthy Louisiana, or “your Medicaid plan.” Threat actors frequently follow disclosed breaches with targeted phishing using the breach itself as a pretext.
- Bookmark this page. We update it as ACLA’s notification letter, state filings, or court filings become available.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- Srourian Law Firm — AmeriHealth Caritas Louisiana data breach investigation — pre-litigation investigation page.
- AmeriHealth Caritas Louisiana — official entity site — entity context and member resources.
- Louisiana Department of Health — Healthy Louisiana managed-care program — program context for the Medicaid population served.
- HIPAA Journal — March 2025 healthcare data breach report — confirms the filing’s bracket below the 10,000-individual threshold.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Srourian Law Firm — AmeriHealth Caritas Louisiana data breach investigation
- AmeriHealth Caritas Louisiana — official entity site
- Louisiana Department of Health — Healthy Louisiana managed-care program
- HIPAA Journal — March 2025 healthcare data breach report
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.