Active breach tracker Morristown, New Jersey Disclosed May 2, 2025

Anesthesia Associates of Morristown Data Breach 2025: 34,675 Affected by Improper Disposal of Paper Records

Anesthesia Associates of Morristown, P.A. (Morristown, NJ) filed a HIPAA breach notification with HHS OCR on May 2, 2025 reporting 34,675 individuals affected by an Improper Disposal incident involving Paper/Films. A business associate was involved. No entity notice, NJ AG filing, or class action has surfaced as of mid-May 2026. Here is what is known and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 2, 2025

HHS OCR breach report filed (Improper Disposal at Paper/Films; business associate present)

Data exposed

03

Contact & insurance

Phishing + targeted scams

Paper/Films (specific PHI categories not publicly itemized in the OCR entry) Plausible categories for an anesthesiology practice include patient names, dates of birth, addresses, dates of service, procedure / anesthesia records, and billing identifiers — not confirmed
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

This is a paper-record improper-disposal incident, not a cyber attack. The HHS OCR portal classifies the breach as Improper Disposal at Paper/Films, with a business associate involved. That means physical patient records (charts, forms, films) were discarded, lost, or otherwise mishandled outside a secure shredding or destruction chain. No hacker, ransomware group, or network intrusion is alleged.

Timeline

  • May 2, 2025 — Anesthesia Associates of Morristown, P.A. filed a HIPAA breach report with the HHS Office for Civil Rights, classified as Improper Disposal at location Paper/Films, business associate present: Yes. The initial public count was an interim placeholder; the figure now stands at 34,675 affected individuals.

The actual date the records were mishandled, and the date AAM discovered the disposal failure, have not been publicly disclosed beyond the May 2, 2025 OCR filing date.

What was exposed

The OCR portal entry itemizes only the location of the breached PHI (“Paper/Films”), not the data elements. AAM has not published a substitute notice or sample notification letter naming specific categories.

For an anesthesiology practice, the records most commonly held on paper or film include patient demographics, dates of service, anesthesia consent forms, anesthesia records (drugs, doses, vitals), pre-op evaluations, and billing identifiers. None of those categories are confirmed for this incident. Wait for your notification letter for the specific list.

What entity is offering

No public substitute notice or website incident page has been located on anesthesiaassociatesofmorristown.com. Affected patients should expect a mailed notification letter to the address on file. AAM’s published contact channels are:

  • Phone: (973) 631-8119 (use the extension prompts)
  • Mail: Anesthesia Associates of Morristown, P.O. Box 65, Convent Station, NJ 07961

Whether complimentary credit monitoring or identity-theft restoration is being offered is not public. The notification letter will state this.

Class-action posture

No class-action complaint has been located in the District of New Jersey or in state court as of mid-May 2026. No plaintiffs’ firm investigation announcement has surfaced from the firms that typically circle healthcare breaches of this size. Improper-disposal cases generate fewer class actions than hacking incidents because plaintiffs must show actual disclosure to a third party rather than presumed exposure to attackers. A 34,675-person count sits well above the threshold that usually draws plaintiffs’ interest, so this posture may change.

What to do

  1. Watch your mailbox for a notification letter from Anesthesia Associates of Morristown. Improper-disposal letters often arrive months after the OCR filing because the entity must reconstruct who was in the discarded records.
  2. Read the letter carefully. It will list the specific data elements involved in your records, the approximate dates of service covered, and any credit-monitoring or identity-protection offer.
  3. Place free credit freezes at Equifax, Experian, and TransUnion as a baseline precaution. This is the highest-leverage step against identity theft and it is free.
  4. Pull free credit reports at annualcreditreport.com and review for unfamiliar accounts.
  5. If you had anesthesia at a hospital served by AAM and never receive a letter, call (973) 631-8119 to confirm whether your records were in scope.
  6. Stop the ongoing flow of your records. HealthConsent files HIPAA restriction requests with healthcare providers, including limits on third-party records-destruction vendors, to reduce future disposal-chain risk.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.