Active breach tracker Rochester, NY Disclosed August 29, 2025

Anthony L. Jordan Health Corporation Data Breach 2025: 2,974 Patients · Rochester FQHC Phishing Incident

Anthony L. Jordan Health Corporation (Jordan Health), the Rochester, NY federally qualified health center, filed a HIPAA breach notification with HHS OCR on August 29, 2025 reporting 2,974 affected individuals. A phishing attack compromised the email, OneDrive, and SharePoint accounts of three employees with unauthorized access occurring at various points between April 30, 2025 and July 9, 2025. Exposed data includes names, dates of birth, medical record numbers, provider names, dates of service, and health insurance information.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 30, 2025

Unauthorized access to employee Microsoft 365 accounts (email, OneDrive, SharePoint) begins after three employees respond to phishing emails

Jun 30, 2025

Jordan Health identifies suspicious activity in an employee email account; investigation begins

Jul 9, 2025

End of confirmed unauthorized-access window per forensic review

Aug 29, 2025

HHS OCR breach filing: 2,974 individuals, Hacking/IT Incident, Email

Data exposed

02

Health records

Don't expire and can't be reissued

Medical record numbers

03

Contact & insurance

Phishing + targeted scams

Names Dates of birth Provider names Dates of service Health insurance information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Anthony L. Jordan Health Corporation, the Rochester, New York federally qualified health center known publicly as Jordan Health, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on August 29, 2025, reporting 2,974 affected individuals in a Hacking/IT Incident affecting employee email. Per HIPAA Journal’s coverage of the notice, the underlying event was a phishing attack that compromised the email, OneDrive, and SharePoint accounts of three Jordan Health employees after they responded to phishing messages. Unauthorized access occurred at various times between April 30, 2025 and July 9, 2025, and suspicious activity was first identified in an employee mailbox on June 30, 2025.

Timeline

  • April 30, 2025 — Unauthorized access to the Microsoft 365 accounts (email, OneDrive, SharePoint) of three Jordan Health employees begins after the employees respond to phishing emails.
  • April 30 – July 9, 2025 — Confirmed window of unauthorized access across the three compromised accounts.
  • June 30, 2025 — Jordan Health identifies suspicious activity in an employee’s email account and begins an investigation; the other two compromised accounts are surfaced during forensic review.
  • July 9, 2025 — End of the confirmed unauthorized-access window per forensic findings.
  • August 29, 2025 — Jordan Health files its HIPAA breach report with HHS OCR: 2,974 individuals, Hacking/IT Incident, Email.
  • Ongoing (2026) — OCR investigation remains open per the portal record; no class action has been publicly filed to date.

What was exposed

Per Jordan Health’s notification and HIPAA Journal’s coverage of it, the data elements implicated for at least some of the 2,974 individuals include:

  • Names
  • Dates of birth
  • Medical record numbers
  • Provider names
  • Dates of service
  • Health insurance information

Jordan Health has stated that the apparent goal of the attackers was to fraudulently obtain funds from Jordan Health (a classic business-email-compromise pattern), not to harvest patient data. However, because the compromised mailboxes and cloud-storage accounts contained patient information, the entity could not rule out unauthorized access to that data and has notified affected individuals as required.

The OCR portal does not list Social Security numbers among the exposed elements, and HIPAA Journal’s summary likewise does not reference SSNs. This is consistent with a mailbox-content breach rather than an EHR or claims-system intrusion.

Sensitive-population considerations (FQHC)

Jordan Health is a federally qualified health center. FQHCs are HRSA-supported safety-net clinics that, by statutory mandate, serve patients regardless of ability to pay. Jordan Health serves roughly 30,000 patients annually across its Rochester and Canandaigua sites and offers primary care, dental, behavioral health, and pharmacy services. Two consequences follow from that mission:

  • Mailbox-content breaches at an FQHC still carry meaningful harm. Even without Social Security numbers, the combination of name, date of birth, medical record number, provider, date of service, and insurance information is enough to support medical-identity fraud, targeted phishing of patients (“we noticed an unpaid balance from your June visit with Dr. [Real Name]”), and stigma-linked disclosure for sensitive treatment categories.
  • Categories of treatment carry stigma and discrimination risk. Jordan Health provides behavioral-health and substance-use services alongside general primary care. Disclosure of provider name plus date of service can reveal, by inference, that an individual was receiving care from a particular clinician on a particular day, which can affect housing, employment, custody, immigration, and benefits matters. Substance-use treatment records may carry additional 42 CFR Part 2 protections; OCR began enforcing Part 2 under a unified rule in February 2026.

What Jordan Health is offering

Trade-press coverage of Jordan Health’s notice does not document a complimentary credit-monitoring or identity-protection offering, which is consistent with a mailbox-content breach that did not implicate Social Security numbers or financial-account data. Per HIPAA Journal, Jordan Health has stated that it provided additional cybersecurity awareness training to its workforce in response to the incident.

If your individual notification letter from Jordan Health offers credit monitoring or identity-protection services, the enrollment instructions and activation code will be inside the letter. Do not provide your Social Security number or other identifiers to any party claiming to “enroll” you over the phone or by email; legitimate enrollment is initiated from the letter.

Class-action posture

As of this update, no class-action complaint against Anthony L. Jordan Health Corporation has been publicly filed in connection with the 2025 phishing incident, and no plaintiff-side firm has publicly announced an investigation tied to this breach. The OCR record remains in open / under-review status. This page will be updated if a complaint is filed or if a firm announces a public investigation.

What to do if you may be affected

  • Read the notification letter carefully. It lists the specific data elements involved for you and any services Jordan Health is offering. Letters from Jordan Health will come in the name of “Anthony L. Jordan Health Corporation” or “Jordan Health.” Mailings typically follow the OCR filing by a few weeks to a few months.
  • Place a credit freeze with Equifax, Experian, and TransUnion. A freeze is free, takes about ten minutes per bureau, and is the single highest-leverage control against new-account identity theft, even when Social Security numbers are not confirmed to have been exposed.
  • Watch for Jordan Health-themed phishing. Mailbox-content breaches give attackers the raw material (your name, your provider’s name, your visit date) to write convincing follow-up phishing emails and texts impersonating “Jordan Health billing” or “Jordan Health patient portal.” Jordan Health will not ask you for your Social Security number, full date of birth, or password by email or SMS.
  • Confirm any medical bills you receive. Medical-identity fraud often surfaces as unfamiliar charges, explanation-of-benefits statements for care you did not receive, or collections notices. Dispute promptly and in writing.
  • If you are a Jordan Health behavioral-health or substance-use treatment patient, the provider-plus-date-of-service disclosure carries discrimination risks beyond financial fraud. Document any adverse housing, employment, benefits, or custody decisions you suspect are linked to the disclosure; SUD records may also carry 42 CFR Part 2 protections.
  • Bookmark this page. We update it as the OCR record advances, as any notification letter content surfaces publicly, or if class-action activity is filed.

Sources

We confirm these details directly against the HHS OCR portal record and the cited trade-press reporting; this page will be updated as any individual-notification-letter content, state-attorney-general filing, or court filing becomes public.

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.