Active breach tracker Michigan Disclosed July 3, 2025

Arbor Associates Data Breach 2025: 17,040 Affected · Hacking/IT Incident · Michigan Business Associate. What To Do.

Arbor Associates, Inc. — a Michigan-based business associate that runs patient survey analytics for healthcare providers — reported a hacking incident affecting 17,040 individuals. Unauthorized network access occurred April 15–17, 2025; Arbor filed with HHS OCR and began mailing notifications on July 3, 2025. Srourian Law Firm has opened a class-action investigation.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 15, 2025

Unauthorized access to Arbor Associates' network begins (per forensic investigation).

Apr 17, 2025

Arbor detects unusual network activity, secures systems, and engages independent cybersecurity experts.

May 31, 2025

File review concludes in May 2025; Arbor confirms patient data of healthcare-partner clients was involved and begins notifying those partners.

Jul 3, 2025

Arbor begins mailing individual notification letters on behalf of affected healthcare clients.

Jul 3, 2025

Breach reported to HHS OCR (17,040 affected, Hacking/IT Incident at Network Server, Business Associate) and to state attorneys general in CA, MA, MT, VT, WA, and TX.

Aug 8, 2025

Srourian Law Firm announces a class-action investigation on behalf of affected individuals.

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

CPT or diagnosis code Medical record number

03

Contact & insurance

Phishing + targeted scams

First and last name Contact information Age Biological sex Service date Name of insurance Doctor's name
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Arbor Associates, Inc. is a Michigan-based business associate that helps healthcare providers collect and analyze patient survey data. On April 17, 2025, Arbor detected unusual activity on its network and engaged independent cybersecurity experts. The investigation concluded that an unauthorized actor accessed Arbor’s systems between April 15 and April 17, 2025, and that certain files containing patient information may have been acquired. Arbor reported the incident to the HHS Office for Civil Rights on July 3, 2025 as a Hacking/IT Incident at a Network Server affecting 17,040 individuals, and began mailing notification letters the same day on behalf of its healthcare-provider clients.

Timeline

  • April 15–17, 2025 — Unauthorized access to Arbor Associates’ network (intrusion window confirmed by forensic investigation).
  • April 17, 2025 — Arbor detects unusual network activity, secures systems, and launches an investigation with outside cybersecurity specialists.
  • May 2025 — File review concludes. Arbor confirms the affected files included patient information from healthcare partners and begins notifying those partners.
  • July 3, 2025 — Arbor files with HHS OCR (17,040 affected, Business Associate, Hacking/IT Incident at Network Server). The same day, Arbor begins mailing individual notification letters and notifies state attorneys general in California, Massachusetts, Montana, Vermont, Washington, and Texas. Public state-level breakdowns include 8,995 Washington residents, 1,545 Texas residents, 551 in Massachusetts, and 1 in Montana.
  • August 2025 — Srourian Law Firm publicly announces a class-action investigation on behalf of affected individuals.

What was exposed

Arbor’s own substitute notice and the state AG filings describe the categories of patient data potentially involved. Not every individual had every element exposed; your personal notification letter is the authoritative list for you. The categories Arbor identified include:

  • First and last name.
  • Contact information (address, phone, email).
  • Age and biological sex.
  • Date of birth.
  • Service date.
  • CPT or diagnosis code.
  • Medical record number.
  • Name of insurance.
  • Doctor’s name.

Social Security numbers, financial account numbers, and government-issued IDs were not identified as part of the exposed data set. The exposure here is primarily clinical and demographic, which raises the risk of targeted medical-themed phishing and medical-identity misuse rather than new-account financial fraud.

What Arbor is offering

Arbor stood up a dedicated call center at 1-833-367-8607, available Monday through Friday from 8:00 a.m. to 8:00 p.m. Eastern time, to answer questions about the incident. Arbor’s published substitute notice directs affected individuals to monitor financial accounts, request free annual credit reports at annualcreditreport.com (1-877-322-8228), and consider fraud alerts or security freezes with Equifax, Experian, and TransUnion. Some recipients have reported being offered complimentary credit monitoring through the individual notification letter; if you receive a letter, the enrollment code and deadline will be inside.

Class-action posture

Srourian Law Firm (SLF) of Beverly Hills and Costa Mesa, California, has opened a class-action investigation against Arbor Associates, Inc. arising from this incident. As of this update, no consolidated complaint or settlement has been publicly announced. Affected individuals who want to be evaluated for potential class membership can contact SLF directly; submitting information to a law-firm intake form does not enroll you in a lawsuit and does not waive any rights you have under Arbor’s own offering.

What to do

  • Read your notification letter carefully. It identifies the specific data elements exposed for you and any complimentary monitoring Arbor is offering through your healthcare provider.
  • Watch for medical-identity misuse. Because diagnosis codes, service dates, and insurance information were involved, scrutinize your Explanation of Benefits statements and any provider bills for services you do not recognize. Request a one-time records audit from your providers if anything looks off.
  • Be skeptical of “Arbor Associates” or “your doctor’s office” outreach. Phishing that mimics survey requests, billing follow-ups, or breach-response calls is predictable here. Verify any link or phone number against the printed notification letter or Arbor’s own substitute notice, not against email or SMS links.
  • Place a fraud alert or freeze your credit if you want belt-and-suspenders protection. It is free, takes about ten minutes per bureau, and is the most effective single step against new-account fraud even though SSNs were not exposed in this incident.
  • Keep the call-center number handy. 1-833-367-8607, Monday–Friday 8am–8pm ET, is Arbor’s official channel for questions about your individual exposure.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.