Arbor Associates Data Breach 2025: 17,040 Affected · Hacking/IT Incident · Michigan Business Associate. What To Do.
Arbor Associates, Inc. — a Michigan-based business associate that runs patient survey analytics for healthcare providers — reported a hacking incident affecting 17,040 individuals. Unauthorized network access occurred April 15–17, 2025; Arbor filed with HHS OCR and began mailing notifications on July 3, 2025. Srourian Law Firm has opened a class-action investigation.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 15, 2025
Unauthorized access to Arbor Associates' network begins (per forensic investigation).
Apr 17, 2025
Arbor detects unusual network activity, secures systems, and engages independent cybersecurity experts.
May 31, 2025
File review concludes in May 2025; Arbor confirms patient data of healthcare-partner clients was involved and begins notifying those partners.
Jul 3, 2025
Arbor begins mailing individual notification letters on behalf of affected healthcare clients.
Jul 3, 2025
Breach reported to HHS OCR (17,040 affected, Hacking/IT Incident at Network Server, Business Associate) and to state attorneys general in CA, MA, MT, VT, WA, and TX.
Aug 8, 2025
Srourian Law Firm announces a class-action investigation on behalf of affected individuals.
Apr 15, 2025
Unauthorized access to Arbor Associates' network begins (per forensic investigation).
Apr 17, 2025
Arbor detects unusual network activity, secures systems, and engages independent cybersecurity experts.
May 31, 2025
File review concludes in May 2025; Arbor confirms patient data of healthcare-partner clients was involved and begins notifying those partners.
Jul 3, 2025
Arbor begins mailing individual notification letters on behalf of affected healthcare clients.
Jul 3, 2025
Breach reported to HHS OCR (17,040 affected, Hacking/IT Incident at Network Server, Business Associate) and to state attorneys general in CA, MA, MT, VT, WA, and TX.
Aug 8, 2025
Srourian Law Firm announces a class-action investigation on behalf of affected individuals.
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Arbor Associates, Inc. is a Michigan-based business associate that helps healthcare providers collect and analyze patient survey data. On April 17, 2025, Arbor detected unusual activity on its network and engaged independent cybersecurity experts. The investigation concluded that an unauthorized actor accessed Arbor’s systems between April 15 and April 17, 2025, and that certain files containing patient information may have been acquired. Arbor reported the incident to the HHS Office for Civil Rights on July 3, 2025 as a Hacking/IT Incident at a Network Server affecting 17,040 individuals, and began mailing notification letters the same day on behalf of its healthcare-provider clients.
Timeline
- April 15–17, 2025 — Unauthorized access to Arbor Associates’ network (intrusion window confirmed by forensic investigation).
- April 17, 2025 — Arbor detects unusual network activity, secures systems, and launches an investigation with outside cybersecurity specialists.
- May 2025 — File review concludes. Arbor confirms the affected files included patient information from healthcare partners and begins notifying those partners.
- July 3, 2025 — Arbor files with HHS OCR (17,040 affected, Business Associate, Hacking/IT Incident at Network Server). The same day, Arbor begins mailing individual notification letters and notifies state attorneys general in California, Massachusetts, Montana, Vermont, Washington, and Texas. Public state-level breakdowns include 8,995 Washington residents, 1,545 Texas residents, 551 in Massachusetts, and 1 in Montana.
- August 2025 — Srourian Law Firm publicly announces a class-action investigation on behalf of affected individuals.
What was exposed
Arbor’s own substitute notice and the state AG filings describe the categories of patient data potentially involved. Not every individual had every element exposed; your personal notification letter is the authoritative list for you. The categories Arbor identified include:
- First and last name.
- Contact information (address, phone, email).
- Age and biological sex.
- Date of birth.
- Service date.
- CPT or diagnosis code.
- Medical record number.
- Name of insurance.
- Doctor’s name.
Social Security numbers, financial account numbers, and government-issued IDs were not identified as part of the exposed data set. The exposure here is primarily clinical and demographic, which raises the risk of targeted medical-themed phishing and medical-identity misuse rather than new-account financial fraud.
What Arbor is offering
Arbor stood up a dedicated call center at 1-833-367-8607, available Monday through Friday from 8:00 a.m. to 8:00 p.m. Eastern time, to answer questions about the incident. Arbor’s published substitute notice directs affected individuals to monitor financial accounts, request free annual credit reports at annualcreditreport.com (1-877-322-8228), and consider fraud alerts or security freezes with Equifax, Experian, and TransUnion. Some recipients have reported being offered complimentary credit monitoring through the individual notification letter; if you receive a letter, the enrollment code and deadline will be inside.
Class-action posture
Srourian Law Firm (SLF) of Beverly Hills and Costa Mesa, California, has opened a class-action investigation against Arbor Associates, Inc. arising from this incident. As of this update, no consolidated complaint or settlement has been publicly announced. Affected individuals who want to be evaluated for potential class membership can contact SLF directly; submitting information to a law-firm intake form does not enroll you in a lawsuit and does not waive any rights you have under Arbor’s own offering.
What to do
- Read your notification letter carefully. It identifies the specific data elements exposed for you and any complimentary monitoring Arbor is offering through your healthcare provider.
- Watch for medical-identity misuse. Because diagnosis codes, service dates, and insurance information were involved, scrutinize your Explanation of Benefits statements and any provider bills for services you do not recognize. Request a one-time records audit from your providers if anything looks off.
- Be skeptical of “Arbor Associates” or “your doctor’s office” outreach. Phishing that mimics survey requests, billing follow-ups, or breach-response calls is predictable here. Verify any link or phone number against the printed notification letter or Arbor’s own substitute notice, not against email or SMS links.
- Place a fraud alert or freeze your credit if you want belt-and-suspenders protection. It is free, takes about ten minutes per bureau, and is the most effective single step against new-account fraud even though SSNs were not exposed in this incident.
- Keep the call-center number handy. 1-833-367-8607, Monday–Friday 8am–8pm ET, is Arbor’s official channel for questions about your individual exposure.
Sources
- Arbor Associates — Data Security Incident Notice — entity’s own substitute notice with categories of data exposed, intrusion window, and call-center details.
- HHS Office for Civil Rights Breach Portal — federal regulatory record: 17,040 affected, Hacking/IT Incident at Network Server, Business Associate, filed July 3, 2025.
- California Attorney General — Arbor Associates Notice Letter — state AG filing of the individual notification letter.
- HIPAA Times — Arbor Associates Breach Could Expose Names, DOBs, and Medical Records — independent reporting confirming the Michigan HQ and the categories of exposed data.
- Cision / Yahoo Finance — Arbor Associates, Inc. Notifies Individuals of Data Security Incident — wire-distributed press release confirming notification timing and call-center information.
- ClaimDepot — Arbor Associates Data Breach Exposes Sensitive PHI & PII — aggregated reporting with state-level breakdowns of affected residents (WA 8,995 / TX 1,545 / MA 551 / MT 1).
- Srourian Law Firm — Investigation Into Data Breach at Arbor Associates, Inc. — firm announcement of a class-action investigation on behalf of affected individuals.
- HIPAA Journal — Healthcare Data Breach Reports — ongoing trade-press coverage of the incident within monthly HHS OCR reporting summaries.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Arbor Associates — Data Security Incident Notice
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Healthcare Data Breach Reports (Arbor Associates)
- California Attorney General — Arbor Associates Notice Letter
- HIPAA Times — Arbor Associates Breach Could Expose Names, DOBs, and Medical Records
- Cision / Yahoo Finance — Arbor Associates, Inc. Notifies Individuals of Data Security Incident
- Srourian Law Firm — Investigation Into Data Breach at Arbor Associates, Inc.
- ClaimDepot — Arbor Associates Data Breach Exposes Sensitive PHI & PII
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.