Active breach tracker North Logan, Utah Disclosed November 21, 2025

Cache Valley Ear, Nose & Throat Data Breach 2025: 26,469 Patients Exposed in Medusa Ransomware Attack on North Logan ENT · 210 GB Allegedly Exfiltrated

Cache Valley Ear, Nose & Throat, a North Logan, Utah ENT practice, identified unusual activity in its email environment on February 4, 2025. The Medusa ransomware group later listed the practice on its data-leak site, claiming 210.10 GB of exfiltrated data. The forensic review concluded November 4, 2025, and individual notification letters began on November 21, 2025, more than nine months after detection. HHS OCR filing reports 26,469 affected individuals.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 4, 2025

Cache Valley ENT identifies unusual activity in its email environment and begins forensic investigation

Feb 4, 2025

Attacker gained access

Feb 13, 2025

Medusa ransomware group reportedly lists Cache Valley ENT on its data-leak site, claiming 210.10 GB of exfiltrated data

Apr 24, 2025

HIPAA breach notification filed with HHS Office for Civil Rights (26,469 individuals; Hacking/IT Incident; Network Server)

Nov 4, 2025

Forensic review of impacted data concludes; affected-individual list compiled

Nov 21, 2025

Cache Valley ENT mails individual notification letters and posts substitute notice; state attorneys general (NH, MA, RI and others) notified

Nov 21, 2025

Disclosed publicly

Data exposed

03

Contact & insurance

Phishing + targeted scams

Names Addresses Provider names Drug names Health insurance information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Cache Valley Ear, Nose & Throat, a North Logan, Utah ENT practice, identified unusual activity in its email environment on February 4, 2025, and engaged outside legal counsel and third-party forensic specialists to investigate. The Medusa ransomware group subsequently listed the practice on its data-leak site in mid-February 2025, claiming roughly 210.10 GB of exfiltrated data. The HIPAA breach notification was filed with the U.S. Department of Health and Human Services Office for Civil Rights on April 24, 2025, reporting 26,469 affected individuals in a Hacking/IT Incident at a Network Server. The forensic data-review process did not conclude until November 4, 2025, and individual notification letters were not mailed until November 21, 2025, more than nine months after the intrusion was first detected.

State attorney-general filings in New Hampshire, Massachusetts, and Rhode Island confirm that Cache Valley ENT considers the exposed data set to include names, addresses, provider names, drug names, and health-insurance information. The substitute notice does not claim that Social Security numbers or financial-account data were involved, but Medusa is a double-extortion operator that exfiltrates large mailbox and file-share data sets before encryption, so individuals should treat the public characterization as a floor rather than a ceiling.

Timeline

  • February 4, 2025 — Cache Valley ENT identifies unusual activity in its email environment, engages outside legal counsel and forensic specialists, and begins investigation.
  • February 13, 2025 — Medusa ransomware group reportedly lists Cache Valley ENT on its data-leak site, claiming approximately 210.10 GB of exfiltrated data.
  • April 24, 2025 — HIPAA breach notification filed with HHS OCR for 26,469 individuals, classified as Hacking/IT Incident at Network Server.
  • November 4, 2025 — Forensic review of impacted data concludes; affected-individual list compiled.
  • November 21, 2025 — Cache Valley ENT mails individual notification letters, posts a substitute notice on its website, and notifies state attorneys general in New Hampshire, Massachusetts, and Rhode Island.

What was exposed

Per the substitute notice and state attorney-general filings, the data elements identified as exposed include:

  • Name
  • Address
  • Provider name
  • Drug name (medication information)
  • Health insurance information

The substitute notice does not list Social Security numbers, dates of birth, financial-account numbers, or full clinical records. Because Medusa exfiltrated approximately 210 GB and the full content of the staged leak is not publicly enumerated, individuals should assume that mailbox-resident attachments (referrals, claim correspondence, insurance card images, prescription histories) may be in the threat actor’s possession even where not formally listed.

What Cache Valley ENT is offering

Affected individuals are being offered complimentary credit monitoring and identity-theft protection services through Cyberscout (a TransUnion company), with the duration set at 12 or 24 months depending on state of residence. The notification letter contains a single-use enrollment code and a dedicated incident-response phone line. Cache Valley ENT also states it has reviewed its policies and procedures and implemented additional safeguards in its email environment.

Class-action and regulatory posture

As of the date this page was last updated, no class-action lawsuit against Cache Valley Ear, Nose & Throat has been publicly filed or docketed in the law-firm investigation trackers reviewed for this entry. The HHS OCR portal entry is open and under federal review. Given the affected count, the nine-month gap between detection and individual notification, and the Medusa data-leak posting, plaintiff-side investigations are likely; this page will be updated if a complaint is filed.

What to do if you may be affected

  • Enroll in the offered monitoring using the single-use code in your notification letter. Credit-monitoring enrollment is free and detects new-account openings on your file.
  • Freeze your credit with Equifax, Experian, and TransUnion. A freeze is materially stronger than monitoring alone and is free and reversible.
  • Treat targeted phishing as the primary near-term risk. A practice-specific email and document set in the hands of a sophisticated ransomware crew means scams that reference your provider, your medication, or your insurer are plausible. Do not provide payment or account details over the phone to anyone calling about this breach.
  • Review your Explanation of Benefits statements from your health insurer for services you did not receive. Medical identity theft can take months to surface and is the most common downstream harm where insurance information is exposed.
  • Verify all post-breach outreach. Legitimate notification letters reference Cyberscout/TransUnion enrollment and a specific Cache Valley ENT incident phone line. If you receive contact from a self-styled “settlement administrator” before any court filing, treat it as suspicious.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.