Cache Valley Ear, Nose & Throat Data Breach 2025: 26,469 Patients Exposed in Medusa Ransomware Attack on North Logan ENT · 210 GB Allegedly Exfiltrated
Cache Valley Ear, Nose & Throat, a North Logan, Utah ENT practice, identified unusual activity in its email environment on February 4, 2025. The Medusa ransomware group later listed the practice on its data-leak site, claiming 210.10 GB of exfiltrated data. The forensic review concluded November 4, 2025, and individual notification letters began on November 21, 2025, more than nine months after detection. HHS OCR filing reports 26,469 affected individuals.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 4, 2025
Cache Valley ENT identifies unusual activity in its email environment and begins forensic investigation
Feb 4, 2025
Attacker gained access
Feb 13, 2025
Medusa ransomware group reportedly lists Cache Valley ENT on its data-leak site, claiming 210.10 GB of exfiltrated data
Apr 24, 2025
HIPAA breach notification filed with HHS Office for Civil Rights (26,469 individuals; Hacking/IT Incident; Network Server)
Nov 4, 2025
Forensic review of impacted data concludes; affected-individual list compiled
Nov 21, 2025
Cache Valley ENT mails individual notification letters and posts substitute notice; state attorneys general (NH, MA, RI and others) notified
Nov 21, 2025
Disclosed publicly
Feb 4, 2025
Cache Valley ENT identifies unusual activity in its email environment and begins forensic investigation
Feb 4, 2025
Attacker gained access
Feb 13, 2025
Medusa ransomware group reportedly lists Cache Valley ENT on its data-leak site, claiming 210.10 GB of exfiltrated data
Apr 24, 2025
HIPAA breach notification filed with HHS Office for Civil Rights (26,469 individuals; Hacking/IT Incident; Network Server)
Nov 4, 2025
Forensic review of impacted data concludes; affected-individual list compiled
Nov 21, 2025
Cache Valley ENT mails individual notification letters and posts substitute notice; state attorneys general (NH, MA, RI and others) notified
Nov 21, 2025
Disclosed publicly
Data exposed
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Cache Valley Ear, Nose & Throat, a North Logan, Utah ENT practice, identified unusual activity in its email environment on February 4, 2025, and engaged outside legal counsel and third-party forensic specialists to investigate. The Medusa ransomware group subsequently listed the practice on its data-leak site in mid-February 2025, claiming roughly 210.10 GB of exfiltrated data. The HIPAA breach notification was filed with the U.S. Department of Health and Human Services Office for Civil Rights on April 24, 2025, reporting 26,469 affected individuals in a Hacking/IT Incident at a Network Server. The forensic data-review process did not conclude until November 4, 2025, and individual notification letters were not mailed until November 21, 2025, more than nine months after the intrusion was first detected.
State attorney-general filings in New Hampshire, Massachusetts, and Rhode Island confirm that Cache Valley ENT considers the exposed data set to include names, addresses, provider names, drug names, and health-insurance information. The substitute notice does not claim that Social Security numbers or financial-account data were involved, but Medusa is a double-extortion operator that exfiltrates large mailbox and file-share data sets before encryption, so individuals should treat the public characterization as a floor rather than a ceiling.
Timeline
- February 4, 2025 — Cache Valley ENT identifies unusual activity in its email environment, engages outside legal counsel and forensic specialists, and begins investigation.
- February 13, 2025 — Medusa ransomware group reportedly lists Cache Valley ENT on its data-leak site, claiming approximately 210.10 GB of exfiltrated data.
- April 24, 2025 — HIPAA breach notification filed with HHS OCR for 26,469 individuals, classified as Hacking/IT Incident at Network Server.
- November 4, 2025 — Forensic review of impacted data concludes; affected-individual list compiled.
- November 21, 2025 — Cache Valley ENT mails individual notification letters, posts a substitute notice on its website, and notifies state attorneys general in New Hampshire, Massachusetts, and Rhode Island.
What was exposed
Per the substitute notice and state attorney-general filings, the data elements identified as exposed include:
- Name
- Address
- Provider name
- Drug name (medication information)
- Health insurance information
The substitute notice does not list Social Security numbers, dates of birth, financial-account numbers, or full clinical records. Because Medusa exfiltrated approximately 210 GB and the full content of the staged leak is not publicly enumerated, individuals should assume that mailbox-resident attachments (referrals, claim correspondence, insurance card images, prescription histories) may be in the threat actor’s possession even where not formally listed.
What Cache Valley ENT is offering
Affected individuals are being offered complimentary credit monitoring and identity-theft protection services through Cyberscout (a TransUnion company), with the duration set at 12 or 24 months depending on state of residence. The notification letter contains a single-use enrollment code and a dedicated incident-response phone line. Cache Valley ENT also states it has reviewed its policies and procedures and implemented additional safeguards in its email environment.
Class-action and regulatory posture
As of the date this page was last updated, no class-action lawsuit against Cache Valley Ear, Nose & Throat has been publicly filed or docketed in the law-firm investigation trackers reviewed for this entry. The HHS OCR portal entry is open and under federal review. Given the affected count, the nine-month gap between detection and individual notification, and the Medusa data-leak posting, plaintiff-side investigations are likely; this page will be updated if a complaint is filed.
What to do if you may be affected
- Enroll in the offered monitoring using the single-use code in your notification letter. Credit-monitoring enrollment is free and detects new-account openings on your file.
- Freeze your credit with Equifax, Experian, and TransUnion. A freeze is materially stronger than monitoring alone and is free and reversible.
- Treat targeted phishing as the primary near-term risk. A practice-specific email and document set in the hands of a sophisticated ransomware crew means scams that reference your provider, your medication, or your insurer are plausible. Do not provide payment or account details over the phone to anyone calling about this breach.
- Review your Explanation of Benefits statements from your health insurer for services you did not receive. Medical identity theft can take months to surface and is the most common downstream harm where insurance information is exposed.
- Verify all post-breach outreach. Legitimate notification letters reference Cyberscout/TransUnion enrollment and a specific Cache Valley ENT incident phone line. If you receive contact from a self-styled “settlement administrator” before any court filing, treat it as suspicious.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (filing dated 2025-04-24, 26,469 individuals, Hacking/IT Incident, Network Server).
- Cache Valley ENT — Official Notice of Data Privacy Event — entity’s substitute notice posted November 2025.
- New Hampshire Attorney General — Cache Valley ENT Breach Notification Filing — state AG filing dated November 21, 2025.
- HIPAA Journal — Health Plan Members’ PHI Exposed in Cyberattack on Fieldtex Products (Cache Valley ENT section) — discovery date, exposed-data list, credit-monitoring details.
- ClaimDepot — Cache Valley ENT Discloses Data Breach to Multiple State Attorneys General Offices — multi-state AG filing summary and remediation offering.
- BreachSense — Cache Valley ENT Data Breach in 2025 — threat-actor attribution and leak-size data point.
- RedPacket Security — Medusa Ransomware Victim: Cache Valley ENT — Medusa leak-site posting and 210.10 GB exfiltration claim.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Cache Valley ENT — Official Notice of Data Privacy Event (substitute notice PDF)
- New Hampshire Attorney General — Cache Valley ENT Breach Notification Filing (2025-11-21)
- HIPAA Journal — Health Plan Members' PHI Exposed in Cyberattack on Fieldtex Products (Cache Valley ENT section)
- ClaimDepot — Cache Valley ENT Discloses Data Breach to Multiple State Attorneys General Offices
- BreachSense — Cache Valley ENT Data Breach in 2025
- RedPacket Security — [MEDUSA] Ransomware Victim: Cache Valley ENT
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.