Active breach tracker Oklahoma City, OK Disclosed May 3, 2025

CardioVascular Health Clinic Data Breach 2025: Cloud-Provider Incident Exposes Patient PHI in Oklahoma

CardioVascular Health Clinic (Oklahoma City) reported a data breach to HHS OCR on May 3, 2025 after an unauthorized actor accessed patient data between Feb 18 and Mar 4, 2025 through a cloud services provider. Notification letters mailed May 15, 2025. Class-action investigations underway.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 18, 2025

Unauthorized access to data via cloud services provider begins

Mar 4, 2025

Network disruption detected; unauthorized access ends

May 3, 2025

Breach reported to HHS Office for Civil Rights (501 interim)

May 15, 2025

Individual notification letters mailed to affected patients

May 20, 2025

Class-action investigations opened by plaintiffs' firms

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license / state ID number

02

Health records

Don't expire and can't be reissued

Treatment / diagnosis information Prescription information Medical record / case number Treatment cost

03

Contact & insurance

Phishing + targeted scams

Name Address, phone number, email address Financial account information Provider name Medicare / Medicaid ID number Health insurance information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

CardioVascular Health Clinic (CHC), an Oklahoma City-based cardiology and vascular care network that operates clinic locations across Oklahoma, reported a data breach to the U.S. Department of Health and Human Services Office for Civil Rights on May 3, 2025, after an unauthorized actor accessed patient information between February 18 and March 4, 2025 through a security incident affecting CHC’s cloud services provider. CHC detected the intrusion on March 4, 2025 after a network disruption, and mailed individual notification letters to affected patients on May 15, 2025. The clinic submitted a placeholder figure of 501 individuals to OCR while file review continues, so the final count is expected to be revised upward.

This is classified as a vendor / third-party cloud incident rather than a direct compromise of CHC’s own network. The clinic has not publicly identified the cloud provider or the threat actor, and no ransomware group has claimed responsibility on a public leak site as of this writing.

Timeline

  • Feb 18, 2025 — Unauthorized actor begins accessing information stored on CHC’s cloud-hosted network.
  • Mar 4, 2025 — Network disruption detected. CHC engages cybersecurity experts and begins forensic review. Unauthorized access ends.
  • May 3, 2025 — CHC files a HIPAA Breach Notification Rule report with HHS OCR, using an interim count of 501 affected individuals.
  • May 15, 2025 — Individual notification letters mailed to patients with addresses on file. Substitute notice posted at cvhealthclinic.com.
  • Late May 2025 — Plaintiffs’ firms (Ahdoot & Wolfson, The Lyon Firm, and others) publicly open class-action investigations.

What was exposed

CHC’s notice states the categories of information varied by individual but may include:

  • Name, address, phone number, email address
  • Date of birth
  • Social Security number
  • Driver’s license or state ID number
  • Financial account information
  • Treatment and diagnosis information
  • Prescription information
  • Provider name
  • Medical record or case number
  • Medicare / Medicaid ID number
  • Health insurance information
  • Treatment cost

This is a near-complete personal and clinical profile. The combination of Social Security number, financial account information, and Medicare/Medicaid ID makes this dataset usable for both financial-identity theft and medical-identity theft (filing fraudulent claims under a victim’s coverage).

What CardioVascular Health Clinic is offering

Affected individuals who receive a notification letter are eligible for complimentary credit monitoring and identity protection services. CHC has stood up a dedicated enrollment line:

  • 877-648-0819, Monday through Friday, 8 a.m. to 8 p.m. Central Time, excluding holidays.
  • Written inquiries: CardioVascular Health Clinic, 3200 Quail Springs Parkway, Suite 200, Oklahoma City, OK 73134.

CHC has also stated it notified law enforcement and is reviewing its data-security policies and procedures.

Class-action status

As of mid-2026, no consolidated class-action complaint has been publicly docketed against CardioVascular Health Clinic, but multiple plaintiffs’ firms have opened investigations and are soliciting affected patients. These typically convert into filed complaints in federal court (Western District of Oklahoma is the likely venue) within 60 to 120 days of the notification mailing. If you receive a letter, preserve the envelope and a photo of the letter itself — both are evidentiary for class membership.

What to do if you may be affected

  • Watch for your letter. Notifications were mailed May 15, 2025. If you were a CHC patient and have not received one but believe you should have, call the dedicated line above to confirm whether your record was included.
  • Enroll in the offered credit monitoring. It is free, and accepting it does not waive your right to participate in a class action.
  • Freeze your credit with Experian, Equifax, and TransUnion. A freeze is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account identity theft.
  • Watch for medical-identity-theft signals. Review explanation-of-benefits statements from your health insurer for services you did not receive. Request a copy of your medical file from CHC and any other providers to check for fraudulent entries.
  • Bookmark this page. We update it as OCR revises the affected count, as a class action is filed, and as any settlement is announced.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.