CardioVascular Health Clinic Data Breach 2025: Cloud-Provider Incident Exposes Patient PHI in Oklahoma
CardioVascular Health Clinic (Oklahoma City) reported a data breach to HHS OCR on May 3, 2025 after an unauthorized actor accessed patient data between Feb 18 and Mar 4, 2025 through a cloud services provider. Notification letters mailed May 15, 2025. Class-action investigations underway.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 18, 2025
Unauthorized access to data via cloud services provider begins
Mar 4, 2025
Network disruption detected; unauthorized access ends
May 3, 2025
Breach reported to HHS Office for Civil Rights (501 interim)
May 15, 2025
Individual notification letters mailed to affected patients
May 20, 2025
Class-action investigations opened by plaintiffs' firms
Feb 18, 2025
Unauthorized access to data via cloud services provider begins
Mar 4, 2025
Network disruption detected; unauthorized access ends
May 3, 2025
Breach reported to HHS Office for Civil Rights (501 interim)
May 15, 2025
Individual notification letters mailed to affected patients
May 20, 2025
Class-action investigations opened by plaintiffs' firms
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
CardioVascular Health Clinic (CHC), an Oklahoma City-based cardiology and vascular care network that operates clinic locations across Oklahoma, reported a data breach to the U.S. Department of Health and Human Services Office for Civil Rights on May 3, 2025, after an unauthorized actor accessed patient information between February 18 and March 4, 2025 through a security incident affecting CHC’s cloud services provider. CHC detected the intrusion on March 4, 2025 after a network disruption, and mailed individual notification letters to affected patients on May 15, 2025. The clinic submitted a placeholder figure of 501 individuals to OCR while file review continues, so the final count is expected to be revised upward.
This is classified as a vendor / third-party cloud incident rather than a direct compromise of CHC’s own network. The clinic has not publicly identified the cloud provider or the threat actor, and no ransomware group has claimed responsibility on a public leak site as of this writing.
Timeline
- Feb 18, 2025 — Unauthorized actor begins accessing information stored on CHC’s cloud-hosted network.
- Mar 4, 2025 — Network disruption detected. CHC engages cybersecurity experts and begins forensic review. Unauthorized access ends.
- May 3, 2025 — CHC files a HIPAA Breach Notification Rule report with HHS OCR, using an interim count of 501 affected individuals.
- May 15, 2025 — Individual notification letters mailed to patients with addresses on file. Substitute notice posted at cvhealthclinic.com.
- Late May 2025 — Plaintiffs’ firms (Ahdoot & Wolfson, The Lyon Firm, and others) publicly open class-action investigations.
What was exposed
CHC’s notice states the categories of information varied by individual but may include:
- Name, address, phone number, email address
- Date of birth
- Social Security number
- Driver’s license or state ID number
- Financial account information
- Treatment and diagnosis information
- Prescription information
- Provider name
- Medical record or case number
- Medicare / Medicaid ID number
- Health insurance information
- Treatment cost
This is a near-complete personal and clinical profile. The combination of Social Security number, financial account information, and Medicare/Medicaid ID makes this dataset usable for both financial-identity theft and medical-identity theft (filing fraudulent claims under a victim’s coverage).
What CardioVascular Health Clinic is offering
Affected individuals who receive a notification letter are eligible for complimentary credit monitoring and identity protection services. CHC has stood up a dedicated enrollment line:
- 877-648-0819, Monday through Friday, 8 a.m. to 8 p.m. Central Time, excluding holidays.
- Written inquiries: CardioVascular Health Clinic, 3200 Quail Springs Parkway, Suite 200, Oklahoma City, OK 73134.
CHC has also stated it notified law enforcement and is reviewing its data-security policies and procedures.
Class-action status
As of mid-2026, no consolidated class-action complaint has been publicly docketed against CardioVascular Health Clinic, but multiple plaintiffs’ firms have opened investigations and are soliciting affected patients. These typically convert into filed complaints in federal court (Western District of Oklahoma is the likely venue) within 60 to 120 days of the notification mailing. If you receive a letter, preserve the envelope and a photo of the letter itself — both are evidentiary for class membership.
What to do if you may be affected
- Watch for your letter. Notifications were mailed May 15, 2025. If you were a CHC patient and have not received one but believe you should have, call the dedicated line above to confirm whether your record was included.
- Enroll in the offered credit monitoring. It is free, and accepting it does not waive your right to participate in a class action.
- Freeze your credit with Experian, Equifax, and TransUnion. A freeze is free, takes about ten minutes per bureau, and is the single highest-leverage step against new-account identity theft.
- Watch for medical-identity-theft signals. Review explanation-of-benefits statements from your health insurer for services you did not receive. Request a copy of your medical file from CHC and any other providers to check for fraudulent entries.
- Bookmark this page. We update it as OCR revises the affected count, as a class action is filed, and as any settlement is announced.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- CardioVascular Health Clinic Notice of Data Incident — the entity’s own substitute notice.
- HIPAA Journal coverage of the CardioVascular Health Clinic and Hunter Health Clinic breaches — established trade press summary.
- ClassAction.org investigation page for the CardioVascular Health Clinic data breach — class-action tracker.
- Ahdoot and Wolfson class-action investigation for the CardioVascular Health Clinic breach — plaintiffs’ firm investigation notice.
- The Lyon Firm investigation of the CardioVascular Health Clinic data breach — plaintiffs’ firm investigation notice.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- CardioVascular Health Clinic — Notice of Data Incident
- HIPAA Journal — CardioVascular Health Clinic & Hunter Health Clinic Announce Data Breaches
- ClassAction.org — CardioVascular Health Clinic Data Breach Lawsuit Investigation
- Ahdoot & Wolfson — CardioVascular Health Clinic Class Action Investigation
- The Lyon Firm — CardioVascular Health Clinic Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.