Active breach tracker Red Wing, MN Disclosed April 10, 2026

C.A.R.E. Clinic Red Wing Data Breach 2026: 500 Minnesota Free Clinic Patients Exposed via Email Compromise. What To Do

C.A.R.E. Clinic in Red Wing, Minnesota, a volunteer-physician free clinic serving uninsured adults in Goodhue County, filed an HHS OCR breach in April 2026 affecting 500 individuals via email compromise. Likely near-total active patient panel exposure at this small Tuesday-evening volunteer clinic. Limited public disclosure. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 10, 2026

HHS OCR filing (incident timeline and discovery date not publicly disclosed)

Apr 10, 2026

Attacker gained access

Apr 10, 2026

Breach detected

Data exposed

03

Contact & insurance

Phishing + targeted scams

Full name (specific PHI categories not publicly disclosed) Likely entire active patient roster — 500 matches HHS reporting floor and approximates the clinic's volunteer-driven panel

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Shamis & Gentile P.A. (publicly investigating per ClaimDepot — though ClaimDepot mis-identifies entity as Fayetteville NC CARE Clinic)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

C.A.R.E. Clinic is a volunteer-physician free clinic at 906 College Avenue in Red Wing, Minnesota (Mayo Clinic Seminary Professional Building). The clinic serves uninsured adults in Goodhue County and Lake City, founded in 2010. Operations are minimal — a Tuesday-evening clinic (4 to 8 p.m.) with 2 to 4 volunteer providers, eligibility-gated at ~275% Federal Poverty Level.

C.A.R.E. Clinic filed with HHS OCR on April 10, 2026 — Hacking/IT Incident at Email — confirming 500 affected individuals. The 500 count is exactly the HHS reporting floor and is consistent with near-total active patient panel exposure at this tiny volunteer-driven clinic.

A single compromised staff email at a one-evening-per-week clinic plausibly exposes the entire active panel.

Important entity disambiguation

There are two real “CARE Clinic” nonprofits in the US, both free clinics for uninsured adults:

  1. C.A.R.E. Clinic in Red Wing, Minnesota (Goodhue County) — this filing
  2. The CARE Clinic in Fayetteville, North Carolina (Cumberland County, serving Fort Liberty area, founded 1993)

Third-party legal-lead-gen sites (e.g., ClaimDepot) appear to have misidentified this OCR filing as the Fayetteville NC entity by name-matching alone, ignoring the HHS state field. The canonical state is Minnesota per the HHS OCR portal entry.

Why this page is sparse

As of mid-May 2026, no entity notice has been posted on careclinicrw.com. No HIPAA Journal, Star Tribune, or MinnPost coverage has surfaced. No Minnesota AG filing has been located. The only “coverage” is the misidentified ClaimDepot investigation page.

This is normal for a sub-1,000-individual rural free-clinic email incident — these don’t trigger major-media thresholds.

What was likely exposed

C.A.R.E. Clinic has not publicly enumerated specific PHI categories. For a free clinic providing primary care, the typical email account would contain a subset of:

  • Full name, contact information, date of birth
  • Health condition / diagnosis information
  • Medication and prescription records
  • Possibly insurance / Medicaid eligibility data

C.A.R.E. Clinic’s patient population is by definition uninsured low-income adults, so credit card and detailed financial account information is less likely to be in scope. SSN exposure is plausible but unconfirmed.

If you receive a notification letter, it will list the specific data elements involved in your case.

What to do

  1. Call C.A.R.E. Clinic for guidance on whether you have been notified and what monitoring (if any) is offered.
  2. Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
  3. Watch for unfamiliar Medicaid or insurance enrollment activity in your name — uninsured-patient data is sometimes used to fraudulently enroll victims in coverage and bill claims.
  4. If you are connected to volunteer or sliding-scale care networks, recognize that the breach is unlikely to be picked up by mainstream press given the clinic’s size, but the personal exposure can still be material.
  5. Stop the ongoing flow of your free-clinic records. HealthConsent files HIPAA restriction requests covering safety-net and free-clinic data pathways.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.