Active breach tracker WA Disclosed May 15, 2025

CareNexa, LLC, doing business as Molecular Testing Labs Data Breach 2025: 7,711 Affected · Vendor Ransomware Incident · WA. Filed With HHS OCR. What To Do.

CareNexa, LLC, doing business as Molecular Testing Labs (Vancouver, WA) filed a HIPAA breach notification with the HHS Office for Civil Rights on May 15, 2025, reporting 7,711 affected individuals after a ransomware attack on a third-party data hosting and security vendor exposed names, addresses, and information related to medical tests for the lab's STI, infectious-disease, and molecular diagnostics patients.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Mar 7, 2025

Related event

Mar 11, 2025

Related event

Mar 11, 2025

Breach detected

Apr 23, 2025

Related event

May 15, 2025

Related event

May 15, 2025

Disclosed publicly

Dec 10, 2025

Related event

Dec 12, 2025

Related event

Data exposed

03

Contact & insurance

Phishing + targeted scams

Names Addresses Information related to medical tests
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

CareNexa, LLC, doing business as Molecular Testing Labs (MTL), a Vancouver, Washington high-complexity clinical lab specializing in infectious disease, sexually transmitted infection (STI), molecular diagnostics, pharmacogenomics, and toxicology testing, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on May 15, 2025, reporting 7,711 affected individuals. The incident was not a direct compromise of MTL’s systems. According to MTL’s substitute notice, a third-party data hosting and security vendor retained by the lab suffered a ransomware attack between March 7 and March 11, 2025, exposing patient data that the vendor held on MTL’s behalf.

Subsequent state attorney general filings in December 2025 reported a substantially larger Texas-only count (27,618 residents), suggesting the federal 7,711 figure may understate the total population affected. The HHS OCR portal entry remains the primary federal regulatory record.

Timeline

  • March 7, 2025 — Unauthorized access to the vendor environment begins (per MTL’s forensic review).
  • March 11, 2025 — MTL learns the vendor has been hit by ransomware and that MTL data is affected.
  • April 23, 2025 — MTL mails individual notification letters to affected persons.
  • May 15, 2025 — MTL reports the breach to HHS OCR as a Hacking/IT Incident at Network Server, 7,711 individuals, with a business associate involved.
  • December 10, 2025 — Notice filed with the California Attorney General.
  • December 12, 2025 — Notice filed with the Texas Attorney General; 27,618 Texas residents reported.

What was exposed

Per MTL’s notification, the data elements that may have been exposed include:

  • Names
  • Addresses
  • Information related to medical tests

Some legal-investigation notices and class-action solicitations describe a broader element set (dates of birth, Social Security numbers, medical information, health insurance details). MTL’s own published notice and PR Newswire release list only names, addresses, and test-related information. Affected individuals should rely on their personal notification letter, which itemizes the specific elements exposed for their record.

Why this lab’s data is unusually sensitive

Molecular Testing Labs is not a general-purpose clinical lab. Its public service catalog centers on:

  • Sexually transmitted infection (STI) testing, including the first FDA-cleared at-home self-collected 4-plex STI panel (chlamydia, gonorrhea, trichomonas, mycoplasma genitalium), plus hepatitis B/C, HSV-2, syphilis, and HPV.
  • Molecular diagnostics and targeted sequencing, SNP genotyping, and high-resolution immune profiling.
  • Pharmacogenomics and toxicology panels.

Test-related information in this context can reveal STI status, genetic markers, or substance-use testing results — categories of health data that carry heightened stigma and discrimination risk well beyond a generic “medical information” label. Patients should treat any exposure of their MTL test data accordingly.

What MTL is offering

MTL is providing complimentary credit monitoring and fraud assistance services through Cyberscout, a TransUnion company, to affected individuals. The standard support line published in MTL’s notice is (888) 686-4602, Monday–Friday 9:00 a.m. to 7:00 p.m. Eastern (excluding holidays). Enrollment instructions are included in the individual notification letter.

Class action status

Multiple plaintiffs’ firms have publicly announced investigations into potential class-action litigation against CareNexa / MTL, including Federman & Sherwood, Srourian Law Firm, Migliaccio & Rathod LLP, and Emery Reddy. As of this writing, no consolidated class action filing or settlement has been publicly reported.

What to do if you may be affected

  • Read your notification letter carefully. It will list the specific data elements exposed for your record and include the activation code for the Cyberscout credit-monitoring offer. Enroll before the deadline stated in the letter.
  • Freeze your credit with the three nationwide consumer reporting agencies. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft.
  • Consider the sensitivity of test data. If you used MTL for STI screening, genetic testing, or toxicology, factor that into how you respond — for example, be alert to targeted phishing or extortion attempts that reference health details.
  • Watch your health-insurance Explanation of Benefits statements for charges you do not recognize, which can indicate medical identity theft.
  • Bookmark this page. We update it as state AG filings, court dockets, or further substitute notices add detail.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.