CareNexa, LLC, doing business as Molecular Testing Labs Data Breach 2025: 7,711 Affected · Vendor Ransomware Incident · WA. Filed With HHS OCR. What To Do.
CareNexa, LLC, doing business as Molecular Testing Labs (Vancouver, WA) filed a HIPAA breach notification with the HHS Office for Civil Rights on May 15, 2025, reporting 7,711 affected individuals after a ransomware attack on a third-party data hosting and security vendor exposed names, addresses, and information related to medical tests for the lab's STI, infectious-disease, and molecular diagnostics patients.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Mar 7, 2025
Related event
Mar 11, 2025
Related event
Mar 11, 2025
Breach detected
Apr 23, 2025
Related event
May 15, 2025
Related event
May 15, 2025
Disclosed publicly
Dec 10, 2025
Related event
Dec 12, 2025
Related event
Mar 7, 2025
Related event
Mar 11, 2025
Related event
Mar 11, 2025
Breach detected
Apr 23, 2025
Related event
May 15, 2025
Related event
May 15, 2025
Disclosed publicly
Dec 10, 2025
Related event
Dec 12, 2025
Related event
Data exposed
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
CareNexa, LLC, doing business as Molecular Testing Labs (MTL), a Vancouver, Washington high-complexity clinical lab specializing in infectious disease, sexually transmitted infection (STI), molecular diagnostics, pharmacogenomics, and toxicology testing, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on May 15, 2025, reporting 7,711 affected individuals. The incident was not a direct compromise of MTL’s systems. According to MTL’s substitute notice, a third-party data hosting and security vendor retained by the lab suffered a ransomware attack between March 7 and March 11, 2025, exposing patient data that the vendor held on MTL’s behalf.
Subsequent state attorney general filings in December 2025 reported a substantially larger Texas-only count (27,618 residents), suggesting the federal 7,711 figure may understate the total population affected. The HHS OCR portal entry remains the primary federal regulatory record.
Timeline
- March 7, 2025 — Unauthorized access to the vendor environment begins (per MTL’s forensic review).
- March 11, 2025 — MTL learns the vendor has been hit by ransomware and that MTL data is affected.
- April 23, 2025 — MTL mails individual notification letters to affected persons.
- May 15, 2025 — MTL reports the breach to HHS OCR as a Hacking/IT Incident at Network Server, 7,711 individuals, with a business associate involved.
- December 10, 2025 — Notice filed with the California Attorney General.
- December 12, 2025 — Notice filed with the Texas Attorney General; 27,618 Texas residents reported.
What was exposed
Per MTL’s notification, the data elements that may have been exposed include:
- Names
- Addresses
- Information related to medical tests
Some legal-investigation notices and class-action solicitations describe a broader element set (dates of birth, Social Security numbers, medical information, health insurance details). MTL’s own published notice and PR Newswire release list only names, addresses, and test-related information. Affected individuals should rely on their personal notification letter, which itemizes the specific elements exposed for their record.
Why this lab’s data is unusually sensitive
Molecular Testing Labs is not a general-purpose clinical lab. Its public service catalog centers on:
- Sexually transmitted infection (STI) testing, including the first FDA-cleared at-home self-collected 4-plex STI panel (chlamydia, gonorrhea, trichomonas, mycoplasma genitalium), plus hepatitis B/C, HSV-2, syphilis, and HPV.
- Molecular diagnostics and targeted sequencing, SNP genotyping, and high-resolution immune profiling.
- Pharmacogenomics and toxicology panels.
Test-related information in this context can reveal STI status, genetic markers, or substance-use testing results — categories of health data that carry heightened stigma and discrimination risk well beyond a generic “medical information” label. Patients should treat any exposure of their MTL test data accordingly.
What MTL is offering
MTL is providing complimentary credit monitoring and fraud assistance services through Cyberscout, a TransUnion company, to affected individuals. The standard support line published in MTL’s notice is (888) 686-4602, Monday–Friday 9:00 a.m. to 7:00 p.m. Eastern (excluding holidays). Enrollment instructions are included in the individual notification letter.
Class action status
Multiple plaintiffs’ firms have publicly announced investigations into potential class-action litigation against CareNexa / MTL, including Federman & Sherwood, Srourian Law Firm, Migliaccio & Rathod LLP, and Emery Reddy. As of this writing, no consolidated class action filing or settlement has been publicly reported.
What to do if you may be affected
- Read your notification letter carefully. It will list the specific data elements exposed for your record and include the activation code for the Cyberscout credit-monitoring offer. Enroll before the deadline stated in the letter.
- Freeze your credit with the three nationwide consumer reporting agencies. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft.
- Consider the sensitivity of test data. If you used MTL for STI screening, genetic testing, or toxicology, factor that into how you respond — for example, be alert to targeted phishing or extortion attempts that reference health details.
- Watch your health-insurance Explanation of Benefits statements for charges you do not recognize, which can indicate medical identity theft.
- Bookmark this page. We update it as state AG filings, court dockets, or further substitute notices add detail.
Sources on this page
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- Molecular Testing Labs — Notice of Data Security Incident (PR Newswire) — MTL’s official public notice.
- California Attorney General — MTL Notice Letter (PDF) — copy of the individual notification letter filed with the California AG.
- HIPAA Journal — Ransomware Gangs Attack Clinical and Pathology Laboratories — trade-press coverage placing the MTL incident in context.
- Federman & Sherwood — CareNexa / MTL Investigation Notice — class-action investigation notice.
- Migliaccio & Rathod LLP — Molecular Testing Labs Data Breach Investigation — class-action investigation notice.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Molecular Testing Labs — Notice of Data Security Incident (PR Newswire)
- California Attorney General — MTL Notice Letter (PDF)
- HIPAA Journal — Ransomware Gangs Attack Clinical and Pathology Laboratories
- Federman & Sherwood — CareNexa / MTL Investigation Notice
- Migliaccio & Rathod LLP — Molecular Testing Labs Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.