CareTracker, Inc. (Amazing Charts) Data Breach 2025: 501+ Affected · Vendor Breach · NY/RI. What To Do.
CareTracker, Inc. (d/b/a Amazing Charts) disclosed a 2025 vendor-network breach affecting at least 501 patients. Unauthorized access occurred June 15-19, 2025, was filed with HHS OCR on August 18, 2025, and notification letters went out November 12, 2025. Multiple class-action investigations underway.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jun 15, 2025
Related event
Jun 19, 2025
Related event
Jun 19, 2025
Breach detected
Aug 18, 2025
Related event
Aug 18, 2025
Disclosed publicly
Oct 29, 2025
Related event
Nov 12, 2025
Related event
Nov 13, 2025
Related event
Jun 15, 2025
Related event
Jun 19, 2025
Related event
Jun 19, 2025
Breach detected
Aug 18, 2025
Related event
Aug 18, 2025
Disclosed publicly
Oct 29, 2025
Related event
Nov 12, 2025
Related event
Nov 13, 2025
Related event
Data exposed
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
CareTracker, Inc., which operates as Amazing Charts, is an electronic health record and practice-management software vendor that serves independent medical practices across the United States. In the summer of 2025, the company detected unauthorized access to a network operated by one of its third-party service providers. The incident exposed protected health information for at least 501 patients of a single physician practice, and the company has indicated that additional practices and patients may also be affected as the review continues. The breach was filed with the HHS Office for Civil Rights on August 18, 2025, and individual notification letters began going out on November 12, 2025.
Timeline
- June 15, 2025 — Unauthorized access to the third-party service provider’s network begins.
- June 19, 2025 — Amazing Charts identifies unusual activity on the vendor-managed system; the intrusion window closes the same day.
- August 18, 2025 — Breach reported to the HHS Office for Civil Rights as a Hacking/IT Incident at Network Server, affecting 501 individuals (interim figure tied to a single physician practice).
- October 29, 2025 — Forensic data review concludes, identifying the categories of information involved.
- November 12, 2025 — Notification letters begin mailing to impacted individuals; the company files notice with the California Attorney General.
- November 13–14, 2025 — Multiple plaintiff firms publicly announce class-action investigations.
What was exposed
According to the substitute notice and the California Attorney General filing, the data potentially accessed includes:
- Names
- Diagnoses
- Treatment information
- Physician names
- Medical record numbers
- Health insurance information
Amazing Charts has stated that, as of the date of notification, it had not identified any misuse of the affected information.
What CareTracker is offering
Affected individuals are being offered 12 months of complimentary Experian IdentityWorks credit-monitoring and identity-restoration services. The notice includes instructions for enrollment and a dedicated support line for questions about the incident.
Class-action investigations
Within days of the November notification, at least four plaintiff firms publicly announced investigations into potential class-action litigation against CareTracker, Inc. d/b/a Amazing Charts: Cole & Van Note, Strauss Borrelli PLLC, Federman & Sherwood, and Srourian Law Firm. These are investigations, not filed complaints, as of the most recent public reporting. Likely theories include negligence, breach of implied contract, and violations of state consumer-protection and health-information statutes. We will update this page if and when a complaint is filed and docketed.
What to do if you may be affected
- Read your notification letter carefully. It lists the specific data elements implicated for your account and the enrollment code for the offered credit monitoring.
- Enroll in the offered Experian IdentityWorks coverage before the deadline printed on the letter. It is paid for and adds a layer of fraud-alert monitoring.
- Freeze your credit with Equifax, Experian, and TransUnion. A freeze is free, takes about ten minutes per bureau, and is more protective than monitoring alone.
- Review your Explanation of Benefits statements from your health insurer for services you did not receive. Medical-identity theft typically surfaces there first.
- Be alert to phishing. Threat actors often target individuals named in published breach notices with follow-on scams that impersonate the breached entity or its credit-monitoring vendor.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record of this breach.
- HIPAA Journal — EHR Vendor Identifies Business Associate Data Breach — established trade-press coverage of the incident.
- California Attorney General — Data Security Breach List — state regulator’s public breach registry.
- Cole & Van Note — CareTracker / Amazing Charts Data Breach Investigation — plaintiff-firm investigation announcement.
- Strauss Borrelli PLLC — Amazing Charts Data Breach Investigation — plaintiff-firm investigation announcement.
- Federman & Sherwood — CareTracker / Amazing Charts Data Breach — plaintiff-firm investigation announcement.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — EHR Vendor Identifies Business Associate Data Breach
- California Attorney General — Data Security Breach List
- Cole & Van Note — CareTracker / Amazing Charts Data Breach Investigation
- Strauss Borrelli PLLC — Amazing Charts Data Breach Investigation
- Federman & Sherwood — CareTracker / Amazing Charts Data Breach
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.