Active breach tracker NY Disclosed August 18, 2025

CareTracker, Inc. (Amazing Charts) Data Breach 2025: 501+ Affected · Vendor Breach · NY/RI. What To Do.

CareTracker, Inc. (d/b/a Amazing Charts) disclosed a 2025 vendor-network breach affecting at least 501 patients. Unauthorized access occurred June 15-19, 2025, was filed with HHS OCR on August 18, 2025, and notification letters went out November 12, 2025. Multiple class-action investigations underway.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jun 15, 2025

Related event

Jun 19, 2025

Related event

Jun 19, 2025

Breach detected

Aug 18, 2025

Related event

Aug 18, 2025

Disclosed publicly

Oct 29, 2025

Related event

Nov 12, 2025

Related event

Nov 13, 2025

Related event

Data exposed

02

Health records

Don't expire and can't be reissued

Diagnoses Treatment information Medical record numbers

03

Contact & insurance

Phishing + targeted scams

Names Physician names Health insurance information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

CareTracker, Inc., which operates as Amazing Charts, is an electronic health record and practice-management software vendor that serves independent medical practices across the United States. In the summer of 2025, the company detected unauthorized access to a network operated by one of its third-party service providers. The incident exposed protected health information for at least 501 patients of a single physician practice, and the company has indicated that additional practices and patients may also be affected as the review continues. The breach was filed with the HHS Office for Civil Rights on August 18, 2025, and individual notification letters began going out on November 12, 2025.

Timeline

  • June 15, 2025 — Unauthorized access to the third-party service provider’s network begins.
  • June 19, 2025 — Amazing Charts identifies unusual activity on the vendor-managed system; the intrusion window closes the same day.
  • August 18, 2025 — Breach reported to the HHS Office for Civil Rights as a Hacking/IT Incident at Network Server, affecting 501 individuals (interim figure tied to a single physician practice).
  • October 29, 2025 — Forensic data review concludes, identifying the categories of information involved.
  • November 12, 2025 — Notification letters begin mailing to impacted individuals; the company files notice with the California Attorney General.
  • November 13–14, 2025 — Multiple plaintiff firms publicly announce class-action investigations.

What was exposed

According to the substitute notice and the California Attorney General filing, the data potentially accessed includes:

  • Names
  • Diagnoses
  • Treatment information
  • Physician names
  • Medical record numbers
  • Health insurance information

Amazing Charts has stated that, as of the date of notification, it had not identified any misuse of the affected information.

What CareTracker is offering

Affected individuals are being offered 12 months of complimentary Experian IdentityWorks credit-monitoring and identity-restoration services. The notice includes instructions for enrollment and a dedicated support line for questions about the incident.

Class-action investigations

Within days of the November notification, at least four plaintiff firms publicly announced investigations into potential class-action litigation against CareTracker, Inc. d/b/a Amazing Charts: Cole & Van Note, Strauss Borrelli PLLC, Federman & Sherwood, and Srourian Law Firm. These are investigations, not filed complaints, as of the most recent public reporting. Likely theories include negligence, breach of implied contract, and violations of state consumer-protection and health-information statutes. We will update this page if and when a complaint is filed and docketed.

What to do if you may be affected

  • Read your notification letter carefully. It lists the specific data elements implicated for your account and the enrollment code for the offered credit monitoring.
  • Enroll in the offered Experian IdentityWorks coverage before the deadline printed on the letter. It is paid for and adds a layer of fraud-alert monitoring.
  • Freeze your credit with Equifax, Experian, and TransUnion. A freeze is free, takes about ten minutes per bureau, and is more protective than monitoring alone.
  • Review your Explanation of Benefits statements from your health insurer for services you did not receive. Medical-identity theft typically surfaces there first.
  • Be alert to phishing. Threat actors often target individuals named in published breach notices with follow-on scams that impersonate the breached entity or its credit-monitoring vendor.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.