Active breach tracker Chadds Ford, PA Disclosed January 28, 2026

CashFlow Solutions / Lympha Press Data Breach 2026: 1,007 Lymphedema Therapy Patients Exposed. What To Do

Cashflow Solutions, LLC (d/b/a Lympha Press), a Chadds Ford, Pennsylvania durable medical equipment supplier providing pneumatic compression therapy systems for lymphedema, lipedema, and venous insufficiency patients, filed an HHS OCR breach on January 28, 2026 affecting 1,007 individuals via unauthorized access at email. No entity notice or AG filing has surfaced. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 28, 2026

HHS OCR filing (incident date, discovery date, and notification dates not publicly disclosed)

Jan 28, 2026

Attacker gained access

Jan 28, 2026

Breach detected

Data exposed

02

Health records

Don't expire and can't be reissued

Likely a subset of: patient name, address, phone, DOB, treating provider, diagnosis (lymphedema / lipedema / chronic venous insufficiency), prescription / Letter of Medical Necessity data, garment sizing / fit measurements, insurance carrier and member ID, possibly partial financial info

03

Contact & insurance

Phishing + targeted scams

Full name (specific PHI categories not publicly disclosed)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Cashflow Solutions, LLC operates publicly as Lympha Press (also Lympha Press USA / Medical Solutions Supplier), a durable medical equipment (DME) supplier at 2 Christy Drive, Suite 315, Chadds Ford, Pennsylvania. The company distributes pneumatic compression therapy systems for lymphedema, lipedema, and chronic venous insufficiency patients.

As a direct-to-patient DME supplier that bills Medicare and commercial insurers and supports patients through clinical / therapist channels, Cashflow Solutions / Lympha Press is a HIPAA covered entity in its own right — not a downstream business associate.

The company filed with HHS OCR on January 28, 2026Unauthorized Access/Disclosure at Email — confirming 1,007 affected individuals.

Why this page is sparse

As of mid-May 2026 — more than 100 days after the OCR filing — no public disclosure beyond the OCR portal entry has surfaced:

  • No entity notice on lymphapress.com or any Cashflow Solutions domain.
  • Pennsylvania AG Notice of Data Incident page: no Cashflow Solutions or Lympha Press filing surfaced (PA does not maintain a fully searchable public AG breach archive comparable to Maine or Massachusetts; filings go to the AG but are not routinely posted).
  • HIPAA Journal January 2026 monthly report: no Cashflow Solutions / Lympha Press mention. The only PA entry that month was 360 Dental PC (ransomware, 11,273 individuals).
  • No CA AG, ME AG, MA AG filing surfaced.
  • No class-action filing or plaintiffs’ firm investigation announcement.
  • No Philadelphia Business Journal or DataBreaches.net coverage.

The HHS OCR row is the only public artifact.

Likely root cause

The “Unauthorized Access/Disclosure at Email” classification at a 1,007-individual scale typically maps to one of three patterns:

  1. Single mailbox compromise via phishing where ~1,007 patient records were stored in email attachments or threads
  2. Misdirected email containing PHI to wrong recipients
  3. Insider or former-employee mailbox access

For a DME supplier of Lympha Press’s profile, a single billing-staff mailbox is the most plausible vector — these accounts typically contain Letter of Medical Necessity correspondence, insurance verification records, garment-fit assessments, and shipping confirmations.

What was potentially exposed

Specific data categories have not been publicly disclosed. For a DME supplier providing therapy systems for lymphedema and lipedema, the typical email-resident PHI includes:

  • Patient name, address, phone
  • Date of birth
  • Treating provider name
  • Diagnosis (lymphedema, lipedema, chronic venous insufficiency — these are stigmatized conditions; exposure has employment and insurance underwriting implications)
  • Prescription / Letter of Medical Necessity data
  • Garment sizing and fit measurements
  • Insurance carrier and member ID
  • Possibly partial financial information (DME enrollment forms sometimes include SSN)

This is inference, not fact. Read your specific notification letter for the confirmed data elements.

What to do

  1. Read your specific notification letter if you received one. The mailed letter is currently the only authoritative source about your case.
  2. Call Lympha Press at 1-855-LYMPHEDEMA (1-855-596-7433) and ask whether your records were in the affected set.
  3. Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
  4. Watch your Medicare Summary Notice for unfamiliar DME claims (pneumatic compression devices are high-dollar Medicare items often targeted by fraud).
  5. If your lymphedema or lipedema diagnosis was in scope, consider whether you need to make proactive disclosures to employers or insurers before the information surfaces unprompted.
  6. Stop the ongoing flow of your DME and therapy data. HealthConsent files HIPAA restriction requests covering DME supplier and specialty-care pathways.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.