Clinical Practices of the University of Pennsylvania (CPUP) 2025 Data Breach: 1,432 Patients · Paper/Films Unauthorized Disclosure · PA
Clinical Practices of the University of Pennsylvania, the Penn Medicine faculty practice group, filed a HIPAA breach with HHS OCR on June 30, 2025 covering 1,432 individuals. The OCR portal classifies the incident as Unauthorized Access/Disclosure involving Paper/Films. This is a paper-records incident and is unrelated to UPenn's October/November 2025 cybersecurity events.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jun 30, 2025
filed
Jun 30, 2025
Disclosed publicly
Jun 30, 2025
filed
Jun 30, 2025
Disclosed publicly
Data exposed
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Clinical Practices of the University of Pennsylvania (CPUP), the faculty physician practice group inside the Penn Medicine system, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on June 30, 2025, reporting 1,432 affected individuals. The OCR portal classifies the incident as Unauthorized Access/Disclosure with the location of breached information listed as Paper/Films. CPUP is a healthcare provider organized under the University of Pennsylvania Health System and based in Pennsylvania.
This page covers only that paper-records OCR filing. It does not describe the separate October 2025 UPenn social-engineering breach of alumni and donor systems, or the November 2025 UPenn Oracle E-Business Suite incident. Penn Medicine’s electronic medical records were not implicated in those university-side events, and the CPUP filing here is a distinct, smaller, paper-or-film-based regulatory disclosure.
Timeline
- June 30, 2025 — CPUP files a HIPAA breach report with HHS OCR covering 1,432 individuals; type recorded as Unauthorized Access/Disclosure; location of breached information recorded as Paper/Films.
The OCR portal entry remains the only authoritative public record of this incident at this time. We have not located a CPUP or Penn Medicine substitute-notice press release, a Pennsylvania Attorney General filing, an established trade-press writeup, or a class-action complaint specifically tied to this filing.
What was exposed
The OCR portal does not itemize individual data elements for small paper-or-film breaches. The only classification publicly disclosed is Paper/Films — Unauthorized Access/Disclosure. In practice, this category typically reflects mailings sent to the wrong recipient, paper charts viewed or removed without authorization, lost or misfiled films or printouts, or similar non-electronic exposures. Specific PHI elements (names, addresses, dates of service, diagnoses, insurance details, or any identifiers) have not been publicly itemized for this filing.
We will not speculate beyond what OCR has published. If a CPUP or Penn Medicine substitute notice is later posted, or individual notification letters surface, this page will be updated to list the actual data elements named.
What CPUP is offering affected individuals
No public statement from CPUP or Penn Medicine has been located describing complimentary credit monitoring, identity-restoration services, or call-center support tied to this specific filing. Penn Medicine’s general HIPAA Notice of Privacy Practices and Office of Audit, Compliance and Privacy contact information remain the standing channels for patient privacy questions.
Class-action status
No class-action complaint has been identified that specifically names this CPUP June 30, 2025 OCR filing. (Pending class-action litigation against the University of Pennsylvania reported in early 2026 relates to the unrelated October 2025 alumni/donor cyber incident, not to this Penn Medicine paper-records filing.)
What to do if you may be affected
Until CPUP publishes a substitute notice or you receive an individual notification letter, the protective steps are generic but worthwhile:
- Freeze your credit at the three nationwide consumer reporting agencies. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft.
- Watch for a notification letter at the address on file with Penn Medicine or CPUP. Letters typically follow an OCR filing by a few weeks and will list the specific data elements involved.
- Contact Penn Medicine’s privacy office with questions about your own records. Penn’s Office of Audit, Compliance and Privacy publishes Privacy Officer contact information for the health system.
- Bookmark this page. We update it as substitute notices, AG filings, or court filings become available.
Sources
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach (search “Clinical Practices of the University of Pennsylvania”).
- Penn Medicine — HIPAA Notice of Privacy Practices — patient-facing privacy notice for the Penn Medicine system, of which CPUP is a part.
- Penn — Office of Audit, Compliance and Privacy: Privacy Officers — official privacy-officer contacts for the University of Pennsylvania Health System.
- Penn Medicine — Clinical Practices of the University of Pennsylvania (entity description) — describes CPUP as the faculty practice group within Penn Medicine.
- Privacy Rights Clearinghouse — Penn Medicine breach history — independent tracker of Penn Medicine-related breach filings.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Penn Medicine — HIPAA Notice of Privacy Practices
- Penn — Office of Audit, Compliance and Privacy: Privacy Officers
- Penn Medicine — Nursing at the Clinical Practices of the University of Pennsylvania (entity description)
- Privacy Rights Clearinghouse — Penn Medicine breach history
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.