Active breach tracker Albany, NY Disclosed August 25, 2025

College Parkside Pharmacy Data Breach 2025: 5,736 Affected · Hacking/IT Incident · NY. Filed With HHS OCR. What To Do.

College Parkside Pharmacy in Albany, New York filed a HIPAA breach notification with the HHS Office for Civil Rights on August 25, 2025 reporting 5,736 affected individuals after attackers accessed its network server between August 31 and September 14, 2024. Exfiltrated data included names, Social Security numbers, driver's license numbers, health insurance and prescription records, and payment information.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Aug 31, 2024

Unauthorized network access begins

Sep 14, 2024

Unusual activity detected on the pharmacy's network; external cybersecurity specialists engaged

May 30, 2025

Forensic review of affected files completed

Jun 16, 2025

Individual notification letters begin mailing

Aug 25, 2025

HIPAA breach notification filed with HHS Office for Civil Rights (5,736 affected)

Sep 4, 2025

Plaintiffs' firms (Strauss Borrelli, Barnow and Associates, Federman & Sherwood) announce class-action investigations

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers Driver's license numbers and other government IDs

02

Health records

Don't expire and can't be reissued

Medical record numbers, diagnoses, and treatment information Prescription information

03

Contact & insurance

Phishing + targeted scams

Names and contact information Dates of birth Financial account and routing numbers Payment card numbers and expiration dates Health insurance information Provider names
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

College Parkside Pharmacy, a community pharmacy in Albany, New York affiliated with the Albany College of Pharmacy and Health Sciences, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on August 25, 2025, reporting 5,736 affected individuals. According to the pharmacy’s notice and reporting in HIPAA Journal, attackers accessed the pharmacy’s network server between August 31 and September 14, 2024, and exfiltrated a limited set of files before the intrusion was detected. The OCR portal classifies the event as a Hacking/IT Incident at a Network Server.

Timeline

  • August 31, 2024 — Unauthorized access to the pharmacy’s network begins, according to the forensic timeline the pharmacy later disclosed.
  • September 14, 2024 — Pharmacy IT staff detect unusual activity and engage external cybersecurity specialists, who confirm unauthorized access and limited data exfiltration during the two-week window.
  • May 30, 2025 — Review of the affected files completes, identifying which individuals and which data elements were involved.
  • June 16, 2025 — College Parkside Pharmacy begins mailing individual notification letters to affected patients.
  • August 25, 2025 — The pharmacy files its HIPAA breach notification with the HHS Office for Civil Rights, naming 5,736 affected individuals.
  • September 4–5, 2025 — Multiple plaintiffs’ firms, including Strauss Borrelli PLLC, Barnow and Associates, and Federman & Sherwood, announce investigations into potential class-action claims.

Exposed data

The pharmacy’s notification letter and state attorney general filings describe a broad set of exposed data elements. For any given individual, the specific combination varies and is identified in that person’s letter. The categories reported across the population include:

  • Names and contact information
  • Dates of birth
  • Social Security numbers
  • Driver’s license numbers and other government identification numbers
  • Financial account and routing numbers
  • Payment card numbers and expiration dates
  • Health insurance information
  • Medical record numbers, diagnoses, and treatment information
  • Prescription information and provider names

This combination, particularly Social Security numbers paired with health insurance and prescription details, is considered high-risk for identity theft, medical identity theft, and insurance fraud.

What College Parkside Pharmacy is offering

Publicly available reporting does not confirm whether complimentary credit monitoring or identity-theft protection was offered, or for what duration. The individual notification letter sent to each affected person is the authoritative source for the offering and the enrollment code; recipients should consult that letter for instructions and any deadline to enroll.

Class-action activity

As of this writing, no class-action complaint has been publicly filed, but at least three plaintiffs’ firms have announced investigations into potential litigation related to the breach. Affected patients have not yet been certified into a class and there is no settlement to claim against at this stage.

What to do if you may be affected

  • Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft when Social Security numbers are involved.
  • Read your notification letter carefully. It lists the specific data elements exposed for your record and any complimentary credit-monitoring or identity-theft protection offered, along with the enrollment code and any deadline.
  • Watch your insurance Explanation of Benefits statements for prescriptions, claims, or providers you do not recognize. Medical identity theft often shows up there before it appears on a credit report.
  • Bookmark this page. We update it as new state attorney general filings, court complaints, or settlement notices become public.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.