College Parkside Pharmacy Data Breach 2025: 5,736 Affected · Hacking/IT Incident · NY. Filed With HHS OCR. What To Do.
College Parkside Pharmacy in Albany, New York filed a HIPAA breach notification with the HHS Office for Civil Rights on August 25, 2025 reporting 5,736 affected individuals after attackers accessed its network server between August 31 and September 14, 2024. Exfiltrated data included names, Social Security numbers, driver's license numbers, health insurance and prescription records, and payment information.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Aug 31, 2024
Unauthorized network access begins
Sep 14, 2024
Unusual activity detected on the pharmacy's network; external cybersecurity specialists engaged
May 30, 2025
Forensic review of affected files completed
Jun 16, 2025
Individual notification letters begin mailing
Aug 25, 2025
HIPAA breach notification filed with HHS Office for Civil Rights (5,736 affected)
Sep 4, 2025
Plaintiffs' firms (Strauss Borrelli, Barnow and Associates, Federman & Sherwood) announce class-action investigations
Aug 31, 2024
Unauthorized network access begins
Sep 14, 2024
Unusual activity detected on the pharmacy's network; external cybersecurity specialists engaged
May 30, 2025
Forensic review of affected files completed
Jun 16, 2025
Individual notification letters begin mailing
Aug 25, 2025
HIPAA breach notification filed with HHS Office for Civil Rights (5,736 affected)
Sep 4, 2025
Plaintiffs' firms (Strauss Borrelli, Barnow and Associates, Federman & Sherwood) announce class-action investigations
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
College Parkside Pharmacy, a community pharmacy in Albany, New York affiliated with the Albany College of Pharmacy and Health Sciences, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on August 25, 2025, reporting 5,736 affected individuals. According to the pharmacy’s notice and reporting in HIPAA Journal, attackers accessed the pharmacy’s network server between August 31 and September 14, 2024, and exfiltrated a limited set of files before the intrusion was detected. The OCR portal classifies the event as a Hacking/IT Incident at a Network Server.
Timeline
- August 31, 2024 — Unauthorized access to the pharmacy’s network begins, according to the forensic timeline the pharmacy later disclosed.
- September 14, 2024 — Pharmacy IT staff detect unusual activity and engage external cybersecurity specialists, who confirm unauthorized access and limited data exfiltration during the two-week window.
- May 30, 2025 — Review of the affected files completes, identifying which individuals and which data elements were involved.
- June 16, 2025 — College Parkside Pharmacy begins mailing individual notification letters to affected patients.
- August 25, 2025 — The pharmacy files its HIPAA breach notification with the HHS Office for Civil Rights, naming 5,736 affected individuals.
- September 4–5, 2025 — Multiple plaintiffs’ firms, including Strauss Borrelli PLLC, Barnow and Associates, and Federman & Sherwood, announce investigations into potential class-action claims.
Exposed data
The pharmacy’s notification letter and state attorney general filings describe a broad set of exposed data elements. For any given individual, the specific combination varies and is identified in that person’s letter. The categories reported across the population include:
- Names and contact information
- Dates of birth
- Social Security numbers
- Driver’s license numbers and other government identification numbers
- Financial account and routing numbers
- Payment card numbers and expiration dates
- Health insurance information
- Medical record numbers, diagnoses, and treatment information
- Prescription information and provider names
This combination, particularly Social Security numbers paired with health insurance and prescription details, is considered high-risk for identity theft, medical identity theft, and insurance fraud.
What College Parkside Pharmacy is offering
Publicly available reporting does not confirm whether complimentary credit monitoring or identity-theft protection was offered, or for what duration. The individual notification letter sent to each affected person is the authoritative source for the offering and the enrollment code; recipients should consult that letter for instructions and any deadline to enroll.
Class-action activity
As of this writing, no class-action complaint has been publicly filed, but at least three plaintiffs’ firms have announced investigations into potential litigation related to the breach. Affected patients have not yet been certified into a class and there is no settlement to claim against at this stage.
What to do if you may be affected
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft when Social Security numbers are involved.
- Read your notification letter carefully. It lists the specific data elements exposed for your record and any complimentary credit-monitoring or identity-theft protection offered, along with the enrollment code and any deadline.
- Watch your insurance Explanation of Benefits statements for prescriptions, claims, or providers you do not recognize. Medical identity theft often shows up there before it appears on a credit report.
- Bookmark this page. We update it as new state attorney general filings, court complaints, or settlement notices become public.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record of this breach.
- HIPAA Journal — Cybercriminals Hit Washington Laboratory and New York Pharmacies — trade-press reporting on the access window, detection, and notification timeline.
- Strauss Borrelli PLLC — College Parkside Pharmacy Data Breach Investigation — plaintiffs’ firm investigation notice with data-element list.
- Barnow and Associates, P.C. — College Parkside Pharmacy Data Breach Investigation — plaintiffs’ firm investigation notice and state attorney general filing list.
- Federman & Sherwood — College Parkside Pharmacy Data Breach — plaintiffs’ firm investigation notice.
- ClaimDepot — College Parkside Pharmacy Data Breach Affects 5,736 — aggregator summary corroborating the affected count and parent-organization affiliation.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Cybercriminals Hit Washington Laboratory and New York Pharmacies
- Strauss Borrelli PLLC — College Parkside Pharmacy Data Breach Investigation
- Barnow and Associates, P.C. — College Parkside Pharmacy Data Breach Investigation
- Federman & Sherwood — College Parkside Pharmacy Data Breach
- ClaimDepot — College Parkside Pharmacy Data Breach Affects 5,736
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.