Active breach tracker Eastpointe, MI Disclosed July 2, 2025

Complete Care Rehab LLC Data Breach 2025: 4,764 Affected · Hacking/IT Incident · MI. Filed With HHS OCR. What To Do.

Complete Care Rehab LLC, a physical therapy practice in Eastpointe, Michigan, identified suspicious activity in its network on or around May 11, 2025. The forensic investigation confirmed patient data was exposed and potentially stolen, including names, contact details, dates of birth, diagnoses, treatment information, health insurance information, and Social Security numbers for a limited number of patients. The incident was disclosed publicly on July 2, 2025 and reported to HHS OCR on July 8, 2025, affecting 4,764 individuals.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 11, 2025

detected

May 11, 2025

Breach detected

Jul 2, 2025

notified

Jul 2, 2025

Disclosed publicly

Jul 8, 2025

filed

Jul 15, 2025

class-action

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers (limited number of patients)

02

Health records

Don't expire and can't be reissued

Diagnoses Treatment information

03

Contact & insurance

Phishing + targeted scams

Names Phone numbers Addresses Email addresses Dates of birth Dates of service Health insurance information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Complete Care Rehab LLC, a physical therapy practice based in Eastpointe, Michigan, disclosed a network intrusion that exposed protected health information for 4,764 current and former patients. The practice identified suspicious activity within its IT environment on or around May 11, 2025, posted a Notice of Data Privacy Event to its website on July 2, 2025, and filed the breach with the U.S. Department of Health and Human Services Office for Civil Rights on July 8, 2025. The OCR portal classifies the event as a Hacking/IT Incident at a Network Server.

Third-party cybersecurity experts engaged by the practice confirmed that an unauthorized actor accessed the network and that patient information was viewed or acquired. The substitute notice does not state whether ransomware was deployed, but HIPAA Journal reported that the practice attempted to restore data from backups and the restoration process failed, with patient information lost.

Timeline

  • May 11, 2025. Suspicious activity identified in the Complete Care Rehab IT environment. Third-party cybersecurity experts engaged.
  • July 2, 2025. Notice of Data Privacy Event posted on the Complete Care Rehab website.
  • July 8, 2025. Breach reported to HHS OCR, listing 4,764 affected individuals.
  • July 15, 2025. Strauss Borrelli PLLC announces an investigation on behalf of affected patients. Other class-action firms follow.

Exposed data

Per the substitute notice and forensic findings reported in HIPAA Journal, the categories of information involved include:

  • Names
  • Phone numbers
  • Mailing and email addresses
  • Dates of birth
  • Diagnoses
  • Treatment information and dates of service
  • Health insurance information
  • Social Security numbers (for a limited number of patients)

What is being offered

The publicly available substitute notice and contemporaneous reporting do not specify the credit-monitoring or identity-protection package being offered, the enrollment deadline, or the activation code mechanism. The notification letter mailed to affected individuals is the authoritative source for those terms. If you received a letter, follow the enrollment instructions printed on it before the deadline.

Class action activity

At least three plaintiffs’ firms have opened public investigations of Complete Care Rehab in connection with this incident:

  • Strauss Borrelli PLLC (investigation announced July 15, 2025)
  • Shamis & Gentile P.A.
  • Siri & Glimstad LLP

No consolidated complaint, settlement, or court docket has been publicly reported on this page as of the last update. Class-action investigations are not the same as filed lawsuits and do not guarantee that litigation, certification, or a settlement will follow.

What to do if you may be affected

  • Watch the mail. Notification letters typically follow the OCR filing by several weeks. The letter will list the specific data elements involved in your record and any complimentary credit-monitoring offered.
  • If your Social Security number was involved, place a free credit freeze with each of the three nationwide consumer reporting agencies (Equifax, Experian, TransUnion). A freeze is the single highest-leverage protection against new-account identity theft and is free under federal law.
  • Enroll in any complimentary monitoring offered in your letter before the deadline. Even if you do not believe your SSN was involved, enrollment costs you nothing.
  • Be alert to phishing. Threat actors often follow up breach disclosures with targeted phishing emails and phone calls that reference the breach. Complete Care Rehab will not ask for your SSN, payment, or password by email or phone.
  • Keep your records. Save the notification letter, any enrollment confirmations, and a log of time spent dealing with the breach. These are routinely requested if a class settlement is later announced.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.