Active breach tracker Dublin, Ohio Disclosed February 10, 2025

CPS Solutions Data Breach 2025: Pharmacy Business Associate Email Compromise Hits Multiple U.S. Hospitals · Class Action Filed in S.D. Ohio

CPS Solutions, LLC — the Dublin, Ohio pharmacy operations and consulting firm that manages pharmacy departments for hospitals and health systems nationwide — disclosed on February 10, 2025 that an unauthorized actor accessed an employee Microsoft 365 email account between December 2 and December 4, 2024. The compromise exposed names, Social Security numbers, dates of birth, health insurance and Medicaid/Medicare numbers, and clinical, diagnosis, and prescription information. Hospitals known to be affected include Dayton Children's Hospital, Beacon Health's Three Rivers Health, Hillsdale Hospital, Munson Healthcare, and Summit Healthcare. CPS filed an initial OCR report using a 500-individual placeholder and a proposed class action (Pierce v. CPS Solutions, LLC) was filed in the Southern District of Ohio on April 15, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 2, 2024

Unauthorized actor begins accessing a CPS Solutions employee Microsoft 365 email account

Dec 4, 2024

CPS Solutions detects suspicious activity, forces password reset, and terminates the unauthorized session

Jan 24, 2025

Document and mailbox review completed; protected health information confirmed exposed

Feb 10, 2025

Individual notification letters mailed; HIPAA breach reported to HHS Office for Civil Rights using a 500-individual placeholder count

Feb 10, 2025

CPS Solutions begins direct notification to affected individuals nationwide

Apr 15, 2025

Proposed class action Pierce v. CPS Solutions, LLC filed in the U.S. District Court for the Southern District of Ohio

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical record number or patient account number Clinical information Diagnosis or treatment information Prescription information (including medication names)

03

Contact & insurance

Phishing + targeted scams

Full name Address Health insurance information (member/group ID, Medicaid/Medicare number) Provider information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Shamis & Gentile, P.A. Console & Associates, P.C. Strauss Borrelli PLLC
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

CPS Solutions, LLC — a Dublin, Ohio-based pharmacy operations and consulting firm that manages inpatient pharmacy departments for hospitals, health systems, and specialty care facilities across the United States — disclosed on February 10, 2025 that an unauthorized actor accessed an employee Microsoft 365 business email account between December 2 and December 4, 2024. Because CPS is a HIPAA business associate, the exposed mailbox contained protected health information belonging to patients of multiple unaffiliated hospital clients.

CPS detected the intrusion on December 4, 2024, terminated access, and engaged third-party forensics. A document review of the compromised mailbox concluded on January 24, 2025, at which point CPS began preparing individual notification letters that were mailed on February 10, 2025. The initial filing with the HHS Office for Civil Rights used a 500-individual placeholder count — a figure commonly used pending a more accurate determination as downstream hospital clients identify their own affected patients. Subsequent reporting has tied the breach to patients of Dayton Children’s Hospital, Beacon Health’s Three Rivers Health (Michigan), Hillsdale Hospital (Michigan), Munson Healthcare, and Summit Healthcare, among others.

A proposed class action — Pierce v. CPS Solutions, LLC — was filed in the U.S. District Court for the Southern District of Ohio on April 15, 2025, alleging CPS failed to implement basic data-security practices such as encrypting patient information before the email account was compromised.

Timeline

  • December 2, 2024 — Unauthorized actor begins accessing a CPS Solutions employee Microsoft 365 email account.
  • December 4, 2024 — CPS detects suspicious email activity, forces a password reset, and terminates the unauthorized session. Third-party digital forensics specialists are engaged.
  • January 24, 2025 — Document and mailbox review concludes, confirming that protected health information was viewable in the compromised account.
  • February 10, 2025 — CPS Solutions files an initial HIPAA breach notification with HHS OCR using a 500-individual placeholder figure and begins mailing individual notification letters to affected patients of its hospital clients.
  • April 15, 2025 — Proposed class action Pierce v. CPS Solutions, LLC is filed in the U.S. District Court for the Southern District of Ohio.

What was exposed

Per CPS Solutions’ notification letters and subsequent reporting, the categories of information present in the compromised mailbox varied by individual but included:

  • Full name, date of birth, and address
  • Social Security number
  • Health insurance information, including member or group ID numbers and Medicaid or Medicare numbers
  • Medical record number or patient account number
  • Clinical information, provider information, and diagnosis or treatment information
  • Prescription information, including medication names

The intrusion vector was a compromised employee email account, consistent with a phishing or credential-theft business email compromise rather than a network-wide ransomware event. No threat-actor leak-site posting of CPS data has been independently reported in the sources reviewed.

What CPS Solutions is offering

CPS Solutions is offering 24 months of complimentary credit monitoring and identity-theft protection to affected individuals. Enrollment instructions are included in each individual notification letter and are single-use codes tied to the recipient.

Class-action and regulatory posture

The proposed class action Pierce v. CPS Solutions, LLC was filed on April 15, 2025 in the U.S. District Court for the Southern District of Ohio by the firm Shamis & Gentile, P.A. The complaint alleges negligence and failure to implement adequate cybersecurity safeguards. Multiple other plaintiff-side firms — including Console & Associates and Strauss Borrelli PLLC — opened public investigations following the February 10, 2025 disclosure.

The HHS OCR portal entry remains posted with the 500-individual placeholder count. Because CPS is a business associate serving multiple hospital clients, the final affected-individual figure is typically established only after each covered-entity hospital concludes its own review and reports to OCR — meaning the true scope is likely materially larger than 500 once all downstream hospital filings are aggregated.

What to do if you may be affected

  • Read your notification letter carefully. It lists the specific data elements that were exposed for you (which varies by patient) and includes a single-use enrollment code for the 24 months of complimentary credit monitoring.
  • Enroll in the offered credit monitoring before the deadline in your letter. The code is tied to you specifically.
  • Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers were exposed, a security freeze is materially more protective than monitoring alone. Freezes are free and reversible.
  • Watch for medical identity theft. Because diagnosis, insurance, and prescription information was exposed, review every Explanation of Benefits and request your records from your insurer if you see services or prescriptions you did not receive.
  • Be skeptical of targeted phishing. Threat actors who hold name, date of birth, hospital, and prescription information can craft convincing follow-on lures referencing your actual care. Treat unsolicited calls and emails about your CPS-managed prescriptions with caution and verify through known phone numbers.
  • If you receive notification, you are presumptively a putative class member in Pierce v. CPS Solutions. Class counsel typically post a settlement website once a class is certified or a settlement is preliminarily approved; until then, no claim is required.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.