CVS Caremark Data Breach 2025: 2,599 Affected in Paper-Records Disclosure at the Nation's Largest PBM
CVS Caremark, the Rhode Island-based pharmacy benefit manager, filed a HIPAA breach report with HHS OCR on May 13, 2025 disclosing the unauthorized access or disclosure of paper and film records containing the protected health information of 2,599 individuals. Multiple plaintiffs' firms have opened class-action investigations.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 13, 2025
CVS Caremark files HIPAA breach notification with HHS Office for Civil Rights covering 2,599 individuals
May 13, 2025
OCR portal lists the incident under 'Unauthorized Access/Disclosure' with location of breached information recorded as 'Paper/Films'
May 21, 2025
Cole & Van Note announces investigation into the CVS Caremark breach on behalf of affected individuals
May 21, 2025
Federman & Sherwood and Srourian Law Firm separately announce class-action investigations
May 13, 2025
CVS Caremark files HIPAA breach notification with HHS Office for Civil Rights covering 2,599 individuals
May 13, 2025
OCR portal lists the incident under 'Unauthorized Access/Disclosure' with location of breached information recorded as 'Paper/Films'
May 21, 2025
Cole & Van Note announces investigation into the CVS Caremark breach on behalf of affected individuals
May 21, 2025
Federman & Sherwood and Srourian Law Firm separately announce class-action investigations
Data exposed
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
CVS Caremark, the pharmacy benefit manager (PBM) arm of CVS Health and one of the three largest PBMs in the United States, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on May 13, 2025, reporting that 2,599 individuals had their protected health information exposed in an unauthorized access or disclosure event involving paper and film records. CVS Caremark is listed on the OCR portal as a business associate based in Rhode Island. Several plaintiffs’ firms have since opened class-action investigations, although as of this writing no consolidated complaint or settlement has been reported in publicly searchable court dockets.
Timeline of what we know
- May 13, 2025 — CVS Caremark files a HIPAA breach report with HHS OCR. The portal entry classifies the incident as “Unauthorized Access/Disclosure,” with the location of breached information listed as “Paper/Films” and the covered-entity type as Business Associate. The reported count is 2,599 individuals.
- May 21, 2025 — Cole & Van Note publicly opens an investigation into the breach and begins soliciting affected individuals for a potential class action. Federman & Sherwood and Srourian Law Firm announce parallel investigations.
- Ongoing — The OCR investigation remains open. No CVS Caremark substitute-notice press release, attacker attribution, or formal class-action complaint has been published in the trade press as of the last update to this page.
What was exposed
The OCR portal entry indicates the breach involved physical paper and film records rather than a network intrusion or vendor compromise. The plaintiffs’ firm investigation pages summarize the exposure as protected health information potentially including:
- Name
- Prescribed medication(s) and other prescription information
- Other PHI elements typically present in PBM correspondence (claims, member ID, plan information)
CVS Caremark has not posted an enumerated list of data elements on its own public website, and no individual notification letter has been published in the press as of this writing. If you receive a letter from CVS Caremark in the mail, that letter is the authoritative source for which data elements were exposed in your specific record.
What CVS Caremark is offering
CVS Caremark has not publicly announced a credit-monitoring vendor, enrollment code, or call-center number tied to this incident. The OCR portal entry does not require entities to disclose those operational details. Affected individuals should rely on the instructions printed on their individual notification letter for any complimentary monitoring or identity-protection services.
Class-action and regulatory posture
Three plaintiffs’ firms — Federman & Sherwood, Cole & Van Note, and Srourian Law Firm — have publicly announced investigations into the breach within roughly a week of the OCR filing. Each is soliciting affected individuals to evaluate claims; none has filed a consolidated class-action complaint that has surfaced in the established legal-news trade press as of the most recent update to this page. ClassAction.org maintains a live news wire for CVS Caremark legal matters and is a reasonable place to monitor for new filings.
The HHS OCR investigation is open. Because the incident involved paper records under a business associate, OCR enforcement here typically focuses on the adequacy of physical-security controls, the business-associate agreement with the covered entity, and the timeliness of notification to both HHS and affected individuals.
What to do if you may be affected
- Watch the mail for an individual notification letter from CVS Caremark. The letter will list the specific data elements exposed in your record and any credit-monitoring offering. Notification letters typically follow an OCR filing by a few weeks to a few months.
- Freeze your credit at all three nationwide credit bureaus (Equifax, Experian, TransUnion). It is free, takes about ten minutes per bureau online, and is the single highest-leverage step against new-account identity theft.
- Review your Explanation of Benefits statements. Medical-identity theft is the most concrete downstream risk when prescription data is exposed. Verify that the medications and pharmacy claims listed on your EOBs are actually yours.
- Be skeptical of unsolicited outreach by phone, text, or email claiming to be from CVS Caremark, your health plan, or a pharmacy. Threat actors routinely follow large breaches with targeted phishing using leaked identifiers.
- If you are contacted by a law firm soliciting your participation in a class action, you are under no obligation to sign anything. Read the engagement letter carefully or consult independent counsel before signing.
Sources
- HHS Office for Civil Rights Breach Portal — the federal regulatory record of this breach.
- Federman & Sherwood — CVS Caremark Data Breach investigation notice
- Cole & Van Note — CVS Caremark Data Breach Investigation (May 21, 2025)
- Srourian Law Firm — CVS Caremark Data Breach: What You Need to Know
- Compliance Junction — Victims of CVS Caremark Data Breach Pursuing Class Action Lawsuit
- ClassAction.org — CVS Caremark, Inc. legal news wire
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Federman & Sherwood — CVS Caremark Data Breach investigation notice
- Cole & Van Note — CVS Caremark Data Breach Investigation (May 21, 2025)
- Srourian Law Firm — CVS Caremark Data Breach: What You Need to Know
- Compliance Junction — Victims of CVS Caremark Data Breach Pursuing Class Action Lawsuit
- ClassAction.org — CVS Caremark, Inc. legal news wire
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.