Active breach tracker Pittsburgh, Pennsylvania Disclosed November 24, 2025

Davies, McFarland & Carroll Data Breach 2025: 54,712 Affected · Hacking/IT Incident · Pittsburgh, PA Business Associate. What To Do.

Davies, McFarland & Carroll LLC, a Pittsburgh, PA medical-malpractice defense firm acting as a HIPAA business associate, reported 54,712 individuals affected by a May 2025 network intrusion. The Lynx ransomware group claimed the attack on June 4, 2025. Notification letters went out November 24, 2025; multiple plaintiffs' firms have opened class-action investigations.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 19, 2025

Unauthorized access to Davies, McFarland & Carroll's network begins (per forensic investigation).

May 22, 2025

DM&C detects the network intrusion and terminates the unauthorized access.

Jun 4, 2025

Lynx ransomware group claims responsibility for the attack on its data-leak site.

Sep 25, 2025

Forensic investigation and document review conclude; DM&C confirms files containing sensitive personal and health information were affected.

Nov 24, 2025

DM&C begins mailing individual notification letters and posts substitute notice.

Nov 24, 2025

Breach reported to HHS Office for Civil Rights — 54,712 affected, Hacking/IT Incident at Network Server, Business Associate.

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical treatment or history

03

Contact & insurance

Phishing + targeted scams

Name Address Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Lynch Carpenter, LLP Markovits, Stock & DeMarco, LLC Strauss Borrelli PLLC Migliaccio & Rathod LLP Federman & Sherwood
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Davies, McFarland & Carroll LLC is a Pittsburgh, Pennsylvania law firm that defends medical-malpractice cases on behalf of hospitals, physicians, and health systems. That work makes it a HIPAA business associate. Covered entities hand the firm protected health information so it can litigate. On November 24, 2025, DM&C reported a Hacking/IT Incident at a Network Server to the HHS Office for Civil Rights, affecting 54,712 individuals, and began mailing notification letters the same day. The intrusion itself was brief, three days in May 2025, but the firm needed roughly four months of forensic and document review to determine whose data had been touched. The Lynx ransomware group claimed credit for the attack in June; DM&C has not publicly confirmed the attribution.

Timeline

  • May 19, 2025. Unauthorized access to the DM&C network begins (per forensic investigation).
  • May 22, 2025. DM&C detects the intrusion and terminates the unauthorized access. External cybersecurity counsel and forensic investigators are engaged.
  • June 4, 2025. The Lynx ransomware group claims responsibility on its data-leak site. DM&C has not confirmed the claim.
  • September 25, 2025. Forensic investigation and document review conclude. DM&C determines that files containing sensitive personal and health information were stored in the impacted systems and may have been accessed.
  • November 24, 2025. DM&C begins mailing individual notification letters, posts a substitute notice on its corporate site, and files with HHS OCR (54,712 affected; Hacking/IT Incident at Network Server; Business Associate).

What was exposed

DM&C’s notice and independent reporting describe a compact but high-sensitivity set of data elements. Not every individual had every element exposed; the notification letter mailed to you is the authoritative list for your record. The categories confirmed across sources include:

  • Name.
  • Address.
  • Date of birth.
  • Social Security number.
  • Medical treatment or history.
  • Health insurance information.

Because DM&C is a defense firm on medical-malpractice matters, the underlying records typically include narrative clinical detail (diagnoses, procedures, dates of care) tied to a specific provider relationship. That is more sensitive than a typical billing-only exposure.

Who’s notifying you (business associate, through a covered entity you may not recognize)

DM&C is a business associate, not a covered entity. Most affected people are not DM&C clients in the everyday sense. They are patients of hospitals, health systems, or physicians whose records the firm received in the course of defending a malpractice claim, often without the patient’s awareness. Practically, that means:

  • Your notification letter may arrive on Davies, McFarland & Carroll letterhead even if you have never heard of the firm. That is expected for a business-associate breach.
  • The covered entity (the hospital or provider that originally held your record) may or may not send a separate communication. HIPAA permits the BA to notify on the covered entity’s behalf.
  • The letter will list the specific data elements exposed for you and explain how to enroll in the credit-monitoring offer DM&C has arranged.

DM&C is offering 12 months of complimentary single-bureau credit monitoring, credit reporting, and credit-score services through Cyberscout (a TransUnion company), with a 90-day enrollment window from the date of the letter.

Class-action posture

No consolidated class action has been filed publicly as of this update. Multiple plaintiffs’ firms have opened pre-litigation investigations and are soliciting affected individuals. Firms that have publicly announced investigations include:

  • Lynch Carpenter, LLP
  • Markovits, Stock & DeMarco, LLC
  • Strauss Borrelli PLLC
  • Migliaccio & Rathod LLP
  • Federman & Sherwood

Typical theories in business-associate breach cases include negligence, breach of fiduciary duty, breach of implied contract, and state consumer-protection claims, with delayed notification (six months between detection and notice here) often pleaded as an aggravating factor. If a complaint is filed and consolidated, we will update this page with the case caption, court, and any settlement terms.

What to do

  • Read the letter carefully. It will identify which data elements were exposed for you specifically and provide the activation code for Cyberscout credit monitoring. Enroll within 90 days of the letter date.
  • Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the most effective single step against new-account fraud given the Social Security number exposure here.
  • Watch for medical-identity misuse. Because clinical and insurance data were involved, scrutinize Explanation of Benefits statements from your health plan, and request a copy of your medical records from any provider where you suspect a discrepancy.
  • Be skeptical of phishing. Outreach that references “Davies McFarland Carroll” or “DM&C data breach settlement” is predictable. Verify any enrollment link through the printed letter or the substitute notice on dmcpc.com. Do not click links in unsolicited email or SMS.
  • Decide whether to engage a class-action firm. Investigations are open but no complaint has been filed publicly. There is no deadline to take a position yet; you can wait until a complaint is filed and a settlement (if any) is preliminarily approved before deciding whether to claim.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.