Davies, McFarland & Carroll Data Breach 2025: 54,712 Affected · Hacking/IT Incident · Pittsburgh, PA Business Associate. What To Do.
Davies, McFarland & Carroll LLC, a Pittsburgh, PA medical-malpractice defense firm acting as a HIPAA business associate, reported 54,712 individuals affected by a May 2025 network intrusion. The Lynx ransomware group claimed the attack on June 4, 2025. Notification letters went out November 24, 2025; multiple plaintiffs' firms have opened class-action investigations.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 19, 2025
Unauthorized access to Davies, McFarland & Carroll's network begins (per forensic investigation).
May 22, 2025
DM&C detects the network intrusion and terminates the unauthorized access.
Jun 4, 2025
Lynx ransomware group claims responsibility for the attack on its data-leak site.
Sep 25, 2025
Forensic investigation and document review conclude; DM&C confirms files containing sensitive personal and health information were affected.
Nov 24, 2025
DM&C begins mailing individual notification letters and posts substitute notice.
Nov 24, 2025
Breach reported to HHS Office for Civil Rights — 54,712 affected, Hacking/IT Incident at Network Server, Business Associate.
May 19, 2025
Unauthorized access to Davies, McFarland & Carroll's network begins (per forensic investigation).
May 22, 2025
DM&C detects the network intrusion and terminates the unauthorized access.
Jun 4, 2025
Lynx ransomware group claims responsibility for the attack on its data-leak site.
Sep 25, 2025
Forensic investigation and document review conclude; DM&C confirms files containing sensitive personal and health information were affected.
Nov 24, 2025
DM&C begins mailing individual notification letters and posts substitute notice.
Nov 24, 2025
Breach reported to HHS Office for Civil Rights — 54,712 affected, Hacking/IT Incident at Network Server, Business Associate.
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Davies, McFarland & Carroll LLC is a Pittsburgh, Pennsylvania law firm that defends medical-malpractice cases on behalf of hospitals, physicians, and health systems. That work makes it a HIPAA business associate. Covered entities hand the firm protected health information so it can litigate. On November 24, 2025, DM&C reported a Hacking/IT Incident at a Network Server to the HHS Office for Civil Rights, affecting 54,712 individuals, and began mailing notification letters the same day. The intrusion itself was brief, three days in May 2025, but the firm needed roughly four months of forensic and document review to determine whose data had been touched. The Lynx ransomware group claimed credit for the attack in June; DM&C has not publicly confirmed the attribution.
Timeline
- May 19, 2025. Unauthorized access to the DM&C network begins (per forensic investigation).
- May 22, 2025. DM&C detects the intrusion and terminates the unauthorized access. External cybersecurity counsel and forensic investigators are engaged.
- June 4, 2025. The Lynx ransomware group claims responsibility on its data-leak site. DM&C has not confirmed the claim.
- September 25, 2025. Forensic investigation and document review conclude. DM&C determines that files containing sensitive personal and health information were stored in the impacted systems and may have been accessed.
- November 24, 2025. DM&C begins mailing individual notification letters, posts a substitute notice on its corporate site, and files with HHS OCR (54,712 affected; Hacking/IT Incident at Network Server; Business Associate).
What was exposed
DM&C’s notice and independent reporting describe a compact but high-sensitivity set of data elements. Not every individual had every element exposed; the notification letter mailed to you is the authoritative list for your record. The categories confirmed across sources include:
- Name.
- Address.
- Date of birth.
- Social Security number.
- Medical treatment or history.
- Health insurance information.
Because DM&C is a defense firm on medical-malpractice matters, the underlying records typically include narrative clinical detail (diagnoses, procedures, dates of care) tied to a specific provider relationship. That is more sensitive than a typical billing-only exposure.
Who’s notifying you (business associate, through a covered entity you may not recognize)
DM&C is a business associate, not a covered entity. Most affected people are not DM&C clients in the everyday sense. They are patients of hospitals, health systems, or physicians whose records the firm received in the course of defending a malpractice claim, often without the patient’s awareness. Practically, that means:
- Your notification letter may arrive on Davies, McFarland & Carroll letterhead even if you have never heard of the firm. That is expected for a business-associate breach.
- The covered entity (the hospital or provider that originally held your record) may or may not send a separate communication. HIPAA permits the BA to notify on the covered entity’s behalf.
- The letter will list the specific data elements exposed for you and explain how to enroll in the credit-monitoring offer DM&C has arranged.
DM&C is offering 12 months of complimentary single-bureau credit monitoring, credit reporting, and credit-score services through Cyberscout (a TransUnion company), with a 90-day enrollment window from the date of the letter.
Class-action posture
No consolidated class action has been filed publicly as of this update. Multiple plaintiffs’ firms have opened pre-litigation investigations and are soliciting affected individuals. Firms that have publicly announced investigations include:
- Lynch Carpenter, LLP
- Markovits, Stock & DeMarco, LLC
- Strauss Borrelli PLLC
- Migliaccio & Rathod LLP
- Federman & Sherwood
Typical theories in business-associate breach cases include negligence, breach of fiduciary duty, breach of implied contract, and state consumer-protection claims, with delayed notification (six months between detection and notice here) often pleaded as an aggravating factor. If a complaint is filed and consolidated, we will update this page with the case caption, court, and any settlement terms.
What to do
- Read the letter carefully. It will identify which data elements were exposed for you specifically and provide the activation code for Cyberscout credit monitoring. Enroll within 90 days of the letter date.
- Freeze your credit with Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the most effective single step against new-account fraud given the Social Security number exposure here.
- Watch for medical-identity misuse. Because clinical and insurance data were involved, scrutinize Explanation of Benefits statements from your health plan, and request a copy of your medical records from any provider where you suspect a discrepancy.
- Be skeptical of phishing. Outreach that references “Davies McFarland Carroll” or “DM&C data breach settlement” is predictable. Verify any enrollment link through the printed letter or the substitute notice on dmcpc.com. Do not click links in unsolicited email or SMS.
- Decide whether to engage a class-action firm. Investigations are open but no complaint has been filed publicly. There is no deadline to take a position yet; you can wait until a complaint is filed and a settlement (if any) is preliminarily approved before deciding whether to claim.
Sources
- Davies, McFarland & Carroll — Notice Regarding Data Security Incident. The entity’s own substitute notice hosted on its corporate site.
- HHS Office for Civil Rights Breach Portal. Federal regulatory record: 54,712 affected, Hacking/IT Incident, Network Server, Business Associate, filed November 24, 2025.
- HIPAA Journal — Davies, McFarland & Carroll; Awakenings Center Data Breaches Impact 72,500 Individuals. Trade-press confirmation of dates, BA status, Cyberscout monitoring, and affected population.
- Comparitech — Pittsburgh law firm notifies 54,000+ people of data breach. Independent reporting on data elements, the 90-day enrollment window, and Lynx ransomware attribution.
- Lynch Carpenter, LLP — DM&C Data Breach Investigation. Plaintiffs’-firm investigation notice.
- Strauss Borrelli PLLC — DM&C Data Breach Investigation. Second plaintiffs’-firm investigation notice confirming dates and affected count.
- Markovits, Stock & DeMarco, LLC — Class Action Investigation. Third plaintiffs’-firm investigation, identifying DM&C’s BA status with covered entities.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Davies, McFarland & Carroll — Notice Regarding Data Security Incident (substitute notice)
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Davies, McFarland & Carroll; Awakenings Center Data Breaches Impact 72,500 Individuals
- Comparitech — Pittsburgh law firm notifies 54,000+ people of data breach
- Lynch Carpenter, LLP — DM&C Data Breach Investigation
- Strauss Borrelli PLLC — Davies, McFarland & Carroll Data Breach Investigation
- Markovits, Stock & DeMarco, LLC — DM&C Data Breach Class Action Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.