Ennoble Care & Circa Health Data Breach 2025: 36,332 Home-Care, Hospice, and Palliative Patients Exposed via Employee Email Compromise. What To Do
Ennoble Care & Circa Health, LLC, a Hackensack, NJ-based home-based primary care, palliative care, and hospice provider, disclosed an employee email account compromise discovered April 17, 2025 and filed with HHS OCR on September 18, 2025, reporting 36,332 affected individuals. Exposed data included names, addresses, dates of birth, and hospice and clinical-order status. Shamis & Gentile is investigating, and a federal class action (Pagan v. Ennoble Care LLC) has been filed in the District of New Jersey. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 17, 2025
Ennoble Care discovers unauthorized access to an employee email account
Sep 18, 2025
Ennoble Care files HIPAA breach notification with HHS OCR (36,332 affected, Hacking/IT Incident, Email)
Nov 28, 2025
HIPAA Journal publicly reports the breach; Ennoble notice and response line published
Apr 17, 2025
Ennoble Care discovers unauthorized access to an employee email account
Sep 18, 2025
Ennoble Care files HIPAA breach notification with HHS OCR (36,332 affected, Hacking/IT Incident, Email)
Nov 28, 2025
HIPAA Journal publicly reports the breach; Ennoble notice and response line published
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Ennoble Care & Circa Health, LLC, a Hackensack, NJ-based provider of home-based primary care, palliative care, and hospice services, confirmed that an unauthorized party accessed an employee email account, exposing the protected health information of 36,332 patients across its multi-state service footprint.
Timeline
- April 17, 2025 — Ennoble Care discovers that an employee email account may have been subject to unauthorized access and launches a forensic investigation. (Source: Ennoble Care notice.)
- September 18, 2025 — Ennoble Care files the HIPAA breach notification with the HHS Office for Civil Rights, classifying the event as a Hacking/IT Incident at Email and reporting 36,332 affected individuals. (Source: HHS OCR Breach Portal.)
- November 28, 2025 — Public reporting and the entity’s substitute notice surface, with a dedicated response line published at 844-934-6547 (Monday–Friday, 11 a.m. to 8 p.m. ET). (Source: HIPAA Journal.)
What was exposed
Per Ennoble Care’s notice, potentially impacted information includes:
- Name
- Address
- Date of birth
- Hospice status (admitted, recertified, discharged, or revoked)
- Status dates (admission date, certification period, discharge or revocation date)
- Clinical orders status (CTI, SN, MSW, CH, HHA, and similar service codes)
Ennoble Care states that no evidence was found indicating that its cloud-based electronic health record was compromised. The breach was confined to a single employee mailbox. (Ennoble Care notice)
Sensitive-population considerations
Ennoble Care is a home-based primary care, palliative care, and hospice provider serving seniors and homebound patients across New York, New Jersey, Pennsylvania, Maryland, Washington, D.C., Virginia, Georgia, and additional states in its clinical footprint. The patient population skews elderly, chronically ill, and end-of-life, with many enrolled in hospice or active palliative care at the time of exposure. (HIPAA Journal; Ennoble Care notice)
A breach disclosing hospice status, recertification cycles, and discharge or revocation dates carries acute downstream risk for this population that a generic identity-theft framing understates:
- Surviving family members and estates may receive notification on behalf of a deceased patient. The hospice status field can confirm end-of-life timing useful to obituary-driven fraud.
- Guardians, healthcare proxies, and powers of attorney frequently manage finances for these patients and should treat the notification as their own.
- Reverse-mortgage, life-insurance, and Medicare-fraud schemes specifically target households flagged as having a seriously ill or recently deceased member.
Class-action posture
A federal class action has been filed: Pagan v. Ennoble Care LLC, No. 2:26-cv-02591 (D.N.J.). (Justia docket)
Shamis & Gentile P.A. is publicly investigating claims on behalf of affected individuals. (ClaimDepot investigation)
The HHS OCR investigation remains open per the breach portal entry.
What to do
- Read your notification letter carefully. Ennoble Care’s letter lists the specific data elements implicated for your record and any complimentary protections offered. The dedicated response line is 844-934-6547 (Monday to Friday, 11 a.m. to 8 p.m. ET). (Ennoble Care notice)
- Place free credit freezes at Equifax, Experian, and TransUnion. Ennoble Care’s notice highlights the no-cost one-year fraud alert and the no-cost security freeze as the primary recommended steps. (Ennoble Care notice)
- Monitor explanation-of-benefits statements from Medicare, Medicaid, and any private insurer. Medical identity theft targeting hospice and home-care populations frequently surfaces first as unfamiliar charges on EOBs.
- If you manage finances for an Ennoble Care patient — as guardian, power of attorney, healthcare proxy, or surviving family member — treat the notification as your own and freeze credit on the patient’s behalf.
- Stop the ongoing flow of your home-care data. HealthConsent files HIPAA restriction requests across home-health, hospice, and prescription networks.
Sources
- Ennoble Care: Notice Regarding Data Security Incident — entity substitute notice with full data-element list and response phone number.
- HIPAA Journal: Data Breaches Announced by Ennoble Care & Circa Health — trade-press coverage including service footprint and EHR scope.
- ClaimDepot: Ennoble Care Data Breach Lawsuit Investigation — Shamis & Gentile P.A. plaintiff-side investigation.
- Pagan v. Ennoble Care LLC, 2:26-cv-02591 (D.N.J.) — federal class-action docket.
- HHS Office for Civil Rights Breach Portal — federal regulatory filing (36,332 affected; Hacking/IT Incident; Email).
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Ennoble Care: Notice Regarding Data Security Incident
- HIPAA Journal: Data Breaches Announced by Ennoble Care & Circa Health
- ClaimDepot: Ennoble Care Data Breach Lawsuit Investigation (Shamis & Gentile)
- Pagan v. Ennoble Care LLC, 2:26-cv-02591 (D.N.J.) — Justia docket
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.