Excellent Home Care Services Data Breach 2025: 16,278 New York Home-Care Patients Exposed in Email Account Intrusion
Excellent Home Care Services, LLC, a Brooklyn-based home health agency serving Bronx, Kings, Nassau, New York, and Queens counties, reported a December 17, 2025 breach to HHS OCR affecting 16,278 individuals. An unauthorized actor accessed an employee email account on November 25, 2025, exposing names, Social Security numbers, Medicare/Medicaid numbers, and plan-of-care medical information for a predominantly elderly home-care population.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 25, 2025
Unauthorized third party accesses an employee email account; activity detected the same day
Nov 25, 2025
Attacker gained access
Dec 17, 2025
Individual notification letters mailed; breach reported to HHS Office for Civil Rights (16,278 individuals)
Dec 17, 2025
HIPAA breach filing posted to the HHS OCR public portal as Hacking/IT Incident, Network Server
Dec 18, 2025
Public notice of data breach issued via newswire
Dec 22, 2025
Strauss Borrelli PLLC announces class-action investigation
Feb 18, 2026
Federman & Sherwood announces class-action investigation
Nov 25, 2025
Unauthorized third party accesses an employee email account; activity detected the same day
Nov 25, 2025
Attacker gained access
Dec 17, 2025
Individual notification letters mailed; breach reported to HHS Office for Civil Rights (16,278 individuals)
Dec 17, 2025
HIPAA breach filing posted to the HHS OCR public portal as Hacking/IT Incident, Network Server
Dec 18, 2025
Public notice of data breach issued via newswire
Dec 22, 2025
Strauss Borrelli PLLC announces class-action investigation
Feb 18, 2026
Federman & Sherwood announces class-action investigation
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Excellent Home Care Services, LLC, a Brooklyn-based home health agency that delivers skilled nursing and personal-care services across Bronx, Kings, Nassau, New York, and Queens counties, confirmed that an unauthorized third party accessed an employee email account on November 25, 2025. The intrusion was identified the same day, and a forensic review concluded that files in the account contained protected health information for 16,278 individuals. The breach was reported to the HHS Office for Civil Rights on December 17, 2025 and is recorded on the federal portal as a Hacking/IT Incident affecting a network server.
Timeline
- November 25, 2025 — An unauthorized actor accesses an employee email account “for a brief period.” Excellent identifies the activity the same day and secures the account.
- December 17, 2025 — Individual notification letters are mailed to affected patients; the incident is filed with the HHS Office for Civil Rights.
- December 18, 2025 — Excellent posts a public Notice of Data Breach via newswire.
- December 22, 2025 — Strauss Borrelli PLLC announces a class-action investigation.
- February 18, 2026 — Federman & Sherwood announces a separate class-action investigation.
What was exposed
The data elements confirmed exposed vary by individual but include:
- Full name
- Address and phone number
- Date of birth and gender
- Social Security number
- Medicare or Medicaid number
- Medical information related to the patient’s plan of care
Not every data element was present for every individual. The combination of Social Security number, Medicare or Medicaid number, and plan-of-care medical detail is the most consequential pairing in this filing.
Sensitive population: elderly home-care patients
Excellent’s patient base is predominantly seniors and adults recovering from medical events who receive in-home skilled nursing and personal care. That population profile materially raises the downstream risk from this incident. Medicare and Medicaid identifiers enable medical-identity theft and false-claim submissions that can pollute a patient’s medical record and trigger benefits-eligibility problems that are notoriously difficult to unwind, particularly for dual-eligible beneficiaries. Plan-of-care detail combined with home address and phone number gives a threat actor highly targeted social-engineering material for the kind of “Medicare,” “pharmacy,” or “home-care coordinator” phone fraud that has been repeatedly documented against this demographic. Older adults are also less likely to use credit-monitoring tools or to detect medical-billing anomalies on their own, which is why family caregivers and adult children should treat this notice as actionable for the patient in their care.
What the entity is offering
Excellent has stated that it has made identity monitoring services available to affected individuals. The notification letters include enrollment instructions and a dedicated incident hotline at 1-833-918-6974, staffed 8:00 a.m. to 5:30 p.m. Eastern, Monday through Friday. The agency reports that it secured the affected account, reset credentials, restricted access, reviewed and updated its Microsoft 365 security settings, and added geographic access restrictions and enhanced monitoring.
Class-action and regulatory posture
As of this writing, no class-action complaint has been filed in court against Excellent Home Care Services. Three plaintiffs’ firms have publicly announced investigations: Strauss Borrelli PLLC (announced December 22, 2025), Federman & Sherwood (announced February 18, 2026), and Levi & Korsinsky, LLP. The HHS OCR portal entry is open and remains under federal regulatory review.
What to do if you may be affected
- Enroll in the offered identity monitoring. The enrollment code in your letter is single-use and time-limited; do not wait.
- Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers were exposed, a credit freeze is materially more protective than monitoring alone. It is free, reversible, and the right baseline for an elderly or fixed-income patient.
- Watch for Medicare and Medicaid fraud. Request and review your Medicare Summary Notice (or Medicaid statement) for services and equipment you did not receive. Report suspect claims to 1-800-MEDICARE or your state Medicaid fraud line. Medical-identity theft on a Medicare or Medicaid record is one of the hardest forms of identity theft to remediate.
- Be alert to targeted phone and mail scams. A threat actor with your name, address, date of birth, and plan-of-care context can impersonate a home-care coordinator, pharmacy, or “Medicare” representative very convincingly. Hang up and call back using a number you already trust, not one provided on the inbound call.
- Family caregivers: act on the patient’s behalf. If you hold a healthcare proxy or financial power of attorney, place the freeze, complete the monitoring enrollment, and review benefits statements directly. This breach population is one that will not, on average, complete those steps unassisted.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (filing dated 2025-12-17; Hacking/IT Incident, Network Server, 16,278 affected).
- HIPAA Journal — New York Home Healthcare Provider Identifies Email Account Breach — incident timeline, exposed data elements, affected counties.
- Notice of Data Breach (EIN Presswire via Fox40) — official entity notice text, remediation measures, hotline number.
- Strauss Borrelli PLLC — Excellent Home Care Services Data Breach Investigation — plaintiff-side investigation announcement.
- Federman & Sherwood — Excellent Home Care Services, LLC Data Breach Investigation — confirms 16,278-individual count and OCR filing date.
- HIPAA Times — Excellent Home Care Services email breach exposes patient information — independent secondary reporting confirming the email-account vector.
- Levi & Korsinsky, LLP — Investigation Announcement — third plaintiffs’ firm investigation notice.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — New York Home Healthcare Provider Identifies Email Account Breach
- Notice of Data Breach (EIN Presswire via Fox40)
- Strauss Borrelli PLLC — Excellent Home Care Services Data Breach Investigation
- Federman & Sherwood — Excellent Home Care Services, LLC Data Breach Investigation
- HIPAA Times — Excellent Home Care Services email breach exposes patient information
- Levi & Korsinsky, LLP — Investigation Announcement (PR Inside)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.