Active breach tracker New York Disclosed December 17, 2025

Excellent Home Care Services Data Breach 2025: 16,278 New York Home-Care Patients Exposed in Email Account Intrusion

Excellent Home Care Services, LLC, a Brooklyn-based home health agency serving Bronx, Kings, Nassau, New York, and Queens counties, reported a December 17, 2025 breach to HHS OCR affecting 16,278 individuals. An unauthorized actor accessed an employee email account on November 25, 2025, exposing names, Social Security numbers, Medicare/Medicaid numbers, and plan-of-care medical information for a predominantly elderly home-care population.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 25, 2025

Unauthorized third party accesses an employee email account; activity detected the same day

Nov 25, 2025

Attacker gained access

Dec 17, 2025

Individual notification letters mailed; breach reported to HHS Office for Civil Rights (16,278 individuals)

Dec 17, 2025

HIPAA breach filing posted to the HHS OCR public portal as Hacking/IT Incident, Network Server

Dec 18, 2025

Public notice of data breach issued via newswire

Dec 22, 2025

Strauss Borrelli PLLC announces class-action investigation

Feb 18, 2026

Federman & Sherwood announces class-action investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

03

Contact & insurance

Phishing + targeted scams

Full name Address Phone number Gender Medicare or Medicaid number Medical information related to plan of care

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood Strauss Borrelli PLLC Levi & Korsinsky, LLP
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Excellent Home Care Services, LLC, a Brooklyn-based home health agency that delivers skilled nursing and personal-care services across Bronx, Kings, Nassau, New York, and Queens counties, confirmed that an unauthorized third party accessed an employee email account on November 25, 2025. The intrusion was identified the same day, and a forensic review concluded that files in the account contained protected health information for 16,278 individuals. The breach was reported to the HHS Office for Civil Rights on December 17, 2025 and is recorded on the federal portal as a Hacking/IT Incident affecting a network server.

Timeline

  • November 25, 2025 — An unauthorized actor accesses an employee email account “for a brief period.” Excellent identifies the activity the same day and secures the account.
  • December 17, 2025 — Individual notification letters are mailed to affected patients; the incident is filed with the HHS Office for Civil Rights.
  • December 18, 2025 — Excellent posts a public Notice of Data Breach via newswire.
  • December 22, 2025 — Strauss Borrelli PLLC announces a class-action investigation.
  • February 18, 2026 — Federman & Sherwood announces a separate class-action investigation.

What was exposed

The data elements confirmed exposed vary by individual but include:

  • Full name
  • Address and phone number
  • Date of birth and gender
  • Social Security number
  • Medicare or Medicaid number
  • Medical information related to the patient’s plan of care

Not every data element was present for every individual. The combination of Social Security number, Medicare or Medicaid number, and plan-of-care medical detail is the most consequential pairing in this filing.

Sensitive population: elderly home-care patients

Excellent’s patient base is predominantly seniors and adults recovering from medical events who receive in-home skilled nursing and personal care. That population profile materially raises the downstream risk from this incident. Medicare and Medicaid identifiers enable medical-identity theft and false-claim submissions that can pollute a patient’s medical record and trigger benefits-eligibility problems that are notoriously difficult to unwind, particularly for dual-eligible beneficiaries. Plan-of-care detail combined with home address and phone number gives a threat actor highly targeted social-engineering material for the kind of “Medicare,” “pharmacy,” or “home-care coordinator” phone fraud that has been repeatedly documented against this demographic. Older adults are also less likely to use credit-monitoring tools or to detect medical-billing anomalies on their own, which is why family caregivers and adult children should treat this notice as actionable for the patient in their care.

What the entity is offering

Excellent has stated that it has made identity monitoring services available to affected individuals. The notification letters include enrollment instructions and a dedicated incident hotline at 1-833-918-6974, staffed 8:00 a.m. to 5:30 p.m. Eastern, Monday through Friday. The agency reports that it secured the affected account, reset credentials, restricted access, reviewed and updated its Microsoft 365 security settings, and added geographic access restrictions and enhanced monitoring.

Class-action and regulatory posture

As of this writing, no class-action complaint has been filed in court against Excellent Home Care Services. Three plaintiffs’ firms have publicly announced investigations: Strauss Borrelli PLLC (announced December 22, 2025), Federman & Sherwood (announced February 18, 2026), and Levi & Korsinsky, LLP. The HHS OCR portal entry is open and remains under federal regulatory review.

What to do if you may be affected

  • Enroll in the offered identity monitoring. The enrollment code in your letter is single-use and time-limited; do not wait.
  • Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers were exposed, a credit freeze is materially more protective than monitoring alone. It is free, reversible, and the right baseline for an elderly or fixed-income patient.
  • Watch for Medicare and Medicaid fraud. Request and review your Medicare Summary Notice (or Medicaid statement) for services and equipment you did not receive. Report suspect claims to 1-800-MEDICARE or your state Medicaid fraud line. Medical-identity theft on a Medicare or Medicaid record is one of the hardest forms of identity theft to remediate.
  • Be alert to targeted phone and mail scams. A threat actor with your name, address, date of birth, and plan-of-care context can impersonate a home-care coordinator, pharmacy, or “Medicare” representative very convincingly. Hang up and call back using a number you already trust, not one provided on the inbound call.
  • Family caregivers: act on the patient’s behalf. If you hold a healthcare proxy or financial power of attorney, place the freeze, complete the monitoring enrollment, and review benefits statements directly. This breach population is one that will not, on average, complete those steps unassisted.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.