Active breach tracker Ferndale, MI Disclosed April 30, 2026

Exclusive Physicians PLLC (EPIC Health) Data Breach 2026: 58,000 Detroit-Area Patients Exposed. No SSN. What To Do

Exclusive Physicians PLLC, doing business as EPIC Health, a Detroit-area primary care medical group, disclosed in April 2026 a January 2026 network intrusion exposing names, dates of birth, demographic and contact information, insurance payor, and diagnosis category for 58,000 patients. EMR was not accessed. SSN and financial data not in scope. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 3, 2026

Unauthorized actor accessed network and exfiltrated files

Jan 7, 2026

EPIC Health detected suspicious activity; engaged forensics and federal law enforcement

Apr 30, 2026

Filed with HHS OCR; notification letters mailed

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Diagnosis category

03

Contact & insurance

Phishing + targeted scams

Full name Age Marital status Home address Home and cell phone numbers Email address Patient ID Insurance payor name
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Exclusive Physicians PLLC operates the brand EPIC Health (Exclusive Physicians - Integrated & Comprehensive), a Michigan primary-care medical group founded in 2001 and headquartered in Ferndale at 911 E 9 Mile Road. Additional clinics are in Detroit (Livernois Ave) and Southfield. The group employs roughly 22 physicians across internal medicine, family medicine, pediatrics, cardiology, and ancillary specialties. EPIC Health accepts Medicare and Medicaid and primarily serves urban Detroit and Oakland County. (Note: this entity is unrelated to Epic Systems, the EHR vendor.)

On January 3, 2026, an unauthorized actor accessed EPIC Health’s network and exfiltrated files. EPIC Health detected suspicious activity on January 7, 2026, engaged a cybersecurity forensics firm, and notified federal law enforcement. During the investigation period, EPIC Health states it obtained “assurances” from the threat actor that the acquired data was deleted — a phrasing consistent with an extortion-style intrusion (likely with a paid resolution, though EPIC Health does not confirm payment).

EPIC Health filed with the HHS Office for Civil Rights on April 30, 2026, confirming 58,000 affected individuals. No ransomware group has publicly claimed credit. No leak-site listing has been identified.

What was stolen

Per EPIC Health’s notice, exposed data includes:

  • Full name
  • Date of birth, age, marital status
  • Home address
  • Home and cell phone numbers
  • Email address
  • Patient ID
  • Insurance payor name
  • Diagnosis category

The notice explicitly confirms:

  • The EMR system was not accessed.
  • Social Security numbers were not involved.
  • Financial account information was not involved.

The diagnosis category is the most sensitive element. The breadth of clinical detail is narrower than most healthcare breaches; the underlying medical record content remained protected.

What EPIC Health is offering

The notice describes enhanced security measures, additional safeguards, and ongoing cybersecurity review. It does not enumerate complimentary credit monitoring or identity-theft protection — defensible given no SSN or financial data was in scope. Call center: 1-844-920-0164.

What to do

  1. Be alert to phishing that references your EPIC Health appointments, diagnosis category, or insurance carrier. The exposed dataset is enough to support targeted “appointment follow-up” or “lab result delivery” scam outreach.
  2. Review your Explanation of Benefits statements for unfamiliar primary-care or specialty claims.
  3. Place free credit freezes as a baseline precaution even though SSN was not exposed.
  4. Stop the ongoing flow of your healthcare data. HealthConsent files HIPAA restriction requests so the demographic and diagnosis-category data exposed in this breach is not continuously re-shared by downstream entities.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.