Active breach tracker FL Disclosed March 21, 2025

Fyzical Acquisition Holdings LLC Data Breach 2025: 43,045 Affected · Email Hacking Incident · FL Business Associate. Class-Action Investigations Open. What To Do.

Fyzical Acquisition Holdings LLC, the Florida-based parent of the 500+ location Fyzical Therapy & Balance Centers franchise, filed a HIPAA breach notification with HHS OCR on March 21, 2025 reporting 43,045 affected individuals from a hacking incident on a network server. Public reporting ties this filing to a December 2024 email environment compromise that exposed SSNs, driver's licenses, financial account info, and medical records. Multiple class-action firms are investigating. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 9, 2024

Suspicious activity detected in Fyzical email environment; investigation launched

Dec 9, 2024

Attacker gained access

Mar 21, 2025

Fyzical Acquisition Holdings LLC reports breach to HHS OCR — 43,045 affected, Hacking/IT Incident, Network Server

Nov 25, 2025

Forensic data review concludes; specific data elements confirmed

Dec 19, 2025

Individual notification letters begin mailing; New Hampshire Attorney General notified (6 NH residents confirmed affected)

Dec 22, 2025

Texas Attorney General notified (1,801 TX residents confirmed affected); Notice of Data Security Incident posted to Fyzical website

Dec 23, 2025

Strauss Borrelli PLLC and Lynch Carpenter LLP open class-action investigations

Dec 29, 2025

Federman & Sherwood announces data breach investigation

Jan 20, 2026

Bragar Eagel & Squire P.C. announces investigation into FYZICAL Provider Solutions data breach

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number / state ID

03

Contact & insurance

Phishing + targeted scams

Full name Financial account information Credit/debit card information Health insurance information Medical information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (investigation opened December 23, 2025) Lynch Carpenter LLP (investigation announced December 23, 2025) Levi & Korsinsky LLP (investigation announced January 2026) Bragar Eagel & Squire P.C. (investigation announced January 20, 2026) Murphy Law Firm (investigation open) Federman & Sherwood (investigation announced December 29, 2025) Shamis & Gentile P.A. (investigation open) Ellzey, Kherkher, Sanford & Montgomery LLP / EKSM (investigation open)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Fyzical Acquisition Holdings LLC, the Florida-based parent company of Fyzical Therapy & Balance Centers (a physical therapy and rehabilitation franchise with more than 500 locations across 46 states), filed a HIPAA breach notification with HHS OCR on March 21, 2025, reporting 43,045 affected individuals in a Hacking/IT Incident logged against a Network Server. Subsequent public reporting through late 2025 and early 2026 ties the OCR filing to a December 9, 2024 email environment compromise that ultimately exposed Social Security numbers, driver’s licenses, financial account information, health insurance data, and medical records. As a business associate to its network of clinic locations, Fyzical handled the OCR submission and consumer notifications on behalf of affected patients.

Timeline

  • December 9, 2024 — Fyzical identifies suspicious activity inside its corporate email environment. An investigation confirms an unauthorized third party accessed emails and attached files.
  • March 21, 2025 — Fyzical Acquisition Holdings LLC files with HHS OCR: 43,045 affected, Hacking/IT Incident, Network Server, Business Associate.
  • November 25, 2025 — Forensic data review completes. Fyzical confirms the specific data elements involved.
  • December 19, 2025 — Fyzical begins mailing individual notification letters and offers complimentary IDX identity-theft protection services to affected individuals. On the same date, Fyzical notifies the New Hampshire Attorney General (6 NH residents confirmed in that filing).
  • December 22, 2025 — Fyzical notifies the Texas Attorney General (1,801 Texans confirmed in that filing) and posts a Notice of Data Security Incident on its corporate website.
  • December 23, 2025 onward — Multiple class-action firms (Strauss Borrelli, Lynch Carpenter, Levi & Korsinsky, Murphy Law Firm, Bragar Eagel & Squire) announce investigations of Fyzical Acquisition Holdings LLC and “FYZICAL Provider Solutions.”
  • December 29, 2025 — Federman & Sherwood announces its own investigation into the breach.

The roughly 12-month gap between detection and individual notification is one of the largest healthcare-breach notification delays of the 2024-2025 cycle and is a likely focal point of any class-action complaint.

What was exposed

Per Fyzical’s own notice and the Texas AG filing, the affected data set may include any combination of the following per individual:

  • Full name
  • Date of birth
  • Social Security number
  • Driver’s license number or state ID number
  • Financial account information
  • Credit and debit card information
  • Health insurance information
  • Medical information (treatment, diagnosis, and related PHI generated through Fyzical clinic visits)

This is a near-complete identity-theft and medical-fraud data set. The presence of SSN plus driver’s license plus financial account information together places affected individuals at elevated risk for new-account fraud, tax-refund fraud, and medical identity theft.

What Fyzical is offering

Per the New Hampshire Attorney General notice filed December 19, 2025, Fyzical offered all affected individuals complimentary identity-protection services through IDX Identity, including:

  • 12 months of credit monitoring and CyberScan dark-web monitoring
  • A $1,000,000 insurance reimbursement policy covering identity-theft related losses
  • Fully managed ID theft recovery services

Enrollment requires the unique activation code printed on your individual notification letter. If you have not yet received a letter but believe you may be affected, call the dedicated incident hotline: 1-844-942-2124 (per the entity’s own December 22, 2025 website notice). The hotline can confirm whether your records were involved and provide enrollment assistance.

No enrollment deadline has been publicly posted as of this update. Enroll as soon as your letter arrives.

Who notifies you (Business Associate context)

Fyzical Acquisition Holdings LLC is functioning as the HIPAA business associate here — it provides shared back-office services (including the email environment that was compromised) to the Fyzical Therapy & Balance Centers franchise locations that treated you as a patient. Under HIPAA, the covered-entity clinic was responsible for the underlying PHI, but Fyzical Acquisition Holdings, as the BA that experienced the incident, is handling the breach response and individual notifications.

What that means for you in practice:

  • Your notification letter is from Fyzical Acquisition Holdings LLC (or “FYZICAL Provider Solutions”), not from your individual physical therapy clinic.
  • The letter is being mailed in waves starting December 19, 2025. Many affected individuals are still receiving letters into early-to-mid 2026.
  • Your local Fyzical clinic may have no operational role in answering breach-specific questions. Call the dedicated incident hotline printed on the Fyzical notification letter rather than your clinic.

Class-action posture

As of early June 2026, multiple plaintiffs’ firms have opened investigations into Fyzical Acquisition Holdings LLC. No consolidated data-breach complaint has been publicly confirmed in the docket as of this update. Firms publicly investigating:

  • Strauss Borrelli PLLC
  • Lynch Carpenter LLP
  • Levi & Korsinsky LLP
  • Bragar Eagel & Squire P.C.
  • Murphy Law Firm
  • Federman & Sherwood (investigation announced December 29, 2025)
  • Shamis & Gentile P.A.
  • Ellzey, Kherkher, Sanford & Montgomery LLP / EKSM (Houston, TX)

The breach has the hallmarks of cases that produce a consolidated multi-district complaint: SSN exposure, multi-state AG filings (Texas and New Hampshire confirmed), a BA acting on behalf of a national franchise, and a notification gap of nearly 12 months between detection and consumer letters.

You do not need to retain counsel to preserve your rights at this stage. Any settlement will run through a court-supervised notice process.

What to do if you may be affected

  1. Read the Fyzical notification letter carefully when it arrives — specifically the section listing which data elements were involved in your file. The categories above are the universe of what may have been exposed; your particular letter will state the subset that applied to you.
  2. Enroll in the complimentary IDX identity-theft protection offered in your letter. Per the New Hampshire AG notice filed December 19, 2025, the offer includes 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services. Use the activation code printed on your letter — public enrollment links are not available.
  3. Place free credit freezes at Equifax, Experian, and TransUnion. SSN exposure makes this the single highest-leverage step. It takes about ten minutes per bureau and does not affect your credit score.
  4. File IRS Form 14039 (Identity Theft Affidavit) proactively if you have not yet filed taxes for the year — SSN compromise increases the risk of fraudulent tax-refund filings.
  5. Watch your Explanation of Benefits (EOB) statements from your health insurer for treatment you did not receive — medical-information exposure raises the risk of medical identity theft.
  6. Stop the ongoing flow of your health information to downstream marketing, data-broker, and analytics pipelines. HealthConsent files HIPAA Section 164.522 restriction requests with the covered entities and business associates that hold your records, including franchise-style physical-therapy networks like Fyzical.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.