Fyzical Acquisition Holdings LLC Data Breach 2025: 43,045 Affected · Email Hacking Incident · FL Business Associate. Class-Action Investigations Open. What To Do.
Fyzical Acquisition Holdings LLC, the Florida-based parent of the 500+ location Fyzical Therapy & Balance Centers franchise, filed a HIPAA breach notification with HHS OCR on March 21, 2025 reporting 43,045 affected individuals from a hacking incident on a network server. Public reporting ties this filing to a December 2024 email environment compromise that exposed SSNs, driver's licenses, financial account info, and medical records. Multiple class-action firms are investigating. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 9, 2024
Suspicious activity detected in Fyzical email environment; investigation launched
Dec 9, 2024
Attacker gained access
Mar 21, 2025
Fyzical Acquisition Holdings LLC reports breach to HHS OCR — 43,045 affected, Hacking/IT Incident, Network Server
Nov 25, 2025
Forensic data review concludes; specific data elements confirmed
Dec 19, 2025
Individual notification letters begin mailing; New Hampshire Attorney General notified (6 NH residents confirmed affected)
Dec 22, 2025
Texas Attorney General notified (1,801 TX residents confirmed affected); Notice of Data Security Incident posted to Fyzical website
Dec 23, 2025
Strauss Borrelli PLLC and Lynch Carpenter LLP open class-action investigations
Dec 29, 2025
Federman & Sherwood announces data breach investigation
Jan 20, 2026
Bragar Eagel & Squire P.C. announces investigation into FYZICAL Provider Solutions data breach
Dec 9, 2024
Suspicious activity detected in Fyzical email environment; investigation launched
Dec 9, 2024
Attacker gained access
Mar 21, 2025
Fyzical Acquisition Holdings LLC reports breach to HHS OCR — 43,045 affected, Hacking/IT Incident, Network Server
Nov 25, 2025
Forensic data review concludes; specific data elements confirmed
Dec 19, 2025
Individual notification letters begin mailing; New Hampshire Attorney General notified (6 NH residents confirmed affected)
Dec 22, 2025
Texas Attorney General notified (1,801 TX residents confirmed affected); Notice of Data Security Incident posted to Fyzical website
Dec 23, 2025
Strauss Borrelli PLLC and Lynch Carpenter LLP open class-action investigations
Dec 29, 2025
Federman & Sherwood announces data breach investigation
Jan 20, 2026
Bragar Eagel & Squire P.C. announces investigation into FYZICAL Provider Solutions data breach
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Fyzical Acquisition Holdings LLC, the Florida-based parent company of Fyzical Therapy & Balance Centers (a physical therapy and rehabilitation franchise with more than 500 locations across 46 states), filed a HIPAA breach notification with HHS OCR on March 21, 2025, reporting 43,045 affected individuals in a Hacking/IT Incident logged against a Network Server. Subsequent public reporting through late 2025 and early 2026 ties the OCR filing to a December 9, 2024 email environment compromise that ultimately exposed Social Security numbers, driver’s licenses, financial account information, health insurance data, and medical records. As a business associate to its network of clinic locations, Fyzical handled the OCR submission and consumer notifications on behalf of affected patients.
Timeline
- December 9, 2024 — Fyzical identifies suspicious activity inside its corporate email environment. An investigation confirms an unauthorized third party accessed emails and attached files.
- March 21, 2025 — Fyzical Acquisition Holdings LLC files with HHS OCR: 43,045 affected, Hacking/IT Incident, Network Server, Business Associate.
- November 25, 2025 — Forensic data review completes. Fyzical confirms the specific data elements involved.
- December 19, 2025 — Fyzical begins mailing individual notification letters and offers complimentary IDX identity-theft protection services to affected individuals. On the same date, Fyzical notifies the New Hampshire Attorney General (6 NH residents confirmed in that filing).
- December 22, 2025 — Fyzical notifies the Texas Attorney General (1,801 Texans confirmed in that filing) and posts a Notice of Data Security Incident on its corporate website.
- December 23, 2025 onward — Multiple class-action firms (Strauss Borrelli, Lynch Carpenter, Levi & Korsinsky, Murphy Law Firm, Bragar Eagel & Squire) announce investigations of Fyzical Acquisition Holdings LLC and “FYZICAL Provider Solutions.”
- December 29, 2025 — Federman & Sherwood announces its own investigation into the breach.
The roughly 12-month gap between detection and individual notification is one of the largest healthcare-breach notification delays of the 2024-2025 cycle and is a likely focal point of any class-action complaint.
What was exposed
Per Fyzical’s own notice and the Texas AG filing, the affected data set may include any combination of the following per individual:
- Full name
- Date of birth
- Social Security number
- Driver’s license number or state ID number
- Financial account information
- Credit and debit card information
- Health insurance information
- Medical information (treatment, diagnosis, and related PHI generated through Fyzical clinic visits)
This is a near-complete identity-theft and medical-fraud data set. The presence of SSN plus driver’s license plus financial account information together places affected individuals at elevated risk for new-account fraud, tax-refund fraud, and medical identity theft.
What Fyzical is offering
Per the New Hampshire Attorney General notice filed December 19, 2025, Fyzical offered all affected individuals complimentary identity-protection services through IDX Identity, including:
- 12 months of credit monitoring and CyberScan dark-web monitoring
- A $1,000,000 insurance reimbursement policy covering identity-theft related losses
- Fully managed ID theft recovery services
Enrollment requires the unique activation code printed on your individual notification letter. If you have not yet received a letter but believe you may be affected, call the dedicated incident hotline: 1-844-942-2124 (per the entity’s own December 22, 2025 website notice). The hotline can confirm whether your records were involved and provide enrollment assistance.
No enrollment deadline has been publicly posted as of this update. Enroll as soon as your letter arrives.
Who notifies you (Business Associate context)
Fyzical Acquisition Holdings LLC is functioning as the HIPAA business associate here — it provides shared back-office services (including the email environment that was compromised) to the Fyzical Therapy & Balance Centers franchise locations that treated you as a patient. Under HIPAA, the covered-entity clinic was responsible for the underlying PHI, but Fyzical Acquisition Holdings, as the BA that experienced the incident, is handling the breach response and individual notifications.
What that means for you in practice:
- Your notification letter is from Fyzical Acquisition Holdings LLC (or “FYZICAL Provider Solutions”), not from your individual physical therapy clinic.
- The letter is being mailed in waves starting December 19, 2025. Many affected individuals are still receiving letters into early-to-mid 2026.
- Your local Fyzical clinic may have no operational role in answering breach-specific questions. Call the dedicated incident hotline printed on the Fyzical notification letter rather than your clinic.
Class-action posture
As of early June 2026, multiple plaintiffs’ firms have opened investigations into Fyzical Acquisition Holdings LLC. No consolidated data-breach complaint has been publicly confirmed in the docket as of this update. Firms publicly investigating:
- Strauss Borrelli PLLC
- Lynch Carpenter LLP
- Levi & Korsinsky LLP
- Bragar Eagel & Squire P.C.
- Murphy Law Firm
- Federman & Sherwood (investigation announced December 29, 2025)
- Shamis & Gentile P.A.
- Ellzey, Kherkher, Sanford & Montgomery LLP / EKSM (Houston, TX)
The breach has the hallmarks of cases that produce a consolidated multi-district complaint: SSN exposure, multi-state AG filings (Texas and New Hampshire confirmed), a BA acting on behalf of a national franchise, and a notification gap of nearly 12 months between detection and consumer letters.
You do not need to retain counsel to preserve your rights at this stage. Any settlement will run through a court-supervised notice process.
What to do if you may be affected
- Read the Fyzical notification letter carefully when it arrives — specifically the section listing which data elements were involved in your file. The categories above are the universe of what may have been exposed; your particular letter will state the subset that applied to you.
- Enroll in the complimentary IDX identity-theft protection offered in your letter. Per the New Hampshire AG notice filed December 19, 2025, the offer includes 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services. Use the activation code printed on your letter — public enrollment links are not available.
- Place free credit freezes at Equifax, Experian, and TransUnion. SSN exposure makes this the single highest-leverage step. It takes about ten minutes per bureau and does not affect your credit score.
- File IRS Form 14039 (Identity Theft Affidavit) proactively if you have not yet filed taxes for the year — SSN compromise increases the risk of fraudulent tax-refund filings.
- Watch your Explanation of Benefits (EOB) statements from your health insurer for treatment you did not receive — medical-information exposure raises the risk of medical identity theft.
- Stop the ongoing flow of your health information to downstream marketing, data-broker, and analytics pipelines. HealthConsent files HIPAA Section 164.522 restriction requests with the covered entities and business associates that hold your records, including franchise-style physical-therapy networks like Fyzical.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record of this breach (entry: Fyzical Acquisition Holdings, LLC, FL, Business Associate, 43,045, 2025-03-21, Hacking/IT Incident, Network Server).
- HIPAA Journal: Data Breach Affects Patients of Multiple Fyzical Therapy & Balance Centers — established trade press coverage of detection date, data elements, and notification cadence.
- Strauss Borrelli PLLC: Fyzical Acquisition Holdings Data Breach Investigation — class-action investigation page with Florida HQ confirmation and detailed data-element list.
- Lynch Carpenter LLP / GlobeNewswire (Dec 23, 2025) — investigation announcement.
- Bragar Eagel & Squire P.C. / GlobeNewswire (Jan 20, 2026) — investigation announcement; uses “FYZICAL Provider Solutions” naming.
- Levi & Korsinsky LLP Investigation Announcement — additional plaintiffs’-firm investigation.
- ClassActionU: Fyzical Acquisition Holdings LLC Data Breach Lawsuit — consolidated class-action investigation tracker.
- Federman & Sherwood: Data Breach Investigation (Dec 29, 2025) — additional plaintiffs’-firm investigation; confirms December 29, 2025 announcement date.
- ClaimDepot: Fyzical Data Breach — 1,801 Texas Residents Affected — state AG filing data; Texas and New Hampshire resident counts confirmed.
- Murphy Law Firm: Fyzical Data Breach Case Page — confirms IDX identity-theft protection offered to affected individuals; ongoing investigation.
- New Hampshire Attorney General: Fyzical Acquisition Holdings Notice of Data Event (Dec 19, 2025) — NH AG filing; confirms 6 NH residents affected, IDX monitoring offer (12 months credit + CyberScan, $1,000,000 insurance reimbursement policy, fully managed ID theft recovery), and December 19, 2025 notification date.
- My Data Breach Attorney: Fyzical Acquisition Holdings LLC Data Breach Investigation — additional plaintiffs’-firm investigation page; confirms Sarasota, FL headquarters and ongoing legal review.
- Fyzical Acquisition Holdings LLC: Notice of Data Privacy Event (Dec 22, 2025) — entity’s own primary notice PDF; confirms incident date, data elements, IDX monitoring offer, and dedicated hotline 1-844-942-2124.
- Ellzey, Kherkher, Sanford & Montgomery LLP (EKSM): Fyzical Acquisition Holdings Data Breach Investigation — Houston-based firm with active investigation; additional plaintiffs’-firm coverage.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal: Data Breach Affects Patients of Multiple Fyzical Therapy & Balance Centers
- Strauss Borrelli PLLC: Fyzical Acquisition Holdings Data Breach Investigation
- GlobeNewswire: Lynch Carpenter Investigates Fyzical Data Breach Claims (Dec 23, 2025)
- GlobeNewswire: Bragar Eagel & Squire Investigating FYZICAL Provider Solutions Data Breach (Jan 20, 2026)
- Levi & Korsinsky LLP Investigation Announcement
- ClassActionU: Fyzical Acquisition Holdings LLC Data Breach Lawsuit
- Federman & Sherwood: Fyzical Acquisition Holdings LLC Data Breach Investigation (Dec 29, 2025)
- ClaimDepot: Fyzical Data Breach Impacts 1,801 in Texas (state AG resident count)
- Murphy Law Firm: Fyzical Data Breach Case Page
- New Hampshire Attorney General: Fyzical Acquisition Holdings Notice of Data Event (Dec 19, 2025)
- My Data Breach Attorney: Fyzical Acquisition Holdings LLC Data Breach Investigation
- Fyzical Acquisition Holdings LLC: Notice of Data Privacy Event (Dec 22, 2025) — entity's own notice PDF confirming incident date, data elements, hotline 1-844-942-2124
- Ellzey, Kherkher, Sanford & Montgomery LLP (EKSM): Fyzical Acquisition Holdings Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.