Gaylord Hospital Data Breach 2025: 62,232 Patients Exposed in SafePay Ransomware Attack · CT
Gaylord Specialty Healthcare (Wallingford, CT) reported a ransomware intrusion that exposed Social Security numbers, financial data, and medical records for 62,232 individuals. The SafePay group claimed responsibility and leaked 160 GB. Filed with HHS OCR on February 28, 2025; individual notifications mailed beginning September 24, 2025.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 16, 2024
Unauthorized access to Gaylord network begins
Dec 19, 2024
Suspicious activity identified; network connectivity disrupted; forensic investigation begins
Jan 22, 2025
SafePay ransomware group posts Gaylord on its dark web leak site, claiming 160 GB of exfiltrated data
Feb 28, 2025
Provisional HIPAA breach notification filed with HHS Office for Civil Rights; substitute notice posted to gaylord.org
Aug 25, 2025
Forensic file review concludes that personal data was likely acquired between December 16 and December 19, 2024
Sep 24, 2025
Individual notification letters mailed to affected patients and employees
Dec 16, 2024
Unauthorized access to Gaylord network begins
Dec 19, 2024
Suspicious activity identified; network connectivity disrupted; forensic investigation begins
Jan 22, 2025
SafePay ransomware group posts Gaylord on its dark web leak site, claiming 160 GB of exfiltrated data
Feb 28, 2025
Provisional HIPAA breach notification filed with HHS Office for Civil Rights; substitute notice posted to gaylord.org
Aug 25, 2025
Forensic file review concludes that personal data was likely acquired between December 16 and December 19, 2024
Sep 24, 2025
Individual notification letters mailed to affected patients and employees
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Gaylord Specialty Healthcare, the nonprofit long-term acute care and rehabilitation hospital in Wallingford, Connecticut, confirmed that an unauthorized actor was inside its network from December 16 through December 19, 2024. Suspicious activity was identified on December 19, 2024 when network connectivity was disrupted, and a months-long forensic file review concluded on August 25, 2025 that personal, identity, financial, and medical information for 62,232 patients and employees had likely been acquired. The intrusion was claimed by the SafePay ransomware group, which posted Gaylord on its dark web leak site in late January 2025 and alleged it had exfiltrated 160 GB of data. Gaylord filed its HIPAA breach notification with the HHS Office for Civil Rights on February 28, 2025, and began mailing individual notification letters on September 24, 2025.
Gaylord operates one of the few specialty hospitals in New England focused on stroke, spinal cord injury, traumatic brain injury, and ventilator-dependent rehabilitation. The breadth of data exposed reflects that mission. The population includes not only the usual identity and financial elements, but detailed long-term-care clinical context, diagnosis codes, treatment locations, provider names, and admission and discharge dates.
Timeline
- December 16, 2024. Unauthorized access to Gaylord’s network begins.
- December 19, 2024. Suspicious activity is identified, network connectivity is disrupted, and a third-party forensic firm is engaged.
- January 22, 2025. SafePay ransomware group lists Gaylord on its Tor leak site, claiming 160 GB of exfiltrated data.
- February 28, 2025. Provisional HIPAA breach notification filed with HHS OCR. Substitute notice posted to gaylord.org.
- August 25, 2025. Forensic and document review concludes that personal data was likely acquired during the December 16 to December 19 access window.
- September 24, 2025. Individual notification letters mailed to affected patients and employees.
What was exposed
The data elements confirmed exposed vary by individual, but the population includes long-term acute care patients, rehabilitation patients, and employees. Affected categories include:
- Name and date of birth
- Social Security number and taxpayer identification number
- Driver’s license or state-issued ID number
- Passport number
- Payment card number with CVV, and bank account and routing numbers
- Medical record number and patient account number
- Mental and physical health conditions, diagnoses, and diagnosis codes
- Treatment information, procedure types, and provider names
- Admission and discharge dates and treatment locations
- Prescription information
- Billing, claims, and treatment cost information
- Health insurance information
The combination of full SSN, government ID, payment card with CVV, and detailed clinical history puts the Gaylord population at unusually high risk for both classical identity theft and medical identity theft. The double-extortion posture of SafePay, with data already posted publicly, means the protective window for any individual element has effectively closed.
What Gaylord is offering
Gaylord is offering complimentary credit monitoring through Cyberscout, a TransUnion company, including single-bureau credit monitoring, single-bureau credit report, and single-bureau credit score services. Enrollment instructions and a single-use activation code are included in the individual notification letters. Affected individuals must enroll within 90 days of the date on their letter.
The hospital has also stated that it implemented additional security enhancements to its information systems following the incident.
Class-action and regulatory posture
The HHS OCR portal entry remains open pending closure of the federal investigation. As of this writing, no consolidated class action complaint has been filed in federal court in Connecticut against Gaylord that we have been able to identify. ClassAction.org has marked its attorney review complete without confirming a filed complaint. Eight plaintiff firms have publicly opened investigations and are soliciting affected individuals:
- Edelson Lechtzin LLP
- Murphy Law Firm
- Federman & Sherwood
- Strauss Borrelli PLLC
- Schubert Jonckheer & Kolbe LLP
- Srourian Law Firm
- Shamis & Gentile P.A.
- Migliaccio & Rathod LLP
State attorney general filings are extensive. Gaylord filed breach notices with at least 14 state offices: California, Iowa, Maine (75 Maine residents affected), Massachusetts (516 Massachusetts residents affected, notified September 24, 2025), Montana, Nebraska, New Hampshire (notified September 29, 2025), Oregon, Rhode Island, South Carolina, Texas, Vermont, Washington, and the federal HHS OCR. The breadth of state AG filings indicates a geographically distributed patient and employee population extending well beyond Connecticut.
Given the population size, the SSN and payment card exposure, and the SafePay leak-site posting, a class action filing in the District of Connecticut would be unsurprising.
What to do if you may be affected
- Enroll in the offered Cyberscout monitoring within the 90-day window in your letter. The enrollment code is single-use.
- Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers and government-ID elements were exposed and posted publicly, a security freeze is materially more protective than monitoring alone. Freezes are free and reversible.
- Replace the affected payment card. Payment card numbers including CVVs were exposed. Call the number on the back of any card you used at Gaylord for billing and have it reissued.
- Watch for medical identity theft. Because diagnosis, treatment, and insurance information was exposed, review every Explanation of Benefits and request a copy of your medical record from your health insurer if you see services you did not receive.
- Be alert to highly targeted phishing. A SafePay-style leak-site posting means threat actors and downstream buyers can pair your name, date of birth, address, diagnosis, and provider into very convincing follow-on lures by phone, text, or email. Treat any unexpected outreach referencing your Gaylord care with skepticism, and verify by calling Gaylord directly using a phone number from gaylord.org rather than a number provided in the message.
- Save your notification letter. If a class action is filed and certified, the letter and the breach-notice claim number are typically required to support a claim.
- Stop the ongoing flow of your rehabilitation and long-term acute care data. HealthConsent files HIPAA restriction requests so the diagnosis, treatment, and insurance information exposed in this breach is not continuously re-shared across health information exchanges, insurers, and downstream data vendors.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record of the February 28, 2025 filing.
- HIPAA Journal — Connecticut Medical Rehabilitation Center Announces Hacking Incident — incident timeline, exposed-data categories, credit-monitoring offer.
- ClassAction.org — Gaylord Specialty Healthcare Data Breach — consumer-facing breach summary and investigation status.
- GlobeNewswire — Edelson Lechtzin LLP Investigating Gaylord Specialty Healthcare Breach — plaintiff-firm investigation notice.
- Strauss Borrelli PLLC — Gaylord Specialty Healthcare Data Breach Investigation — plaintiff-firm investigation notice.
- Federman & Sherwood — Gaylord Specialty Healthcare Data Breach Investigation — plaintiff-firm investigation notice.
- Murphy Law Firm — Gaylord Data Breach — plaintiff-firm investigation summary.
- Gaylord Specialty Healthcare — entity website carrying the substitute notice of data security incident.
- ClaimDepot — Gaylord Healthcare Data Breach — state AG filing details: 75 Maine residents, 516 Massachusetts residents; 14 AG notifications documented.
- Migliaccio & Rathod LLP — Gaylord Specialty Healthcare Data Breach Investigation — additional plaintiff-firm investigation notice.
- BreachSense — Gaylord Data Breach — independent SafePay attribution confirmation; 160 GB leak size.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Connecticut Medical Rehabilitation Center Announces Hacking Incident
- ClassAction.org — Gaylord Specialty Healthcare Data Breach Impacts SSNs, Medical Info
- GlobeNewswire — Edelson Lechtzin LLP Investigating Claims on Behalf of Gaylord Patients
- Strauss Borrelli PLLC — Gaylord Specialty Healthcare Data Breach Investigation
- Federman & Sherwood — Gaylord Specialty Healthcare Data Breach Investigation
- Murphy Law Firm — Gaylord Data Breach Case Page
- Gaylord Specialty Healthcare (official site)
- ClaimDepot — Gaylord Healthcare Discloses Data Breach Following Ransomware Attack
- Migliaccio & Rathod LLP — Gaylord Specialty Healthcare Data Breach Investigation
- BreachSense — Gaylord Data Breach Report (SafePay attribution, 160 GB)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.