Active breach tracker Durham, North Carolina Disclosed March 4, 2025

Hillcrest Convalescent Center Data Breach 2025: 106,194 Skilled Nursing Residents and Patients in Durham, NC Had Names, SSNs, and Medical Records Exposed. Class Action Settlement Pending. What To Do

Hillcrest Convalescent Center, a skilled nursing facility in Durham, NC, confirmed unauthorized network access from June to July 2024 exposed SSNs, medical records, and financial data for 106,194 individuals. A class action settlement is pending final court approval (hearing August 24, 2026); claim deadline is August 26, 2026. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jun 27, 2024

Unauthorized access begins, per the Washington Attorney General filing access window of June 27 to July 24, 2024

Jun 27, 2024

Hillcrest identifies suspicious network activity, secures the environment, engages third-party cybersecurity experts, and notifies law enforcement

Feb 13, 2025

Forensic investigation and document review complete; affected individuals and data elements identified

Feb 28, 2025

Hillcrest begins mailing individual notification letters to affected individuals

Mar 2, 2025

Substitute notice posted publicly and distributed via PR Newswire

Mar 4, 2025

Breach reported to HHS OCR as Hacking/IT Incident at Network Server, Healthcare Provider, 106,194 individuals; filing also made with the Washington State Attorney General reporting 772 WA residents affected

Mar 6, 2025

Strauss Borrelli PLLC opens public class-action investigation

Mar 7, 2025

Murphy Law Firm announces investigation of class claims (GlobeNewswire)

Mar 8, 2025

Federman & Sherwood announces investigation (GlobeNewswire)

Jun 5, 2025

Original deadline to enroll in complimentary TransUnion credit monitoring and identity restoration (12 to 24 months depending on state of residence)

May 28, 2026

Settlement notification mailing sent to class members by Simpluris Inc., the court-appointed settlement administrator (hccdatasettlement.com)

Jul 27, 2026

Deadline to opt out of or object to the proposed class action settlement; Superior Court of Durham County, NC, Case No. 25CV002700-310

Aug 24, 2026

Final Approval Hearing at 10:00 a.m., Superior Court of Durham County, NC

Aug 26, 2026

Claim deadline to submit a valid Claim Form and receive a cash payment or other benefits from the settlement (hccdatasettlement.com)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license or state ID number (subset, per WA AG filing and settlement website) Passport number (subset, per WA AG filing)

02

Health records

Don't expire and can't be reissued

Treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Address (confirmed by settlement website and Texas AG filing) Other government-issued ID numbers (subset, per settlement website) Financial and banking account information (subset, per WA AG, Texas AG, and settlement website) Health insurance policy / member ID number Medical information Healthcare provider information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (investigation) Federman & Sherwood (investigation) Murphy Law Firm (investigation) Attorneys working with ClassAction.org (investigation completed) Simpluris Inc. (appointed settlement administrator)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Hillcrest Convalescent Center, a skilled nursing and rehabilitation provider in Durham, North Carolina, disclosed in early March 2025 that an unauthorized third party accessed its network in the summer of 2024 and acquired files containing the most sensitive categories of personal and protected health information on 106,194 individuals across Hillcrest Convalescent Center and its sister facility Hillcrest Raleigh at Crabtree Valley. The intrusion was identified on June 27, 2024, forensic review concluded February 13, 2025, notification letters began mailing February 28, 2025, and the incident was reported to the U.S. Department of Health and Human Services Office for Civil Rights on March 4, 2025 as a Hacking/IT Incident at a Network Server.

A class action lawsuit was filed in the Superior Court of Durham County, North Carolina (Case No. 25CV002700-310). A proposed settlement has been reached. Settlement notification mailed to class members on May 28, 2026. The court has scheduled a Final Approval Hearing for August 24, 2026. The deadline to submit a claim for a cash payment is August 26, 2026. The deadline to opt out or object is July 27, 2026. The settlement website is hccdatasettlement.com.

Because Hillcrest’s population skews heavily toward elderly residents and short-term rehab patients, this breach carries a distinct profile of identity-theft and medical-fraud risk that does not apply cleanly to a typical employer or carrier disclosure. The facts below come from Hillcrest’s own substitute notice, the HHS OCR portal entry, multiple state Attorney General filings, HIPAA Journal, the PR Newswire release, the official settlement website, and the public investigation announcements of plaintiff firms.

Timeline

  • June 27, 2024 — Hillcrest identifies suspicious activity on its network, secures the environment, engages third-party cybersecurity specialists, and notifies law enforcement. The Washington Attorney General filing reports the unauthorized-access window as June 27 to July 24, 2024.
  • February 13, 2025 — Forensic investigation and document review complete; Hillcrest finalizes the list of affected individuals and the specific data elements involved.
  • February 28, 2025 — Hillcrest begins mailing individual notification letters to affected individuals with addresses on file.
  • March 2, 2025 — Substitute notice posted on hillcrestnc.com and distributed via PR Newswire.
  • March 4, 2025 — Breach reported to HHS OCR (106,194 affected, Hacking/IT Incident, Network Server) and filed with the Washington State Attorney General (772 Washington residents affected).
  • March 6 to 8, 2025 — Strauss Borrelli PLLC, Murphy Law Firm, and Federman & Sherwood announce public investigations of potential class claims.
  • June 5, 2025 — Original deadline for affected individuals to enroll in the complimentary TransUnion credit-monitoring and identity-restoration services offered by Hillcrest.
  • May 28, 2026 — Simpluris Inc. (court-appointed settlement administrator) mails settlement notification to class members; the official settlement website at hccdatasettlement.com goes live.
  • July 27, 2026 — Deadline to opt out of or object to the proposed settlement.
  • August 24, 2026 — Final Approval Hearing, Superior Court of Durham County, NC, 10:00 a.m.
  • August 26, 2026 — Claim deadline to submit a Claim Form for a cash payment or other settlement benefits.

What was exposed

Hillcrest’s substitute notice, multiple state Attorney General filings, and the settlement website together itemize the following data elements as having been accessed or acquired. The exact mix varies by individual.

  • Full name
  • Address (confirmed by the settlement website and Texas AG filing)
  • Date of birth
  • Social Security number
  • Driver’s license or state ID number (subset of individuals, per Washington AG and settlement website)
  • Other government-issued ID numbers (subset, per settlement website)
  • Passport number (subset, per Washington AG)
  • Financial and banking account information (subset, per Washington AG, Texas AG, and settlement website)
  • Health insurance policy / member ID number
  • Medical information
  • Treatment information
  • Healthcare provider information

This is the full HIPAA-regulated bundle plus government-ID and, for some individuals, home address and financial-account data. It is the highest-severity tier of breach disclosure for U.S. consumers because Social Security numbers and dates of birth do not change, and medical and treatment records cannot be reissued the way a payment card can.

Hillcrest made state-specific filings with at least 13 state attorneys general, confirming residents were affected in California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, North Carolina, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington, among other states. Resident counts confirmed publicly include: Texas (2,917), Massachusetts (983), Maine (340), Iowa (679), and Washington (772).

Sensitive-population considerations (elderly residents)

Skilled nursing breaches sit in a different operational reality than breaches at a clinic, insurer, or employer.

  • The affected individual may not be the person reading the mail. Notifications were addressed to the patient or resident on file. Many Hillcrest residents have a spouse, adult child, or court-appointed agent acting as HIPAA personal representative and financial fiduciary. If you are that representative, the letter and the enrollment window applied to you on behalf of the resident.
  • Elderly and cognitively impaired adults are disproportionately targeted by identity-theft, government-imposter, and tax-refund-fraud schemes. The combination of a confirmed nursing-home address, a date of birth, and a Social Security number is well-suited to fraudulent tax filings, Medicare-benefit redirection, and synthetic-identity construction.
  • Medical-identity theft has long latency. Misuse of medical and insurance information often surfaces months or years later. A claim by an unknown provider on a Medicare summary notice, or a balance-due notice for care the resident never received, is the typical early signal. Routine review is the only reliable detection.
  • Deceased residents are not protected by the same fraud controls as living individuals. If a notification arrived for a deceased family member, request a credit freeze and a deceased flag from the three nationwide credit bureaus and from the Social Security Administration, and file IRS Form 14039 if a fraudulent return appears.

What the entity is offering

Per the substitute notice and the PR Newswire release, Hillcrest is providing:

  • Between 12 and 24 months of complimentary credit monitoring and identity-restoration services through TransUnion. Duration depends on the state of residence at the time of the breach. Enrollment is not automatic; affected individuals must use the activation code in the notification letter.
  • A dedicated assistance line at 1-833-799-4042, staffed 8:00 AM to 8:00 PM Eastern, for questions about the incident, the data elements involved, and credit-monitoring enrollment.
  • Guidance on credit freezes, fraud alerts, and review of credit reports, set out in the standard “Steps You Can Take” rider included with each notification letter.
  • An enrollment deadline of June 5, 2025 for the credit-monitoring offer. Individuals who missed the original deadline should call the assistance line to ask whether late enrollment is still being processed.

The notice does not commit to reimbursement of out-of-pocket losses, identity-theft insurance, or any extension beyond the TransUnion package.

Class-action posture

A class action lawsuit — In re Hillcrest Convalescent Center, Inc. Data Breach Litigation, Case No. 25CV002700-310 — was filed in the Superior Court of Durham County, North Carolina. The parties have agreed to a proposed settlement, which the court has not yet finally approved as of the date of this page.

Key settlement dates:

  • May 28, 2026 — Settlement notification mailed to class members by Simpluris Inc. (court-appointed settlement administrator).
  • July 27, 2026 — Deadline to opt out of the settlement (preserves your right to sue separately) or to object in writing to the court.
  • August 24, 2026 — Final Approval Hearing, 10:00 a.m.
  • August 26, 2026 — Deadline to submit a Claim Form online or by mail to receive a cash payment or other benefits.

To file a claim, visit hccdatasettlement.com. You can also download the Claim Form from that site or call or email the Settlement Administrator for a paper copy. Settlement benefits include cash payments and other remedies for documented losses; the total settlement fund has not been publicly disclosed on the settlement website.

Hillcrest denies any wrongdoing. The settlement, if finally approved, would resolve all claims related to the June 2024 data incident.

Plaintiff firms that publicly announced pre-litigation investigations include:

  • Strauss Borrelli PLLC (announced March 6, 2025)
  • Murphy Law Firm (announced March 7, 2025, via GlobeNewswire)
  • Federman & Sherwood (announced March 8, 2025, via GlobeNewswire)
  • Attorneys working with ClassAction.org (investigation marked complete)

What to do

If you or a family member received a Hillcrest notification letter or settlement notice:

  • File a settlement claim before August 26, 2026. Visit hccdatasettlement.com to submit a Claim Form online. You can also download a paper form from the site. Settlement benefits include a cash payment for documented losses and potentially other relief. If you want to preserve the right to sue separately, you must opt out by July 27, 2026 (before that date).
  • Enroll in the TransUnion credit-monitoring and identity-restoration package Hillcrest is paying for. The activation code is in the notification letter, and the original deadline was June 5, 2025. If you missed it, call 1-833-799-4042 (8:00 AM to 8:00 PM Eastern) and ask whether late enrollment is still being processed.
  • Place a credit freeze at all three nationwide credit bureaus (Equifax, Experian, TransUnion) for the resident, and for yourself if you are the personal representative. Freezes are free, take roughly ten minutes per bureau, and are the single highest-leverage protection against new-account fraud opened with a stolen SSN.
  • Establish or confirm a “my Social Security” account and an IRS Identity Protection PIN for the resident if they do not already exist. This blocks the two most common downstream attacks on elderly individuals: a fraudulent tax refund and redirection of Social Security direct deposit.
  • Review Medicare Summary Notices and any Medicare Advantage or Part D explanations of benefits monthly for at least the next 24 months. Flag any provider, date of service, or procedure code you do not recognize and report it to 1-800-MEDICARE.
  • Document and retain everything. Keep the notification letter, the enrollment confirmation, the settlement notice, and any later correspondence. Your notification letter is your proof of class membership.
  • If the affected individual is deceased, add a deceased flag with the Social Security Administration, request “Deceased, Do Not Issue Credit” notations from each credit bureau, and file IRS Form 14039 if a fraudulent return appears.
  • Stop the ongoing flow of your nursing and rehabilitation records. HealthConsent files HIPAA restriction requests so the medical, treatment, and insurance data exposed in this breach is not continuously re-shared across post-acute care networks, insurance eligibility platforms, and downstream providers.

I confirm that every fact in this entry is sourced to Hillcrest’s substitute notice, the HHS OCR portal entry, the Washington State Attorney General filing, the Iowa Attorney General filing, the official settlement website (hccdatasettlement.com), ClaimDepot’s multi-AG filing summary, HIPAA Journal, PR Newswire, or a named plaintiff-firm announcement linked in the Sources section below.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.