Hillcrest Convalescent Center Data Breach 2025: 106,194 Skilled Nursing Residents and Patients in Durham, NC Had Names, SSNs, and Medical Records Exposed. Class Action Settlement Pending. What To Do
Hillcrest Convalescent Center, a skilled nursing facility in Durham, NC, confirmed unauthorized network access from June to July 2024 exposed SSNs, medical records, and financial data for 106,194 individuals. A class action settlement is pending final court approval (hearing August 24, 2026); claim deadline is August 26, 2026. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jun 27, 2024
Unauthorized access begins, per the Washington Attorney General filing access window of June 27 to July 24, 2024
Jun 27, 2024
Hillcrest identifies suspicious network activity, secures the environment, engages third-party cybersecurity experts, and notifies law enforcement
Feb 13, 2025
Forensic investigation and document review complete; affected individuals and data elements identified
Feb 28, 2025
Hillcrest begins mailing individual notification letters to affected individuals
Mar 2, 2025
Substitute notice posted publicly and distributed via PR Newswire
Mar 4, 2025
Breach reported to HHS OCR as Hacking/IT Incident at Network Server, Healthcare Provider, 106,194 individuals; filing also made with the Washington State Attorney General reporting 772 WA residents affected
Mar 6, 2025
Strauss Borrelli PLLC opens public class-action investigation
Mar 7, 2025
Murphy Law Firm announces investigation of class claims (GlobeNewswire)
Mar 8, 2025
Federman & Sherwood announces investigation (GlobeNewswire)
Jun 5, 2025
Original deadline to enroll in complimentary TransUnion credit monitoring and identity restoration (12 to 24 months depending on state of residence)
May 28, 2026
Settlement notification mailing sent to class members by Simpluris Inc., the court-appointed settlement administrator (hccdatasettlement.com)
Jul 27, 2026
Deadline to opt out of or object to the proposed class action settlement; Superior Court of Durham County, NC, Case No. 25CV002700-310
Aug 24, 2026
Final Approval Hearing at 10:00 a.m., Superior Court of Durham County, NC
Aug 26, 2026
Claim deadline to submit a valid Claim Form and receive a cash payment or other benefits from the settlement (hccdatasettlement.com)
Jun 27, 2024
Unauthorized access begins, per the Washington Attorney General filing access window of June 27 to July 24, 2024
Jun 27, 2024
Hillcrest identifies suspicious network activity, secures the environment, engages third-party cybersecurity experts, and notifies law enforcement
Feb 13, 2025
Forensic investigation and document review complete; affected individuals and data elements identified
Feb 28, 2025
Hillcrest begins mailing individual notification letters to affected individuals
Mar 2, 2025
Substitute notice posted publicly and distributed via PR Newswire
Mar 4, 2025
Breach reported to HHS OCR as Hacking/IT Incident at Network Server, Healthcare Provider, 106,194 individuals; filing also made with the Washington State Attorney General reporting 772 WA residents affected
Mar 6, 2025
Strauss Borrelli PLLC opens public class-action investigation
Mar 7, 2025
Murphy Law Firm announces investigation of class claims (GlobeNewswire)
Mar 8, 2025
Federman & Sherwood announces investigation (GlobeNewswire)
Jun 5, 2025
Original deadline to enroll in complimentary TransUnion credit monitoring and identity restoration (12 to 24 months depending on state of residence)
May 28, 2026
Settlement notification mailing sent to class members by Simpluris Inc., the court-appointed settlement administrator (hccdatasettlement.com)
Jul 27, 2026
Deadline to opt out of or object to the proposed class action settlement; Superior Court of Durham County, NC, Case No. 25CV002700-310
Aug 24, 2026
Final Approval Hearing at 10:00 a.m., Superior Court of Durham County, NC
Aug 26, 2026
Claim deadline to submit a valid Claim Form and receive a cash payment or other benefits from the settlement (hccdatasettlement.com)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Hillcrest Convalescent Center, a skilled nursing and rehabilitation provider in Durham, North Carolina, disclosed in early March 2025 that an unauthorized third party accessed its network in the summer of 2024 and acquired files containing the most sensitive categories of personal and protected health information on 106,194 individuals across Hillcrest Convalescent Center and its sister facility Hillcrest Raleigh at Crabtree Valley. The intrusion was identified on June 27, 2024, forensic review concluded February 13, 2025, notification letters began mailing February 28, 2025, and the incident was reported to the U.S. Department of Health and Human Services Office for Civil Rights on March 4, 2025 as a Hacking/IT Incident at a Network Server.
A class action lawsuit was filed in the Superior Court of Durham County, North Carolina (Case No. 25CV002700-310). A proposed settlement has been reached. Settlement notification mailed to class members on May 28, 2026. The court has scheduled a Final Approval Hearing for August 24, 2026. The deadline to submit a claim for a cash payment is August 26, 2026. The deadline to opt out or object is July 27, 2026. The settlement website is hccdatasettlement.com.
Because Hillcrest’s population skews heavily toward elderly residents and short-term rehab patients, this breach carries a distinct profile of identity-theft and medical-fraud risk that does not apply cleanly to a typical employer or carrier disclosure. The facts below come from Hillcrest’s own substitute notice, the HHS OCR portal entry, multiple state Attorney General filings, HIPAA Journal, the PR Newswire release, the official settlement website, and the public investigation announcements of plaintiff firms.
Timeline
- June 27, 2024 — Hillcrest identifies suspicious activity on its network, secures the environment, engages third-party cybersecurity specialists, and notifies law enforcement. The Washington Attorney General filing reports the unauthorized-access window as June 27 to July 24, 2024.
- February 13, 2025 — Forensic investigation and document review complete; Hillcrest finalizes the list of affected individuals and the specific data elements involved.
- February 28, 2025 — Hillcrest begins mailing individual notification letters to affected individuals with addresses on file.
- March 2, 2025 — Substitute notice posted on hillcrestnc.com and distributed via PR Newswire.
- March 4, 2025 — Breach reported to HHS OCR (106,194 affected, Hacking/IT Incident, Network Server) and filed with the Washington State Attorney General (772 Washington residents affected).
- March 6 to 8, 2025 — Strauss Borrelli PLLC, Murphy Law Firm, and Federman & Sherwood announce public investigations of potential class claims.
- June 5, 2025 — Original deadline for affected individuals to enroll in the complimentary TransUnion credit-monitoring and identity-restoration services offered by Hillcrest.
- May 28, 2026 — Simpluris Inc. (court-appointed settlement administrator) mails settlement notification to class members; the official settlement website at hccdatasettlement.com goes live.
- July 27, 2026 — Deadline to opt out of or object to the proposed settlement.
- August 24, 2026 — Final Approval Hearing, Superior Court of Durham County, NC, 10:00 a.m.
- August 26, 2026 — Claim deadline to submit a Claim Form for a cash payment or other settlement benefits.
What was exposed
Hillcrest’s substitute notice, multiple state Attorney General filings, and the settlement website together itemize the following data elements as having been accessed or acquired. The exact mix varies by individual.
- Full name
- Address (confirmed by the settlement website and Texas AG filing)
- Date of birth
- Social Security number
- Driver’s license or state ID number (subset of individuals, per Washington AG and settlement website)
- Other government-issued ID numbers (subset, per settlement website)
- Passport number (subset, per Washington AG)
- Financial and banking account information (subset, per Washington AG, Texas AG, and settlement website)
- Health insurance policy / member ID number
- Medical information
- Treatment information
- Healthcare provider information
This is the full HIPAA-regulated bundle plus government-ID and, for some individuals, home address and financial-account data. It is the highest-severity tier of breach disclosure for U.S. consumers because Social Security numbers and dates of birth do not change, and medical and treatment records cannot be reissued the way a payment card can.
Hillcrest made state-specific filings with at least 13 state attorneys general, confirming residents were affected in California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, North Carolina, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington, among other states. Resident counts confirmed publicly include: Texas (2,917), Massachusetts (983), Maine (340), Iowa (679), and Washington (772).
Sensitive-population considerations (elderly residents)
Skilled nursing breaches sit in a different operational reality than breaches at a clinic, insurer, or employer.
- The affected individual may not be the person reading the mail. Notifications were addressed to the patient or resident on file. Many Hillcrest residents have a spouse, adult child, or court-appointed agent acting as HIPAA personal representative and financial fiduciary. If you are that representative, the letter and the enrollment window applied to you on behalf of the resident.
- Elderly and cognitively impaired adults are disproportionately targeted by identity-theft, government-imposter, and tax-refund-fraud schemes. The combination of a confirmed nursing-home address, a date of birth, and a Social Security number is well-suited to fraudulent tax filings, Medicare-benefit redirection, and synthetic-identity construction.
- Medical-identity theft has long latency. Misuse of medical and insurance information often surfaces months or years later. A claim by an unknown provider on a Medicare summary notice, or a balance-due notice for care the resident never received, is the typical early signal. Routine review is the only reliable detection.
- Deceased residents are not protected by the same fraud controls as living individuals. If a notification arrived for a deceased family member, request a credit freeze and a deceased flag from the three nationwide credit bureaus and from the Social Security Administration, and file IRS Form 14039 if a fraudulent return appears.
What the entity is offering
Per the substitute notice and the PR Newswire release, Hillcrest is providing:
- Between 12 and 24 months of complimentary credit monitoring and identity-restoration services through TransUnion. Duration depends on the state of residence at the time of the breach. Enrollment is not automatic; affected individuals must use the activation code in the notification letter.
- A dedicated assistance line at 1-833-799-4042, staffed 8:00 AM to 8:00 PM Eastern, for questions about the incident, the data elements involved, and credit-monitoring enrollment.
- Guidance on credit freezes, fraud alerts, and review of credit reports, set out in the standard “Steps You Can Take” rider included with each notification letter.
- An enrollment deadline of June 5, 2025 for the credit-monitoring offer. Individuals who missed the original deadline should call the assistance line to ask whether late enrollment is still being processed.
The notice does not commit to reimbursement of out-of-pocket losses, identity-theft insurance, or any extension beyond the TransUnion package.
Class-action posture
A class action lawsuit — In re Hillcrest Convalescent Center, Inc. Data Breach Litigation, Case No. 25CV002700-310 — was filed in the Superior Court of Durham County, North Carolina. The parties have agreed to a proposed settlement, which the court has not yet finally approved as of the date of this page.
Key settlement dates:
- May 28, 2026 — Settlement notification mailed to class members by Simpluris Inc. (court-appointed settlement administrator).
- July 27, 2026 — Deadline to opt out of the settlement (preserves your right to sue separately) or to object in writing to the court.
- August 24, 2026 — Final Approval Hearing, 10:00 a.m.
- August 26, 2026 — Deadline to submit a Claim Form online or by mail to receive a cash payment or other benefits.
To file a claim, visit hccdatasettlement.com. You can also download the Claim Form from that site or call or email the Settlement Administrator for a paper copy. Settlement benefits include cash payments and other remedies for documented losses; the total settlement fund has not been publicly disclosed on the settlement website.
Hillcrest denies any wrongdoing. The settlement, if finally approved, would resolve all claims related to the June 2024 data incident.
Plaintiff firms that publicly announced pre-litigation investigations include:
- Strauss Borrelli PLLC (announced March 6, 2025)
- Murphy Law Firm (announced March 7, 2025, via GlobeNewswire)
- Federman & Sherwood (announced March 8, 2025, via GlobeNewswire)
- Attorneys working with ClassAction.org (investigation marked complete)
What to do
If you or a family member received a Hillcrest notification letter or settlement notice:
- File a settlement claim before August 26, 2026. Visit hccdatasettlement.com to submit a Claim Form online. You can also download a paper form from the site. Settlement benefits include a cash payment for documented losses and potentially other relief. If you want to preserve the right to sue separately, you must opt out by July 27, 2026 (before that date).
- Enroll in the TransUnion credit-monitoring and identity-restoration package Hillcrest is paying for. The activation code is in the notification letter, and the original deadline was June 5, 2025. If you missed it, call 1-833-799-4042 (8:00 AM to 8:00 PM Eastern) and ask whether late enrollment is still being processed.
- Place a credit freeze at all three nationwide credit bureaus (Equifax, Experian, TransUnion) for the resident, and for yourself if you are the personal representative. Freezes are free, take roughly ten minutes per bureau, and are the single highest-leverage protection against new-account fraud opened with a stolen SSN.
- Establish or confirm a “my Social Security” account and an IRS Identity Protection PIN for the resident if they do not already exist. This blocks the two most common downstream attacks on elderly individuals: a fraudulent tax refund and redirection of Social Security direct deposit.
- Review Medicare Summary Notices and any Medicare Advantage or Part D explanations of benefits monthly for at least the next 24 months. Flag any provider, date of service, or procedure code you do not recognize and report it to 1-800-MEDICARE.
- Document and retain everything. Keep the notification letter, the enrollment confirmation, the settlement notice, and any later correspondence. Your notification letter is your proof of class membership.
- If the affected individual is deceased, add a deceased flag with the Social Security Administration, request “Deceased, Do Not Issue Credit” notations from each credit bureau, and file IRS Form 14039 if a fraudulent return appears.
- Stop the ongoing flow of your nursing and rehabilitation records. HealthConsent files HIPAA restriction requests so the medical, treatment, and insurance data exposed in this breach is not continuously re-shared across post-acute care networks, insurance eligibility platforms, and downstream providers.
I confirm that every fact in this entry is sourced to Hillcrest’s substitute notice, the HHS OCR portal entry, the Washington State Attorney General filing, the Iowa Attorney General filing, the official settlement website (hccdatasettlement.com), ClaimDepot’s multi-AG filing summary, HIPAA Journal, PR Newswire, or a named plaintiff-firm announcement linked in the Sources section below.
Sources
- Hillcrest Convalescent Center — Notice of Data Security Event — the entity’s official substitute notice.
- HHS Office for Civil Rights Breach Portal — federal regulatory record (106,194 affected, Hacking/IT Incident, Network Server, reported 2025-03-04).
- In re Hillcrest Convalescent Center, Inc. Data Breach Litigation — Official Settlement Website — Case No. 25CV002700-310, Superior Court of Durham County, NC; settlement notification mailed May 28, 2026; claim deadline August 26, 2026; final approval hearing August 24, 2026.
- Washington State Attorney General — Hillcrest Convalescent Center, Inc. — state filing confirming the June 27 to July 24, 2024 access window and the additional data elements (driver’s license / state ID, passport, financial-account data) for the subset of affected Washington residents (772 WA residents).
- Iowa Attorney General — 2025 Security Breach Notifications — Hillcrest Convalescent Center listed as Healthcare entity, reported 3-3-2025.
- Iowa AG — Hillcrest Convalescent Center notification letter (Fox Rothschild LLP, March 3, 2025) — confirms 679 Iowa residents affected, 12 months complimentary credit monitoring.
- ClaimDepot: Hillcrest Data Breach Impacts 106,194 People — aggregator summary confirming AG filings in California, Maine, Massachusetts, Texas, Iowa, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Vermont, and Washington; state resident counts for Texas (2,917), Massachusetts (983), and Maine (340).
- HIPAA Journal: Hillcrest Convalescent Center Announces 106K-Record Data Breach — established trade-press summary.
- PR Newswire: Notice of Data Security Event — public-release version of the substitute notice, confirming the involvement of both Hillcrest Convalescent Center and Hillcrest Raleigh at Crabtree Valley.
- Strauss Borrelli PLLC: Hillcrest Convalescent Center Data Breach Investigation — plaintiff-firm investigation announcement (March 6, 2025).
- Murphy Law Firm via GlobeNewswire: Investigates Legal Claims — plaintiff-firm investigation announcement (March 7, 2025).
- ClassAction.org: Hillcrest Convalescent Center Data Breach Lawsuit Investigation — class-action investigation tracker (page now marked “for reference only”; confirms Texas AG filing also included addresses and government ID numbers).
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Hillcrest Convalescent Center — Notice of Data Security Event (official substitute notice)
- HHS Office for Civil Rights Breach Portal
- Washington State Attorney General — Hillcrest Convalescent Center, Inc. data breach filing
- HIPAA Journal: Hillcrest Convalescent Center Announces 106K-Record Data Breach
- PR Newswire: Notice of Data Security Event (Hillcrest)
- Strauss Borrelli PLLC: Hillcrest Convalescent Center Data Breach Investigation
- Murphy Law Firm via GlobeNewswire: Investigates Legal Claims
- ClassAction.org: Hillcrest Convalescent Center Data Breach Lawsuit Investigation
- In re Hillcrest Convalescent Center, Inc. Data Breach Litigation — Official Settlement Website (Case No. 25CV002700-310, Superior Court of Durham County, NC)
- Iowa Attorney General — 2025 Security Breach Notifications (Hillcrest Convalescent Center, Healthcare, reported 3-3-2025)
- Iowa AG — Hillcrest Convalescent Center breach notification letter (Fox Rothschild LLP, March 3, 2025; 679 Iowa residents, 12 months monitoring)
- ClaimDepot: Hillcrest Data Breach Impacts 106,194 People — AG filing summary (CA, ME, MA, TX, IA, MT, NE, NH, OR, RI, SC, VT, WA filings confirmed)
- Simpluris Inc. (settlement administrator) — Facebook announcement of settlement notification mailing, May 28, 2026
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.