Active breach tracker Brooklyn, New York Disclosed July 21, 2025

Infinite Services, Inc. Data Breach 2025: 31,742 Affected in May Ransomware Attack on Brooklyn-Based Home Therapy Provider

Infinite Services, Inc., a Brooklyn, NY-based provider of in-home physical, occupational, speech, and behavioral therapy, detected a ransomware intrusion on May 5, 2025 and filed a HIPAA breach notification with HHS OCR on July 21, 2025 reporting 31,742 affected individuals. Names, Social Security numbers, dates of birth, member ID numbers, health insurance information, medical records, financial account information, and driver's license numbers were potentially exposed. No ransom was paid.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 5, 2025

Employees unable to log into the network; Infinite Services discovers ransomware activity and powers off the affected server, interrupting encryption

May 5, 2025

Attacker gained access

Jun 23, 2025

Investigation determines the compromised server contained patient and employee information; entity decides to notify all potentially affected individuals rather than wait for data-mining results

Jul 21, 2025

HIPAA breach notification filed with HHS Office for Civil Rights — 31,742 individuals reported

Jul 22, 2025

Sample notification letter filed with the New Hampshire Attorney General

Jul 23, 2025

Notification filed with the Massachusetts Office of Consumer Affairs and Business Regulation

Jul 24, 2025

Strauss Borrelli PLLC announces a class-action investigation

Jul 25, 2025

Individual notification letters mailed to affected patients and employees

Aug 1, 2025

Migliaccio & Rathod LLP announces a parallel class-action investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

02

Health records

Don't expire and can't be reissued

Medical records

03

Contact & insurance

Phishing + targeted scams

Full name Address Member identification number Health insurance information Financial account information Credit or debit card number

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (investigation) Migliaccio & Rathod LLP (investigation)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Brooklyn-based Infinite Services, Inc., an in-home provider of physical, occupational, speech, and behavioral therapy serving pediatric and geriatric patients, detected a ransomware intrusion on May 5, 2025 when employees could not log into the company’s network. The affected server was powered off before encryption completed. On July 21, 2025, Infinite Services filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights reporting 31,742 affected individuals, and notification letters were mailed on July 25, 2025. No ransom was paid.

Timeline

  • May 5, 2025 — Employees are unable to log into the network. Infinite Services discovers ransomware activity on a file server and powers the server off, which interrupts the encryption process. Outside cybersecurity counsel and forensic experts are engaged.
  • June 23, 2025 — Forensic review determines the compromised server contained patient and employee information. Because exact per-individual data mining would have delayed notice, Infinite Services elects to notify all potentially affected individuals.
  • July 21, 2025 — A HIPAA breach notification listing 31,742 individuals is filed with HHS OCR.
  • July 22, 2025 — A sample notification letter is filed with the New Hampshire Attorney General.
  • July 23, 2025 — Notification is filed with the Massachusetts Office of Consumer Affairs and Business Regulation.
  • July 24, 2025 — Strauss Borrelli PLLC announces a class-action investigation.
  • July 25, 2025 — Individual notification letters begin going out to affected patients and employees.
  • August 1, 2025 — Migliaccio & Rathod LLP announces a parallel class-action investigation.

What was exposed

Per the sample notification filed with the New Hampshire and Massachusetts attorneys general, and confirmed by Strauss Borrelli’s investigation summary, the data elements involved vary by individual and may include:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Member identification number
  • Health insurance information
  • Medical records
  • Financial account information
  • Credit or debit card number

Infinite Services states that at the time notification letters were sent, no threat actor had publicly claimed the attack and none of the data had been published online.

What Infinite Services is offering

Infinite Services is providing affected individuals with complimentary identity protection through IDX, including:

  • 12 to 24 months of credit and CyberScan dark-web monitoring (duration varies by data exposed for each individual)
  • A $1 million identity theft insurance policy with a $0 deductible
  • Fully managed identity theft recovery services

A dedicated call center is referenced in the notification letter for breach-specific questions and enrollment in IDX monitoring.

Class-action posture

As of the most recent public update, no class-action complaint has been filed against Infinite Services. Strauss Borrelli PLLC (announced July 24, 2025) and Migliaccio & Rathod LLP (announced August 1, 2025) are publicly soliciting affected individuals as part of pre-suit investigations. ClassAction.org separately conducted and concluded an investigation without filing a complaint. The HHS Office for Civil Rights investigation tied to the 31,742-person OCR submission remains open.

What to do

Social Security numbers, driver’s license numbers, and financial account information were potentially exposed. Treat this as a high-severity exposure and stack defenses:

  1. Freeze your credit at all three bureaus — Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online, and blocks new-account fraud at the source. This is the single highest-leverage step when SSNs are in play.
  2. Enroll in the IDX monitoring offered by Infinite Services if your notification letter includes an activation code. Credit and CyberScan monitoring is no substitute for a freeze, but it is free and surfaces misuse earlier.
  3. Pull your free annual credit reports at AnnualCreditReport.com and review for accounts or inquiries you do not recognize.
  4. Request an Identity Protection PIN (IP PIN) from the IRS at irs.gov/ippin to block fraudulent federal returns filed under your SSN. File IRS Form 14039 if you see a rejected return or suspicious IRS correspondence.
  5. Replace your driver’s license through the New York DMV if your license number was listed as exposed; license-number fraud is harder to unwind than credit-card fraud once it propagates.
  6. Watch for medical identity theft. Review Explanation of Benefits statements from your health insurer and report any claim you do not recognize to the insurer and to HHS OCR.
  7. Be skeptical of phone, text, and email outreach claiming to be from Infinite Services. Threat actors routinely follow large healthcare breaches with targeted phishing. Infinite Services will not ask for your full SSN or financial account details by phone to “verify” your record.
  8. Keep your notification letter. It documents the exposure window and the specific data elements affecting you, both of which matter for any later identity-theft claim or class-action recovery.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.