Active breach tracker Hendersonville, TN Disclosed April 9, 2026

Interventional Pain Center Data Breach 2026: 3,171 Tennessee Pain Patients Exposed. Controlled-Substance Prescription History in Scope. What To Do

Interventional Pain Center, PLLC, a Tennessee pain management practice in Hendersonville and Nashville, disclosed in April 2026 a December 2025 employee email compromise exposing names, Social Security numbers, driver's licenses, dates of birth, medical history, diagnoses, treatment, and prescription information for 3,171 patients. Controlled-substance prescription records are particularly sensitive. No credit monitoring named in the public notice. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 1, 2025

Unauthorized access to employee email account begins

Dec 11, 2025

Discovery

Mar 17, 2026

Forensic investigation completed

Mar 31, 2026

HHS OCR filing

Apr 9, 2026

Substitute notice posted; Cole & Van Note class-action investigation announced

Apr 9, 2026

Disclosed publicly

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number Driver's license number Date of birth

02

Health records

Don't expire and can't be reissued

Medical history, diagnoses, conditions Treatment information Prescription information

03

Contact & insurance

Phishing + targeted scams

Full name Home address, ZIP Treating physician details Health insurance / subscriber numbers

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Cole & Van Note (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Interventional Pain Center, PLLC (IPC) is a Tennessee pain management practice headquartered in Hendersonville (Hendersonville Medical Center) with a second location at 3443 Dickerson Pike, Suite 730, Nashville, TN. Founded in 2013 by Dr. Brad Wilson, D.O., the practice specializes in interventional pain management — a specialty centered on chronic pain, controlled-substance prescribing, and procedures including nerve blocks, epidurals, and injections.

Between December 1 and December 11, 2025, an unauthorized individual accessed an IPC employee email account. IPC discovered the unauthorized access on December 11, 2025. The forensic investigation completed on March 17, 2026, IPC filed with HHS OCR on March 31, 2026, and the substitute notice was posted in April 2026 — confirming 3,171 affected individuals.

The OCR classification (“Hacking/IT Incident at Email”) and the notice’s generic “unauthorized individual” language are consistent with a business email compromise (BEC) pattern rather than a network ransomware intrusion. No ransomware group has claimed responsibility. No leak-site listing has been observed.

Why this is uniquely sensitive

IPC is a controlled-substance-prescribing pain practice. Opioid and controlled-substance prescription history is among the most stigmatizing categories of PHI — exposure carries implications for employment background checks, insurance underwriting, child custody disputes, and ongoing DEA scrutiny of patient prescribing patterns.

What was stolen

Per the entity’s substitute notice:

  • Full name, home address, ZIP
  • Social Security number
  • Driver’s license number
  • Date of birth
  • Medical history, diagnoses, conditions
  • Treatment information
  • Prescription information (controlled substances are within this category)
  • Treating physician details
  • Health insurance / subscriber numbers

What IPC is offering

IPC’s substitute notice does not name a credit-monitoring service. Patients are directed to obtain free annual credit reports and to place fraud alerts or freezes at Equifax, Experian, and TransUnion on their own.

  • Dedicated call center: 877-507-2651 (Monday to Friday, 8 a.m. to 5 p.m. Central)

The absence of credit monitoring is unusual for a breach with full SSN exposure and is likely a focal point of any class action.

What to do

  1. Place free credit freezes at Equifax, Experian, TransUnion. IPC is not providing monitoring.
  2. File IRS Form 14039. Full SSN is in scope.
  3. Consider purchasing your own credit monitoring given the SSN + DOB + prescription exposure profile.
  4. If your prescription history matters professionally (employment background checks, custody, professional licensing), document the breach in case it surfaces in future records.
  5. Stop the ongoing flow of your pain-management and prescription data. HealthConsent files HIPAA restriction requests so the controlled-substance prescription data exposed in this breach is not continuously re-shared across pharmacy benefit managers, PDMPs, and insurance networks.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.