Interventional Pain Center Data Breach 2026: 3,171 Tennessee Pain Patients Exposed. Controlled-Substance Prescription History in Scope. What To Do
Interventional Pain Center, PLLC, a Tennessee pain management practice in Hendersonville and Nashville, disclosed in April 2026 a December 2025 employee email compromise exposing names, Social Security numbers, driver's licenses, dates of birth, medical history, diagnoses, treatment, and prescription information for 3,171 patients. Controlled-substance prescription records are particularly sensitive. No credit monitoring named in the public notice. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 1, 2025
Unauthorized access to employee email account begins
Dec 11, 2025
Discovery
Mar 17, 2026
Forensic investigation completed
Mar 31, 2026
HHS OCR filing
Apr 9, 2026
Substitute notice posted; Cole & Van Note class-action investigation announced
Apr 9, 2026
Disclosed publicly
Dec 1, 2025
Unauthorized access to employee email account begins
Dec 11, 2025
Discovery
Mar 17, 2026
Forensic investigation completed
Mar 31, 2026
HHS OCR filing
Apr 9, 2026
Substitute notice posted; Cole & Van Note class-action investigation announced
Apr 9, 2026
Disclosed publicly
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Interventional Pain Center, PLLC (IPC) is a Tennessee pain management practice headquartered in Hendersonville (Hendersonville Medical Center) with a second location at 3443 Dickerson Pike, Suite 730, Nashville, TN. Founded in 2013 by Dr. Brad Wilson, D.O., the practice specializes in interventional pain management — a specialty centered on chronic pain, controlled-substance prescribing, and procedures including nerve blocks, epidurals, and injections.
Between December 1 and December 11, 2025, an unauthorized individual accessed an IPC employee email account. IPC discovered the unauthorized access on December 11, 2025. The forensic investigation completed on March 17, 2026, IPC filed with HHS OCR on March 31, 2026, and the substitute notice was posted in April 2026 — confirming 3,171 affected individuals.
The OCR classification (“Hacking/IT Incident at Email”) and the notice’s generic “unauthorized individual” language are consistent with a business email compromise (BEC) pattern rather than a network ransomware intrusion. No ransomware group has claimed responsibility. No leak-site listing has been observed.
Why this is uniquely sensitive
IPC is a controlled-substance-prescribing pain practice. Opioid and controlled-substance prescription history is among the most stigmatizing categories of PHI — exposure carries implications for employment background checks, insurance underwriting, child custody disputes, and ongoing DEA scrutiny of patient prescribing patterns.
What was stolen
Per the entity’s substitute notice:
- Full name, home address, ZIP
- Social Security number
- Driver’s license number
- Date of birth
- Medical history, diagnoses, conditions
- Treatment information
- Prescription information (controlled substances are within this category)
- Treating physician details
- Health insurance / subscriber numbers
What IPC is offering
IPC’s substitute notice does not name a credit-monitoring service. Patients are directed to obtain free annual credit reports and to place fraud alerts or freezes at Equifax, Experian, and TransUnion on their own.
- Dedicated call center: 877-507-2651 (Monday to Friday, 8 a.m. to 5 p.m. Central)
The absence of credit monitoring is unusual for a breach with full SSN exposure and is likely a focal point of any class action.
What to do
- Place free credit freezes at Equifax, Experian, TransUnion. IPC is not providing monitoring.
- File IRS Form 14039. Full SSN is in scope.
- Consider purchasing your own credit monitoring given the SSN + DOB + prescription exposure profile.
- If your prescription history matters professionally (employment background checks, custody, professional licensing), document the breach in case it surfaces in future records.
- Stop the ongoing flow of your pain-management and prescription data. HealthConsent files HIPAA restriction requests so the controlled-substance prescription data exposed in this breach is not continuously re-shared across pharmacy benefit managers, PDMPs, and insurance networks.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Interventional Pain Center: Substitute Notice (PDF)
- Interventional Pain Center Homepage
- Cole & Van Note: IPC Investigation
- ClassActionU: Interventional Pain Center Listing
- ClaimDepot: Interventional Pain Center 2026
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.