IPPC Long-Term Care Pharmacy Data Breach 2026: 133,862 Patients Across 6 States Exposed. Very Broad PII Including SSN, Passport, Payment Card. What To Do
IPPC, the long-term care pharmacy network operating IPPC Inc., IPPC of New York LLC, and Innovative Pharmacy LLC, disclosed in February 2026 a September 2025 network intrusion exposing names, Social Security numbers, driver's license numbers, payment card information, passport numbers, Medicare/Medicaid IDs, and prescription data for 133,862 patients across NJ, NY, PA, DE, MD, and VA. 24 months Cyberscout monitoring offered. Federal class action already filed. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 18, 2025
Unauthorized access began
Sep 19, 2025
Detected; systems taken offline; federal law enforcement notified
Feb 9, 2026
File review concluded; PHI/PII involvement confirmed
Feb 27, 2026
Substitute notice published; HHS OCR filing
Apr 1, 2026
Individual notification letters mailed (via Cyberscout)
Apr 4, 2026
Federal class action filed (Murphy v. IPPC, D.N.J.)
Sep 18, 2025
Unauthorized access began
Sep 19, 2025
Detected; systems taken offline; federal law enforcement notified
Feb 9, 2026
File review concluded; PHI/PII involvement confirmed
Feb 27, 2026
Substitute notice published; HHS OCR filing
Apr 1, 2026
Individual notification letters mailed (via Cyberscout)
Apr 4, 2026
Federal class action filed (Murphy v. IPPC, D.N.J.)
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
IPPC is a long-term care pharmacy network founded in 1988 and headquartered in Morganville, New Jersey. It operates three legal entities (IPPC Inc., IPPC of New York LLC, and Innovative Pharmacy LLC) and three physical pharmacy locations:
- IPPC Pharmacy of New Jersey — 703 Ginesi Drive, Morganville, NJ 07751 (732-617-8686)
- Innovative Pharmacy of Pennsylvania — 2014 Ford Road Unit B, Bristol, PA 19004 (877-731-5786)
- IPPC Pharmacy of New York — 101 Fairchild Ave Ste 5, Plainview, NY 11803 (516-544-4311)
IPPC dispenses medications to assisted-living facilities, skilled nursing facilities, residential health-care facilities, and group homes across New Jersey, New York, Pennsylvania, Delaware, Maryland, and Virginia. It uses facility-oriented blister and multidose packaging integrated with electronic medication administration record (eMAR) systems.
On September 18 to 19, 2025, an unauthorized third party accessed IPPC’s network and copied files. IPPC detected the activity and took affected systems offline. Federal law enforcement was notified, and a third-party cybersecurity firm was engaged for forensic investigation. On February 9, 2026, the file review concluded that PHI and PII were in the compromised files. IPPC published a substitute notice on February 27, 2026, the same day it filed with the US Department of Health and Human Services Office for Civil Rights — confirming 133,862 affected individuals.
Individual notification letters were mailed beginning April 1, 2026 (handled by Cyberscout from PO Box 1286, Dearborn, MI). Three days later, the first federal class action was filed: Murphy v. IPPC Inc. et al., 3:26-cv-03597 (D.N.J.), seeking more than $5 million in damages.
No ransomware group has publicly claimed responsibility for the intrusion. No data tied to IPPC has been observed on dark-web leak sites.
What was stolen
The compromised data is unusually broad. The notification letter lists:
Identity and financial elements:
- Full name
- Date of birth
- Social Security number
- Driver’s license / government ID number
- Individual Taxpayer Identification Number (ITIN)
- Passport number
- Payment card information
- Financial account information
Healthcare identifiers and records:
- Medicare and Medicaid identifier
- Medical record number and patient account number
- Diagnosis, treatment, and procedure information
- Prescription information
- Health insurance information
- Treating and referring provider name
- Admission and discharge dates
The combination of SSN + ITIN + passport number + driver’s license + payment card + financial account is among the most complete identity-document sets exposed in any healthcare breach this year. Most healthcare breaches expose SSN and maybe driver’s license. The inclusion of passport and ITIN here means non-US-citizen residents, recently naturalized residents, and undocumented residents in IPPC-served LTC facilities have unusually severe exposure.
The Medicare/Medicaid identifier exposure is particularly serious for the LTC population, which is overwhelmingly Medicare or dual-eligible. A fraudster with your Medicare Beneficiary Identifier can submit false healthcare claims under your coverage.
What IPPC is offering
Affected individuals are being directed to Cyberscout (a TransUnion company) for 24 months of complimentary credit monitoring and identity theft protection. The 24-month duration is longer than typical (12 months is more common in 2026 breaches), reflecting the breadth of the exposed identity-document set.
- Enrollment:
bfs.cyberscout.com/activate(activation code from your letter required) - Dedicated response line: 833-877-7455 (Monday to Friday, 8 a.m. to 8 p.m. Eastern, excluding US holidays)
- Email: [email protected]
What to do if you received a notification letter
This week:
- Enroll in Cyberscout before your 90-day enrollment window closes.
- Place a free credit freeze at Equifax, Experian, and TransUnion. With this many identity documents exposed, the freeze is essential.
- File IRS Form 14039 to prevent fraudulent tax-return filings under your SSN or ITIN.
- If you are a Medicare beneficiary, call 1-800-MEDICARE and request a new Medicare Beneficiary Identifier. Your old number is in the breach dataset and could be used for fraudulent claims.
- If your passport was exposed, contact the US State Department if you observe unusual activity related to international travel or identity-document fraud. There is no central freeze for passport numbers, but a record of awareness is useful if fraudulent activity occurs later.
- Monitor your bank and credit-card statements daily for the next 30 days. With payment card and financial account info exposed, direct account fraud is a realistic risk.
This month:
- Stop the ongoing flow of your prescription and pharmacy data. HealthConsent files HIPAA restriction requests, FTC HBNR deletion requests, and state-law deletion requests so the prescription, diagnosis, and treatment data exposed in this breach is not continuously re-shared by data brokers and prescription-network resellers.
- If you are an LTC resident or a family caregiver: confirm that your facility has notified you separately about the IPPC relationship. Many LTC residents do not realize their pharmacy is IPPC, since IPPC operates behind the scenes for the facility.
Frequently asked questions
Why is so much identity-document data in a pharmacy’s records?
Long-term care pharmacy intake commonly captures full identification documents for Medicare-dual-eligible billing, residency-verification, and insurance coordination. Passport and ITIN exposure suggests that some IPPC patients are non-US citizens or recently naturalized, whose intake required these documents.
Should I sue?
A federal class action has already been filed (Murphy v. IPPC Inc., 3:26-cv-03597, D.N.J.) seeking more than $5 million. Five additional plaintiffs’ firms are publicly investigating. We are not a law firm and cannot give legal advice.
Is HealthConsent affiliated with IPPC?
No. HealthConsent is an independent health-data privacy service.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- IPPC: Notice of Recent Data Privacy Event
- IPPC Pharmacy Homepage
- IPPC Pharmacy Locations
- HIPAA Journal: IPPC Innovative Pharmacy Data Breach
- Paubox: IPPC Breach Affects 133,862 People
- Vermont Attorney General: IPPC Filing (61 VT residents)
- McKnight's Senior Living: $5M Lawsuit Coverage
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.