Active breach tracker Morganville, NJ Disclosed February 27, 2026

IPPC Long-Term Care Pharmacy Data Breach 2026: 133,862 Patients Across 6 States Exposed. Very Broad PII Including SSN, Passport, Payment Card. What To Do

IPPC, the long-term care pharmacy network operating IPPC Inc., IPPC of New York LLC, and Innovative Pharmacy LLC, disclosed in February 2026 a September 2025 network intrusion exposing names, Social Security numbers, driver's license numbers, payment card information, passport numbers, Medicare/Medicaid IDs, and prescription data for 133,862 patients across NJ, NY, PA, DE, MD, and VA. 24 months Cyberscout monitoring offered. Federal class action already filed. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 18, 2025

Unauthorized access began

Sep 19, 2025

Detected; systems taken offline; federal law enforcement notified

Feb 9, 2026

File review concluded; PHI/PII involvement confirmed

Feb 27, 2026

Substitute notice published; HHS OCR filing

Apr 1, 2026

Individual notification letters mailed (via Cyberscout)

Apr 4, 2026

Federal class action filed (Murphy v. IPPC, D.N.J.)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license / government ID number Passport number

02

Health records

Don't expire and can't be reissued

Medical record number and patient account number Diagnosis, treatment, and procedure information Prescription information

03

Contact & insurance

Phishing + targeted scams

Full name Medicare and Medicaid identifier Individual Taxpayer Identification Number (ITIN) Health insurance information Payment card information Financial account information Treating and referring provider name Admission and discharge dates

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Cole & Van Note (publicly investigating) Federman & Sherwood (publicly investigating) Barnow & Associates (publicly investigating) Bryson Harris Suciu & DeMay (publicly investigating) Gibbs Law Group (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

IPPC is a long-term care pharmacy network founded in 1988 and headquartered in Morganville, New Jersey. It operates three legal entities (IPPC Inc., IPPC of New York LLC, and Innovative Pharmacy LLC) and three physical pharmacy locations:

  • IPPC Pharmacy of New Jersey — 703 Ginesi Drive, Morganville, NJ 07751 (732-617-8686)
  • Innovative Pharmacy of Pennsylvania — 2014 Ford Road Unit B, Bristol, PA 19004 (877-731-5786)
  • IPPC Pharmacy of New York — 101 Fairchild Ave Ste 5, Plainview, NY 11803 (516-544-4311)

IPPC dispenses medications to assisted-living facilities, skilled nursing facilities, residential health-care facilities, and group homes across New Jersey, New York, Pennsylvania, Delaware, Maryland, and Virginia. It uses facility-oriented blister and multidose packaging integrated with electronic medication administration record (eMAR) systems.

On September 18 to 19, 2025, an unauthorized third party accessed IPPC’s network and copied files. IPPC detected the activity and took affected systems offline. Federal law enforcement was notified, and a third-party cybersecurity firm was engaged for forensic investigation. On February 9, 2026, the file review concluded that PHI and PII were in the compromised files. IPPC published a substitute notice on February 27, 2026, the same day it filed with the US Department of Health and Human Services Office for Civil Rights — confirming 133,862 affected individuals.

Individual notification letters were mailed beginning April 1, 2026 (handled by Cyberscout from PO Box 1286, Dearborn, MI). Three days later, the first federal class action was filed: Murphy v. IPPC Inc. et al., 3:26-cv-03597 (D.N.J.), seeking more than $5 million in damages.

No ransomware group has publicly claimed responsibility for the intrusion. No data tied to IPPC has been observed on dark-web leak sites.

What was stolen

The compromised data is unusually broad. The notification letter lists:

Identity and financial elements:

  • Full name
  • Date of birth
  • Social Security number
  • Driver’s license / government ID number
  • Individual Taxpayer Identification Number (ITIN)
  • Passport number
  • Payment card information
  • Financial account information

Healthcare identifiers and records:

  • Medicare and Medicaid identifier
  • Medical record number and patient account number
  • Diagnosis, treatment, and procedure information
  • Prescription information
  • Health insurance information
  • Treating and referring provider name
  • Admission and discharge dates

The combination of SSN + ITIN + passport number + driver’s license + payment card + financial account is among the most complete identity-document sets exposed in any healthcare breach this year. Most healthcare breaches expose SSN and maybe driver’s license. The inclusion of passport and ITIN here means non-US-citizen residents, recently naturalized residents, and undocumented residents in IPPC-served LTC facilities have unusually severe exposure.

The Medicare/Medicaid identifier exposure is particularly serious for the LTC population, which is overwhelmingly Medicare or dual-eligible. A fraudster with your Medicare Beneficiary Identifier can submit false healthcare claims under your coverage.

What IPPC is offering

Affected individuals are being directed to Cyberscout (a TransUnion company) for 24 months of complimentary credit monitoring and identity theft protection. The 24-month duration is longer than typical (12 months is more common in 2026 breaches), reflecting the breadth of the exposed identity-document set.

  • Enrollment: bfs.cyberscout.com/activate (activation code from your letter required)
  • Dedicated response line: 833-877-7455 (Monday to Friday, 8 a.m. to 8 p.m. Eastern, excluding US holidays)
  • Email: [email protected]

What to do if you received a notification letter

This week:

  1. Enroll in Cyberscout before your 90-day enrollment window closes.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion. With this many identity documents exposed, the freeze is essential.
  3. File IRS Form 14039 to prevent fraudulent tax-return filings under your SSN or ITIN.
  4. If you are a Medicare beneficiary, call 1-800-MEDICARE and request a new Medicare Beneficiary Identifier. Your old number is in the breach dataset and could be used for fraudulent claims.
  5. If your passport was exposed, contact the US State Department if you observe unusual activity related to international travel or identity-document fraud. There is no central freeze for passport numbers, but a record of awareness is useful if fraudulent activity occurs later.
  6. Monitor your bank and credit-card statements daily for the next 30 days. With payment card and financial account info exposed, direct account fraud is a realistic risk.

This month:

  1. Stop the ongoing flow of your prescription and pharmacy data. HealthConsent files HIPAA restriction requests, FTC HBNR deletion requests, and state-law deletion requests so the prescription, diagnosis, and treatment data exposed in this breach is not continuously re-shared by data brokers and prescription-network resellers.
  2. If you are an LTC resident or a family caregiver: confirm that your facility has notified you separately about the IPPC relationship. Many LTC residents do not realize their pharmacy is IPPC, since IPPC operates behind the scenes for the facility.

Frequently asked questions

Why is so much identity-document data in a pharmacy’s records?

Long-term care pharmacy intake commonly captures full identification documents for Medicare-dual-eligible billing, residency-verification, and insurance coordination. Passport and ITIN exposure suggests that some IPPC patients are non-US citizens or recently naturalized, whose intake required these documents.

Should I sue?

A federal class action has already been filed (Murphy v. IPPC Inc., 3:26-cv-03597, D.N.J.) seeking more than $5 million. Five additional plaintiffs’ firms are publicly investigating. We are not a law firm and cannot give legal advice.

Is HealthConsent affiliated with IPPC?

No. HealthConsent is an independent health-data privacy service.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.