Active breach tracker Marathon, Florida Disclosed July 19, 2025

Keys Pathology Associates Data Breach 2025: 20,000 Affected via Genesis Billing Services Vendor Hack. What To Do.

Keys Pathology Associates, PA (Marathon, FL) filed a HIPAA breach with HHS OCR on July 19, 2025 reporting 20,000 affected after its billing vendor Genesis Billing Services was hacked on May 20, 2025. Notification letters mailed September 5, 2025. Names, Social Security numbers, driver's license numbers, dates of birth, and health information were involved. Plaintiff firms have opened investigations; no class-action complaint has been filed yet.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

May 20, 2025

Unauthorized actor accesses a Genesis Billing Services server containing Keys Pathology patient data, per the entity's later forensic findings

May 27, 2025

Genesis Billing Services notifies Keys Pathology Associates that its server was breached and that patient data was downloaded and encrypted

Jul 19, 2025

Keys Pathology files HIPAA breach notification with HHS Office for Civil Rights reporting 20,000 affected individuals, Hacking/IT Incident at Network Server, business associate involved

Sep 4, 2025

Substitute breach notice filed with the New Hampshire Department of Justice

Sep 5, 2025

Keys Pathology begins mailing individual notification letters to affected patients, offering complimentary single-bureau credit monitoring, credit score, and credit report services

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

03

Contact & insurance

Phishing + targeted scams

Full name Address Phone number Health information Credit or debit card number (per Massachusetts filing)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Keys Pathology Associates, PA is a Marathon, Florida anatomic and clinical pathology practice. The breach reported here did not originate inside Keys Pathology’s own network. It originated at Genesis Billing Services, a North Carolina billing vendor that Keys Pathology used as a business associate and that held patient data on a third-party server outside Keys Pathology’s direct control.

On May 20, 2025, an unauthorized actor accessed the Genesis Billing Services server containing Keys Pathology patient data, downloaded files, and encrypted the affected systems. Genesis notified Keys Pathology of the incident on May 27, 2025. Keys Pathology filed the HIPAA breach with the U.S. Department of Health and Human Services Office for Civil Rights on July 19, 2025, reporting 20,000 affected individuals in a “Hacking/IT Incident” at “Network Server,” with a business associate involved.

After receiving and reviewing the unstructured data file from Genesis on August 21, 2025, Keys Pathology began mailing individual notification letters on September 5, 2025. A subsequent filing with the Maine Attorney General reported a revised count of 13,756 affected individuals. The 20,000 figure on the OCR portal is the initial estimate; the page records both numbers because the final count may continue to move as state filings reconcile.

Keys Pathology has stated that it terminated its relationship with Genesis Billing Services in response to the incident.

Timeline

  • May 20, 2025 — Unauthorized actor accesses the Genesis Billing Services server holding Keys Pathology patient data, downloads files, and encrypts systems.
  • May 27, 2025 — Genesis notifies Keys Pathology of the breach.
  • July 19, 2025 — Keys Pathology files the breach with HHS OCR (20,000 affected, Hacking/IT Incident, Network Server, business associate involved).
  • August 21, 2025 — Keys Pathology receives the unstructured data file from Genesis for review.
  • September 4, 2025 — Substitute breach notice filed with the New Hampshire Department of Justice.
  • September 5, 2025 — Keys Pathology begins mailing individual notification letters; offers complimentary credit monitoring.

What was exposed

According to the substitute notice and follow-on coverage, the files involved contained varying combinations of the following:

  • Full name
  • Address
  • Date of birth
  • Phone number
  • Social Security number
  • Driver’s license number
  • Health information
  • Credit or debit card number (per a separate filing with the Massachusetts Office of Consumer Affairs and Business Regulation)

Not every individual had every field exposed. The specific elements affecting a given person are listed in that person’s individual notification letter.

What Keys Pathology is offering

Affected individuals are being offered complimentary single-bureau credit monitoring, credit score, and credit report services. The enrollment code is included in the individual notification letter.

Class-action posture

As of this update, no class-action complaint has been filed on the public court dockets we reviewed for this incident. Multiple plaintiff firms have publicly opened investigations and are accepting intake, including Strauss Borrelli PLLC, Barnow and Associates, P.C., Federman & Sherwood, and Migliaccio & Rathod LLP. We will update this page when a complaint is filed or a case number becomes public.

What to do if you may be affected

This week:

  1. Place a free credit freeze with Equifax, Experian, and TransUnion. Because Social Security numbers and driver’s license numbers were in the stolen files, account-takeover and new-account fraud are realistic risks. A freeze prevents new accounts from being opened in your name and is more protective than monitoring alone.
  2. Enroll in the complimentary credit monitoring offered in your individual notification letter using the enrollment code in the letter. It is free to you. Note that the offering is single-bureau; a freeze across all three bureaus is broader protection.
  3. If your letter confirms SSN exposure, file IRS Form 14039 (Identity Theft Affidavit) before tax-filing season to flag your SSN against fraudulent tax-refund filings, and consider placing a fraud alert with the Social Security Administration.

This month:

  1. Watch health insurance EOBs and medical bills. Because health information was in the exposed files, medical identity theft (services billed under your name and insurance) is a downstream risk that credit monitoring will not catch. Review every EOB for services you did not receive and report discrepancies to your insurer.
  2. If a credit or debit card number was listed in your letter, request a card reissue from your bank and turn on transaction alerts. Card numbers tied to this filing were flagged in the Massachusetts notice.
  3. Stop the ongoing flow of your medical data. Once health information leaves a covered entity’s perimeter, it gets scraped, enriched, and resold by data brokers. HealthConsent files HIPAA restriction requests, FTC Health Breach Notification Rule deletion requests, and state-law deletion requests across the data-broker ecosystem so the medical record exposed in this breach is not continuously re-sold downstream.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.