Active breach tracker Garner, North Carolina Disclosed August 1, 2025

Langdon & Company LLP CPAs Data Breach 2025: 46,061 NC Disability, Mental Health & SUD Patients Exposed. Lawsuit Filed. What To Do

Langdon & Company LLP, a Garner, NC CPA firm and Easterseals PORT Health business associate, confirmed a 2024 network intrusion exposed SSNs, Taxpayer IDs, financial accounts, and medical data for 46,061 individuals. A class action was filed August 28, 2025. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 21, 2024

Unauthorized actor begins accessing Langdon & Company's network

Apr 28, 2024

Langdon identifies unusual network activity, engages outside cybersecurity experts, and contains the intrusion

Jun 3, 2025

Forensic file review concludes; affected-individual list finalized; Langdon notifies Easterseals PORT Health NC & VA

Aug 1, 2025

Breach filed with HHS Office for Civil Rights (Business Associate, Network Server, 46,061 individuals); substitute notice posted; individual letters begin going out

Aug 12, 2025

Multiple plaintiffs' firms publicly open class-action investigations

Aug 21, 2025

Notice provided to the New Hampshire Attorney General and other state regulators

Aug 28, 2025

Class action complaint filed in U.S. District Court, Eastern District of North Carolina (Lynch Carpenter + Zimmerman Reed)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

03

Contact & insurance

Phishing + targeted scams

Full name Address Taxpayer Identification number Financial account numbers Medical information Health insurance information Digital signature

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Lynch Carpenter LLP (filed) Zimmerman Reed LLP (filed) Federman & Sherwood (investigating) Strauss Borrelli PLLC (investigating) Migliaccio & Rathod LLP (investigating) Markovits, Stock & DeMarco, LLC (investigating) Schubert Jonckheer & Kolbe LLP (SLFLA) (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Langdon & Company, LLP is a certified public accounting firm in Garner, North Carolina that provides audit, tax, and accounting services to nonprofit and healthcare clients. As a business associate of Easterseals PORT Health North Carolina & Virginia (formerly Easterseals UCP), Langdon handled files containing protected health information and identity data for Easterseals clients.

What happened

Easterseals PORT Health is one of the largest disability service nonprofits in the Carolinas and Virginia, providing services to approximately 40,200 individuals and families each year across more than 11,000 home, facility, and community locations. Its service lines include support for people with intellectual and developmental disabilities (IDD), behavioral and mental health treatment, applied behavior analysis (ABA) therapy, and SAMHSA-certified opioid treatment programs offering methadone maintenance.

Between April 21 and April 28, 2024, an unauthorized actor accessed Langdon’s network and exfiltrated files. Langdon detected the intrusion on April 28, 2024, immediately engaged outside cybersecurity experts, notified federal law enforcement, and contained the incident. The scope and volume of affected files required more than a year of forensic review to determine exactly which Easterseals documents were involved and whose data was included.

The affected-individual list was finalized on June 3, 2025, and the breach was reported to the U.S. Department of Health and Human Services Office for Civil Rights on August 1, 2025 as a Hacking/IT Incident affecting a Network Server and 46,061 individuals. No threat actor has been publicly attributed in any source reviewed.

What was stolen

Per Langdon’s substitute notice and state attorney-general filings, the files involved varying combinations of the following data elements:

  • Full name
  • Address
  • Date of birth
  • Social Security number
  • Taxpayer Identification number
  • Financial account numbers
  • Medical information
  • Health insurance information
  • Digital signature

Not every affected person had every element exposed. The notification letter you receive will list the specific data elements implicated for your record.

A note on particularly sensitive records. Because Easterseals PORT Health operates SAMHSA-certified opioid treatment programs, some affected individuals may have substance use disorder (SUD) treatment records. If your connection to Easterseals was through an opioid treatment program or substance use service, your records may be protected under 42 CFR Part 2 in addition to HIPAA. Part 2 provides stronger re-disclosure restrictions and, as of February 16, 2026, supports a private right of action. The breach notice does not specify whether OTP patient records were among those exfiltrated; contact Langdon’s hotline at 1-833-353-9950 to ask about the specific data elements in your record.

What Langdon is offering

Langdon is providing complimentary credit monitoring and identity theft protection services to affected individuals. The enrollment code, duration of coverage, and monitoring vendor are included in your individual notification letter. Use the enrollment code in your letter; it is single-use and tied to your record.

Langdon has set up a dedicated assistance line at 1-833-353-9950, Monday through Friday, 9 a.m. to 9 p.m. Eastern time, excluding holidays, for questions about the breach and your notification.

Who is notifying you and why

If you received a letter, it almost certainly arrived from Langdon & Company, LLP (or from a settlement-administration vendor on its behalf) rather than from your healthcare provider directly. Langdon is the business associate under HIPAA. It is not your doctor’s office, your insurer, or Easterseals itself. Langdon is the accounting firm that performed audit and financial work for Easterseals PORT Health, and that is why information about Easterseals clients was sitting on Langdon’s network.

Accountant-side breaches are a recurring pattern in healthcare. CPA firms, billing vendors, IT contractors, and managed-services providers routinely hold copies of PHI for their healthcare clients, so a single compromise of the vendor can expose data from every covered entity that vendor serves.

Class actions

A class action complaint was filed on August 28, 2025 in the U.S. District Court for the Eastern District of North Carolina by Lynch Carpenter LLP and Zimmerman Reed LLP, on behalf of Easterseals patients alleged to be children, veterans, and disabled individuals whose data Langdon failed to protect. The Law360 report on the filing characterizes the suit as targeting Langdon’s security posture relative to its obligations as a healthcare business associate.

At least five additional firms opened investigations in August 2025: Federman & Sherwood, Strauss Borrelli PLLC, Migliaccio & Rathod LLP, Markovits Stock & DeMarco LLC, and Schubert Jonckheer & Kolbe (SLFLA). The ClassAction.org aggregator, which published August 12, 2025 and last updated November 11, 2025, noted its investigation as complete at that time. Docket details for the Eastern District complaint were not publicly confirmed in sources reviewed beyond the Law360 report.

The HHS OCR portal entry was filed open. The North Carolina Department of Justice and the New Hampshire Department of Justice received parallel notice; state breach-notification filings have been confirmed in at least both jurisdictions. The notice letter also references notifications to New York and Oregon residents.

What to do

  1. Enroll in the complimentary credit monitoring using the enrollment code in your notification letter. The code is single-use. If you have not received a letter and believe you are affected, call 1-833-353-9950 for confirmation.

  2. Freeze your credit with Equifax, Experian, and TransUnion. Social Security numbers and Taxpayer Identification numbers were exposed in this breach, which makes a credit freeze materially more protective than monitoring alone. Freezes are free, online, and reversible.

  3. Request an IRS Identity Protection PIN. Because TINs were exposed alongside SSNs, file your federal return as early as possible and consider requesting an IRS IP PIN at irs.gov. The IP PIN blocks anyone else from filing a return in your name using your SSN.

  4. Watch for medical identity theft. Health insurance information was exposed. Review every Explanation of Benefits statement and request a copy of your claims history from your insurer if you see services you did not receive.

  5. If your Easterseals services involved substance use or opioid treatment. Confirm with Langdon’s hotline which specific data elements were in your record. SUD treatment records carry additional protections under 42 CFR Part 2, and you have the right to ask how your record was used or shared. Document any suspicious re-disclosure.

  6. Be alert to targeted phishing. A threat actor holding your name, address, DOB, SSN, and an apparent Easterseals or CPA-firm context can craft convincing scam calls and emails. Call Langdon’s hotline at 1-833-353-9950 directly using the number from your letter, not a number provided to you in an unsolicited call or message.

  7. Stop the ongoing flow of your disability and behavioral-health data. Even after a breach, your protected health information continues to move between providers, payers, clearinghouses, and their business associates. HealthConsent files HIPAA restriction requests so the medical, mental-health, and insurance data exposed in this breach is not continuously re-shared across the healthcare data networks that connect Easterseals, its payers, and its vendors.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.