Langdon & Company LLP CPAs Data Breach 2025: 46,061 NC Disability, Mental Health & SUD Patients Exposed. Lawsuit Filed. What To Do
Langdon & Company LLP, a Garner, NC CPA firm and Easterseals PORT Health business associate, confirmed a 2024 network intrusion exposed SSNs, Taxpayer IDs, financial accounts, and medical data for 46,061 individuals. A class action was filed August 28, 2025. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 21, 2024
Unauthorized actor begins accessing Langdon & Company's network
Apr 28, 2024
Langdon identifies unusual network activity, engages outside cybersecurity experts, and contains the intrusion
Jun 3, 2025
Forensic file review concludes; affected-individual list finalized; Langdon notifies Easterseals PORT Health NC & VA
Aug 1, 2025
Breach filed with HHS Office for Civil Rights (Business Associate, Network Server, 46,061 individuals); substitute notice posted; individual letters begin going out
Aug 12, 2025
Multiple plaintiffs' firms publicly open class-action investigations
Aug 21, 2025
Notice provided to the New Hampshire Attorney General and other state regulators
Aug 28, 2025
Class action complaint filed in U.S. District Court, Eastern District of North Carolina (Lynch Carpenter + Zimmerman Reed)
Apr 21, 2024
Unauthorized actor begins accessing Langdon & Company's network
Apr 28, 2024
Langdon identifies unusual network activity, engages outside cybersecurity experts, and contains the intrusion
Jun 3, 2025
Forensic file review concludes; affected-individual list finalized; Langdon notifies Easterseals PORT Health NC & VA
Aug 1, 2025
Breach filed with HHS Office for Civil Rights (Business Associate, Network Server, 46,061 individuals); substitute notice posted; individual letters begin going out
Aug 12, 2025
Multiple plaintiffs' firms publicly open class-action investigations
Aug 21, 2025
Notice provided to the New Hampshire Attorney General and other state regulators
Aug 28, 2025
Class action complaint filed in U.S. District Court, Eastern District of North Carolina (Lynch Carpenter + Zimmerman Reed)
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Langdon & Company, LLP is a certified public accounting firm in Garner, North Carolina that provides audit, tax, and accounting services to nonprofit and healthcare clients. As a business associate of Easterseals PORT Health North Carolina & Virginia (formerly Easterseals UCP), Langdon handled files containing protected health information and identity data for Easterseals clients.
What happened
Easterseals PORT Health is one of the largest disability service nonprofits in the Carolinas and Virginia, providing services to approximately 40,200 individuals and families each year across more than 11,000 home, facility, and community locations. Its service lines include support for people with intellectual and developmental disabilities (IDD), behavioral and mental health treatment, applied behavior analysis (ABA) therapy, and SAMHSA-certified opioid treatment programs offering methadone maintenance.
Between April 21 and April 28, 2024, an unauthorized actor accessed Langdon’s network and exfiltrated files. Langdon detected the intrusion on April 28, 2024, immediately engaged outside cybersecurity experts, notified federal law enforcement, and contained the incident. The scope and volume of affected files required more than a year of forensic review to determine exactly which Easterseals documents were involved and whose data was included.
The affected-individual list was finalized on June 3, 2025, and the breach was reported to the U.S. Department of Health and Human Services Office for Civil Rights on August 1, 2025 as a Hacking/IT Incident affecting a Network Server and 46,061 individuals. No threat actor has been publicly attributed in any source reviewed.
What was stolen
Per Langdon’s substitute notice and state attorney-general filings, the files involved varying combinations of the following data elements:
- Full name
- Address
- Date of birth
- Social Security number
- Taxpayer Identification number
- Financial account numbers
- Medical information
- Health insurance information
- Digital signature
Not every affected person had every element exposed. The notification letter you receive will list the specific data elements implicated for your record.
A note on particularly sensitive records. Because Easterseals PORT Health operates SAMHSA-certified opioid treatment programs, some affected individuals may have substance use disorder (SUD) treatment records. If your connection to Easterseals was through an opioid treatment program or substance use service, your records may be protected under 42 CFR Part 2 in addition to HIPAA. Part 2 provides stronger re-disclosure restrictions and, as of February 16, 2026, supports a private right of action. The breach notice does not specify whether OTP patient records were among those exfiltrated; contact Langdon’s hotline at 1-833-353-9950 to ask about the specific data elements in your record.
What Langdon is offering
Langdon is providing complimentary credit monitoring and identity theft protection services to affected individuals. The enrollment code, duration of coverage, and monitoring vendor are included in your individual notification letter. Use the enrollment code in your letter; it is single-use and tied to your record.
Langdon has set up a dedicated assistance line at 1-833-353-9950, Monday through Friday, 9 a.m. to 9 p.m. Eastern time, excluding holidays, for questions about the breach and your notification.
Who is notifying you and why
If you received a letter, it almost certainly arrived from Langdon & Company, LLP (or from a settlement-administration vendor on its behalf) rather than from your healthcare provider directly. Langdon is the business associate under HIPAA. It is not your doctor’s office, your insurer, or Easterseals itself. Langdon is the accounting firm that performed audit and financial work for Easterseals PORT Health, and that is why information about Easterseals clients was sitting on Langdon’s network.
Accountant-side breaches are a recurring pattern in healthcare. CPA firms, billing vendors, IT contractors, and managed-services providers routinely hold copies of PHI for their healthcare clients, so a single compromise of the vendor can expose data from every covered entity that vendor serves.
Class actions
A class action complaint was filed on August 28, 2025 in the U.S. District Court for the Eastern District of North Carolina by Lynch Carpenter LLP and Zimmerman Reed LLP, on behalf of Easterseals patients alleged to be children, veterans, and disabled individuals whose data Langdon failed to protect. The Law360 report on the filing characterizes the suit as targeting Langdon’s security posture relative to its obligations as a healthcare business associate.
At least five additional firms opened investigations in August 2025: Federman & Sherwood, Strauss Borrelli PLLC, Migliaccio & Rathod LLP, Markovits Stock & DeMarco LLC, and Schubert Jonckheer & Kolbe (SLFLA). The ClassAction.org aggregator, which published August 12, 2025 and last updated November 11, 2025, noted its investigation as complete at that time. Docket details for the Eastern District complaint were not publicly confirmed in sources reviewed beyond the Law360 report.
The HHS OCR portal entry was filed open. The North Carolina Department of Justice and the New Hampshire Department of Justice received parallel notice; state breach-notification filings have been confirmed in at least both jurisdictions. The notice letter also references notifications to New York and Oregon residents.
What to do
-
Enroll in the complimentary credit monitoring using the enrollment code in your notification letter. The code is single-use. If you have not received a letter and believe you are affected, call 1-833-353-9950 for confirmation.
-
Freeze your credit with Equifax, Experian, and TransUnion. Social Security numbers and Taxpayer Identification numbers were exposed in this breach, which makes a credit freeze materially more protective than monitoring alone. Freezes are free, online, and reversible.
-
Request an IRS Identity Protection PIN. Because TINs were exposed alongside SSNs, file your federal return as early as possible and consider requesting an IRS IP PIN at irs.gov. The IP PIN blocks anyone else from filing a return in your name using your SSN.
-
Watch for medical identity theft. Health insurance information was exposed. Review every Explanation of Benefits statement and request a copy of your claims history from your insurer if you see services you did not receive.
-
If your Easterseals services involved substance use or opioid treatment. Confirm with Langdon’s hotline which specific data elements were in your record. SUD treatment records carry additional protections under 42 CFR Part 2, and you have the right to ask how your record was used or shared. Document any suspicious re-disclosure.
-
Be alert to targeted phishing. A threat actor holding your name, address, DOB, SSN, and an apparent Easterseals or CPA-firm context can craft convincing scam calls and emails. Call Langdon’s hotline at 1-833-353-9950 directly using the number from your letter, not a number provided to you in an unsolicited call or message.
-
Stop the ongoing flow of your disability and behavioral-health data. Even after a breach, your protected health information continues to move between providers, payers, clearinghouses, and their business associates. HealthConsent files HIPAA restriction requests so the medical, mental-health, and insurance data exposed in this breach is not continuously re-shared across the healthcare data networks that connect Easterseals, its payers, and its vendors.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Langdon & Company; Michigan Medicine Announce Data Breaches
- Easterseals PORT Health NC & VA — Official Langdon & Co. LLP, CPAs Data Security Incident Notice (PDF)
- New Hampshire Attorney General — Langdon CPA breach notice (August 21, 2025)
- ClassAction.org — Langdon & Company Data Breach Impacts Easterseals Patients
- Federman & Sherwood — Langdon & Company, LLP CPAs Data Breach Investigation
- Strauss Borrelli PLLC — Langdon & Company Data Breach Investigation
- GlobeNewswire — Lynch Carpenter Investigates Claims in Langdon & Company Data Breach
- Law360 — Accounting Firm Sued Over Breach Of Easterseals Data (August 28, 2025)
- HIPAA Times — Langdon & Co data security incident affects over 46K
- ClaimDepot — Langdon & Company Data Breach Affects 46,061 Individuals
- Data Privacy Justice — Langdon / Easterseals PORT Health Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.