Marshfield Clinic Health System Data Breach 2025: 35,952 Patients Notified After Employee Email Compromise
Marshfield Clinic Health System disclosed a HIPAA breach to HHS OCR on November 7, 2025 affecting 35,952 current and former patients. Unauthorized access to employee email accounts on August 26–27, 2025 exposed names, contact details, dates of birth, insurance and medical record numbers, diagnosis and treatment information, lab results, and medications. Plaintiff firms are investigating class-action claims.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Aug 26, 2025
Unauthorized third party gains access to employee email accounts
Aug 27, 2025
Access ends and Marshfield Clinic identifies the intrusion
Nov 7, 2025
Marshfield Clinic files HIPAA breach report with HHS OCR covering 35,952 individuals
Nov 13, 2025
Marshfield Clinic publicly confirms the incident through local Wisconsin media
Nov 17, 2025
Cole & Van Note announces class-action investigation
Nov 20, 2025
Lynch Carpenter LLP announces class-action investigation
Aug 26, 2025
Unauthorized third party gains access to employee email accounts
Aug 27, 2025
Access ends and Marshfield Clinic identifies the intrusion
Nov 7, 2025
Marshfield Clinic files HIPAA breach report with HHS OCR covering 35,952 individuals
Nov 13, 2025
Marshfield Clinic publicly confirms the incident through local Wisconsin media
Nov 17, 2025
Cole & Van Note announces class-action investigation
Nov 20, 2025
Lynch Carpenter LLP announces class-action investigation
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Marshfield Clinic Health System, an integrated health system headquartered in Marshfield, Wisconsin with locations across Wisconsin and Michigan’s Upper Peninsula, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on November 7, 2025, reporting 35,952 affected individuals in a hacking incident involving employee email accounts.
Timeline
- August 26–27, 2025 — An unauthorized third party accessed several Marshfield Clinic employee email accounts. The forensic investigation concluded the intruder had access only during that approximately 24-hour window before the activity was identified and stopped.
- August 27, 2025 — Marshfield Clinic identifies the unauthorized access and begins a forensic review of the affected mailboxes.
- November 7, 2025 — Marshfield Clinic reports the incident to HHS OCR as a Hacking/IT Incident with the location of breached PHI listed as Email, covering 35,952 current and former patients.
- November 13, 2025 — Local Wisconsin media outlets confirm Marshfield Clinic’s public disclosure, including WSAW, WQOW, WEAU, and WSAU, and report that notification letters are being sent by U.S. mail.
- November 17 and November 20, 2025 — Plaintiff firms Cole & Van Note and Lynch Carpenter LLP announce class-action investigations into the breach.
What was exposed
Marshfield Clinic told patients and the press that the data potentially accessed or copied from the compromised mailboxes varied by individual and may have included:
- Name
- Address and phone number
- Date of birth
- Health insurance information, including insurance ID number
- Medical record number
- Dates of service
- Treatment and diagnosis information
- Lab results
- Medications
The HHS OCR Breach Portal categorizes the location of breached information as Email and the type of breach as a Hacking/IT Incident. No attacker group, ransom demand, or dark-web leak has been publicly attributed to this incident in the sources reviewed. Marshfield has not publicly stated whether Social Security numbers were among the data elements in the compromised mailboxes; reporting on this point is inconsistent across secondary outlets, and the entity’s own statements quoted in local Wisconsin press did not list Social Security numbers.
What Marshfield is offering
Marshfield Clinic is notifying affected individuals by U.S. mail and has stated it will offer complimentary identity-monitoring services. The specific monitoring provider, duration of coverage, and enrollment deadline are expected to be detailed in the individual notification letters; those terms have not been published in Marshfield’s public statements covered by the sources reviewed.
Class-action posture
As of the most recent reporting reviewed, at least two plaintiff firms have publicly announced investigations into potential class claims arising from the breach:
- Cole & Van Note announced its investigation on November 17, 2025.
- Lynch Carpenter LLP announced its investigation on November 20, 2025 via GlobeNewswire.
No filed complaint, docket number, or court of filing has been identified in the sources reviewed. Both announcements are solicitations to potential class members; neither describes a complaint already on file.
What to do
- Watch for a notification letter mailed by Marshfield Clinic to the address it has on file for you. The letter will list the specific data elements affected for your record and explain how to enroll in the complimentary identity-monitoring service Marshfield is offering. If your address has changed since you were last seen at a Marshfield facility, update it with the clinic’s medical records department.
- Freeze your credit with the three nationwide consumer reporting agencies: Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft if your insurance ID, date of birth, or other personally identifying details were in the affected mailboxes.
- Be cautious of follow-on phishing. Because this breach exposed treatment information, medication lists, and lab results, an attacker who obtained the stolen mail content could craft convincing healthcare-themed phishing messages. Treat unsolicited calls, texts, and emails referencing your Marshfield care as suspicious, and verify by calling Marshfield Clinic through a number you find on their official website rather than from the message.
- Read class-action announcements carefully. The firms named above are investigating claims; submitting your information to a plaintiff firm does not enroll you in a settlement and does not obligate you. There is no settlement to claim against today.
- Bookmark this page. We update it as Marshfield publishes a substitute notice, as state attorney general filings appear, and if a class complaint is filed in federal court.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (35,952 affected; Email; Hacking/IT Incident; reported November 7, 2025).
- HIPAA Journal — November 2025 Healthcare Data Breach Report — lists Marshfield Clinic among November 2025’s largest reported breaches.
- WSAW — Marshfield Clinic investigates unauthorized access to employee email accounts — entity statement on access dates and data elements.
- WQOW — Marshfield Clinic notifies patients of possible August data breach — local Wisconsin reporting on notification by mail.
- Paubox — Marshfield Clinic confirms data breach after employee email compromised — independent summary of entity statements.
- Lynch Carpenter LLP investigation announcement (GlobeNewswire) — November 20, 2025 plaintiff-firm investigation notice.
- Cole & Van Note — Marshfield Clinic Health System Data Breach Investigation — November 17, 2025 plaintiff-firm investigation notice.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — November 2025 Healthcare Data Breach Report
- WSAW — Marshfield Clinic investigates unauthorized access to employee email accounts (Nov 13, 2025)
- WQOW — Marshfield Clinic notifies patients of possible August data breach
- Paubox — Marshfield Clinic confirms data breach after employee email compromised
- Lynch Carpenter LLP — Investigation announcement (GlobeNewswire, Nov 20, 2025)
- Cole & Van Note — Marshfield Clinic Health System Data Breach Investigation (Nov 17, 2025)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.