Active breach tracker Marshfield, Wisconsin Disclosed November 7, 2025

Marshfield Clinic Health System Data Breach 2025: 35,952 Patients Notified After Employee Email Compromise

Marshfield Clinic Health System disclosed a HIPAA breach to HHS OCR on November 7, 2025 affecting 35,952 current and former patients. Unauthorized access to employee email accounts on August 26–27, 2025 exposed names, contact details, dates of birth, insurance and medical record numbers, diagnosis and treatment information, lab results, and medications. Plaintiff firms are investigating class-action claims.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Aug 26, 2025

Unauthorized third party gains access to employee email accounts

Aug 27, 2025

Access ends and Marshfield Clinic identifies the intrusion

Nov 7, 2025

Marshfield Clinic files HIPAA breach report with HHS OCR covering 35,952 individuals

Nov 13, 2025

Marshfield Clinic publicly confirms the incident through local Wisconsin media

Nov 17, 2025

Cole & Van Note announces class-action investigation

Nov 20, 2025

Lynch Carpenter LLP announces class-action investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Medical record number Treatment and diagnosis information Lab results Medications

03

Contact & insurance

Phishing + targeted scams

Name Address Phone number Health insurance information (including insurance ID number) Dates of service

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Lynch Carpenter LLP Cole & Van Note
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Marshfield Clinic Health System, an integrated health system headquartered in Marshfield, Wisconsin with locations across Wisconsin and Michigan’s Upper Peninsula, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on November 7, 2025, reporting 35,952 affected individuals in a hacking incident involving employee email accounts.

Timeline

  • August 26–27, 2025 — An unauthorized third party accessed several Marshfield Clinic employee email accounts. The forensic investigation concluded the intruder had access only during that approximately 24-hour window before the activity was identified and stopped.
  • August 27, 2025 — Marshfield Clinic identifies the unauthorized access and begins a forensic review of the affected mailboxes.
  • November 7, 2025 — Marshfield Clinic reports the incident to HHS OCR as a Hacking/IT Incident with the location of breached PHI listed as Email, covering 35,952 current and former patients.
  • November 13, 2025 — Local Wisconsin media outlets confirm Marshfield Clinic’s public disclosure, including WSAW, WQOW, WEAU, and WSAU, and report that notification letters are being sent by U.S. mail.
  • November 17 and November 20, 2025 — Plaintiff firms Cole & Van Note and Lynch Carpenter LLP announce class-action investigations into the breach.

What was exposed

Marshfield Clinic told patients and the press that the data potentially accessed or copied from the compromised mailboxes varied by individual and may have included:

  • Name
  • Address and phone number
  • Date of birth
  • Health insurance information, including insurance ID number
  • Medical record number
  • Dates of service
  • Treatment and diagnosis information
  • Lab results
  • Medications

The HHS OCR Breach Portal categorizes the location of breached information as Email and the type of breach as a Hacking/IT Incident. No attacker group, ransom demand, or dark-web leak has been publicly attributed to this incident in the sources reviewed. Marshfield has not publicly stated whether Social Security numbers were among the data elements in the compromised mailboxes; reporting on this point is inconsistent across secondary outlets, and the entity’s own statements quoted in local Wisconsin press did not list Social Security numbers.

What Marshfield is offering

Marshfield Clinic is notifying affected individuals by U.S. mail and has stated it will offer complimentary identity-monitoring services. The specific monitoring provider, duration of coverage, and enrollment deadline are expected to be detailed in the individual notification letters; those terms have not been published in Marshfield’s public statements covered by the sources reviewed.

Class-action posture

As of the most recent reporting reviewed, at least two plaintiff firms have publicly announced investigations into potential class claims arising from the breach:

  • Cole & Van Note announced its investigation on November 17, 2025.
  • Lynch Carpenter LLP announced its investigation on November 20, 2025 via GlobeNewswire.

No filed complaint, docket number, or court of filing has been identified in the sources reviewed. Both announcements are solicitations to potential class members; neither describes a complaint already on file.

What to do

  • Watch for a notification letter mailed by Marshfield Clinic to the address it has on file for you. The letter will list the specific data elements affected for your record and explain how to enroll in the complimentary identity-monitoring service Marshfield is offering. If your address has changed since you were last seen at a Marshfield facility, update it with the clinic’s medical records department.
  • Freeze your credit with the three nationwide consumer reporting agencies: Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and is the single highest-leverage step against identity theft if your insurance ID, date of birth, or other personally identifying details were in the affected mailboxes.
  • Be cautious of follow-on phishing. Because this breach exposed treatment information, medication lists, and lab results, an attacker who obtained the stolen mail content could craft convincing healthcare-themed phishing messages. Treat unsolicited calls, texts, and emails referencing your Marshfield care as suspicious, and verify by calling Marshfield Clinic through a number you find on their official website rather than from the message.
  • Read class-action announcements carefully. The firms named above are investigating claims; submitting your information to a plaintiff firm does not enroll you in a settlement and does not obligate you. There is no settlement to claim against today.
  • Bookmark this page. We update it as Marshfield publishes a substitute notice, as state attorney general filings appear, and if a class complaint is filed in federal court.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.