Mazzola Mardon Data Breach 2026: 2,123 Longshoremen Health Fund Members Exposed. ERISA Law Firm Business Associate. What To Do
Mazzola Mardon, P.C., a New York labor and ERISA law firm representing the Management-ILA Managed Health Care Trust Fund (longshoremen's union health plan), disclosed an August 2025 network intrusion. Names, Social Security numbers, driver's licenses, mental and physical condition records, treatment, diagnosis, prescriptions, Medicare IDs, and health insurance data for 2,123 plan members exposed. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Aug 8, 2025
Hacker accesses network and exfiltrates files
Aug 8, 2025
Breach detected
Jan 27, 2026
File review completed (~5 months of analysis)
Mar 23, 2026
Individual notification letters mailed
Apr 15, 2026
HHS OCR submission; substitute breach notice issued
Aug 8, 2025
Hacker accesses network and exfiltrates files
Aug 8, 2025
Breach detected
Jan 27, 2026
File review completed (~5 months of analysis)
Mar 23, 2026
Individual notification letters mailed
Apr 15, 2026
HHS OCR submission; substitute breach notice issued
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Mazzola Mardon, P.C. (formally Marrinan & Mazzola Mardon, P.C., founded 1955) is not a medical practice. It is a New York labor and ERISA law firm at 26 Broadway, Floor 17, New York, NY. The firm appears on the HHS OCR breach portal because it serves as ERISA counsel — a HIPAA business associate — to the Management-ILA Managed Health Care Trust Fund (MILA), a multiemployer Taft-Hartley health and welfare fund providing medical, behavioral health, and prescription drug benefits to International Longshoremen’s Association members and management.
On August 8, 2025, an unauthorized actor accessed Mazzola Mardon’s network and exfiltrated files. The firm completed its file review on January 27, 2026 (~5 months of analysis). Individual notification letters were mailed on March 23, 2026, and the substitute breach notice was issued and HHS OCR filing made on April 15, 2026 — confirming 2,123 affected individuals.
The 220-day gap from intrusion to notice is at the long end of acceptable under HIPAA. No ransomware group has publicly claimed responsibility; no leak-site listing has been observed.
Why this filing names a law firm, not a doctor’s office
The HHS OCR listing under “Mazzola Mardon, P.C.” can mislead readers into expecting a medical practice. The actual covered entity is the Management-ILA Managed Health Care Trust Fund. Mazzola Mardon is the business associate — the legal counsel — that held a copy of fund member records as part of its ERISA representation.
This is a law-firm-as-business-associate breach affecting an ILA longshoremen’s health fund, not a clinical-care breach.
What was stolen
Per the substitute notice:
- Full name, home address, date of birth
- Social Security number
- Driver’s license / state ID
- Financial account information
- Mental or physical condition
- Treatment / diagnosis information
- Dates of service, provider name, procedure type
- Prescription information
- Medical record number
- Medicare ID
- Health insurance information
- Billing / claim information
The combination of SSN + financial account + mental health + Medicare ID is a particularly sensitive exposure profile.
What Mazzola Mardon is offering
Public reporting does not confirm a complimentary credit monitoring program. Given the SSN + financial account + Medicare ID exposure, the industry standard would be 12-24 months of credit monitoring. Read your specific notification letter carefully — the offer (if any), enrollment instructions, and call center number will be listed there.
What to do
- Read your specific notification letter to confirm what data elements were involved and what monitoring is offered.
- If you are an ILA longshoreman, ILA management employee, or a dependent, check your MILA member portal for guidance and contact MILA directly.
- Place free credit freezes at Equifax, Experian, TransUnion. Full SSN, driver’s license, and financial account are all in scope.
- File IRS Form 14039.
- Watch your Medicare Summary Notice for unfamiliar claims.
- Stop the ongoing flow of your fund member data. HealthConsent files HIPAA restriction requests covering Taft-Hartley fund administration and ERISA business-associate pathways.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HIPAA Journal: Vendor Data Breaches Announced by Six HIPAA-Regulated Entities
- Mazzola Mardon, P.C. Homepage
- MILA Managed Healthcare Trust Fund
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.