Active breach tracker Sandusky, Michigan Disclosed July 24, 2025

McKenzie Memorial Hospital Data Breach 2025: 58,839 Affected at Rural Michigan Critical-Access Hospital. What To Do.

McKenzie Memorial Hospital (McKenzie Health System) in Sandusky, Michigan disclosed a 2025 network intrusion that exposed names, Social Security numbers, driver's license numbers, financial account information, and clinical data. Filed with HHS OCR on July 24, 2025 for 58,839 affected individuals. Here is what was exposed, what the hospital is offering, and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Apr 14, 2025

Unauthorized third party accesses McKenzie Health System network

Apr 15, 2025

Unusual network activity identified; environment secured and outside cybersecurity experts engaged

Jun 19, 2025

Forensic investigation concludes; data review identifies affected individuals and data elements

Jul 24, 2025

Filed with HHS Office for Civil Rights (58,839 affected; Hacking/IT Incident, Network Server); simultaneously notified Maine AG (54,016 total affected, 6 Maine residents); individual notification letters begin mailing

Jul 24, 2025

Strauss Borrelli PLLC announces class-action investigation

Jul 28, 2025

DataBreaches.net publishes 'Two Data Breaches in Three Years' coverage tying this incident to the 2022 AvosLocker ransomware attack at McKenzie Health

Jul 29, 2025

Edelson Lechtzin LLP publicly announces class-action investigation

Aug 4, 2025

Pittman, Dutton, Hellums, Bradley & Mann, P.C. announces class-action investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license / state ID number

02

Health records

Don't expire and can't be reissued

Medical record number Diagnosis Medication information Treatment cost details

03

Contact & insurance

Phishing + targeted scams

Full name Address Phone number Email address Financial account information Employee bank account number Patient account number Health insurance information Dates of service

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Pittman, Dutton, Hellums, Bradley & Mann, P.C. (publicly investigating) Edelson Lechtzin LLP (publicly investigating) Strauss Borrelli PLLC (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

McKenzie Memorial Hospital, operated by McKenzie Health System, is a rural critical-access hospital in Sandusky, Michigan, serving Sanilac County with roughly 200 staff. Between April 14 and April 15, 2025, an unauthorized third party accessed the hospital’s network. McKenzie detected the activity on April 15, completed its forensic review on June 19, and filed with the HHS Office for Civil Rights on July 24, 2025, reporting 58,839 affected individuals in a Hacking/IT Incident at a Network Server. The exposed data set was unusually broad for a hospital of this size: names, Social Security numbers, driver’s license numbers, financial and employee bank account information, plus diagnoses, medical record numbers, and treatment cost details. This is the hospital’s second major breach in three years. A 2022 ransomware incident claimed by the AvosLocker group exposed information for tens of thousands of additional patients (later updated on the HHS portal to roughly 51,040), making this a critical-access facility that has now lost two distinct waves of patient data inside a 38-month window.

Timeline

  • April 14, 2025. An unauthorized third party gains access to McKenzie Health System’s network.
  • April 15, 2025. McKenzie identifies unusual network activity, secures the environment, and engages outside cybersecurity experts to investigate.
  • June 19, 2025. The forensic investigation concludes. Review identifies the specific individuals and data elements involved.
  • July 24, 2025. McKenzie files the incident with HHS OCR: 58,839 affected, Hacking/IT Incident, Network Server. McKenzie’s external counsel simultaneously notifies the Maine Attorney General’s Office, reporting 54,016 total affected individuals and 6 Maine residents. Individual notification letters begin going out the same week; the letters direct affected individuals to enroll in 12 months of TransUnion credit monitoring and identity theft protection. Strauss Borrelli PLLC publicly announces a class-action investigation.
  • July 28, 2025. DataBreaches.net publishes coverage placing this breach in the context of the 2022 AvosLocker ransomware incident at McKenzie Health.
  • July 29, 2025. Edelson Lechtzin LLP announces a class-action investigation.
  • August 4, 2025. Pittman, Dutton, Hellums, Bradley & Mann, P.C. announces its own investigation.

What was exposed

Per the hospital’s notice and follow-on press coverage, the data set varies by individual but can include any combination of:

  • Full name, address, phone number, email address
  • Date of birth
  • Social Security number
  • Driver’s license or state ID number
  • Financial account information
  • Employee bank account number (current and former staff)
  • Patient account number and medical record number
  • Health insurance information
  • Diagnosis, medication information, and dates of service
  • Treatment cost details

The Maine AG filing adds medication information to the confirmed data elements, a category not foregrounded in the hospital’s substitute notice but consistent with the clinical scope described.

McKenzie has not publicly identified a ransomware group as responsible for the 2025 incident, and the breach has not surfaced on any tracked dark-web leak site. SuspectFile’s analysis notes three possible explanations for the silence: the attacker never made an extortion demand; McKenzie paid a demand quietly; or the attacker has simply not yet published the data. None of these can be ruled out based on public evidence. The combination of identifiers, financial data, and clinical data on a single record makes this a higher-risk profile than a notice-only filing. Patients should treat their data as fully compromised, not theoretically exposed.

What the entity is offering

  • Twelve months of complimentary credit monitoring and identity theft protection services through TransUnion for affected individuals (enrollment code in the notification letter). The Maine AG filing confirms TransUnion as the named vendor.
  • Guidance in the letter on placing fraud alerts and credit freezes with the three nationwide credit bureaus.
  • A dedicated response line for questions about the incident, listed in each individual’s notification letter.
  • The hospital states it is reviewing and strengthening network security policies and procedures.

Class-action posture

Three plaintiff firms have publicly announced investigations and are soliciting affected individuals:

  • Strauss Borrelli PLLC (announced July 24, 2025)
  • Edelson Lechtzin LLP (announced July 29, 2025)
  • Pittman, Dutton, Hellums, Bradley & Mann, P.C. (announced August 4, 2025)

No consolidated class complaint has been publicly confirmed in the Eastern District of Michigan at the time of writing. The 2022 McKenzie Health ransomware incident did not result in a publicized class-action settlement, but the existence of a second major breach in three years at the same entity materially strengthens negligence and reasonable-security arguments. Public filings will be added here as they are docketed.

What to do

  1. Place free credit freezes at Equifax, Experian, and TransUnion. With SSN, driver’s license number, and bank account information exposed together, freezing is the single highest-leverage step.
  2. Enroll in the TransUnion credit monitoring offered in your notification letter. It is free, lasts 12 months, and the enrollment code is in your letter.
  3. File IRS Form 14039 (Identity Theft Affidavit) to obtain an IP PIN and block fraudulent tax filings using your SSN.
  4. Replace your Michigan driver’s license or state ID number through the Michigan Department of State if the letter confirms it was involved.
  5. Monitor your bank account closely for unauthorized ACH transfers. If you were a McKenzie employee whose bank account was on file for payroll, ask your bank to flag the account.
  6. Watch for targeted phishing. Because diagnosis, treatment cost, and insurance data were involved, scammers can craft outreach that references your specific care. Be wary of unsolicited calls, emails, or letters that name your conditions or providers.
  7. Stop the ongoing flow of your medical data. HealthConsent files HIPAA restriction requests so the diagnosis and treatment data exposed in this breach is not continuously re-shared by downstream entities.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.