McKenzie Memorial Hospital Data Breach 2025: 58,839 Affected at Rural Michigan Critical-Access Hospital. What To Do.
McKenzie Memorial Hospital (McKenzie Health System) in Sandusky, Michigan disclosed a 2025 network intrusion that exposed names, Social Security numbers, driver's license numbers, financial account information, and clinical data. Filed with HHS OCR on July 24, 2025 for 58,839 affected individuals. Here is what was exposed, what the hospital is offering, and what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Apr 14, 2025
Unauthorized third party accesses McKenzie Health System network
Apr 15, 2025
Unusual network activity identified; environment secured and outside cybersecurity experts engaged
Jun 19, 2025
Forensic investigation concludes; data review identifies affected individuals and data elements
Jul 24, 2025
Filed with HHS Office for Civil Rights (58,839 affected; Hacking/IT Incident, Network Server); simultaneously notified Maine AG (54,016 total affected, 6 Maine residents); individual notification letters begin mailing
Jul 24, 2025
Strauss Borrelli PLLC announces class-action investigation
Jul 28, 2025
DataBreaches.net publishes 'Two Data Breaches in Three Years' coverage tying this incident to the 2022 AvosLocker ransomware attack at McKenzie Health
Jul 29, 2025
Edelson Lechtzin LLP publicly announces class-action investigation
Aug 4, 2025
Pittman, Dutton, Hellums, Bradley & Mann, P.C. announces class-action investigation
Apr 14, 2025
Unauthorized third party accesses McKenzie Health System network
Apr 15, 2025
Unusual network activity identified; environment secured and outside cybersecurity experts engaged
Jun 19, 2025
Forensic investigation concludes; data review identifies affected individuals and data elements
Jul 24, 2025
Filed with HHS Office for Civil Rights (58,839 affected; Hacking/IT Incident, Network Server); simultaneously notified Maine AG (54,016 total affected, 6 Maine residents); individual notification letters begin mailing
Jul 24, 2025
Strauss Borrelli PLLC announces class-action investigation
Jul 28, 2025
DataBreaches.net publishes 'Two Data Breaches in Three Years' coverage tying this incident to the 2022 AvosLocker ransomware attack at McKenzie Health
Jul 29, 2025
Edelson Lechtzin LLP publicly announces class-action investigation
Aug 4, 2025
Pittman, Dutton, Hellums, Bradley & Mann, P.C. announces class-action investigation
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
McKenzie Memorial Hospital, operated by McKenzie Health System, is a rural critical-access hospital in Sandusky, Michigan, serving Sanilac County with roughly 200 staff. Between April 14 and April 15, 2025, an unauthorized third party accessed the hospital’s network. McKenzie detected the activity on April 15, completed its forensic review on June 19, and filed with the HHS Office for Civil Rights on July 24, 2025, reporting 58,839 affected individuals in a Hacking/IT Incident at a Network Server. The exposed data set was unusually broad for a hospital of this size: names, Social Security numbers, driver’s license numbers, financial and employee bank account information, plus diagnoses, medical record numbers, and treatment cost details. This is the hospital’s second major breach in three years. A 2022 ransomware incident claimed by the AvosLocker group exposed information for tens of thousands of additional patients (later updated on the HHS portal to roughly 51,040), making this a critical-access facility that has now lost two distinct waves of patient data inside a 38-month window.
Timeline
- April 14, 2025. An unauthorized third party gains access to McKenzie Health System’s network.
- April 15, 2025. McKenzie identifies unusual network activity, secures the environment, and engages outside cybersecurity experts to investigate.
- June 19, 2025. The forensic investigation concludes. Review identifies the specific individuals and data elements involved.
- July 24, 2025. McKenzie files the incident with HHS OCR: 58,839 affected, Hacking/IT Incident, Network Server. McKenzie’s external counsel simultaneously notifies the Maine Attorney General’s Office, reporting 54,016 total affected individuals and 6 Maine residents. Individual notification letters begin going out the same week; the letters direct affected individuals to enroll in 12 months of TransUnion credit monitoring and identity theft protection. Strauss Borrelli PLLC publicly announces a class-action investigation.
- July 28, 2025. DataBreaches.net publishes coverage placing this breach in the context of the 2022 AvosLocker ransomware incident at McKenzie Health.
- July 29, 2025. Edelson Lechtzin LLP announces a class-action investigation.
- August 4, 2025. Pittman, Dutton, Hellums, Bradley & Mann, P.C. announces its own investigation.
What was exposed
Per the hospital’s notice and follow-on press coverage, the data set varies by individual but can include any combination of:
- Full name, address, phone number, email address
- Date of birth
- Social Security number
- Driver’s license or state ID number
- Financial account information
- Employee bank account number (current and former staff)
- Patient account number and medical record number
- Health insurance information
- Diagnosis, medication information, and dates of service
- Treatment cost details
The Maine AG filing adds medication information to the confirmed data elements, a category not foregrounded in the hospital’s substitute notice but consistent with the clinical scope described.
McKenzie has not publicly identified a ransomware group as responsible for the 2025 incident, and the breach has not surfaced on any tracked dark-web leak site. SuspectFile’s analysis notes three possible explanations for the silence: the attacker never made an extortion demand; McKenzie paid a demand quietly; or the attacker has simply not yet published the data. None of these can be ruled out based on public evidence. The combination of identifiers, financial data, and clinical data on a single record makes this a higher-risk profile than a notice-only filing. Patients should treat their data as fully compromised, not theoretically exposed.
What the entity is offering
- Twelve months of complimentary credit monitoring and identity theft protection services through TransUnion for affected individuals (enrollment code in the notification letter). The Maine AG filing confirms TransUnion as the named vendor.
- Guidance in the letter on placing fraud alerts and credit freezes with the three nationwide credit bureaus.
- A dedicated response line for questions about the incident, listed in each individual’s notification letter.
- The hospital states it is reviewing and strengthening network security policies and procedures.
Class-action posture
Three plaintiff firms have publicly announced investigations and are soliciting affected individuals:
- Strauss Borrelli PLLC (announced July 24, 2025)
- Edelson Lechtzin LLP (announced July 29, 2025)
- Pittman, Dutton, Hellums, Bradley & Mann, P.C. (announced August 4, 2025)
No consolidated class complaint has been publicly confirmed in the Eastern District of Michigan at the time of writing. The 2022 McKenzie Health ransomware incident did not result in a publicized class-action settlement, but the existence of a second major breach in three years at the same entity materially strengthens negligence and reasonable-security arguments. Public filings will be added here as they are docketed.
What to do
- Place free credit freezes at Equifax, Experian, and TransUnion. With SSN, driver’s license number, and bank account information exposed together, freezing is the single highest-leverage step.
- Enroll in the TransUnion credit monitoring offered in your notification letter. It is free, lasts 12 months, and the enrollment code is in your letter.
- File IRS Form 14039 (Identity Theft Affidavit) to obtain an IP PIN and block fraudulent tax filings using your SSN.
- Replace your Michigan driver’s license or state ID number through the Michigan Department of State if the letter confirms it was involved.
- Monitor your bank account closely for unauthorized ACH transfers. If you were a McKenzie employee whose bank account was on file for payroll, ask your bank to flag the account.
- Watch for targeted phishing. Because diagnosis, treatment cost, and insurance data were involved, scammers can craft outreach that references your specific care. Be wary of unsolicited calls, emails, or letters that name your conditions or providers.
- Stop the ongoing flow of your medical data. HealthConsent files HIPAA restriction requests so the diagnosis and treatment data exposed in this breach is not continuously re-shared by downstream entities.
Sources
- HHS Office for Civil Rights Breach Portal. Federal regulatory record (filed July 24, 2025; 58,839 affected; Hacking/IT Incident; Network Server).
- McKenzie Health System: Notice of Data Security Incident. Entity substitute notice.
- HIPAA Journal coverage. Trade press summary with the 58,839 figure and 12-month credit-monitoring offer.
- DataBreaches.net: Two Data Breaches in Three Years. Context tying this incident to the 2022 AvosLocker ransomware breach.
- Cybernews coverage. Independent reporting on the breach scope.
- ClassAction.org investigation page.
- Edelson Lechtzin LLP data-breach alert (PR Newswire).
- Pittman, Dutton, Hellums, Bradley & Mann investigation page.
- Strauss Borrelli PLLC investigation page.
- Rural Health Information Hub case study (2022 incident context).
- Maine AG breach filing. State regulatory record confirming 54,016 total affected individuals, 6 Maine residents, TransUnion as the named credit monitoring vendor, and medication information as a confirmed data element.
- SuspectFile: Two Data Breaches in Three Years. Independent threat-intelligence analysis examining the 2022 AvosLocker attack alongside the 2025 incident and the three plausible explanations for the absence of a dark-web posting.
- HIPAA Times: McKenzie Health System reports data breach affecting over 58K. Independent trade-press summary.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- McKenzie Health System: Notice of Data Security Incident
- HIPAA Journal: McKenzie Memorial Hospital Announces Data Breach Affecting Almost 59,000 Patients
- DataBreaches.net: Two Data Breaches in Three Years: McKenzie Health
- Cybernews: Michigan hospital hack exposes over 54K patients
- ClassAction.org: McKenzie Memorial Hospital Data Breach Lawsuit Investigation
- Edelson Lechtzin LLP: Data Breach Alert (PR Newswire)
- Pittman, Dutton, Hellums, Bradley & Mann: McKenzie Health System Data Breach
- Strauss Borrelli PLLC: McKenzie Health System Data Breach Investigation
- Rural Health Information Hub: McKenzie Health System cyberattack case study (2022 context)
- Maine AG Breach Filing: McKenzie Health System (54,016 affected; 6 Maine residents; TransUnion monitoring)
- SuspectFile: Two Data Breaches in Three Years — The McKenzie Health System Case
- HIPAA Times: McKenzie Health System reports data breach affecting over 58K
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.