Active breach tracker Dublin, GA Disclosed December 19, 2025

Medical Center, LLP (Dublin Medical Center) Data Breach 2025: 32,090 Georgia Primary-Care Patients Exposed. SSN + Full Clinical Record in Scope. What To Do

Medical Center, LLP d/b/a Dublin Medical Center, a primary-care family-medicine practice in Dublin, Georgia, detected suspicious network activity on October 17, 2025 and filed a hacking/IT incident with HHS OCR on December 19, 2025 affecting 32,090 patients. Unauthorized access began October 7, 2025. Names, Social Security numbers, driver's license numbers, full medical records, radiology imaging, lab reports, medical consent forms, and health insurance information exfiltrated. Class-action filed in Laurens County Superior Court. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 7, 2025

Unauthorized third party gains access to network

Oct 17, 2025

Suspicious activity detected on Dublin Medical Center network

Dec 9, 2025

Class-action complaint filed: Patisaul v. Medical Center, LLP (Laurens County Superior Court, 25-CG-0986-JG)

Dec 17, 2025

Individual notification letters mailed to affected patients

Dec 19, 2025

Filed with HHS Office for Civil Rights as 'Medical Center, LLP' — 32,090 affected

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

02

Health records

Don't expire and can't be reissued

Diagnosis and treatment information Prescriptions Radiology imaging and reports Lab reports

03

Contact & insurance

Phishing + targeted scams

Full name Address / contact information Patient identification number Patient status Provider name Dates of service Medical history Medical consent forms Health insurance information Account numbers Claim numbers

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Plaintiff counsel of record in Patisaul v. Medical Center, LLP (Laurens County Superior Court, Case No. 25-CG-0986-JG, filed December 9, 2025) Federman & Sherwood (publicly investigating) Lynch Carpenter LLP (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Medical Center, LLP, doing business as Dublin Medical Center, is a primary-care family-medicine practice in Dublin, Georgia (Laurens County, central Georgia) that confirmed a hacking/IT incident exposing the full clinical records of 32,090 patients, with notification letters mailed on December 17, 2025 and the breach filed with HHS OCR on December 19, 2025.

Timeline

  • October 7, 2025 — An unauthorized third party gained access to Dublin Medical Center’s network.
  • October 17, 2025 — The practice detected suspicious activity on its computer network and began an investigation.
  • December 9, 2025 — A putative class-action complaint, Tammy Patisaul v. Medical Center, LLP d/b/a Dublin Medical Center, was filed in the Superior Court of Laurens County, Georgia (Case No. 25-CG-0986-JG).
  • December 17, 2025 — Individual notification letters began being mailed to affected patients.
  • December 19, 2025 — The incident was reported to the HHS Office for Civil Rights under the name “Medical Center, LLP” as a hacking/IT incident on a network server, affecting 32,090 individuals.

What was exposed

Per the substitute notice and HIPAA Journal’s reporting, the data types varied by individual and included names in combination with some or all of the following:

  • Contact information (address, phone)
  • Date of birth
  • Social Security number
  • Driver’s license number
  • Account numbers and claim numbers
  • Patient identification number
  • Patient status, provider name, dates of service
  • Diagnosis and treatment information
  • Prescriptions
  • Medical history
  • Radiology imaging and reports
  • Medical consent forms
  • Lab reports
  • Health insurance information

The combination of full Social Security number, driver’s license number, and complete clinical detail (including imaging and consent forms) places this breach in the high-severity tier for downstream identity theft, medical identity theft, and insurance fraud.

What entity is offering

Dublin Medical Center’s public response, as reported by HIPAA Journal and ClaimDepot, has been notably limited:

  • A toll-free response line (888-367-0574, per HIPAA Journal; 888-367-4574 per ClaimDepot — affected patients should rely on the number printed in their individual notification letter).
  • Recommendations to “remain vigilant” by reviewing account statements, ordering free annual credit reports, and reviewing explanation-of-benefits statements.
  • Recommendations to consider a fraud alert or security freeze on credit files through the major consumer reporting agencies.

Public reporting does not confirm that Dublin Medical Center is providing complimentary credit monitoring or identity-theft insurance to affected patients. That is a notable omission given Social Security numbers and driver’s license numbers are in scope. Affected individuals should consult their specific notification letter for any enrollment offer.

Class-action posture

A putative class-action complaint was filed in the Superior Court of Laurens County, Georgia on December 9, 2025, eight days before the practice mailed notification letters, under the caption Tammy Patisaul v. Medical Center, LLP d/b/a Dublin Medical Center, Case No. 25-CG-0986-JG. The case is docketed in the Laurens County state court system and tracked publicly on Trellis.law.

In parallel, two national plaintiff firms have publicly announced investigations of potential claims:

  • Federman & Sherwood (Oklahoma City), announced January 22, 2026.
  • Lynch Carpenter LLP, announced January 14, 2026 via GlobeNewswire press release.

Both firms are evaluating whether the practice implemented reasonable data-security safeguards prior to the intrusion.

What to do

  1. Place free credit freezes at Equifax, Experian, and TransUnion. Full SSN and driver’s license are in scope. A freeze, not a fraud alert, is the appropriate response.
  2. File IRS Form 14039 (Identity Theft Affidavit) to block fraudulent tax-return filings tied to your SSN.
  3. Replace your driver’s license if you receive any evidence it has been used fraudulently. Georgia DDS will issue a new number on request when identity theft is documented.
  4. Review every Explanation of Benefits statement for the next 24 months for unfamiliar provider claims. Medical identity theft is the primary downstream harm when full clinical records (imaging, prescriptions, diagnoses) are exfiltrated.
  5. Request a copy of your medical record from Dublin Medical Center and any provider it has shared records with, so you have a baseline to dispute fraudulent additions.
  6. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests across providers, insurers, HIEs, and prescription networks so a breached practice’s exposure does not propagate.

Sources

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.