Minnesota Epilepsy Group Data Breach 2025: 38,401 Affected · Network Server Hack · EEG Summaries & Neuropsychology Reports Exposed. What To Do.
Minnesota Epilepsy Group (Roseville, MN), the largest level-4 epilepsy center in the Midwest, discovered a network intrusion on February 27, 2025 and filed with HHS OCR on April 28, 2025 reporting 38,401 affected individuals. Exposed data may include names, addresses, dates of birth, medical record numbers, EEG summaries, neuropsychology reports, medication records, and health insurance information. The cloud-based EHR was not compromised. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 27, 2025
Minnesota Epilepsy Group becomes aware of a cybersecurity incident affecting systems within its network environments; some operations disrupted
Apr 25, 2025
Substitute Notice of Data Security Incident dated and posted; toll-free response line 855-260-0830 opened
Apr 28, 2025
HHS OCR breach report filed: 38,401 affected, Hacking/IT Incident, Network Server
Feb 27, 2025
Minnesota Epilepsy Group becomes aware of a cybersecurity incident affecting systems within its network environments; some operations disrupted
Apr 25, 2025
Substitute Notice of Data Security Incident dated and posted; toll-free response line 855-260-0830 opened
Apr 28, 2025
HHS OCR breach report filed: 38,401 affected, Hacking/IT Incident, Network Server
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Minnesota Epilepsy Group, a Roseville-based practice that operates as a National Association of Epilepsy Centers level-4 epilepsy center and is the largest comprehensive adult and pediatric epilepsy program in the Midwest, disclosed a network intrusion that exposed clinical neurology records for 38,401 individuals. The intrusion was detected February 27, 2025; the entity issued a substitute notice on April 25, 2025; the HHS OCR filing on April 28, 2025 classified the event as a Hacking/IT Incident at a Network Server. Minnesota Epilepsy Group states it has no evidence its cloud-based electronic health record was compromised in this incident — the exposure was on other systems within its network.
Timeline
- February 27, 2025 — Minnesota Epilepsy Group becomes aware of a cybersecurity incident affecting certain systems within its network environments. Some operations are disrupted. The entity engages third-party cybersecurity experts.
- April 25, 2025 — Substitute Notice of Data Security Incident is dated and posted. A dedicated toll-free response line (855-260-0830, Monday through Friday, 9:00am–9:00pm Eastern) is stood up.
- April 28, 2025 — Federal breach report filed with the HHS Office for Civil Rights: 38,401 affected, Hacking/IT Incident, Network Server.
The ~60-day gap from detection (Feb 27) to OCR filing (Apr 28) is consistent with the HIPAA Breach Notification Rule clock.
What was exposed
Per the entity’s substitute notice, information on the impacted systems may include:
- Full name
- Address
- Date of birth
- Medical record number
- EEG summaries
- Neuropsychology reports
- Medication records
- Health insurance information
The notice explicitly states there is no evidence the cloud-based EHR was compromised. The OCR portal categorizes the location of the breached PHI as Network Server. The notice does not assert that Social Security numbers or financial account numbers were involved — read your individual notification letter carefully for the specific elements tied to your record.
What Minnesota Epilepsy Group is offering
The April 25, 2025 substitute notice does not offer complimentary credit-monitoring or identity-theft protection. The entity instead directs affected individuals to:
- A dedicated toll-free response line: 855-260-0830 (Monday through Friday, 9:00am–9:00pm Eastern).
- Self-service consumer protections — free fraud alerts and free security freezes at Equifax, Experian, and TransUnion (full contact details and addresses are provided in the notice).
- Review of explanation-of-benefits statements from health insurers and follow-up on any unrecognized items.
- The free annual credit report at annualcreditreport.com (1-877-322-8228).
The notice frames the disclosure as protective rather than as confirmation of misuse: “we have no indication that there has been any fraud as a result of this incident.”
Sensitive-population considerations (neurology patients)
Records held by a level-4 epilepsy center are unusually consequential:
- EEG summaries and seizure histories can carry employment, occupational-licensure (commercial driving, aviation, firearms), and insurance-underwriting implications when surfaced out of context.
- Neuropsychology reports contain cognitive testing scores, executive-function findings, and diagnostic impressions that — like CNLD-type pediatric records — can follow a patient through school placement, college admissions, and adult employment.
- Medication records for anti-epileptic drugs (AEDs) can expose pregnancy planning concerns (valproate, topiramate), psychiatric comorbidities, and treatment-resistance status.
- A meaningful share of MEG’s panel is pediatric, raising synthetic-identity-theft concerns that compound the clinical sensitivity.
These categories are not “credit-monitoring solvable” — once an EEG narrative or neuropsychology report is in an attacker’s archive, no monitoring product unwinds the exposure. The right of HIPAA restriction on future re-disclosure becomes the operative remedy.
Class-action posture
Shamis & Gentile P.A. has publicly announced a class-action investigation. As of the date of this page, no federal class-action complaint has been located in public dockets, and the OCR investigation status is open. No settlement has been reported.
What to do
- Call the response line: 855-260-0830 (Monday–Friday, 9am–9pm Eastern) and confirm whether your record was on the impacted systems and what — if anything — beyond the substitute notice is being offered to you specifically.
- Place free credit freezes at Equifax (888-298-0045), Experian (888-397-3742), and TransUnion (888-909-8872). Freezes are the highest-leverage protection and are not offered by MEG, so you have to initiate them.
- Review your EOB statements from your health insurer and flag any provider, date of service, or procedure code you do not recognize.
- If you are a pediatric patient or parent of one, freeze your child’s credit at all three bureaus (manual outreach with proof of guardianship is required).
- Stop the ongoing flow of your neurology data. HealthConsent files HIPAA restriction requests so the EEG narratives, neuropsychology reports, and medication records exposed in this breach are not continuously re-shared downstream of the original incident.
Sources
- Minnesota Epilepsy Group — Notice of Data Security Incident (April 25, 2025) — primary entity disclosure; basis for dates, exposed-data list, response-line number, and the “cloud EHR not compromised” statement.
- HHS Office for Civil Rights Breach Portal — federal regulatory record (38,401 affected, Hacking/IT Incident, Network Server, filed 2025-04-28).
- HIPAA Journal — HIPAA Breach News — trade-press confirmation of the February 27, 2025 detection date and April 25, 2025 notice date.
- ClaimDepot — Minnesota Epilepsy Group Data Breach Lawsuit Investigation — secondary aggregation of the entity notice; basis for confirming exposed-data categories.
- Shamis & Gentile P.A. — Class Action Investigations — plaintiff-firm announcement of investigation.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Minnesota Epilepsy Group — Notice of Data Security Incident (entity notice, April 25, 2025)
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Minnesota Epilepsy Group cybersecurity incident coverage
- ClaimDepot — Minnesota Epilepsy Group Data Breach Lawsuit Investigation
- Shamis & Gentile P.A. — Class Action Investigations
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.