Active breach tracker Minnesota Disclosed April 28, 2025

Minnesota Epilepsy Group Data Breach 2025: 38,401 Affected · Network Server Hack · EEG Summaries & Neuropsychology Reports Exposed. What To Do.

Minnesota Epilepsy Group (Roseville, MN), the largest level-4 epilepsy center in the Midwest, discovered a network intrusion on February 27, 2025 and filed with HHS OCR on April 28, 2025 reporting 38,401 affected individuals. Exposed data may include names, addresses, dates of birth, medical record numbers, EEG summaries, neuropsychology reports, medication records, and health insurance information. The cloud-based EHR was not compromised. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 27, 2025

Minnesota Epilepsy Group becomes aware of a cybersecurity incident affecting systems within its network environments; some operations disrupted

Apr 25, 2025

Substitute Notice of Data Security Incident dated and posted; toll-free response line 855-260-0830 opened

Apr 28, 2025

HHS OCR breach report filed: 38,401 affected, Hacking/IT Incident, Network Server

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

02

Health records

Don't expire and can't be reissued

Medical record number Medication records

03

Contact & insurance

Phishing + targeted scams

Full name Address EEG summaries Neuropsychology reports Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Shamis & Gentile P.A. (investigation announced)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Minnesota Epilepsy Group, a Roseville-based practice that operates as a National Association of Epilepsy Centers level-4 epilepsy center and is the largest comprehensive adult and pediatric epilepsy program in the Midwest, disclosed a network intrusion that exposed clinical neurology records for 38,401 individuals. The intrusion was detected February 27, 2025; the entity issued a substitute notice on April 25, 2025; the HHS OCR filing on April 28, 2025 classified the event as a Hacking/IT Incident at a Network Server. Minnesota Epilepsy Group states it has no evidence its cloud-based electronic health record was compromised in this incident — the exposure was on other systems within its network.

Timeline

  • February 27, 2025 — Minnesota Epilepsy Group becomes aware of a cybersecurity incident affecting certain systems within its network environments. Some operations are disrupted. The entity engages third-party cybersecurity experts.
  • April 25, 2025 — Substitute Notice of Data Security Incident is dated and posted. A dedicated toll-free response line (855-260-0830, Monday through Friday, 9:00am–9:00pm Eastern) is stood up.
  • April 28, 2025 — Federal breach report filed with the HHS Office for Civil Rights: 38,401 affected, Hacking/IT Incident, Network Server.

The ~60-day gap from detection (Feb 27) to OCR filing (Apr 28) is consistent with the HIPAA Breach Notification Rule clock.

What was exposed

Per the entity’s substitute notice, information on the impacted systems may include:

  • Full name
  • Address
  • Date of birth
  • Medical record number
  • EEG summaries
  • Neuropsychology reports
  • Medication records
  • Health insurance information

The notice explicitly states there is no evidence the cloud-based EHR was compromised. The OCR portal categorizes the location of the breached PHI as Network Server. The notice does not assert that Social Security numbers or financial account numbers were involved — read your individual notification letter carefully for the specific elements tied to your record.

What Minnesota Epilepsy Group is offering

The April 25, 2025 substitute notice does not offer complimentary credit-monitoring or identity-theft protection. The entity instead directs affected individuals to:

  • A dedicated toll-free response line: 855-260-0830 (Monday through Friday, 9:00am–9:00pm Eastern).
  • Self-service consumer protections — free fraud alerts and free security freezes at Equifax, Experian, and TransUnion (full contact details and addresses are provided in the notice).
  • Review of explanation-of-benefits statements from health insurers and follow-up on any unrecognized items.
  • The free annual credit report at annualcreditreport.com (1-877-322-8228).

The notice frames the disclosure as protective rather than as confirmation of misuse: “we have no indication that there has been any fraud as a result of this incident.”

Sensitive-population considerations (neurology patients)

Records held by a level-4 epilepsy center are unusually consequential:

  • EEG summaries and seizure histories can carry employment, occupational-licensure (commercial driving, aviation, firearms), and insurance-underwriting implications when surfaced out of context.
  • Neuropsychology reports contain cognitive testing scores, executive-function findings, and diagnostic impressions that — like CNLD-type pediatric records — can follow a patient through school placement, college admissions, and adult employment.
  • Medication records for anti-epileptic drugs (AEDs) can expose pregnancy planning concerns (valproate, topiramate), psychiatric comorbidities, and treatment-resistance status.
  • A meaningful share of MEG’s panel is pediatric, raising synthetic-identity-theft concerns that compound the clinical sensitivity.

These categories are not “credit-monitoring solvable” — once an EEG narrative or neuropsychology report is in an attacker’s archive, no monitoring product unwinds the exposure. The right of HIPAA restriction on future re-disclosure becomes the operative remedy.

Class-action posture

Shamis & Gentile P.A. has publicly announced a class-action investigation. As of the date of this page, no federal class-action complaint has been located in public dockets, and the OCR investigation status is open. No settlement has been reported.

What to do

  1. Call the response line: 855-260-0830 (Monday–Friday, 9am–9pm Eastern) and confirm whether your record was on the impacted systems and what — if anything — beyond the substitute notice is being offered to you specifically.
  2. Place free credit freezes at Equifax (888-298-0045), Experian (888-397-3742), and TransUnion (888-909-8872). Freezes are the highest-leverage protection and are not offered by MEG, so you have to initiate them.
  3. Review your EOB statements from your health insurer and flag any provider, date of service, or procedure code you do not recognize.
  4. If you are a pediatric patient or parent of one, freeze your child’s credit at all three bureaus (manual outreach with proof of guardianship is required).
  5. Stop the ongoing flow of your neurology data. HealthConsent files HIPAA restriction requests so the EEG narratives, neuropsychology reports, and medication records exposed in this breach are not continuously re-shared downstream of the original incident.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.