Active breach tracker Boca Raton, Florida Disclosed October 17, 2025

Modernizing Medicine (ModMed) Data Breach 2025: 198,795 Podiatry Patients Exposed in July Network-Server Intrusion. What To Do.

Modernizing Medicine, Inc. (ModMed) — a Boca Raton specialty-EHR business associate — disclosed a July 9-10, 2025 intrusion of servers tied to its podiatry vertical, exposing names, SSNs, and clinical detail for 198,795 individuals downstream of its provider customers. Notifications mailed October 17, 2025; some data offered for sale on a dark-web forum. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jul 9, 2025

Unauthorized actor accesses ModMed servers; files copied

Jul 21, 2025

ModMed identifies suspicious activity on its servers

Jul 29, 2025

Investigation confirms unauthorized access and data exfiltration

Sep 19, 2025

ModMed notifies its affected podiatry-practice customers

Oct 17, 2025

Patient notification letters mailed; breach submitted to HHS OCR and state AGs (MA, MT)

Oct 20, 2025

Vermont AG filing submitted

Oct 24, 2025

DataBreaches.net reports ~1,500-record sample listed for sale on a dark-web forum

Jan 13, 2026

HHS OCR portal entry posts 198,795 affected after government-shutdown backlog clears

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical record number Billing and diagnostic codes Prescription / medication information Diagnosis and treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Address Phone number Email address Health insurance information Patient account number Dates of service Provider and practice name

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Strauss Borrelli PLLC (investigation) Federman & Sherwood (investigation) Cafferty Clobes Meriwether & Sprengel LLP (investigation) McShane & Brady LLC (investigation) Shamis & Gentile P.A. (investigation)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Modernizing Medicine, Inc. — better known as ModMed — is a Boca Raton specialty-EHR vendor and a HIPAA business associate. Between July 9 and July 10, 2025 an unauthorized actor accessed servers tied to ModMed’s podiatry vertical and copied files containing personal and protected health information for 198,795 individuals downstream of ModMed’s provider customers.

What happened

ModMed provides cloud-based, specialty-specific electronic health record software to medical practices across the United States, serving specialties including podiatry, dermatology, ophthalmology, orthopedics, and several others. As a business associate, ModMed processes and stores patient data on behalf of the provider practices that license its software.

On July 21, 2025, ModMed identified suspicious activity on certain computer servers used by its podiatry practice clients. The company engaged a leading forensic firm and contacted law enforcement immediately. By July 29, 2025, the investigation confirmed that an unauthorized third party had accessed those servers and copied data during a window of July 9 to July 10, 2025. ModMed then conducted a comprehensive data review to identify the affected practices and patients.

ModMed notified its affected podiatry-practice customers on September 19, 2025. Patient notification letters were mailed on October 17, 2025, the same date ModMed submitted the breach to HHS OCR and to the Massachusetts and Montana attorneys general. The Vermont AG filing followed on October 20, 2025. The federal portal entry was delayed by the government shutdown and posted publicly in January 2026 at 198,795 affected — including 737 Massachusetts residents and 22 Montana residents.

On October 24, 2025, DataBreaches.net reported that a sample of roughly 1,500 ModMed podiatry-patient records had been offered for sale on a dark-web forum by an actor using the moniker “phanes.” The listing was subsequently removed. The seller’s relationship to the July intrusion was not independently confirmed, and no ransomware group has claimed credit for the incident.

What was stolen

Per the official notification letter ModMed filed with state regulators, exposed information may include:

  • Full name, date of birth, address, phone number, email address
  • Social Security number
  • Health insurance information
  • Medical record number, patient account number, dates of service
  • Provider and practice name
  • Billing and diagnostic codes
  • Prescription and medication information
  • Diagnosis and treatment information

The official letter explicitly states that bank and financial account information, credit card information, driver’s license number, government ID card, and full medical records were not involved in this incident. Not all data elements were exposed for every affected individual.

The combination of Social Security numbers with clinical detail and insurance information still represents a high-severity exposure for affected individuals.

Who’s notifying you (business associate — notice comes via your provider)

ModMed is a business associate, not your direct provider. Your relationship is with the podiatry practice (the covered entity) that uses ModMed’s software. ModMed identified affected practices in September 2025 and mailed notification letters to patients on those practices’ behalf. The return address and signatory on your letter may read “Modernizing Medicine,” “ModMed,” or your podiatrist’s office. All three are valid and reference the same incident.

Downstream provider customers

ModMed serves a wide range of specialties (allergy, dermatology, gastroenterology, OBGYN, ophthalmology, orthopedics, otolaryngology, pain management, plastic surgery, podiatry, urology). Public reporting consistently states that this breach was confined to servers supporting ModMed’s podiatry customers. Specific affected podiatry practices have not been publicly listed.

If you are a patient of a non-podiatry specialty practice that uses ModMed, the public record so far does not place you in this incident.

What Modernizing Medicine is offering

ModMed offered complimentary credit monitoring and identity theft protection services through IDX to affected individuals. Per the official notification letter:

  • Enrollment phone: 1-833-353-4513
  • Enrollment deadline: January 17, 2026 (this deadline has passed; contact IDX directly to ask about late enrollment)
  • Duration: 1 or 2 years depending on the individual notice (the letter template notes the duration was personalized per recipient)

The IDX monitoring enrollment deadline has passed for most recipients. If you did not enroll in time, proceed directly to credit freezes (see “What to do” below) as your primary protection.

Class actions

As of June 2026, five plaintiff firms have opened investigations, including Strauss Borrelli PLLC, Federman & Sherwood, Cafferty Clobes Meriwether & Sprengel LLP, McShane & Brady LLC, and Shamis & Gentile P.A. No consolidated complaint in the Southern District of Florida (ModMed’s home venue) has been publicly identified in sources reviewed for this page. Status: OCR open; class-action investigations underway.

What to do

  1. Freeze your credit with Equifax, Experian, and TransUnion. With Social Security numbers in scope, a freeze is the single highest-leverage defensive step. Freezes are free and do not affect your credit score.
  2. Contact IDX if you missed the enrollment deadline. The official enrollment deadline was January 17, 2026. Call 1-833-353-4513 to ask whether late enrollment is still available.
  3. File IRS Form 14039 (Identity Theft Affidavit) if you suspect your SSN is being used fraudulently. You can also request an IRS Identity Protection PIN at irs.gov/ippin.
  4. Review insurance Explanation of Benefits statements for unfamiliar claims. Exposed billing and diagnostic codes mean someone could attempt to use your insurance identity.
  5. Keep your notification letter. If a class action consolidates and a settlement notice goes out later, you will need the letter to document standing.
  6. Stop the ongoing flow of your podiatry records. HealthConsent files HIPAA restriction requests so the foot and ankle care history, diagnostic codes, and treatment details exposed in this breach are not continuously re-shared with insurers, data brokers, and downstream providers who had no role in your care.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.