Morton Drug Company Data Breach 2025: 40,051 Affected · Akira Ransomware Claim · Wisconsin LTC Pharmacy
Morton Drug Company, an independent long-term care pharmacy in Wisconsin (operating as Morton LTC), filed a HIPAA breach notification with HHS OCR on November 10, 2025, reporting 40,051 affected individuals after an August 20, 2025 network intrusion. The Akira ransomware group later claimed responsibility on its leak site, asserting it exfiltrated roughly 22 GB of data. Exposed information included names, addresses, prescription details, and Social Security numbers for some individuals.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Aug 20, 2025
Morton Drug Company detected unauthorized activity affecting its IT systems, engaged third-party cybersecurity specialists, and notified law enforcement.
Oct 21, 2025
The third-party forensic investigation concluded, identifying the categories of patient information involved in the incident.
Nov 7, 2025
Morton Drug Company posted its substitute notice of data security incident.
Nov 10, 2025
The breach was filed with HHS OCR as a Hacking/IT Incident at a Network Server affecting 40,051 individuals.
Nov 28, 2025
The Akira ransomware group publicly listed Morton LTC on its dark-web leak portal, claiming to have stolen approximately 22 GB of prescription, patient, insurance, and employee data.
Dec 4, 2025
Consumer-facing reporting expanded; multiple plaintiffs' firms publicly announced investigations into potential class claims.
Aug 20, 2025
Morton Drug Company detected unauthorized activity affecting its IT systems, engaged third-party cybersecurity specialists, and notified law enforcement.
Oct 21, 2025
The third-party forensic investigation concluded, identifying the categories of patient information involved in the incident.
Nov 7, 2025
Morton Drug Company posted its substitute notice of data security incident.
Nov 10, 2025
The breach was filed with HHS OCR as a Hacking/IT Incident at a Network Server affecting 40,051 individuals.
Nov 28, 2025
The Akira ransomware group publicly listed Morton LTC on its dark-web leak portal, claiming to have stolen approximately 22 GB of prescription, patient, insurance, and employee data.
Dec 4, 2025
Consumer-facing reporting expanded; multiple plaintiffs' firms publicly announced investigations into potential class claims.
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Morton Drug Company, an independent long-term care pharmacy in Wisconsin that operates as Morton LTC and dispenses to assisted-living and skilled-nursing facilities, filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on November 10, 2025, reporting 40,051 affected individuals in a Hacking/IT Incident at a Network Server. The intrusion was detected on August 20, 2025, and the Akira ransomware group later claimed responsibility on its dark-web leak portal, asserting it had exfiltrated approximately 22 GB of prescription, patient, insurance, and employee data.
Timeline
- 2025-08-20 — detected: Morton Drug Company identified suspicious activity affecting its IT environment, engaged third-party cybersecurity specialists to investigate and contain the incident, and notified law enforcement.
- 2025-10-21 — other: The forensic investigation concluded, identifying the categories of personal and protected health information involved.
- 2025-11-07 — notified: Morton Drug Company posted its substitute notice of data security incident.
- 2025-11-10 — filed: The breach was filed with HHS OCR as a Hacking/IT Incident at a Network Server affecting 40,051 individuals.
- 2025-11-28 — other: The Akira ransomware group publicly listed Morton LTC on its leak site, claiming to have stolen approximately 22 GB of prescription records, patient information, insurance details, employee records, and business documents.
- 2025-12-04 — other: Consumer-facing reporting expanded; multiple plaintiffs’ firms publicly announced investigations into potential class claims on behalf of affected individuals.
What was exposed
Per Morton Drug Company’s substitute notice and subsequent reporting, the information involved varied by individual and may include pharmacy-record categories:
- Names
- Addresses
- Prescription information (medication names, dosages, fill history)
- Social Security numbers (for a subset of affected individuals)
Akira’s separate leak-site posting additionally claimed exposure of insurance and billing details, employee records, and confidential business documents. Morton Drug Company has not publicly verified those specific claims. Because the affected system was a network server at a long-term care pharmacy, the data set is largely focused on prescription histories and the personal identifiers needed to dispense and bill them.
What the entity is offering
Morton Drug Company’s substitute notice states the company is notifying affected individuals and recommends recipients remain vigilant against identity theft and fraud by reviewing account statements and credit reports. The publicly available notice does not, as of this writing, set out the specific complimentary credit-monitoring or identity-protection terms. Recipients should consult the individual notification letter mailed to the address on file for the duration of any free monitoring offer and the enrollment code.
Class-action posture
No class action has been filed against Morton Drug Company as of this writing. Several plaintiffs’ firms — including Federman & Sherwood, Strauss Borrelli PLLC, Barnow and Associates, and Lynch Carpenter — have publicly announced investigations into potential class claims arising from the incident. ClassAction.org separately notes that its working attorneys have concluded their initial investigation without filing. Pharmacy breaches involving Social Security numbers and prescription histories have historically attracted federal class litigation in the months following notification.
What to do
- Freeze your credit at the three nationwide consumer reporting agencies. With Social Security numbers in scope for some individuals, a freeze is the single highest-leverage protective step.
- Watch for the Morton Drug Company notification letter at the address on file with the pharmacy. The letter lists the specific data elements exposed for you and any complimentary credit-monitoring or identity-protection enrollment instructions.
- Be alert to medical-identity-theft signals. Review explanation-of-benefits statements from your health plan and Medicare summary notices for prescriptions or services you did not receive. Flag pharmacy benefit denials that cite “duplicate fills” you did not request.
- If you are a long-term care resident or family member, ask the facility’s administrator whether your loved one’s pharmacy records were dispensed through Morton Drug Company / Morton LTC and request the substitute notice in writing.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (40,051 affected; filed 2025-11-10; Hacking/IT Incident; Network Server).
- HIPAA Journal — Data Breaches Announced by Morton Drug Company & Physicians to Children & Adolescents — discovery and investigation dates, data elements, affected count.
- ClassAction.org — Morton Drug Company Data Breach Impacts 40K — timeline, December consumer-notice publication, class-action investigation status.
- HIPAA Times — Morton Drug Company Reports Data Breach Affecting 40,000 Individuals — independent corroboration of detection date, investigation, and notification.
- BotCrawl — Morton LTC Data Breach Exposes 22GB of Records — Akira ransomware-group attribution, dark-web leak-portal posting (2025-11-28), 22 GB exfiltration claim.
- teiss — Morton Drug Company Discloses Cybersecurity Breach Impacting 40,000 Patients — independent trade-press reporting on the disclosure.
- Federman & Sherwood — Morton Drug Company Data Breach Investigation — plaintiffs’ firm public investigation announcement.
- Strauss Borrelli PLLC — Morton Drug Company Data Breach Investigation — second plaintiffs’ firm investigation announcement.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Data Breaches Announced by Morton Drug Company & Physicians to Children & Adolescents
- ClassAction.org — Morton Drug Company Data Breach Impacts 40K
- HIPAA Times — Morton Drug Company Reports Data Breach Affecting 40,000 Individuals
- BotCrawl — Morton LTC Data Breach Exposes 22GB of Records (Akira leak-site posting)
- teiss — Morton Drug Company Discloses Cybersecurity Breach Impacting 40,000 Patients
- Federman & Sherwood — Morton Drug Company Data Breach Investigation
- Strauss Borrelli PLLC — Morton Drug Company Data Breach Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.