Onsite Mammography (Onsite Women's Health) Data Breach 2025: 357,265 Affected by Phishing-Driven Email Compromise · $2.525M Class Action Settlement Pending Final Approval
Onsite Mammography, the Westfield, Massachusetts mobile breast-imaging provider operating as Onsite Women's Health, notified 357,265 individuals on April 9, 2025 of an email account compromise traced to a phishing attack in early October 2024. Exposed data included Social Security numbers, dates of birth, driver's license numbers, financial account data, and detailed mammography and other health records. A $2,525,000 class action settlement received preliminary approval April 13, 2026; claims are due August 11, 2026. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Oct 2, 2024
Unauthorized actor accesses a single employee email account after a phishing email
Oct 4, 2024
Unusual activity detected in the employee email account; account secured and forensics engaged
Feb 21, 2025
Third-party forensic review concludes that health-related information was exposed
Apr 9, 2025
Individual notification letters mailed to affected patients
Apr 21, 2025
HHS OCR breach report submitted; state AG notifications filed (ME, TX, MA, SC, NH, VT)
Apr 22, 2025
Public disclosure; plaintiff-firm investigations announced by Federman & Sherwood, Strauss Borrelli, Migliaccio & Rathod, Lynch Carpenter, and others
Mar 6, 2026
Settlement agreement signed; Clarkson et al. v. Onsite Mammography LLC, Case No. 3:25-cv-11123-MGM, U.S. District Court for the District of Massachusetts
Apr 13, 2026
Judge Mastroianni grants preliminary approval of $2,525,000 settlement; Almeida Law Group, Edelson Lechtzin LLP, and Pittman Dutton appointed class counsel
Aug 11, 2026
Claim filing deadline for settlement class members (online or mail)
Sep 9, 2026
Final approval hearing scheduled, U.S. District Court for the District of Massachusetts (Springfield), 12:00 PM ET
Oct 2, 2024
Unauthorized actor accesses a single employee email account after a phishing email
Oct 4, 2024
Unusual activity detected in the employee email account; account secured and forensics engaged
Feb 21, 2025
Third-party forensic review concludes that health-related information was exposed
Apr 9, 2025
Individual notification letters mailed to affected patients
Apr 21, 2025
HHS OCR breach report submitted; state AG notifications filed (ME, TX, MA, SC, NH, VT)
Apr 22, 2025
Public disclosure; plaintiff-firm investigations announced by Federman & Sherwood, Strauss Borrelli, Migliaccio & Rathod, Lynch Carpenter, and others
Mar 6, 2026
Settlement agreement signed; Clarkson et al. v. Onsite Mammography LLC, Case No. 3:25-cv-11123-MGM, U.S. District Court for the District of Massachusetts
Apr 13, 2026
Judge Mastroianni grants preliminary approval of $2,525,000 settlement; Almeida Law Group, Edelson Lechtzin LLP, and Pittman Dutton appointed class counsel
Aug 11, 2026
Claim filing deadline for settlement class members (online or mail)
Sep 9, 2026
Final approval hearing scheduled, U.S. District Court for the District of Massachusetts (Springfield), 12:00 PM ET
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Onsite Mammography, the Westfield, Massachusetts breast-imaging provider operating publicly as Onsite Women’s Health, notified 357,265 individuals that a phishing email compromised a single employee mailbox in early October 2024 and exposed Social Security numbers, government IDs, financial account data, and detailed mammography and other clinical records. The entity reported the incident to HHS OCR on April 21, 2025 and to attorneys general in Maine, Texas, Massachusetts, South Carolina, New Hampshire, and Vermont. A $2,525,000 class action settlement received preliminary approval on April 13, 2026. The claim filing deadline is August 11, 2026. Final court approval is scheduled for September 9, 2026.
Onsite operates mobile imaging units that travel to employer sites and partner clinics across 150+ locations, so the affected population skews heavily toward working women screened through their employer’s wellness benefit rather than walk-in patients of a single hospital.
Timeline
- October 2, 2024 — Initial access. An unauthorized actor accessed a single employee email account after the employee opened a phishing email.
- October 4, 2024 — Detection. Onsite identified unusual activity in the mailbox, secured the account, and engaged third-party digital forensics.
- February 21, 2025 — Forensic review concludes. Investigators confirm that health-related information in the mailbox was exposed during the access window.
- April 9, 2025 — Notification letters mailed to affected individuals with offers of 12 months of complimentary credit monitoring and identity protection.
- April 21, 2025 — Regulatory filings. Onsite reports the breach to HHS OCR and to state attorneys general in ME, TX, MA, SC, NH, and VT. State-level filings confirm 32 residents affected in Maine and 89 in Massachusetts.
- April 22, 2025 — Public disclosure and plaintiff-firm investigations announced by Federman & Sherwood, Strauss Borrelli, Migliaccio & Rathod, Lynch Carpenter, Levi & Korsinsky, Cafferty Clobes, and others.
- March 6, 2026 — Settlement agreement signed in Clarkson et al. v. Onsite Mammography LLC, Case No. 3:25-cv-11123-MGM, U.S. District Court for the District of Massachusetts.
- April 13, 2026 — Preliminary approval granted by Judge Mastroianni. Almeida Law Group LLC, Edelson Lechtzin LLP, and Pittman Dutton Hellums Bradley & Mann P.C. appointed as class counsel. Settlement administrator: Eisner Advisory Group LLC.
- August 11, 2026 — Claim filing deadline. Class members must submit claims online at onsitesettlement.com or by mail to the settlement administrator (P.O. Box 3868, Baton Rouge, LA 70821).
- September 9, 2026 — Final approval hearing at 12:00 PM ET.
What was exposed
Per the notice letters and state AG filings, exposed elements vary by individual but include:
- Full name and date of birth
- Social Security number
- Driver’s license or state ID number
- Financial account, credit, or debit card number
- Diagnosis and treatment information, including mammography and other breast-imaging results
- Other health-related information and insurance/payment details
Mammography records carry distinct sensitivity beyond a typical PHI exposure. A breach notice tied to a mammography provider can confirm, to anyone who sees it, that an individual is in active breast cancer screening. The accompanying clinical records can disclose BI-RADS scores, biopsy history, prior diagnoses, and follow-up imaging cadence. That combination is enough to support targeted phishing, insurance fraud against specific oncology billing codes, and emotionally manipulative scams aimed at women in or near a cancer workup.
Sensitive-population considerations
Onsite’s service model concentrates the population in ways that compound the harm:
- Workplace screening. Many affected individuals were screened on-site at their employer through a benefits program. A coworker, manager, or HR-adjacent staffer who learns of the breach can reasonably infer who on the team was in screening that month.
- Working-age women. The cohort skews heavily working-age female, a demographic already disproportionately targeted by romance and “wellness” scams. Pairing a real name, DOB, SSN, and a verified breast-health context gives a scammer unusually high social-engineering leverage.
- Geographic spread. Although Onsite is Massachusetts-based, mobile units serve patients in multiple states, which is why six state AGs received notice and why the affected count is national rather than regional.
What the entity is offering
- 12 months of complimentary credit monitoring and identity-theft protection for all notified individuals.
- A dedicated call center reference in the notice letter.
- Onsite states it has implemented “additional security measures” but has not publicly detailed MFA posture, mailbox retention policy, or DLP changes.
Twelve months is the floor most state laws expect when SSNs are exposed. It is not commensurate with the lifetime exposure of an SSN plus a verified cancer-screening record. Affected individuals should not rely on the offer expiring as a signal that the risk has expired.
Class-action posture
Multiple plaintiff firms opened investigations within 48 hours of disclosure. Those include Federman & Sherwood, Strauss Borrelli PLLC, Wilshire Law Firm, Chimicles Schwartz Kriner & Donaldson-Smith LLP, Migliaccio & Rathod LLP, Lynch Carpenter LLP, Levi & Korsinsky LLP, and Cafferty Clobes Meriwether & Sprengel LLP.
The matters were consolidated as Clarkson, et al. v. Onsite Mammography, LLC, d/b/a Onsite Women’s Health, Case No. 3:25-cv-11123-MGM (D. Mass.). On March 6, 2026, the parties signed a class action settlement agreement. On April 13, 2026, Judge Mastroianni granted preliminary approval of the $2,525,000 settlement and appointed Elena A. Belov (Almeida Law Group LLC), Marc H. Edelson (Edelson Lechtzin LLP), and Jonathan S. Mann (Pittman Dutton Hellums Bradley & Mann P.C.) as class counsel.
What settlement class members can claim:
- Up to $5,000 for documented out-of-pocket losses stemming from the breach (receipts, bank statements, or other proof required)
- A pro rata cash payment from the remaining settlement fund
- Three years of CyEx Medical Shield Complete credit and medical/health data monitoring, including three-bureau monitoring and $1 million in identity theft insurance — available regardless of whether you enrolled in Onsite’s initial 12-month offer
Critical deadlines:
| Action | Deadline |
|---|---|
| Submit a claim | August 11, 2026 |
| Opt out or object | July 13, 2026 |
| Final approval hearing | September 9, 2026 at 12:00 PM ET |
File claims at onsitesettlement.com using the claim ID on your notice letter, or mail to: Onsite Settlement Administrator, P.O. Box 3868, Baton Rouge, LA 70821. Settlement administration is handled by Eisner Advisory Group LLC. Final approval has not yet been granted; distributions will not begin until after the September 9, 2026 hearing and resolution of any appeals.
What to do
-
File a settlement claim by August 11, 2026. If you received a notice letter from Onsite, you are very likely a settlement class member. Submit online at onsitesettlement.pnclassaction.com using the claim ID printed on your notice letter, or visit onsitesettlement.com for case details. You may also mail a completed claim form to: Onsite Settlement Administrator, P.O. Box 3868, Baton Rouge, LA 70821. You can claim up to $5,000 for documented losses plus a pro rata cash payment and three years of credit and medical data monitoring.
-
Freeze your credit at all three nationwide bureaus (Equifax, Experian, TransUnion). It is free and the single highest-leverage step against new-account fraud using your SSN. A freeze does not affect your existing accounts.
-
Enroll in the 12-month credit monitoring Onsite is offering if you have not already done so. Enrolling also documents your status as a notified class member for the settlement.
-
File IRS Form 14039 (Identity Theft Affidavit) if you believe your SSN may have been misused. Request an Identity Protection PIN from the IRS at irs.gov/ippin for future tax year filings.
-
Be skeptical of unsolicited contact referencing your breast health or screening history. Scammers calibrate cold outreach to whatever has just leaked. Anyone phoning or emailing to “verify” your mammography records, imaging appointments, or insurance coverage after this breach should be treated as a phishing attempt until proven otherwise. Onsite will not call to activate your credit monitoring — that is done only through the settlement website.
-
Watch your insurance Explanation of Benefits statements for unfamiliar oncology billing codes or duplicate claims. Identity thieves with both SSNs and verified cancer-screening records have a precise profile for targeted medical billing fraud.
-
Request a copy of your imaging records from Onsite if you want to verify what they hold on you. You have a right under HIPAA to receive a copy within 30 days of request.
-
Stop the ongoing flow of your breast-health and imaging data. HealthConsent files HIPAA restriction requests so the mammography records, clinical history, and health insurance information exposed in this breach are not continuously re-shared across imaging networks, referral platforms, and health information exchanges.
Sources
- HHS OCR Breach Portal — federal regulatory record.
- HIPAA Journal — Onsite Mammography Email Breach Affects 357,000 Patients
- SecurityWeek — Data Breach at Onsite Mammography Impacts 350,000
- Vermont Attorney General — 2025-04-21 Onsite Mammography Notice to Consumers
- ClassAction.org — Onsite Mammography Lawsuit Investigation (settlement)
- Federman & Sherwood — Onsite Mammography Investigation
- Strauss Borrelli PLLC — Onsite Women’s Health Investigation
- Bitdefender HotForSecurity — Phished Email at Mammography Service Exposes 350,000 Records
- Maine Attorney General — Onsite Mammography notice filing (32 ME residents affected)
- HIPAA Journal — Onsite Women’s Health $2.5M Data Breach Settlement
- Top Class Actions — $2.52M Onsite Mammography Data Breach Settlement
- Official Claim Submission Portal — onsitesettlement.pnclassaction.com
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS OCR Breach Portal
- HIPAA Journal — Onsite Mammography Email Breach Affects 357,000 Patients
- SecurityWeek — Data Breach at Onsite Mammography Impacts 350,000
- Vermont Attorney General — 2025-04-21 Onsite Mammography Notice to Consumers
- ClassAction.org — Onsite Mammography Lawsuit Investigation (settlement)
- Federman & Sherwood — Onsite Mammography Investigation
- Strauss Borrelli PLLC — Onsite Women's Health Investigation
- Bitdefender HotForSecurity — Phished Email at Mammography Service Exposes 350,000 Records
- Official Settlement Website — Clarkson et al. v. Onsite Mammography LLC (onsitesettlement.com)
- Official Settlement Website FAQ — Claim process, deadlines, class counsel contact
- ClassAction.org — $2.52M Onsite Mammography Settlement News (preliminary approval)
- ClaimDepot — Onsite Mammography $2.53M Settlement (claim deadline Aug 11, 2026)
- Almeida Law Group — Preliminary Approval Granted in Onsite Mammography Settlement
- Migliaccio & Rathod LLP — Onsite Mammography Data Breach Investigation
- Preliminary Approval Order — Case 3:25-cv-11123-MGM Document 39 Filed 04/13/26
- Maine Attorney General — Onsite Mammography notice filing (32 ME residents affected)
- HIPAA Journal — Onsite Women's Health $2.5M Data Breach Settlement
- Top Class Actions — $2.52M Onsite Mammography Data Breach Class Action Settlement
- Official Claim Submission Portal — onsitesettlement.pnclassaction.com
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.