Pediatric Home Service Data Breach 2025: 41,792 Medically Complex Children Exposed (Names, SSNs, Medical Records, Insurance). Settlement Pending. What To Do
Pediatric Home Respiratory Services, LLC d/b/a Pediatric Home Service (Roseville, MN) disclosed a November 1-7, 2024 network intrusion that exposed names, addresses, dates of birth, Social Security numbers, medical information, and health insurance data for 41,792 individuals - most of them medically complex pediatric home-care patients. Filed with HHS OCR on January 6, 2025. Two-year Experian IdentityWorks Credit 3B offered. Consolidated class action (In re Pediatric Home Respiratory Services Litigation, Ramsey County District Court, No. 62-cv-25-2838) received preliminary approval January 6, 2026; final fairness hearing May 8, 2026. Cash payments up to $1,500 with documentation, or $50 flat. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 1, 2024
Unauthorized third party accesses PHS network (per company forensic timeline)
Nov 7, 2024
Unauthorized access detected; PHS contains intrusion and engages forensic firm
Jan 6, 2025
HIPAA breach notification filed with HHS Office for Civil Rights (41,792 affected, Hacking/IT Incident, Network Server)
Jan 7, 2025
Notification filed with Massachusetts Attorney General (sample letter posted in MA breach log)
Jan 8, 2025
Notification filed with Texas Attorney General (364 Texas residents); individual letters begin mailing
Apr 14, 2025
Class action complaints filed in Ramsey County District Court, later consolidated as In re Pediatric Home Respiratory Services Litigation, No. 62-cv-25-2838
Jan 6, 2026
Preliminary approval of class settlement; PHSDataSettlement.com goes live
Apr 8, 2026
Settlement opt-out and objection deadline
Apr 23, 2026
Settlement claim filing deadline
May 8, 2026
Final fairness hearing scheduled
Nov 1, 2024
Unauthorized third party accesses PHS network (per company forensic timeline)
Nov 7, 2024
Unauthorized access detected; PHS contains intrusion and engages forensic firm
Jan 6, 2025
HIPAA breach notification filed with HHS Office for Civil Rights (41,792 affected, Hacking/IT Incident, Network Server)
Jan 7, 2025
Notification filed with Massachusetts Attorney General (sample letter posted in MA breach log)
Jan 8, 2025
Notification filed with Texas Attorney General (364 Texas residents); individual letters begin mailing
Apr 14, 2025
Class action complaints filed in Ramsey County District Court, later consolidated as In re Pediatric Home Respiratory Services Litigation, No. 62-cv-25-2838
Jan 6, 2026
Preliminary approval of class settlement; PHSDataSettlement.com goes live
Apr 8, 2026
Settlement opt-out and objection deadline
Apr 23, 2026
Settlement claim filing deadline
May 8, 2026
Final fairness hearing scheduled
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Pediatric Home Respiratory Services, LLC, doing business as Pediatric Home Service (PHS), is a Roseville, Minnesota home-care provider founded in 1990 that specializes in keeping medically complex children — kids on ventilators, feeding pumps, infusion therapy, oxygen, and other in-home medical equipment — at home with their families instead of in long-stay institutional care. PHS operates 45+ locations and employs more than 1,000 clinicians and support staff.
Between November 1 and November 7, 2024, an unauthorized third party gained access to the PHS network. PHS detected the intrusion on November 7, contained it, engaged outside forensic counsel, and notified law enforcement. After a multi-week document review, PHS filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on January 6, 2025, reporting 41,792 affected individuals and categorizing the event as a Hacking/IT Incident at a Network Server. State attorney general filings followed on January 7 (Massachusetts) and January 8 (Texas, with 364 Texas residents identified). Individual notification letters began mailing the same week.
Per court filings in the consolidated class action, the affected population reads as approximately 43,634 individuals — the lower 41,792 number is the figure PHS submitted to HHS OCR.
Timeline
- Nov 1, 2024 — Unauthorized access begins (per PHS forensic timeline).
- Nov 7, 2024 — Intrusion detected; PHS contains and engages forensic firm.
- Jan 6, 2025 — HHS OCR breach filing (41,792 affected, Hacking/IT Incident, Network Server).
- Jan 7-8, 2025 — Massachusetts and Texas AG notifications; individual letters begin mailing; two-year Experian IdentityWorks Credit 3B activation codes included.
- Apr 14, 2025 — Class action complaints filed in Ramsey County District Court (later consolidated as In re Pediatric Home Respiratory Services, LLC d/b/a Pediatric Home Service Litigation, No. 62-cv-25-2838).
- Jan 6, 2026 — Preliminary settlement approval; PHSDataSettlement.com goes live.
- Apr 8, 2026 — Opt-out and objection deadline.
- Apr 23, 2026 — Claim filing deadline.
- May 8, 2026 — Final fairness hearing.
What was exposed
Per the PHS notification letter and the Texas and Massachusetts AG filings, the exposed data set across affected individuals included:
- Full name
- Address
- Date of birth
- Social Security number
- Medical information (treatment, equipment, condition data)
- Health insurance information (carrier, member ID, group, claims data)
- Government identification numbers (subset of records, per state AG filings)
- Financial account information (subset of records, per state AG filings)
The specific elements exposed for any given individual varied; the notification letter mailed to each affected person lists what was in scope for that person.
Why this one carries above-average risk: pediatric exposure and minor identity theft
PHS exists because of children — children who depend on ventilators, gastrostomy feedings, home oxygen, infusion lines, and continuous nursing visits. The breached dataset is dominated by minors with documented complex medical conditions, and the Social Security numbers of those minors were in scope.
A child’s SSN sits unused on credit files for 15-18 years before the child applies for a first job, student loan, or apartment. That long-dormant window is exactly why child SSNs trade on identity-theft markets at a premium: a fraudster can open accounts, run them to default, and walk away years before the legitimate owner is old enough to notice. By the time a teenager applies for a first car loan and gets denied, the synthetic-identity damage is years deep and labor-intensive to unwind.
Beyond financial fraud, the medical information itself carries lifelong consequences for this specific patient population. Diagnosis codes and equipment lists (vent dependence, trach status, neuromuscular disease, seizure protocols, complex congenital conditions) are not transient — they follow these children into adult insurance underwriting, future employment background checks, and personal disclosure decisions that should belong to the family alone.
What Pediatric Home Service is offering
PHS is offering each notified individual a complimentary two-year membership to Experian IdentityWorks Credit 3B, which includes three-bureau credit monitoring, identity-theft insurance, and identity-restoration support. The activation code is printed in each individual notification letter. For minor children, parents must enroll the child — Experian’s child-focused product is the right SKU to request; ask the Experian enrollment line whether to use IdentityWorks Credit 3B or to switch into a minor-specific monitoring track at no extra cost.
Class action and settlement (preliminarily approved)
Multiple class actions were filed in Minnesota’s Ramsey County District Court beginning April 14, 2025 and were consolidated as In re Pediatric Home Respiratory Services, LLC d/b/a Pediatric Home Service Litigation, Case No. 62-cv-25-2838. The court granted preliminary settlement approval on January 6, 2026. Final fairness hearing is set for May 8, 2026.
Settlement benefits, per the notice posted at PHSDataSettlement.com:
- Cash Payment A: up to $1,500 with documented proof of out-of-pocket losses (identity-theft remediation costs, fraudulent charges, credit-monitoring purchases, ID replacement fees, postage, attested lost time at a fixed hourly rate).
- Cash Payment B: $50 flat with no documentation required (election alternative to Payment A).
- One additional year of credit monitoring through a choice of CyEx products: Medical Shield Complete, Identity Defense Total, or Minor Defense Pro (the minor-focused option is the right choice for affected children).
Key deadlines for affected individuals:
- April 8, 2026 — opt out or object.
- April 23, 2026 — file a claim.
- May 8, 2026 — final fairness hearing.
If you received a PHS notification letter and want either the $50 flat payment or the documented-loss payment, you must file a claim at PHSDataSettlement.com before the April 23, 2026 deadline. Doing nothing forfeits the cash payment but leaves you bound by the settlement release.
What to do
- Read your specific notification letter. It lists exactly which data elements were in scope for you (or for your child) and includes the Experian IdentityWorks activation code.
- Enroll in the two-year Experian IdentityWorks Credit 3B. For an affected child, enroll the child directly — do not use a parent’s credit profile. Ask Experian whether to switch into a minor-specific monitoring product.
- Place free credit freezes on the child’s credit file at Equifax, Experian, and TransUnion. Minors normally have no credit file at all, so the freeze process is different from an adult freeze — it requires creating a file first specifically so it can be locked. All three bureaus have a dedicated minor-freeze process; do not skip this.
- File IRS Form 14039 (Identity Theft Affidavit) for the affected child if you see any IRS notice about an unexpected return or wage report. Children should not have tax filings.
- Submit a settlement claim at PHSDataSettlement.com before April 23, 2026 — either the $50 flat payment or, if you have documented losses, up to $1,500 with receipts. Elect the Minor Defense Pro monitoring track for affected children.
- Watch the child’s credit and SSN for years, not months. Minor-identity-theft damage typically surfaces at age 16-18 when the child first applies for a job or loan. Calendar a check at every birthday from 14 onward.
- Stop the ongoing flow of this child’s records. Beyond the breach itself, complex pediatric home-care data continues to be shared routinely with DME suppliers, specialty pharmacies, infusion networks, and PBMs. HealthConsent files HIPAA restriction requests so this child’s already-exposed information is not continuously re-shared downstream.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record (41,792 affected; Hacking/IT Incident; Network Server; reported January 6, 2025).
- HIPAA Journal: Granite Wellness Centers & Pediatric Home Service Settle Class Action Data Breach Lawsuits — settlement preliminary approval, court, case caption, May 8 2026 fairness hearing.
- ClassAction.org: Pediatric Home Services Settlement Ends Litigation Over November 2024 Data Breach — case number 62-cv-25-2838, $1,500 / $50 payment structure, claim deadlines, Minor Defense Pro option.
- ClassAction.org: Pediatric Home Service Data Breach Lawsuit Investigation — lawsuit investigation summary.
- Strauss Borrelli PLLC: Pediatric Home Service Data Breach Investigation — class-action firm investigation, breach dates, exposed data.
- Markovits, Stock & DeMarco: Class Action Lawsuit Investigation — affected count, exposed data, company background.
- Federman & Sherwood: Pediatric Home Service Investigation — January 9, 2025 public disclosure date, Texas AG filing.
- Migliaccio & Rathod LLP: Pediatric Home Respiratory Services Data Breach Investigation — independent class-action firm corroboration of dates and data elements.
- SLFLA: Pediatric Home Respiratory Services Data Breach — What You Need to Know — class-action litigation summary.
- ClaimDepot: Pediatric Home Service Data Breach Affects 41,792 People — detailed exposed-data list, two-year Experian IdentityWorks Credit 3B credit-monitoring confirmation, state AG filing dates.
- Mass.gov: Data Breach Notification Letters January 2025 — Massachusetts AG breach log entry and sample letter (filing 2025-29).
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal: Granite Wellness Centers & Pediatric Home Service Settle Class Action Data Breach Lawsuits
- ClassAction.org: Pediatric Home Services Settlement Ends Litigation Over November 2024 Data Breach
- ClassAction.org: Pediatric Home Service Data Breach Lawsuit Investigation
- Strauss Borrelli PLLC: Pediatric Home Service Data Breach Investigation
- Markovits, Stock & DeMarco: Class Action Lawsuit Investigation
- Federman & Sherwood: Pediatric Home Service Investigation
- Migliaccio & Rathod LLP: Data Breach Investigation
- SLFLA: What You Need to Know
- ClaimDepot: Pediatric Home Service Data Breach Affects 41,792 People
- Mass.gov: Pediatric Home Respiratory Services notification letter (January 2025 breach log)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.