Active breach tracker FL Disclosed April 25, 2025

Pediatric Otolaryngology Head & Neck Surgery Associates Data Breach 2025: 43,446 Pediatric Patients Exposed in Florida Network Intrusion. What To Do

Pediatric Otolaryngology Head & Neck Surgery Associates, P.A. (operating as Pediatric Ear, Nose & Throat Specialists in St. Petersburg, FL) confirmed unauthorized network access between February 19 and February 24, 2025. Names, Social Security numbers, driver's license data, financial account information, and pediatric medical records for 43,446 individuals were exposed. Multiple plaintiff firms have opened class-action investigations.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 19, 2025

Unauthorized access to POHNS network begins

Feb 24, 2025

Unusual activity identified within the computer network; forensic response initiated

Apr 25, 2025

POHNS posts substitute notice on its website announcing the incident

Apr 25, 2025

Disclosed publicly

Aug 18, 2025

HIPAA breach notification filed with HHS Office for Civil Rights — 43,446 individuals, Network Server

Sep 9, 2025

Plaintiff law firms publicly open class-action investigations

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers Driver's license or state ID numbers

02

Health records

Don't expire and can't be reissued

Medical diagnosis and treatment information Prescription information and dates of service Provider names and patient ID / medical record numbers Treatment cost information

03

Contact & insurance

Phishing + targeted scams

Names Mailing addresses, email addresses, and phone numbers Dates of birth Financial account information Taxpayer ID numbers Digital signatures Medicare / Medicaid numbers and health insurance information Health insurance claim numbers and policy numbers

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood (investigating) Strauss Borrelli PLLC (investigating) Levi & Korsinsky LLP / MyDataBreachAttorney.com (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Pediatric Otolaryngology Head & Neck Surgery Associates, P.A. (“POHNS”), operating as Pediatric Ear, Nose & Throat Specialists, runs six Tampa-Bay-area locations serving children and adolescents with ear, nose, throat, head, and neck conditions. Clinics are located in Brandon, Clearwater, Odessa, St. Petersburg, Sarasota, and Tampa, staffed by six pediatric otolaryngologists. The practice’s patient population is almost entirely minors, with the corresponding financial and identity data of their parents and guardians also on file.

An unauthorized actor accessed POHNS’s network between February 19 and February 24, 2025. Unusual activity was identified on February 24; third-party forensic investigators were engaged immediately. The practice posted a substitute notice on its website on April 25, 2025 and mailed individual notification letters at that time. POHNS filed its HIPAA breach notification with the HHS Office for Civil Rights on August 18, 2025, reporting 43,446 affected individuals, coded as a Hacking/IT Incident at a Network Server.

In late August and early September 2025, POHNS posted publicly on Facebook that “technical difficulties” were affecting computer systems and phone lines, with follow-up posts on September 2 and 9 confirming continued limited computer access and a phone outage. That pattern is consistent with ransomware-style disruption, but no threat actor has publicly claimed the attack and POHNS has not formally attributed the incident. The operational disruption characterization remains inferential.

Timeline

  • February 19, 2025 — Unauthorized third party begins accessing POHNS’s network.
  • February 24, 2025 — Unusual activity is identified within the practice’s computer systems; the access window is closed and third-party forensics are engaged.
  • April 25, 2025 — POHNS posts its substitute notice publicly and begins individual notification mailings.
  • August 18, 2025 — Formal HIPAA breach notification filed with the HHS Office for Civil Rights, listing 43,446 affected individuals, Hacking/IT Incident, Network Server.
  • August 26, 2025 — POHNS posts on Facebook that “technical difficulties” are affecting computer systems and phone lines, consistent with public reporting of a ransomware-style disruption.
  • September 2 and September 9, 2025 — Follow-up posts confirm continued limited computer access and ongoing phone outage.
  • September 2025 — Federman & Sherwood, Strauss Borrelli PLLC, and other plaintiff firms publicly open class-action investigations.

What was stolen

The data elements confirmed exposed vary by individual but include:

  • Name, mailing and email address, phone number, date of birth
  • Social Security number
  • Driver’s license or state-issued ID number
  • Financial account information and taxpayer ID number
  • Digital signature
  • Medical diagnoses, treatment information, prescription information, and dates of service
  • Provider name, patient ID number, and medical record number
  • Medicare / Medicaid number, health insurance information, insurance claim and policy numbers
  • Treatment cost information

No ransomware group has publicly claimed responsibility in the sources reviewed, and POHNS has not formally attributed the incident. The operational disruption to scheduling and phone systems that the practice described publicly in late August and September 2025 is consistent with a ransomware deployment, but that characterization remains inferential.

Sensitive population: pediatric patients

This breach is materially different from a typical adult-population incident because POHNS is a pediatric specialty practice. The 43,446 individuals whose data was exposed are predominantly minor children, plus the parents and guardians whose financial and identity data appears in the same records. Minor identity theft has two characteristics that make it especially damaging:

  • It is rarely detected for years. Children do not apply for credit, so fraudulent accounts opened in a minor’s name can accrue debt, collections, and tax liabilities without anyone noticing until the child applies for a first job, a student loan, or a driver’s license.
  • A clean credit file is a high-value target. A child’s Social Security number paired with a real name and date of birth is a complete “synthetic identity” starter kit on criminal markets.

For these reasons, the strongest single protective step for affected children is a credit freeze placed by the parent or guardian at each of the three nationwide consumer reporting agencies. Under federal law (the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018), security freezes for minors are free, and parents or legal guardians may place a freeze on a child’s behalf by providing proof of identity and guardianship.

To place a minor’s credit freeze:

  • Equifax — submit by mail using the Minor Freeze Request Form, or call 1-888-298-0045.
  • Experian — submit by mail using the Minor Add a Security Freeze request, with copies of the parent’s and child’s government IDs and a birth certificate.
  • TransUnion — submit by mail using the Child Identity Theft Inquiry form, with the same proof of identity and guardianship.

A separate freeze should also be placed on each adult parent or guardian whose financial or taxpayer information appears in POHNS’s records.

What POHNS is offering

POHNS is offering complimentary credit monitoring and identity protection services to notified individuals; enrollment instructions are included in the individual notification letter. The notice also lists a dedicated call center at 1-833-998-8167, Monday–Friday 8 a.m. to 8 p.m. Eastern, excluding U.S. holidays. The duration of monitoring and the specific provider have not been independently verified in the sources reviewed and should be confirmed in your individual notification letter.

Class actions

No consolidated class-action case caption or docket number has been publicly reported in the sources reviewed. Three plaintiff-side law firms have publicly opened investigations: Federman & Sherwood (announced September 12, 2025), Strauss Borrelli PLLC (announced September 9, 2025), and Levi & Korsinsky LLP, operating through its consumer advocacy platform MyDataBreachAttorney.com. ClassAction.org, which initially listed an open investigation published September 9, 2025, subsequently marked that investigation “complete” as of November 11, 2025 — which means attorneys finished intake, not that a suit was filed or resolved.

POHNS reported the incident to the HHS Office for Civil Rights (filing dated August 18, 2025) and, per the substitute notice, to state attorneys general in California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington. The OCR portal entry remains open.

What to do

  1. Freeze the credit of every affected child at Equifax, Experian, and TransUnion using the minor-freeze procedure in the section above. Do this even if you also enroll in the offered monitoring; a freeze actually blocks new accounts, monitoring only alerts you after the fact.
  2. Freeze your own credit if you are a parent or guardian named in POHNS’s records.
  3. Enroll in the complimentary credit monitoring offered in your notification letter. The enrollment code is single-use; keep the letter.
  4. Pull your child’s credit report annually at annualcreditreport.com. A minor under 18 should generally have no credit file; the existence of one is itself a red flag.
  5. Watch for medical identity theft. Because diagnosis, prescription, and insurance information was exposed, review every Explanation of Benefits and contact your insurer if you see services your child did not receive.
  6. Be alert to targeted phishing. Threat actors holding a child’s name, parent’s name, address, date of birth, and pediatric-treatment context can craft very convincing follow-on lures. Treat unexpected calls or emails referencing your child’s POHNS visits with skepticism, and call the practice back at a number you look up independently.
  7. Stop the ongoing flow of your child’s ENT and pediatric health data. HealthConsent files HIPAA restriction requests so the diagnosis, prescription, and insurance information exposed in this breach is not continuously re-shared across health information exchanges and downstream data buyers.

Continue reading

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.