Pediatric Otolaryngology Head & Neck Surgery Associates Data Breach 2025: 43,446 Pediatric Patients Exposed in Florida Network Intrusion. What To Do
Pediatric Otolaryngology Head & Neck Surgery Associates, P.A. (operating as Pediatric Ear, Nose & Throat Specialists in St. Petersburg, FL) confirmed unauthorized network access between February 19 and February 24, 2025. Names, Social Security numbers, driver's license data, financial account information, and pediatric medical records for 43,446 individuals were exposed. Multiple plaintiff firms have opened class-action investigations.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Feb 19, 2025
Unauthorized access to POHNS network begins
Feb 24, 2025
Unusual activity identified within the computer network; forensic response initiated
Apr 25, 2025
POHNS posts substitute notice on its website announcing the incident
Apr 25, 2025
Disclosed publicly
Aug 18, 2025
HIPAA breach notification filed with HHS Office for Civil Rights — 43,446 individuals, Network Server
Sep 9, 2025
Plaintiff law firms publicly open class-action investigations
Feb 19, 2025
Unauthorized access to POHNS network begins
Feb 24, 2025
Unusual activity identified within the computer network; forensic response initiated
Apr 25, 2025
POHNS posts substitute notice on its website announcing the incident
Apr 25, 2025
Disclosed publicly
Aug 18, 2025
HIPAA breach notification filed with HHS Office for Civil Rights — 43,446 individuals, Network Server
Sep 9, 2025
Plaintiff law firms publicly open class-action investigations
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Pediatric Otolaryngology Head & Neck Surgery Associates, P.A. (“POHNS”), operating as Pediatric Ear, Nose & Throat Specialists, runs six Tampa-Bay-area locations serving children and adolescents with ear, nose, throat, head, and neck conditions. Clinics are located in Brandon, Clearwater, Odessa, St. Petersburg, Sarasota, and Tampa, staffed by six pediatric otolaryngologists. The practice’s patient population is almost entirely minors, with the corresponding financial and identity data of their parents and guardians also on file.
An unauthorized actor accessed POHNS’s network between February 19 and February 24, 2025. Unusual activity was identified on February 24; third-party forensic investigators were engaged immediately. The practice posted a substitute notice on its website on April 25, 2025 and mailed individual notification letters at that time. POHNS filed its HIPAA breach notification with the HHS Office for Civil Rights on August 18, 2025, reporting 43,446 affected individuals, coded as a Hacking/IT Incident at a Network Server.
In late August and early September 2025, POHNS posted publicly on Facebook that “technical difficulties” were affecting computer systems and phone lines, with follow-up posts on September 2 and 9 confirming continued limited computer access and a phone outage. That pattern is consistent with ransomware-style disruption, but no threat actor has publicly claimed the attack and POHNS has not formally attributed the incident. The operational disruption characterization remains inferential.
Timeline
- February 19, 2025 — Unauthorized third party begins accessing POHNS’s network.
- February 24, 2025 — Unusual activity is identified within the practice’s computer systems; the access window is closed and third-party forensics are engaged.
- April 25, 2025 — POHNS posts its substitute notice publicly and begins individual notification mailings.
- August 18, 2025 — Formal HIPAA breach notification filed with the HHS Office for Civil Rights, listing 43,446 affected individuals, Hacking/IT Incident, Network Server.
- August 26, 2025 — POHNS posts on Facebook that “technical difficulties” are affecting computer systems and phone lines, consistent with public reporting of a ransomware-style disruption.
- September 2 and September 9, 2025 — Follow-up posts confirm continued limited computer access and ongoing phone outage.
- September 2025 — Federman & Sherwood, Strauss Borrelli PLLC, and other plaintiff firms publicly open class-action investigations.
What was stolen
The data elements confirmed exposed vary by individual but include:
- Name, mailing and email address, phone number, date of birth
- Social Security number
- Driver’s license or state-issued ID number
- Financial account information and taxpayer ID number
- Digital signature
- Medical diagnoses, treatment information, prescription information, and dates of service
- Provider name, patient ID number, and medical record number
- Medicare / Medicaid number, health insurance information, insurance claim and policy numbers
- Treatment cost information
No ransomware group has publicly claimed responsibility in the sources reviewed, and POHNS has not formally attributed the incident. The operational disruption to scheduling and phone systems that the practice described publicly in late August and September 2025 is consistent with a ransomware deployment, but that characterization remains inferential.
Sensitive population: pediatric patients
This breach is materially different from a typical adult-population incident because POHNS is a pediatric specialty practice. The 43,446 individuals whose data was exposed are predominantly minor children, plus the parents and guardians whose financial and identity data appears in the same records. Minor identity theft has two characteristics that make it especially damaging:
- It is rarely detected for years. Children do not apply for credit, so fraudulent accounts opened in a minor’s name can accrue debt, collections, and tax liabilities without anyone noticing until the child applies for a first job, a student loan, or a driver’s license.
- A clean credit file is a high-value target. A child’s Social Security number paired with a real name and date of birth is a complete “synthetic identity” starter kit on criminal markets.
For these reasons, the strongest single protective step for affected children is a credit freeze placed by the parent or guardian at each of the three nationwide consumer reporting agencies. Under federal law (the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018), security freezes for minors are free, and parents or legal guardians may place a freeze on a child’s behalf by providing proof of identity and guardianship.
To place a minor’s credit freeze:
- Equifax — submit by mail using the Minor Freeze Request Form, or call 1-888-298-0045.
- Experian — submit by mail using the Minor Add a Security Freeze request, with copies of the parent’s and child’s government IDs and a birth certificate.
- TransUnion — submit by mail using the Child Identity Theft Inquiry form, with the same proof of identity and guardianship.
A separate freeze should also be placed on each adult parent or guardian whose financial or taxpayer information appears in POHNS’s records.
What POHNS is offering
POHNS is offering complimentary credit monitoring and identity protection services to notified individuals; enrollment instructions are included in the individual notification letter. The notice also lists a dedicated call center at 1-833-998-8167, Monday–Friday 8 a.m. to 8 p.m. Eastern, excluding U.S. holidays. The duration of monitoring and the specific provider have not been independently verified in the sources reviewed and should be confirmed in your individual notification letter.
Class actions
No consolidated class-action case caption or docket number has been publicly reported in the sources reviewed. Three plaintiff-side law firms have publicly opened investigations: Federman & Sherwood (announced September 12, 2025), Strauss Borrelli PLLC (announced September 9, 2025), and Levi & Korsinsky LLP, operating through its consumer advocacy platform MyDataBreachAttorney.com. ClassAction.org, which initially listed an open investigation published September 9, 2025, subsequently marked that investigation “complete” as of November 11, 2025 — which means attorneys finished intake, not that a suit was filed or resolved.
POHNS reported the incident to the HHS Office for Civil Rights (filing dated August 18, 2025) and, per the substitute notice, to state attorneys general in California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington. The OCR portal entry remains open.
What to do
- Freeze the credit of every affected child at Equifax, Experian, and TransUnion using the minor-freeze procedure in the section above. Do this even if you also enroll in the offered monitoring; a freeze actually blocks new accounts, monitoring only alerts you after the fact.
- Freeze your own credit if you are a parent or guardian named in POHNS’s records.
- Enroll in the complimentary credit monitoring offered in your notification letter. The enrollment code is single-use; keep the letter.
- Pull your child’s credit report annually at annualcreditreport.com. A minor under 18 should generally have no credit file; the existence of one is itself a red flag.
- Watch for medical identity theft. Because diagnosis, prescription, and insurance information was exposed, review every Explanation of Benefits and contact your insurer if you see services your child did not receive.
- Be alert to targeted phishing. Threat actors holding a child’s name, parent’s name, address, date of birth, and pediatric-treatment context can craft very convincing follow-on lures. Treat unexpected calls or emails referencing your child’s POHNS visits with skepticism, and call the practice back at a number you look up independently.
- Stop the ongoing flow of your child’s ENT and pediatric health data. HealthConsent files HIPAA restriction requests so the diagnosis, prescription, and insurance information exposed in this breach is not continuously re-shared across health information exchanges and downstream data buyers.
Continue reading
- Your HIPAA Rights — how to file restriction requests, access your records, and limit re-disclosure
- All tracked healthcare data breaches — find other incidents affecting your providers
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record of the August 18, 2025 filing.
- HIPAA Journal — Florida Pediatric ENT Specialists Confirm Data Breach Affecting 44,000 Individuals — incident timeline, exposed data elements, response measures.
- ClassAction.org — Pediatric Otolaryngology Head & Neck Surgery Data Breach Lawsuit — affected count, exposed data, investigation status.
- Federman & Sherwood — POHNS Data Breach Investigation — plaintiff-side investigation announcement.
- Strauss Borrelli PLLC — Pediatric Ear, Nose & Throat Specialists Data Breach Investigation — confirms St. Petersburg, FL headquarters and operating name.
- ClaimDepot — Pediatric ENT Data Breach Affects 43,446 Patients — call-center number, state AG filings list.
- POHNS substitute notice (mirror) — text of the entity’s substitute notice.
- HIPAA Times — Florida Pediatric ENT Breach Exposes Data of 43,446 Patients — September 19, 2025 trade-press report; incident summary and patient guidance.
- Levi & Korsinsky / MyDataBreachAttorney — POHNS Data Breach Investigation — third plaintiff-side firm investigation; confirms affected data categories.
- Pediatric Ear, Nose & Throat Specialists — Practice Locations — entity’s own website confirming six Tampa-Bay-area clinic locations and physician roster.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Florida Pediatric ENT Specialists Confirm Data Breach Affecting 44,000 Individuals
- ClassAction.org — Pediatric Otolaryngology Head & Neck Surgery Data Breach Lawsuit
- Federman & Sherwood — POHNS Data Breach Investigation
- Strauss Borrelli PLLC — Pediatric Ear, Nose & Throat Specialists Data Breach Investigation
- ClaimDepot — Pediatric ENT Data Breach Affects 43,446 Patients
- POHNS substitute notice (mirror)
- HIPAA Times — Florida Pediatric ENT Breach Exposes Data of 43,446 Patients
- Levi & Korsinsky / MyDataBreachAttorney — POHNS Data Breach Investigation
- Pediatric Ear, Nose & Throat Specialists — Practice Locations (pediatric-ent.com)
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.