PGA Development, Inc. (Pittsburgh Gastroenterology Associates) Data Breach 2025: 23,899 Affected · Sinobi Ransomware Claim · Class Actions Consolidated in Allegheny County
PGA Development, Inc., the corporate operator of Pittsburgh Gastroenterology Associates (PGA) and South Hills Endoscopy Center in Pennsylvania, filed a HIPAA breach notification with the HHS Office for Civil Rights on September 10, 2025, reporting 23,899 affected individuals in a Hacking/IT Incident at a network server. PGA detected a network disruption on August 12, 2025; the Sinobi ransomware group later claimed responsibility on August 20, 2025 and posted PGA on its dark-web leak site. PGA's notice describes exposure of names, dates of birth, phone numbers, email addresses, health insurance information, and diagnosis/condition data; the practice states Social Security numbers, financial information, and its electronic medical record system were not involved. At least five proposed class actions have been filed and are expected to be consolidated in the Allegheny County Court of Common Pleas.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Aug 12, 2025
Incident detected by the entity
Aug 20, 2025
Related event
Aug 28, 2025
Related event
Sep 10, 2025
Breach reported to HHS Office for Civil Rights
Sep 10, 2025
Individual notification letters issued
Sep 15, 2025
Class-action litigation activity
Aug 12, 2025
Incident detected by the entity
Aug 20, 2025
Related event
Aug 28, 2025
Related event
Sep 10, 2025
Breach reported to HHS Office for Civil Rights
Sep 10, 2025
Individual notification letters issued
Sep 15, 2025
Class-action litigation activity
Data exposed
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
PGA Development, Inc. — the corporate entity behind Pittsburgh Gastroenterology Associates (“PGA”) and the affiliated South Hills Endoscopy Center — filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on September 10, 2025, reporting 23,899 affected individuals in a Hacking/IT Incident at a Network Server. PGA detected a network disruption on August 12, 2025; the Sinobi ransomware group subsequently claimed responsibility and posted PGA on its dark-web leak site on August 20, 2025, asserting it had exfiltrated approximately 198 GB of files. PGA’s individual notification letters describe exposure of patient demographic and clinical data while stating that Social Security numbers, financial information, and the practice’s electronic medical record system were not involved.
Timeline
label: "Class-action litigation activity"
- 2025-08-12 — detected: PGA identified a network disruption and engaged outside cybersecurity specialists. label: “Related event” date: 2025-09-10
- 2025-08-20 — other: The Sinobi ransomware group claimed responsibility and listed PGA on its dark-web leak site, alleging exfiltration of approximately 198 GB of data. label: “Related event” date: 2025-09-10
- 2025-08-28 — other: Forensic review of the impacted data concluded; PGA determined an unauthorized third party may have acquired certain individual health information. label: “Related event” date: 2025-09-10
- 2025-09-10 — filed: PGA Development, Inc. filed the breach with HHS OCR, reporting 23,899 affected individuals (Hacking/IT Incident; Network Server). label: “Related event” date: 2025-09-10
- 2025-09 — notified: PGA mailed written notification letters to affected current and former patients. label: “Related event” date: 2025-09-10
- 2025-09 — class-action: Multiple proposed class actions were filed in the Allegheny County Court of Common Pleas; seven plaintiffs’ firms appeared, and the cases are expected to be consolidated.
What was exposed
Per PGA’s breach notice and contemporaneous reporting, the categories of information that may have been compromised include:
label: “Related event” date: 2025-09-10
- First and last names label: “Related event” date: 2025-09-10
- Dates of birth label: “Related event” date: 2025-09-10
- Phone numbers label: “Related event” date: 2025-09-10
- Email addresses label: “Related event” date: 2025-09-10
- Health insurance information label: “Related event” date: 2025-09-10
- Diagnosis and condition information label: “Related event” date: 2025-09-10
- Treatment and procedure information
PGA states that the specific data elements affected differed for each individual. The practice has also stated that Social Security numbers and financial-account information were not involved and that there was no unauthorized access to its electronic medical record (EMR) system. The Sinobi group’s claim of 198 GB of exfiltrated data has not been independently verified.
What the entity is offering
PGA secured the network environment, retained outside cybersecurity counsel and forensic experts, and mailed individual notification letters describing the categories of data involved. PGA states it has “no reason to believe that any individual’s information has been misused as a result of this event.” Publicly available reporting on PGA’s notice does not describe a complimentary credit-monitoring or identity-protection enrollment offer extended to all affected individuals; recipients should read their individual letter carefully for any code-based monitoring enrollment, the toll-free support number, and the call-center hours.
Class-action posture
At least five proposed class actions were filed against PGA following the breach, with seven plaintiffs’ law firms appearing. The actions are pending in the Court of Common Pleas of Allegheny County, Pennsylvania, and are expected to be consolidated; the court has begun the process of selecting lead and liaison counsel. The complaints generally allege that PGA failed to implement reasonable cybersecurity safeguards, failed to adequately supervise its IT and data-security agents and vendors, and failed to provide timely and complete breach notification. Plaintiffs assert claims for negligence, breach of implied contract, breach of fiduciary duty, and violation of Pennsylvania consumer-protection law, and seek damages, restitution, credit monitoring, and injunctive relief requiring improved security controls.
What to do if you may be affected
label: “Related event” date: 2025-09-10
- Watch for the PGA notification letter at the address on file with the practice. The letter identifies the specific data elements exposed for you and the toll-free number for PGA’s incident call center. label: “Related event” date: 2025-09-10
- Place a credit freeze at all three nationwide credit bureaus. Although PGA states SSNs and financial information were not involved, a freeze is free and remains the highest-leverage protective step against identity theft. label: “Related event” date: 2025-09-10
- Be alert to medical-identity-theft signals. Review explanation-of-benefits statements from your health insurer for services you did not receive — with diagnosis, insurance, and contact information in scope, medical identity theft and targeted phishing are the realistic risks here. label: “Related event” date: 2025-09-10
- Be cautious about unsolicited outreach referencing your gastroenterology care, appointments, or insurance — voice, SMS, or email — that asks you to verify personal information or click a link. When in doubt, call PGA’s office directly using the number on a prior statement or the practice website. label: “Related event” date: 2025-09-10
- Track the class-action docket. If you are notified that you are a class member in the consolidated Allegheny County litigation, read the long-form notice for claim and exclusion deadlines before deciding whether to participate.
Sources
label: “Related event” date: 2025-09-10
-
HHS Office for Civil Rights Breach Portal — federal regulatory record (PGA Development, Inc.; PA; Healthcare Provider; 23,899 affected; filed 2025-09-10; Hacking/IT Incident; Network Server). label: “Related event” date: 2025-09-10
-
HIPAA Journal — Tri Century Eye Care & Pittsburgh Gastroenterology Associates Announce Data Breaches — confirms Sinobi attribution, 198 GB leak-site posting, investigation conclusion date, and data elements involved. label: “Related event” date: 2025-09-10
-
Paubox — Ransomware attack hits Pittsburgh Gastroenterology Associates — confirms August 12, 2025 detection date, August 20, 2025 Sinobi leak-site post, and the data elements in PGA’s notice. label: “Related event” date: 2025-09-10
-
Legal Newsline / Pennsylvania Record — Lawyers picked to lead data breach case against Pitt. company — consolidation in Allegheny County and lead-counsel selection. label: “Related event” date: 2025-09-10
-
Legal Newsline / Pennsylvania Record — Lawyers circle after ransomware attack on Pitt. company — count of class actions and firms involved. label: “Related event” date: 2025-09-10
-
Barnow and Associates, P.C. — Pittsburgh Gastroenterology Associates Cybersecurity Investigation — independent plaintiffs’-side investigation and practice background (founded 2005, locations in Pittsburgh and Monongahela). label: “Related event” date: 2025-09-10
-
Pennsylvania Office of Attorney General — Report a Data Breach — Pennsylvania’s breach-notification filing portal, applicable to PA-based covered entities. label: “Related event” date: 2025-09-10
-
Pittsburgh Gastroenterology Associates — Practice Website — entity website confirming PGA and South Hills Endoscopy Center as the operating practice names.
label: “Related event” date: 2025-09-10
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — Tri Century Eye Care & Pittsburgh Gastroenterology Associates Announce Data Breaches
- Paubox — Ransomware attack hits Pittsburgh Gastroenterology Associates
- Legal Newsline / Pennsylvania Record — Lawyers picked to lead data breach case against Pitt. company
- Legal Newsline / Pennsylvania Record — Lawyers circle after ransomware attack on Pitt. company
- Barnow and Associates, P.C. — Pittsburgh Gastroenterology Associates Cybersecurity Investigation
- Pennsylvania Office of Attorney General — Report a Data Breach (filing portal)
- Pittsburgh Gastroenterology Associates — Practice Website
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.