Active breach tracker Pittsburgh, Pennsylvania Disclosed September 10, 2025

PGA Development, Inc. (Pittsburgh Gastroenterology Associates) Data Breach 2025: 23,899 Affected · Sinobi Ransomware Claim · Class Actions Consolidated in Allegheny County

PGA Development, Inc., the corporate operator of Pittsburgh Gastroenterology Associates (PGA) and South Hills Endoscopy Center in Pennsylvania, filed a HIPAA breach notification with the HHS Office for Civil Rights on September 10, 2025, reporting 23,899 affected individuals in a Hacking/IT Incident at a network server. PGA detected a network disruption on August 12, 2025; the Sinobi ransomware group later claimed responsibility on August 20, 2025 and posted PGA on its dark-web leak site. PGA's notice describes exposure of names, dates of birth, phone numbers, email addresses, health insurance information, and diagnosis/condition data; the practice states Social Security numbers, financial information, and its electronic medical record system were not involved. At least five proposed class actions have been filed and are expected to be consolidated in the Allegheny County Court of Common Pleas.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Aug 12, 2025

Incident detected by the entity

Aug 20, 2025

Related event

Aug 28, 2025

Related event

Sep 10, 2025

Breach reported to HHS Office for Civil Rights

Sep 10, 2025

Individual notification letters issued

Sep 15, 2025

Class-action litigation activity

Data exposed

02

Health records

Don't expire and can't be reissued

Diagnosis / condition information Treatment and procedure information

03

Contact & insurance

Phishing + targeted scams

First and last names Dates of birth Phone numbers Email addresses Health insurance information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

PGA Development, Inc. — the corporate entity behind Pittsburgh Gastroenterology Associates (“PGA”) and the affiliated South Hills Endoscopy Center — filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on September 10, 2025, reporting 23,899 affected individuals in a Hacking/IT Incident at a Network Server. PGA detected a network disruption on August 12, 2025; the Sinobi ransomware group subsequently claimed responsibility and posted PGA on its dark-web leak site on August 20, 2025, asserting it had exfiltrated approximately 198 GB of files. PGA’s individual notification letters describe exposure of patient demographic and clinical data while stating that Social Security numbers, financial information, and the practice’s electronic medical record system were not involved.

Timeline

label: "Class-action litigation activity"
  • 2025-08-12 — detected: PGA identified a network disruption and engaged outside cybersecurity specialists. label: “Related event” date: 2025-09-10
  • 2025-08-20 — other: The Sinobi ransomware group claimed responsibility and listed PGA on its dark-web leak site, alleging exfiltration of approximately 198 GB of data. label: “Related event” date: 2025-09-10
  • 2025-08-28 — other: Forensic review of the impacted data concluded; PGA determined an unauthorized third party may have acquired certain individual health information. label: “Related event” date: 2025-09-10
  • 2025-09-10 — filed: PGA Development, Inc. filed the breach with HHS OCR, reporting 23,899 affected individuals (Hacking/IT Incident; Network Server). label: “Related event” date: 2025-09-10
  • 2025-09 — notified: PGA mailed written notification letters to affected current and former patients. label: “Related event” date: 2025-09-10
  • 2025-09 — class-action: Multiple proposed class actions were filed in the Allegheny County Court of Common Pleas; seven plaintiffs’ firms appeared, and the cases are expected to be consolidated.

What was exposed

Per PGA’s breach notice and contemporaneous reporting, the categories of information that may have been compromised include:

label: “Related event” date: 2025-09-10

  • First and last names label: “Related event” date: 2025-09-10
  • Dates of birth label: “Related event” date: 2025-09-10
  • Phone numbers label: “Related event” date: 2025-09-10
  • Email addresses label: “Related event” date: 2025-09-10
  • Health insurance information label: “Related event” date: 2025-09-10
  • Diagnosis and condition information label: “Related event” date: 2025-09-10
  • Treatment and procedure information

PGA states that the specific data elements affected differed for each individual. The practice has also stated that Social Security numbers and financial-account information were not involved and that there was no unauthorized access to its electronic medical record (EMR) system. The Sinobi group’s claim of 198 GB of exfiltrated data has not been independently verified.

What the entity is offering

PGA secured the network environment, retained outside cybersecurity counsel and forensic experts, and mailed individual notification letters describing the categories of data involved. PGA states it has “no reason to believe that any individual’s information has been misused as a result of this event.” Publicly available reporting on PGA’s notice does not describe a complimentary credit-monitoring or identity-protection enrollment offer extended to all affected individuals; recipients should read their individual letter carefully for any code-based monitoring enrollment, the toll-free support number, and the call-center hours.

Class-action posture

At least five proposed class actions were filed against PGA following the breach, with seven plaintiffs’ law firms appearing. The actions are pending in the Court of Common Pleas of Allegheny County, Pennsylvania, and are expected to be consolidated; the court has begun the process of selecting lead and liaison counsel. The complaints generally allege that PGA failed to implement reasonable cybersecurity safeguards, failed to adequately supervise its IT and data-security agents and vendors, and failed to provide timely and complete breach notification. Plaintiffs assert claims for negligence, breach of implied contract, breach of fiduciary duty, and violation of Pennsylvania consumer-protection law, and seek damages, restitution, credit monitoring, and injunctive relief requiring improved security controls.

What to do if you may be affected

label: “Related event” date: 2025-09-10

  • Watch for the PGA notification letter at the address on file with the practice. The letter identifies the specific data elements exposed for you and the toll-free number for PGA’s incident call center. label: “Related event” date: 2025-09-10
  • Place a credit freeze at all three nationwide credit bureaus. Although PGA states SSNs and financial information were not involved, a freeze is free and remains the highest-leverage protective step against identity theft. label: “Related event” date: 2025-09-10
  • Be alert to medical-identity-theft signals. Review explanation-of-benefits statements from your health insurer for services you did not receive — with diagnosis, insurance, and contact information in scope, medical identity theft and targeted phishing are the realistic risks here. label: “Related event” date: 2025-09-10
  • Be cautious about unsolicited outreach referencing your gastroenterology care, appointments, or insurance — voice, SMS, or email — that asks you to verify personal information or click a link. When in doubt, call PGA’s office directly using the number on a prior statement or the practice website. label: “Related event” date: 2025-09-10
  • Track the class-action docket. If you are notified that you are a class member in the consolidated Allegheny County litigation, read the long-form notice for claim and exclusion deadlines before deciding whether to participate.

Sources

label: “Related event” date: 2025-09-10

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.