Philadelphia Corporation for Aging (PCA) Data Breach 2025: 410,491 Seniors and Caregivers Exposed in Network Server Intrusion. Class-Action Investigations Open. What To Do.
Philadelphia's Area Agency on Aging reported a HIPAA breach on Sep 23, 2025 covering 410,491 individuals after a June 11–July 25, 2025 network intrusion. SSNs, addresses, medical diagnosis records, and state ID information were exposed. Notice letters mailed Nov 4, 2025 with 12 months of TransUnion Cyberscout monitoring. Multiple class-action firms investigating.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jun 11, 2025
Earliest confirmed date of unauthorized access to PCA network (per PCA's own March 2026 website notice)
Jul 25, 2025
PCA detects unusual network activity; access window closes
Sep 23, 2025
PCA submits breach to HHS OCR (410,491 affected; Network Server)
Nov 4, 2025
Individual notification letters mailed; filings with ME, MA, NH attorneys general
Nov 6, 2025
Filing submitted to Vermont Attorney General; initial class-action investigations begin
Feb 26, 2026
PCA completes full forensic review of impacted data set
Mar 3, 2026
Complaint filed in Court of Common Pleas of Philadelphia County by plaintiff Carl Dunbar on behalf of employees; reported by Law360
Mar 13, 2026
PCA posts public website notice on pcacares.org; second filing with Vermont AG and NH AG
Mar 20, 2026
Lynch Carpenter issues second investigation notice following entity disclosure
Jun 11, 2025
Earliest confirmed date of unauthorized access to PCA network (per PCA's own March 2026 website notice)
Jul 25, 2025
PCA detects unusual network activity; access window closes
Sep 23, 2025
PCA submits breach to HHS OCR (410,491 affected; Network Server)
Nov 4, 2025
Individual notification letters mailed; filings with ME, MA, NH attorneys general
Nov 6, 2025
Filing submitted to Vermont Attorney General; initial class-action investigations begin
Feb 26, 2026
PCA completes full forensic review of impacted data set
Mar 3, 2026
Complaint filed in Court of Common Pleas of Philadelphia County by plaintiff Carl Dunbar on behalf of employees; reported by Law360
Mar 13, 2026
PCA posts public website notice on pcacares.org; second filing with Vermont AG and NH AG
Mar 20, 2026
Lynch Carpenter issues second investigation notice following entity disclosure
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Philadelphia Corporation for Aging (PCA) is the federally designated Area Agency on Aging for the City of Philadelphia. It coordinates Meals on Wheels, in-home care assessments, senior community centers, and adult-protective-services intake for older Philadelphians. On September 23, 2025, PCA filed a HIPAA breach with the U.S. Department of Health and Human Services Office for Civil Rights reporting 410,491 affected individuals in a Hacking/IT Incident located at a Network Server. The affected population is largely seniors and the caregivers in their files — a population for which identity theft is harder to detect and harder to unwind.
PCA did not publish a public website notice until March 13, 2026, after completing a second, fuller forensic review of the impacted data. That notice, posted on pcacares.org and filed simultaneously with the Vermont Attorney General, revised the known access window and confirmed additional categories of exposed data beyond what appeared in the initial November 2025 notification letters.
Timeline
- June 11, 2025 — earliest confirmed date an unauthorized third party had access to PCA’s network environment. This date comes from PCA’s own March 2026 website notice; the initial OCR filing had used July 10 as the access start date.
- July 25, 2025 — PCA detects unusual activity. The intrusion window closes. PCA begins containment and engages outside cybersecurity counsel and third-party forensic specialists.
- September 23, 2025 — PCA files with HHS OCR. 410,491 individuals; Network Server location code; classified as Hacking/IT Incident.
- November 4, 2025 — PCA mails initial individual notification letters and files breach notices with the Maine, Massachusetts, and New Hampshire attorneys general. (Maine: 3 residents; Massachusetts: 32 residents; New Hampshire: 10 residents.)
- November 6, 2025 — Filing submitted to the Vermont Attorney General. Plaintiff-firm investigations open the same week. KYW Newsradio covers the breach locally.
- February 26, 2026 — PCA completes its full forensic review of the impacted data set, identifying the complete population of affected individuals and the full set of data elements involved.
- March 3, 2026 — A class-action complaint is filed in the Court of Common Pleas of Philadelphia County by plaintiff Carl Dunbar, representing current and former employees. The complaint alleges negligent data security and a four-month notification delay. (Reported by Law360.)
- March 13, 2026 — PCA posts a public Notice of Data Privacy Event on pcacares.org and files a second notice with the Vermont Attorney General and a concurrent notice with the New Hampshire AG. The notice extends the known access window back to June 11 and confirms address and state identification information as additional exposed data categories. Multi-state AG filings confirmed across at least 14 states and the SEC.
- March 20, 2026 — Lynch Carpenter issues a second investigation notice following the entity’s public disclosure.
What was exposed
Per PCA’s own March 13, 2026 website notice and the consumer notification letters mailed beginning November 4, 2025, the data potentially involved per individual may include any combination of:
- Full name
- Address
- Date of birth
- Social Security number
- State identification information (driver’s license or state ID number)
- Credit card number
- Financial account information
- Health insurance information
- Medical diagnosis and treatment information (care-coordination notes, service-eligibility records, and clinical detail — typical for an Area Agency on Aging)
Your specific notification letter lists the exact data elements involved in your record. Not every affected individual has the full set. PCA’s website notice explicitly states that data elements vary by individual.
Sensitive-population considerations
PCA’s caseload skews older. Identity theft against seniors is materially different from identity theft against working-age adults, and these differences matter when you decide what to do next:
- Slower detection. Many older adults do not check credit reports monthly or use real-time bank alerts. Fraud can run for a year before anyone notices.
- Medicare and Social Security exposure. A stolen SSN plus DOB is enough to attempt fraudulent Social Security benefit redirection, Medicare claim fraud, and Medicare Advantage plan enrollment switching.
- Tax-refund fraud against fixed-income filers. Seniors who file early in the season for Social Security and pension income are common targets for fraudulent returns filed in their name.
- Caregiver and power-of-attorney pathways. If you hold financial or healthcare POA for an affected senior, the protective steps below are yours to take on their behalf. Bring documentation when calling banks, the IRS, and the credit bureaus.
- Care-coordination metadata. “Medical information” at an Area Agency on Aging typically means service eligibility, in-home assessments, and protective-services intake — sensitive context that does not appear on a typical hospital breach.
Class-action posture
A complaint was filed in the Court of Common Pleas of Philadelphia County around March 3, 2026, by plaintiff Carl Dunbar on behalf of current and former employees, alleging PCA failed to implement reasonable cybersecurity safeguards and did not disclose the root cause of the breach. The filing was reported by Law360. The employee-focused complaint centers on the four-month notification gap between the July 2025 discovery and the November 2025 notification letters.
In addition, multiple plaintiff firms have open investigations covering clients, patients, and program participants — the broader affected population beyond employees:
- Chimicles Schwartz Kriner & Donaldson-Smith LLP
- Lynch Carpenter LLP (active as of March 20, 2026)
- Federman & Sherwood
- Levi & Korsinsky, LLP
- Strauss Borrelli PLLC
- Shub Johns & Holbrook LLP
The multi-state scope of PCA’s AG filings — confirmed across at least 14 states including California, Iowa, Montana, Nebraska, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington, as well as the SEC — suggests a large and geographically dispersed affected population. If a consolidated complaint is filed and a settlement class is later certified, you will not need to retain any of these firms individually to receive a settlement payment. Class members are notified by the court-approved settlement administrator.
What to do
- Read your notification letter (mailed beginning Nov 4, 2025) and enroll in the 12 months of complimentary TransUnion Cyberscout monitoring that PCA is offering. The activation code in the letter expires; act before it does.
- Place a free credit freeze at all three bureaus: Equifax, Experian, and TransUnion. Ten minutes per bureau. This is the single most protective step against new-account fraud for a stolen SSN.
- File IRS Form 14039 (Identity Theft Affidavit) with the IRS, especially if the affected individual files early in the season for Social Security or pension income. This places an indicator on the tax account that helps the IRS flag a fraudulent return filed in their name.
- Request an IRS Identity Protection PIN for the next tax year at irs.gov/getanippin. The IP PIN blocks fraudulent e-filed returns.
- Call the Social Security Administration at 1-800-269-0271 (SSA Office of the Inspector General fraud line) if you see unexpected SSA correspondence, a benefit redirect, or a Medicare summary notice listing services that were never received.
- Watch the Medicare Summary Notice that arrives quarterly. Flag any provider, equipment supplier, or home-health service the senior did not actually receive. Report to 1-800-MEDICARE.
- Set bank and credit card alerts for every transaction. For a senior on a fixed monthly deposit cycle, real-time alerts catch anomalies fast.
- If you hold power of attorney, document each step taken on the senior’s behalf and keep a binder with copies of the PCA notice, freeze confirmations, Form 14039 receipt, and IP PIN issuance.
- Call PCA’s dedicated assistance line at 1-833-647-0358 (Monday–Friday, 8 a.m.–8 p.m. ET) with questions about the notice itself.
- Stop the ongoing flow of your protected health information. HealthConsent files HIPAA Section 164.522 restriction requests against the data-sharing pathways that put records in network shares like the one breached at PCA.
Sources
- PCA — Notice of Data Privacy Event (March 13, 2026) — PCA’s own published website notice. Authoritative on PHI categories, corrected access window (June 11–July 25, 2025), and February 26, 2026 review completion date.
- Office of the Vermont Attorney General — PCA Notice (March 13, 2026) — second Vermont AG filing concurrent with entity’s website notice.
- Office of the Vermont Attorney General — PCA Data Breach Notice to Consumers (Nov 4, 2025) — initial state AG notice; confirms November 4 notification date.
- Lynch Carpenter LLP — Second Investigation Notice (Globe Newswire, March 20, 2026) — confirms continued class-action activity following entity disclosure.
- Chimicles Schwartz Kriner & Donaldson-Smith LLP — Class Action Investigation — confirms incident dates and class-action intake.
- Lynch Carpenter LLP — Investigation Notice (Globe Newswire, Nov 6, 2025) — initial investigation notice; confirms public disclosure date.
- Strauss Borrelli PLLC — PCA Data Breach Investigation — plaintiff-firm intake confirming the same timeline.
- ClaimDepot — PCA Data Breach: AG filings and monitoring details — confirms TransUnion Cyberscout 12-month offer, the 1-833-647-0358 support line, and multi-state AG filing scope.
- New Hampshire AG — PCA Breach Notice (March 13, 2026) — NH DOJ filing concurrent with PCA’s website notice; confirms notification details.
- Law360 — Philadelphia Nonprofit Sued Over Employee Info Hack (March 3, 2026) — reports the filed complaint in Court of Common Pleas of Philadelphia County by plaintiff Carl Dunbar.
- MacElree Harvey — Employment Law Update March 2026 — corroborates the Dunbar complaint, citing the four-month notification gap and negligence allegations.
- Philadelphia Corporation for Aging — Homepage (pcacares.org) — confirms entity identity and Area Agency on Aging role.
- HHS Office for Civil Rights Breach Portal — the federal regulatory record (search “Philadelphia Corporation for Aging”).
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- PCA — Notice of Data Privacy Event (March 13, 2026) — entity's own published notice
- Office of the Vermont Attorney General — PCA Data Breach Notice to Consumers (March 13, 2026)
- Office of the Vermont Attorney General — PCA Data Breach Notice to Consumers (Nov 4, 2025)
- Chimicles Schwartz Kriner & Donaldson-Smith LLP — Class Action Investigation
- Lynch Carpenter LLP — Second Investigation Notice (Globe Newswire, March 20, 2026)
- Lynch Carpenter LLP — Investigation Notice (Globe Newswire, Nov 6, 2025)
- Strauss Borrelli PLLC — PCA Data Breach Investigation
- ClaimDepot — PCA Data Breach: AG filings and monitoring details
- Philadelphia Corporation for Aging — Homepage (pcacares.org)
- New Hampshire AG — PCA Breach Notice (March 13, 2026)
- Law360 — Philadelphia Nonprofit Sued Over Employee Info Hack (March 3, 2026)
- MacElree Harvey — Employment Law Update March 2026 (covers Dunbar complaint)
- HHS Office for Civil Rights Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.