Active breach tracker Arizona Disclosed February 6, 2025

Primary Health-SMMPP, L.C. Data Breach 2025: 67,567 Affected · Hacking/IT Incident · Arizona Business Associate. SSNs and Rx Records Exposed. Class-Action Probes Open.

Primary Health-SMMPP, L.C., an Arizona-based HIPAA business associate that helped distribute rapid COVID test kits to schools and organizations, detected unusual activity on a network server on December 13, 2024. Forensic review wrapped on January 7, 2025; HHS OCR was notified on February 6, 2025 for 67,567 individuals. Exposed data includes names, dates of birth, Rx numbers, prescription information, dates of service, and Social Security numbers.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 13, 2024

Unusual activity detected on Primary Health-SMMPP network server; forensics engaged

Dec 13, 2024

Attacker gained access

Jan 7, 2025

Forensic review concludes; unauthorized access to (and possible copying of) stored data confirmed

Feb 6, 2025

Filed with HHS OCR — 67,567 affected (Hacking/IT Incident, Network Server, Business Associate)

Feb 6, 2025

Sister entity U.S. HEALTHWORKS-SMMPP, L.C. files separately for 10,673 (same incident)

Mar 1, 2025

Levi & Korsinsky, LLP publicly announces class-action investigation

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Prescription information

03

Contact & insurance

Phishing + targeted scams

Full name Rx number Dates of service

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Levi & Korsinsky, LLP (publicly investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Primary Health-SMMPP, L.C. is an Arizona-based HIPAA business associate that, alongside its sister entity U.S. HEALTHWORKS-SMMPP, L.C., provided healthcare-related services including the distribution of rapid COVID test kits to schools and organizations in Arizona and other states. On December 13, 2024, Primary Health-SMMPP identified unusual activity on a network server it operates. A third-party digital forensics firm investigated, and on January 7, 2025 confirmed that an unauthorized third party had breached the entity’s defenses and may have viewed or copied data stored on the server. On February 6, 2025, Primary Health-SMMPP filed with the HHS Office for Civil Rights, reporting 67,567 affected individuals in a Hacking/IT Incident at a Network Server. On the same date, sister entity U.S. HEALTHWORKS-SMMPP filed separately for 10,673 individuals tied to the same incident, bringing combined exposure to 78,240 people.

Timeline

  • December 13, 2024. Unusual activity detected on a Primary Health-SMMPP network server. A third-party digital forensics firm is engaged.
  • January 7, 2025. Forensic review concludes. The investigation confirms that an unauthorized third party accessed the server and may have viewed or copied stored data.
  • February 6, 2025. Primary Health-SMMPP, L.C. files with HHS OCR for 67,567 affected individuals (Hacking/IT Incident, Network Server, Business Associate).
  • February 6, 2025. Sister entity U.S. HEALTHWORKS-SMMPP, L.C. files separately with HHS OCR for 10,673 individuals tied to the same incident.
  • Early March 2025. Levi & Korsinsky, LLP publicly announces it is investigating class-action claims on behalf of affected individuals.

Exposed data

Public reporting from the entities’ notifications and HIPAA Journal identifies the following data elements as compromised:

  • Full name
  • Date of birth
  • Rx number
  • Prescription (Rx) information
  • Dates of service
  • Social Security number

The combination of Social Security number plus prescription information is unusually sensitive. SSNs enable identity theft and synthetic-identity fraud, and prescription data is both stigma-relevant (mental health, HIV, substance-use, fertility, oncology medications) and useful for highly targeted pharmacy-themed phishing.

Who is notifying you (Business Associate posture)

Primary Health-SMMPP is a HIPAA business associate, not a healthcare provider you visited directly. Business associates handle protected health information on behalf of covered entities (clinics, employers, schools that received COVID test kits, pharmacies, public-health programs). When a business associate is breached, it must notify the covered entities it served, and those covered entities (or the business associate itself, by agreement) must in turn notify affected individuals.

That means your notification letter may arrive from Primary Health-SMMPP, from U.S. HEALTHWORKS-SMMPP, or from the school, employer, clinic, or program that arranged your rapid COVID testing. The letter should identify the specific data elements involved in your record and any complimentary credit monitoring or identity-theft protection being offered. Public reporting confirms complimentary credit monitoring and identity-theft protection of between 12 and 24 months is being offered to those notified. The sister entity U.S. HEALTHWORKS-SMMPP’s disclosure specifically describes Single Bureau Credit Monitoring, a Single Bureau Credit Report, Single Bureau Credit Score, and proactive fraud assistance for 24 months from the date of enrollment.

Class-action activity

Plaintiffs’ firms began publicly investigating claims within weeks of the February 2025 OCR filing. Levi & Korsinsky, LLP has issued multiple press releases through AccessWire syndication inviting affected individuals to contact the firm regarding a potential class action. As of this writing, no consolidated, named class-action complaint has been confirmed in public dockets specific to this incident. Investigations of this size and data-sensitivity routinely convert into filed complaints within several months.

If you receive a notification letter, save it. A dated letter naming the breach and the specific data elements involved is what plaintiffs’ firms need to evaluate (and what you need if you later choose to opt in to a class or file a complaint with the Arizona Attorney General).

What to do if you may be affected

  1. Place free credit freezes at all three nationwide credit bureaus (Equifax, Experian, TransUnion). Freezes are the single highest-leverage step against SSN-based identity theft, take about ten minutes per bureau, and are free in every state.
  2. Enroll in the complimentary credit monitoring offered in your notification letter as soon as it arrives. Coverage runs 12 to 24 months depending on the letter.
  3. File IRS Form 14039 (Identity Theft Affidavit) if you have not already, and request an IRS Identity Protection PIN at irs.gov/ippin. SSN exposure is the highest-risk category here.
  4. Watch for pharmacy-themed phishing. Because Rx numbers and prescription details were exposed, attackers can craft uniquely convincing phone, text, and email scams referencing real medications and pharmacies. Verify any pharmacy contact by calling the number on your physical prescription bottle, not a number in an inbound message.
  5. Save your notification letter. It is the document plaintiffs’ firms need to evaluate a class-action claim, and it is what an Arizona resident needs if filing a complaint with the Arizona Attorney General under the state’s breach-notification statute.
  6. Stop the downstream re-sharing of your prescription history. HealthConsent files HIPAA restriction requests so the Rx and diagnostic data exposed in breaches like this is not continuously re-shared by downstream entities, pharmacy benefit managers, and data brokers.

Sources

This page draws on HHS OCR portal data, HIPAA Journal (per-incident and monthly report), calHIPAA, three independent Levi & Korsinsky syndicated press releases, and the ClaimDepot disclosure for sister entity U.S. HEALTHWORKS-SMMPP. Every factual claim about Primary Health-SMMPP is cross-referenced by at least two sources; credit monitoring details for the sister entity are noted as such.

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.