Primary Health-SMMPP, L.C. Data Breach 2025: 67,567 Affected · Hacking/IT Incident · Arizona Business Associate. SSNs and Rx Records Exposed. Class-Action Probes Open.
Primary Health-SMMPP, L.C., an Arizona-based HIPAA business associate that helped distribute rapid COVID test kits to schools and organizations, detected unusual activity on a network server on December 13, 2024. Forensic review wrapped on January 7, 2025; HHS OCR was notified on February 6, 2025 for 67,567 individuals. Exposed data includes names, dates of birth, Rx numbers, prescription information, dates of service, and Social Security numbers.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 13, 2024
Unusual activity detected on Primary Health-SMMPP network server; forensics engaged
Dec 13, 2024
Attacker gained access
Jan 7, 2025
Forensic review concludes; unauthorized access to (and possible copying of) stored data confirmed
Feb 6, 2025
Filed with HHS OCR — 67,567 affected (Hacking/IT Incident, Network Server, Business Associate)
Feb 6, 2025
Sister entity U.S. HEALTHWORKS-SMMPP, L.C. files separately for 10,673 (same incident)
Mar 1, 2025
Levi & Korsinsky, LLP publicly announces class-action investigation
Dec 13, 2024
Unusual activity detected on Primary Health-SMMPP network server; forensics engaged
Dec 13, 2024
Attacker gained access
Jan 7, 2025
Forensic review concludes; unauthorized access to (and possible copying of) stored data confirmed
Feb 6, 2025
Filed with HHS OCR — 67,567 affected (Hacking/IT Incident, Network Server, Business Associate)
Feb 6, 2025
Sister entity U.S. HEALTHWORKS-SMMPP, L.C. files separately for 10,673 (same incident)
Mar 1, 2025
Levi & Korsinsky, LLP publicly announces class-action investigation
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Primary Health-SMMPP, L.C. is an Arizona-based HIPAA business associate that, alongside its sister entity U.S. HEALTHWORKS-SMMPP, L.C., provided healthcare-related services including the distribution of rapid COVID test kits to schools and organizations in Arizona and other states. On December 13, 2024, Primary Health-SMMPP identified unusual activity on a network server it operates. A third-party digital forensics firm investigated, and on January 7, 2025 confirmed that an unauthorized third party had breached the entity’s defenses and may have viewed or copied data stored on the server. On February 6, 2025, Primary Health-SMMPP filed with the HHS Office for Civil Rights, reporting 67,567 affected individuals in a Hacking/IT Incident at a Network Server. On the same date, sister entity U.S. HEALTHWORKS-SMMPP filed separately for 10,673 individuals tied to the same incident, bringing combined exposure to 78,240 people.
Timeline
- December 13, 2024. Unusual activity detected on a Primary Health-SMMPP network server. A third-party digital forensics firm is engaged.
- January 7, 2025. Forensic review concludes. The investigation confirms that an unauthorized third party accessed the server and may have viewed or copied stored data.
- February 6, 2025. Primary Health-SMMPP, L.C. files with HHS OCR for 67,567 affected individuals (Hacking/IT Incident, Network Server, Business Associate).
- February 6, 2025. Sister entity U.S. HEALTHWORKS-SMMPP, L.C. files separately with HHS OCR for 10,673 individuals tied to the same incident.
- Early March 2025. Levi & Korsinsky, LLP publicly announces it is investigating class-action claims on behalf of affected individuals.
Exposed data
Public reporting from the entities’ notifications and HIPAA Journal identifies the following data elements as compromised:
- Full name
- Date of birth
- Rx number
- Prescription (Rx) information
- Dates of service
- Social Security number
The combination of Social Security number plus prescription information is unusually sensitive. SSNs enable identity theft and synthetic-identity fraud, and prescription data is both stigma-relevant (mental health, HIV, substance-use, fertility, oncology medications) and useful for highly targeted pharmacy-themed phishing.
Who is notifying you (Business Associate posture)
Primary Health-SMMPP is a HIPAA business associate, not a healthcare provider you visited directly. Business associates handle protected health information on behalf of covered entities (clinics, employers, schools that received COVID test kits, pharmacies, public-health programs). When a business associate is breached, it must notify the covered entities it served, and those covered entities (or the business associate itself, by agreement) must in turn notify affected individuals.
That means your notification letter may arrive from Primary Health-SMMPP, from U.S. HEALTHWORKS-SMMPP, or from the school, employer, clinic, or program that arranged your rapid COVID testing. The letter should identify the specific data elements involved in your record and any complimentary credit monitoring or identity-theft protection being offered. Public reporting confirms complimentary credit monitoring and identity-theft protection of between 12 and 24 months is being offered to those notified. The sister entity U.S. HEALTHWORKS-SMMPP’s disclosure specifically describes Single Bureau Credit Monitoring, a Single Bureau Credit Report, Single Bureau Credit Score, and proactive fraud assistance for 24 months from the date of enrollment.
Class-action activity
Plaintiffs’ firms began publicly investigating claims within weeks of the February 2025 OCR filing. Levi & Korsinsky, LLP has issued multiple press releases through AccessWire syndication inviting affected individuals to contact the firm regarding a potential class action. As of this writing, no consolidated, named class-action complaint has been confirmed in public dockets specific to this incident. Investigations of this size and data-sensitivity routinely convert into filed complaints within several months.
If you receive a notification letter, save it. A dated letter naming the breach and the specific data elements involved is what plaintiffs’ firms need to evaluate (and what you need if you later choose to opt in to a class or file a complaint with the Arizona Attorney General).
What to do if you may be affected
- Place free credit freezes at all three nationwide credit bureaus (Equifax, Experian, TransUnion). Freezes are the single highest-leverage step against SSN-based identity theft, take about ten minutes per bureau, and are free in every state.
- Enroll in the complimentary credit monitoring offered in your notification letter as soon as it arrives. Coverage runs 12 to 24 months depending on the letter.
- File IRS Form 14039 (Identity Theft Affidavit) if you have not already, and request an IRS Identity Protection PIN at irs.gov/ippin. SSN exposure is the highest-risk category here.
- Watch for pharmacy-themed phishing. Because Rx numbers and prescription details were exposed, attackers can craft uniquely convincing phone, text, and email scams referencing real medications and pharmacies. Verify any pharmacy contact by calling the number on your physical prescription bottle, not a number in an inbound message.
- Save your notification letter. It is the document plaintiffs’ firms need to evaluate a class-action claim, and it is what an Arizona resident needs if filing a complaint with the Arizona Attorney General under the state’s breach-notification statute.
- Stop the downstream re-sharing of your prescription history. HealthConsent files HIPAA restriction requests so the Rx and diagnostic data exposed in breaches like this is not continuously re-shared by downstream entities, pharmacy benefit managers, and data brokers.
Sources
- HHS Office for Civil Rights Breach Portal — the federal regulatory record (search Primary Health-SMMPP, L.C., February 6, 2025, 67,567 individuals; Hacking/IT Incident at Network Server; Business Associate).
- HIPAA Journal: Cyberattack on Arizona Business Associates Affects 78,000 Individuals — trade-press synthesis covering the December 13, 2024 detection, January 7, 2025 forensic conclusion, exposed data elements, and the 12 to 24 months of complimentary credit monitoring.
- calHIPAA: Healthcare Data Breach Report for February 2025 — month-in-review confirming Primary Health-SMMPP as one of the largest hacking incidents reported to OCR in February 2025 at 67,567 individuals.
- Levi & Korsinsky, LLP Investigates Primary Health-SMMPP LLC Data Breach (PIX11/AccessWire) — class-action investigation announcement.
- Levi & Korsinsky, LLP Investigates Primary Health-SMMPP LLC Data Breach (Fox2Now/AccessWire) — syndicated copy of the same announcement.
- Primary Health-SMMPP LLC Data Breach Under Investigation (Fox8/AccessWire) — later-dated syndicated update.
- HIPAA Journal: February 2025 Healthcare Data Breach Report — monthly round-up listing Primary Health-SMMPP as the 5th largest hacking incident reported to OCR in February 2025 at 67,567 individuals.
- ClaimDepot: U.S. HealthWorks-SMMPP Data Breach — sister entity disclosure (same incident); confirms the credit monitoring offer as Single Bureau Credit Monitoring, Single Bureau Credit Report and Score, plus proactive fraud assistance for 24 months from enrollment.
- Arizona Attorney General: Data-Breach Notification FAQ — state guidance for Arizona residents on rights and complaint filing.
This page draws on HHS OCR portal data, HIPAA Journal (per-incident and monthly report), calHIPAA, three independent Levi & Korsinsky syndicated press releases, and the ClaimDepot disclosure for sister entity U.S. HEALTHWORKS-SMMPP. Every factual claim about Primary Health-SMMPP is cross-referenced by at least two sources; credit monitoring details for the sister entity are noted as such.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal: Cyberattack on Arizona Business Associates Affects 78,000 Individuals
- calHIPAA: Healthcare Data Breach Report for February 2025
- Levi & Korsinsky Investigates Primary Health-SMMPP LLC Data Breach (PIX11/AccessWire)
- Levi & Korsinsky Investigates Primary Health-SMMPP LLC Data Breach (Fox2Now/AccessWire)
- Primary Health-SMMPP LLC Data Breach Under Investigation (Fox8/AccessWire)
- HIPAA Journal: February 2025 Healthcare Data Breach Report (lists Primary Health-SMMPP as 5th largest hacking incident at 67,567)
- ClaimDepot: U.S. HealthWorks-SMMPP Data Breach (sister entity, same incident — confirms 24-month Single Bureau credit monitoring)
- Arizona Attorney General: Data-Breach Notification FAQ
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.