Active breach tracker Fort Myers / Naples, FL Disclosed May 30, 2025

Providia Home Care, LLC dba Preferred Care Home Health Services Data Breach 2025: 38,401 Home-Health Patients Exposed (FL). What To Do.

Providia Home Care, LLC dba Preferred Care Home Health Services (Fort Myers/Naples, FL) discovered unauthorized access to an employee email account on January 25, 2025, filed with HHS OCR on May 30, 2025 (38,401 affected), and completed its review on December 31, 2025. Names, SSNs, driver's license numbers, financial account and credit/debit card numbers, diagnoses, prescriptions, and health insurance data were potentially exposed. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Jan 25, 2025

Providia learns of unauthorized access to an employee email account

Jan 25, 2025

Investigation begins with external cybersecurity professionals

May 30, 2025

HIPAA breach notification filed with HHS OCR (38,401 affected, classified as Hacking/IT Incident at Network Server)

Dec 31, 2025

Manual review of impacted data completed; affected individuals and data elements identified

Jan 1, 2026

U.S. mail notification to potentially impacted individuals begins (where mailing address on file)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

02

Health records

Don't expire and can't be reissued

Medical diagnosis or treatment Prescription information Lab results

03

Contact & insurance

Phishing + targeted scams

Full name Address Financial account information Credit and/or debit card numbers Health insurance information Medical claim information Medical condition Provider name Other medical information
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Providia Home Care, LLC dba Preferred Care Home Health Services, a Fort Myers and Naples, Florida home-health provider serving roughly 57,000 patients across 18 Southwest and Southeast Florida counties, discovered unauthorized access to an employee email account on January 25, 2025. The company filed its HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on May 30, 2025, reporting 38,401 affected individuals. After nearly eleven months of manual review, on December 31, 2025 Providia identified the specific individuals and data elements involved and began mailing notification letters to those with a mailing address on file.

Timeline

  • January 25, 2025 — Providia learns an unauthorized individual may have gained access to a single employee email account. External cybersecurity professionals are engaged the same day.
  • May 30, 2025 — Providia files with HHS OCR. The portal entry classifies the event as a Hacking/IT Incident at a Network Server affecting 38,401 individuals. (The entity’s own substitute notice describes the vector as a single employee email account; the OCR location field reflects how the entity categorized the systems involved.)
  • December 31, 2025 — Manual data review concludes. Providia identifies the population of impacted individuals and the specific elements potentially exposed for each.
  • Early 2026 — Individual notification letters go out via U.S. mail to potentially affected patients, employees, and other individuals for whom Providia has an address on file. A toll-free response line is opened at 833-701-9884 (Mon-Fri, 8 a.m. to 8 p.m. EST).

What was exposed

Per Providia’s substitute notice, the potentially impacted data may include one or more of the following per individual:

  • Full name, address, date of birth
  • Social Security number
  • Driver’s license number
  • Financial account information
  • Credit and/or debit card numbers
  • Health insurance information
  • Medical claim information
  • Medical diagnosis or treatment, medical condition
  • Provider name, prescription information, lab results
  • Other medical information

This is the full residential identity-theft kit plus a complete clinical chart in a single record. SSN, driver’s license, financial account, and card data together support both new-account fraud and account takeover. The clinical fields — diagnoses, prescriptions, lab results — support medical identity theft and, in elderly populations, targeted scams using real medication and condition details to establish credibility.

Why this population is especially sensitive

Home health is, by definition, a service for people who cannot easily leave their homes — overwhelmingly elderly, recently discharged, or living with chronic illness. Preferred Care Home Health Services advertises Medicare home health, skilled nursing, physical therapy, and hospice across Southwest and Southeast Florida, two regions with large retiree populations.

That demographic profile changes the risk calculus:

  • Higher baseline susceptibility to phone-based fraud. Scammers who hold a real diagnosis, provider name, and current prescription list can credibly impersonate the home-health agency, an insurer, or Medicare.
  • Caregivers and adult children handle the mail. Notification letters mailed to a patient may be opened by a family member or aide. That can be helpful — but only if the family already knows the patient was a Preferred Care client.
  • Cognitive impairment. A meaningful share of home-health and hospice patients have dementia, post-stroke deficits, or terminal-stage cognitive changes. Many cannot self-monitor a credit report.
  • Hospice and decedent records. Records of deceased patients are still attractive to fraudsters (estate fraud, “ghosting” of SSNs) and are generally not covered by living-victim identity monitoring programs.

If you are a family member, durable power of attorney, or executor for a Preferred Care patient, the practical burden of monitoring this breach falls on you.

What Providia is offering

Providia is providing complimentary identity theft protection services to individuals whose Social Security numbers may have been impacted. The substitute notice does not name the monitoring vendor or specify the duration; those details should appear in the individual notification letter and the enrollment instructions that accompany it. Individuals whose SSN was not implicated but whose financial account number, card number, or clinical data was exposed are not offered enrolled monitoring in the public notice.

The entity’s notice also recommends reviewing financial account statements and explanation-of-benefits statements from health insurers for unrecognized activity, and lists fraud-alert, security-freeze, and free-credit-report procedures with all three nationwide bureaus.

Class actions

As of mid-May 2026, no consumer class action against Providia Home Care, LLC or Preferred Care Home Health Services has been publicly indexed in mainstream breach-litigation trackers (HIPAA Journal, DataBreaches.net, ClassAction.org) tied to this incident. Plaintiffs’ firms commonly file shortly after individual notification letters land — which, in this case, began in early 2026 once the December 31, 2025 review completed. We will update this page when filings appear on the docket.

What to do if you may be affected

  1. Watch your mail. Providia is sending letters via U.S. mail to those with an address on file. Open mail addressed to elderly relatives who were Preferred Care patients — they may not recognize the letter or may discard it.
  2. Enroll in any complimentary monitoring offered. If your letter includes an enrollment code for identity protection (offered to SSN-affected individuals), use it. The window to enroll is typically limited.
  3. Place free credit freezes at Equifax, Experian, and TransUnion. A freeze blocks new-account fraud and is the single highest-leverage step for anyone whose SSN was in this incident. It is free and reversible.
  4. Review insurance Explanation of Benefits statements for unfamiliar providers, dates of service, prescriptions, or claims. Medical identity theft frequently shows up here before it shows up on a credit report.
  5. Check financial account and card statements for unauthorized charges. If your card number was in the exposed dataset, request a replacement card.
  6. For family members and caregivers of an affected home-health or hospice patient: monitor on their behalf. If the patient is deceased, notify the Social Security Administration (if not already done), place a credit freeze on the decedent’s file, and watch for estate-related fraud.
  7. Call the response line at 833-701-9884 (Mon-Fri, 8 a.m.-8 p.m. EST) if you are unsure whether you are affected.
  8. Stop the ongoing flow of your home-health data. HealthConsent files HIPAA restriction requests so that the diagnosis, prescription, and treatment data exposed here is not continuously re-shared with new third parties downstream.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.