Restorix Health Data Breach 2025: 38,553 Wound Care Patients Exposed in Email Compromise
Restorix Health, Inc., a Louisiana-based wound care business associate, disclosed a HIPAA breach to HHS OCR on February 14, 2025 affecting 38,553 patients. An employee email account was accessed May 7–29, 2024; exposed data includes SSNs, driver's license numbers, medical records, and health insurance details.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
May 7, 2024
Unauthorized actor begins accessing a Restorix Health employee email account.
May 30, 2024
Restorix detects the unauthorized access and begins forensic investigation.
Nov 27, 2024
Manual document review concludes; Restorix confirms protected health information was contained in the accessed mailbox.
Dec 18, 2024
Restorix notifies covered-entity partners (including East Jefferson General Hospital, Touro Infirmary, and New Orleans East Hospital).
Feb 14, 2025
Restorix files HIPAA breach notification with HHS Office for Civil Rights and begins mailing notices to 38,553 affected individuals.
May 7, 2024
Unauthorized actor begins accessing a Restorix Health employee email account.
May 30, 2024
Restorix detects the unauthorized access and begins forensic investigation.
Nov 27, 2024
Manual document review concludes; Restorix confirms protected health information was contained in the accessed mailbox.
Dec 18, 2024
Restorix notifies covered-entity partners (including East Jefferson General Hospital, Touro Infirmary, and New Orleans East Hospital).
Feb 14, 2025
Restorix files HIPAA breach notification with HHS Office for Civil Rights and begins mailing notices to 38,553 affected individuals.
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Restorix Health, Inc. — a Louisiana-based wound care management business associate headquartered in Metairie — filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on February 14, 2025, reporting 38,553 affected individuals. The breach stems from an unauthorized actor accessing a Restorix employee email account between May 7, 2024 and May 29, 2024. Because Restorix operates as a business associate to hospitals and post-acute providers, many of the patients in the accessed mailbox were treated at partner facilities and may not have known they had any data relationship with Restorix at all.
Timeline
- May 7–29, 2024 — Unauthorized actor accesses a single Restorix employee email account.
- May 30, 2024 — Restorix detects the intrusion and engages outside forensic counsel.
- November 27, 2024 — Manual document review of the mailbox concludes, confirming that protected health information of patients affiliated with Restorix’s healthcare partners was present in the messages and attachments that had been accessible.
- December 18, 2024 — Restorix notifies its hospital partners, including East Jefferson General Hospital, Touro Infirmary, and New Orleans East Hospital (all LCMC Health facilities).
- February 14, 2025 — Restorix files the breach with HHS OCR (38,553 individuals) and begins mailing individual notification letters.
What was exposed
The information exposed varied by individual, but per Restorix’s own substitute notice and the letters mailed to consumers, the accessed mailbox contained one or more of the following per person:
- Full name
- Date of birth
- Social Security number
- Driver’s license number, government ID number, or passport number
- Patient ID number
- Medical information including condition, treatment, diagnosis, dates of service, and prescriptions
- Health insurance information
- Professional certificate or license number (for clinician records caught in the mailbox)
This is a high-sensitivity combination. The pairing of Social Security number with full clinical and insurance detail is the textbook profile for medical identity theft and synthetic-identity fraud, not just routine credit-card replacement.
Who notifies you (and why it’s confusing)
Restorix is the business associate here. If you were treated at one of its partner hospitals — most prominently East Jefferson General Hospital, Touro Infirmary, or New Orleans East Hospital under LCMC Health — your record may have been in the breached mailbox even though your direct care relationship was with the hospital. Notification letters in this incident were sent by Restorix, not by the hospital, which is why the envelope may come from a company name you don’t recognize. The covered-entity hospitals were themselves notified by Restorix on December 18, 2024, roughly two months before patients heard anything.
Class-action status
As of this update, no consolidated class-action complaint has been filed against Restorix Health. Multiple plaintiffs’ firms — including Federman & Sherwood, Murphy Law Firm, Strauss Borrelli PLLC, and Cafferty Clobes Meriwether & Sprengel LLP — opened public investigations in late February and early March 2025 soliciting affected individuals. ClassAction.org has since reported that its attorney panel concluded its investigation without filing. HHS OCR’s enforcement review remains open; Louisiana state attorney general filings (required for SSN-exposing breaches affecting more than 1,000 residents under La. R.S. 51:3074) are typically not posted publicly but were due under the same notification timeline.
What to do if you may be affected
- Place a credit freeze with all three bureaus (Equifax, Experian, TransUnion). It’s free, takes about ten minutes per bureau, and is the highest-leverage step against new-account fraud built on an exposed SSN.
- Enroll in the credit-monitoring and identity-protection services offered in your Restorix notification letter. Restorix’s substitute notice references complimentary monitoring; activate it promptly because enrollment windows close.
- Request a copy of your medical record from any Restorix-affiliated treatment provider and review it for entries you don’t recognize. Medical identity theft commonly surfaces as fabricated visits or prescriptions on your file before it shows up on your credit report.
- Watch your health insurance Explanation of Benefits (EOB) statements for claims you didn’t authorize. Report any anomaly to your insurer’s fraud line immediately.
- File an IRS Identity Protection PIN request (Form 15227 or online via IRS.gov). The combination of SSN plus DOB exposed here is precisely what’s used in fraudulent tax-refund filings.
- Save the notification letter. It is the documentary record you’ll need if you later need to dispute fraudulent accounts, file with the FTC at IdentityTheft.gov, or join a future class action.
Sources on this page
- HHS Office for Civil Rights Breach Portal — federal regulatory record (38,553 affected, filed February 14, 2025).
- Restorix Health — Notice of Security Incident (PDF) — the entity’s own substitute notice.
- LCMC Health / New Orleans East Hospital — Restorix Notice of Data Security Breach — covered-entity partner notice confirming hospital relationships and December 18, 2024 partner-notification date.
- Console & Associates via JD Supra — RestorixHealth Sends Data Breach Letters Following Unauthorized Access to an Employee’s Email Account — independent legal write-up of the access window and exposed data elements.
- HIPAA Times — RestorixHealth Announces Data Breach Impacting 38k — trade press summary of the OCR filing and forensic timeline.
- ClassAction.org — Restorix Health Data Breach Lawsuit Investigation — current status of plaintiffs’ bar investigation (concluded without filing).
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Restorix Health — Notice of Security Incident
- LCMC Health / New Orleans East Hospital — Restorix Notice of Data Security Breach
- Console & Associates via JD Supra — RestorixHealth Sends Data Breach Letters
- HIPAA Times — RestorixHealth Announces Data Breach Impacting 38k
- ClassAction.org — Restorix Health Data Breach Lawsuit Investigation
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.