Space Coast Vascular Data Breach 2025: 18,819 Melbourne FL Vascular Patients Exposed in Hacking Incident. SSNs, Driver's Licenses, Medical Records Compromised. What To Do.
Space Coast Vascular, a Melbourne, Florida vascular and venous health diagnostic laboratory, confirmed a January 13, 2025 cyberattack on its network server. An August 7, 2025 investigation determined names, dates of birth, Social Security numbers, driver's license numbers, medical treatment information, health insurance information, and financial account information for 18,819 individuals were accessed. The breach was reported to HHS OCR on October 6, 2025. Multiple plaintiff firms are investigating.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Jan 13, 2025
Criminal cyberattack on Space Coast Vascular computer systems begins
Aug 7, 2025
Third-party forensic investigation determines patient PHI was exposed and may have been viewed or acquired
Oct 6, 2025
Breach reported to HHS Office for Civil Rights (18,819 affected, Network Server)
Oct 7, 2025
Strauss Borrelli PLLC announces breach investigation
Oct 9, 2025
Notification mailings to affected individuals begin; substitute notice posted
Oct 14, 2025
Lynch Carpenter, LLP publicly announces class-action investigation
Jan 13, 2025
Criminal cyberattack on Space Coast Vascular computer systems begins
Aug 7, 2025
Third-party forensic investigation determines patient PHI was exposed and may have been viewed or acquired
Oct 6, 2025
Breach reported to HHS Office for Civil Rights (18,819 affected, Network Server)
Oct 7, 2025
Strauss Borrelli PLLC announces breach investigation
Oct 9, 2025
Notification mailings to affected individuals begin; substitute notice posted
Oct 14, 2025
Lynch Carpenter, LLP publicly announces class-action investigation
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
Space Coast Vascular, a vascular and venous health diagnostic laboratory and treatment center in Melbourne, Florida, was hit by a criminal cyberattack on or around January 13, 2025. After a months-long forensic review, the practice determined on August 7, 2025 that patient protected health information had been exposed and may have been viewed or acquired by the threat actor. The incident was reported to the HHS Office for Civil Rights on October 6, 2025, listing 18,819 affected individuals under “Hacking/IT Incident” at “Network Server.” Notification letters to affected patients followed, and at least four plaintiff firms have publicly opened class-action investigations.
Timeline
- January 13, 2025 — A criminal cyberattack impacts Space Coast Vascular’s computer systems. The practice engages third-party cybersecurity experts to investigate.
- August 7, 2025 — The investigation concludes that patient PHI was exposed and may have been viewed or acquired by the threat actor.
- October 6, 2025 — The breach is reported to HHS OCR as a hacking incident affecting 18,819 individuals with PHI located on a network server.
- October 7, 2025 — Strauss Borrelli PLLC announces a breach investigation on behalf of affected patients.
- October 9, 2025 — Individual notification mailings begin; the practice posts a substitute notice and a description of the specific data elements involved.
- October 14, 2025 — Lynch Carpenter, LLP publicly announces it is investigating claims against Space Coast Vascular on behalf of affected individuals.
What was exposed
According to the entity’s notice and reporting by HIPAA Journal and multiple plaintiff firms, the data elements exposed vary by individual but may include:
- Full name
- Date of birth
- Social Security number
- Driver’s license or state-issued ID number
- Medical treatment information
- Health insurance information
- Financial account information
No specific ransomware group has publicly claimed responsibility, and no leak-site posting of Space Coast Vascular data has been independently reported in the sources reviewed. The OCR portal entry classifies the incident as “Hacking/IT Incident” at “Network Server.”
What Space Coast Vascular is offering
- At least 12 months of complimentary credit monitoring and related identity-protection services to notified individuals. Enrollment instructions are included in the individual notification letter.
- A list of the specific data elements impacted is being provided to each affected individual.
- The practice states it has implemented a series of cybersecurity improvements to reduce the risk of similar incidents in the future.
- At the time of notification, Space Coast Vascular reported no known misuse of patient data arising from the incident.
Class-action and regulatory posture
The HHS OCR portal entry remains open and under investigation. No state attorney general public-notice link has been independently identified at this time, though Florida law requires breach notice to the Department of Legal Affairs when 500 or more Florida residents are affected.
At least four plaintiff-side firms have publicly opened investigations into the breach:
- Strauss Borrelli PLLC (announced October 7, 2025)
- Lynch Carpenter, LLP (announced October 14, 2025; contact attorney Jerry Wells)
- Edelson Lechtzin / EKSM
- ClassAction.org-affiliated counsel
No consolidated complaint or case number has yet been independently verified in the sources reviewed.
What to do if you may be affected
- Enroll in the offered credit monitoring. Your notification letter contains a single-use enrollment code for at least 12 months of complimentary service. Use it.
- Place free credit freezes at Equifax, Experian, and TransUnion. Because Social Security numbers and driver’s license numbers were exposed, a security freeze is materially more protective than monitoring alone. It is free and reversible, and takes roughly ten minutes per bureau.
- File IRS Form 14039 if your letter confirms SSN exposure, to flag your tax account against fraudulent return filings.
- Watch for medical identity theft. Because treatment and insurance information was exposed, review every Explanation of Benefits and request a copy of your medical record from your insurer if you see services you did not receive.
- Be alert to targeted phishing and calls. Threat actors holding name, date of birth, address, and vascular-treatment context can craft highly convincing follow-on lures referencing Space Coast Vascular or your visits. Treat unexpected calls, texts, or emails with skepticism.
- Stop the ongoing flow of your medical data. HealthConsent files HIPAA restriction requests so the information exposed in this breach is not continuously re-shared by downstream entities.
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record (filing dated 2025-10-06, 18,819 affected, Hacking/IT Incident, Network Server).
- ClassAction.org — Space Coast Vascular Data Breach Impacts Personal, Health Info — entity description, exposed data elements, investigation status.
- Strauss Borrelli PLLC — Space Coast Vascular Data Breach Investigation — exposed data elements, breach notice language, October 7, 2025 investigation announcement.
- GlobeNewswire — Lynch Carpenter Investigates Claims in Space Coast Vascular Data Breach — class-action investigation announcement, exposed data elements, attorney contact.
- EKSM — Space Coast Vascular Announces Data Breach — August 7, 2025 discovery date, unauthorized access confirmation.
- The Florida Tribune — Lynch Carpenter Investigates Claims in Space Coast Vascular Data Breach — Florida press confirmation of the breach and class-action investigation.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- ClassAction.org — Space Coast Vascular Data Breach Impacts Personal, Health Info
- Strauss Borrelli PLLC — Space Coast Vascular Data Breach Investigation
- GlobeNewswire — Lynch Carpenter Investigates Claims in Space Coast Vascular Data Breach
- EKSM — Space Coast Vascular Announces Data Breach
- The Florida Tribune — Lynch Carpenter Investigates Claims in Space Coast Vascular Data Breach
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.