Active breach tracker Girard, OH Disclosed January 16, 2026

Patriot At Home / Supportive Home Health Data Breach 2026: 1,415 Ohio Home Health Patients Exposed via Email Compromise. What To Do

Superior Care Plus LLC (d/b/a Supportive Home Health LLC), affiliated with Patriot Outpatient LLC and operating publicly as Patriot At Home, a veteran-owned Ohio home health agency, disclosed a November 2025 employee email compromise exposing names, health insurance, treatment information, admission/discharge dates, and a limited subset's Social Security and Medicare numbers for 1,415 elderly home health patients. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 17, 2025

Suspicious activity detected on employee email account

Nov 17, 2025

Attacker gained access

Jan 9, 2026

Forensic investigation concluded; unauthorized access to specific emails / files confirmed

Jan 16, 2026

HHS OCR notification; substitute notice posted; individual letters mailed

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security number (limited subset)

02

Health records

Don't expire and can't be reissued

Medical treatment information

03

Contact & insurance

Phishing + targeted scams

Full name City and ZIP Email address Health insurance policy number Policy name Admission / discharge dates Patient logs Referring facility Start-of-care date Referring PCP name Medicare number (limited subset)

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Shamis & Gentile P.A. (publicly investigating) The Lyon Firm (soliciting Ohio plaintiffs)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Superior Care Plus LLC, doing business as Supportive Home Health LLC, is affiliated with Patriot Outpatient LLC and operates publicly as Patriot At Home. It is a veteran-owned, CHAP-accredited, Medicare-certified home health agency headquartered in Girard, Ohio. Service footprint includes Greater Akron, Greater Cincinnati, and Mahoning, Trumbull, and Columbiana counties (Youngstown and Warren area). Services include skilled nursing, physical/occupational/speech therapy, social work, home health aide, hospice, and primary care.

The patient population is primarily elderly Medicare-certified individuals receiving in-home care.

On November 17, 2025, Patriot At Home detected suspicious activity on an employee email account. The forensic investigation concluded on January 9, 2026, confirming unauthorized access to specific emails and files. Patriot At Home filed with HHS OCR, posted a substitute notice, and mailed individual letters on January 16, 2026 — confirming 1,415 affected individuals.

The 60-day gap from detection to disclosure is right at HIPAA’s outer limit.

The vector is business email compromise — phishing-driven access to a single mailbox, with no ransomware indicators and no exfiltration tool identified in public disclosures.

What was stolen

Per the substitute notice:

  • First and last name, city and ZIP, email address
  • Health insurance policy number, policy name
  • Medical treatment information
  • Admission / discharge dates, patient logs
  • Referring facility, start-of-care date
  • Referring PCP name

A limited number of individuals also had Social Security number and/or Medicare number exposed.

Medicaid IDs and OASIS assessment data are not specifically called out in the public notice (they may fall under “medical treatment information” or “patient logs” but this is unconfirmed).

What Patriot At Home is offering

  • Password reset on the impacted account; third-party cybersecurity forensics engaged
  • Toll-free helpline: 1-888-572-7322 (Monday to Friday, 8:00 a.m. to 4:30 p.m. Eastern)
  • Individual mailed notification letters

Credit monitoring or identity theft protection is not mentioned in any public source reviewed, which is notable given the limited SSN and Medicare-number exposure. The full PDF notice may contain offer details that are not in the public summary — read your specific letter carefully.

What to do

  1. Read your specific notification letter to confirm whether your SSN or Medicare number was in the affected subset.
  2. If your SSN was in scope, place free credit freezes at Equifax, Experian, TransUnion.
  3. If your Medicare number was in scope, request a new Medicare Beneficiary Identifier (MBI) from Medicare (1-800-MEDICARE).
  4. File IRS Form 14039 if SSN exposed.
  5. Watch your Medicare Summary Notice for unfamiliar home-health claims.
  6. If you are a family member or guardian of a Patriot At Home patient, monitor their statements on their behalf.
  7. Stop the ongoing flow of your home-health and hospice data. HealthConsent files HIPAA restriction requests across home-health, hospice, and prescription networks.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.