Patriot At Home / Supportive Home Health Data Breach 2026: 1,415 Ohio Home Health Patients Exposed via Email Compromise. What To Do
Superior Care Plus LLC (d/b/a Supportive Home Health LLC), affiliated with Patriot Outpatient LLC and operating publicly as Patriot At Home, a veteran-owned Ohio home health agency, disclosed a November 2025 employee email compromise exposing names, health insurance, treatment information, admission/discharge dates, and a limited subset's Social Security and Medicare numbers for 1,415 elderly home health patients. Here is what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 17, 2025
Suspicious activity detected on employee email account
Nov 17, 2025
Attacker gained access
Jan 9, 2026
Forensic investigation concluded; unauthorized access to specific emails / files confirmed
Jan 16, 2026
HHS OCR notification; substitute notice posted; individual letters mailed
Nov 17, 2025
Suspicious activity detected on employee email account
Nov 17, 2025
Attacker gained access
Jan 9, 2026
Forensic investigation concluded; unauthorized access to specific emails / files confirmed
Jan 16, 2026
HHS OCR notification; substitute notice posted; individual letters mailed
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Superior Care Plus LLC, doing business as Supportive Home Health LLC, is affiliated with Patriot Outpatient LLC and operates publicly as Patriot At Home. It is a veteran-owned, CHAP-accredited, Medicare-certified home health agency headquartered in Girard, Ohio. Service footprint includes Greater Akron, Greater Cincinnati, and Mahoning, Trumbull, and Columbiana counties (Youngstown and Warren area). Services include skilled nursing, physical/occupational/speech therapy, social work, home health aide, hospice, and primary care.
The patient population is primarily elderly Medicare-certified individuals receiving in-home care.
On November 17, 2025, Patriot At Home detected suspicious activity on an employee email account. The forensic investigation concluded on January 9, 2026, confirming unauthorized access to specific emails and files. Patriot At Home filed with HHS OCR, posted a substitute notice, and mailed individual letters on January 16, 2026 — confirming 1,415 affected individuals.
The 60-day gap from detection to disclosure is right at HIPAA’s outer limit.
The vector is business email compromise — phishing-driven access to a single mailbox, with no ransomware indicators and no exfiltration tool identified in public disclosures.
What was stolen
Per the substitute notice:
- First and last name, city and ZIP, email address
- Health insurance policy number, policy name
- Medical treatment information
- Admission / discharge dates, patient logs
- Referring facility, start-of-care date
- Referring PCP name
A limited number of individuals also had Social Security number and/or Medicare number exposed.
Medicaid IDs and OASIS assessment data are not specifically called out in the public notice (they may fall under “medical treatment information” or “patient logs” but this is unconfirmed).
What Patriot At Home is offering
- Password reset on the impacted account; third-party cybersecurity forensics engaged
- Toll-free helpline: 1-888-572-7322 (Monday to Friday, 8:00 a.m. to 4:30 p.m. Eastern)
- Individual mailed notification letters
Credit monitoring or identity theft protection is not mentioned in any public source reviewed, which is notable given the limited SSN and Medicare-number exposure. The full PDF notice may contain offer details that are not in the public summary — read your specific letter carefully.
What to do
- Read your specific notification letter to confirm whether your SSN or Medicare number was in the affected subset.
- If your SSN was in scope, place free credit freezes at Equifax, Experian, TransUnion.
- If your Medicare number was in scope, request a new Medicare Beneficiary Identifier (MBI) from Medicare (1-800-MEDICARE).
- File IRS Form 14039 if SSN exposed.
- Watch your Medicare Summary Notice for unfamiliar home-health claims.
- If you are a family member or guardian of a Patriot At Home patient, monitor their statements on their behalf.
- Stop the ongoing flow of your home-health and hospice data. HealthConsent files HIPAA restriction requests across home-health, hospice, and prescription networks.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Patriot At Home: Substitute Notice (PDF)
- Patriot At Home Agency News
- The Lyon Firm: Patriot Outpatient & Supportive Home Health Investigation
- ClaimDepot: Supportive Home Health Data Breach Investigation
- ClaimDepot: Supportive Home Health 2026
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.