Active breach tracker Maryland Disclosed March 13, 2026

True RCM Data Breach 2026: 1,247 Healthcare Patients Exposed via Maryland Revenue Cycle Vendor. Comprehensive Rehab Consultants Affected. What To Do

True RCM (a Rapid Care Transcription, Inc. subsidiary), a Maryland-based revenue cycle management vendor for healthcare providers, disclosed a November 2025 endpoint compromise exposing names, Social Security numbers, driver's licenses, admission dates, diagnoses, care provider names, and treatment facilities for 1,247 patients. Comprehensive Rehab Consultants LLC named as upstream covered entity. 24 months Cyberscout monitoring offered. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 21, 2025

Unauthorized access occurred

Nov 24, 2025

True RCM detects intrusion (3-day dwell)

Jan 20, 2026

HHS OCR filing

Mar 13, 2026

Individual notification letters mailed

Mar 13, 2026

Disclosed publicly

Mar 19, 2026

Massachusetts OCABR filing (21 MA residents)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Driver's license number

02

Health records

Don't expire and can't be reissued

Diagnosis information Treatment facilities

03

Contact & insurance

Phishing + targeted scams

Full name Home address State ID number Admission dates Care provider names
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

True RCM is a Maryland-based revenue cycle management (RCM) vendor — a HIPAA business associate to healthcare providers. True RCM operates as a brand or subsidiary of Rapid Care Transcription, Inc. (parent: Rapid Care Group, rapidcare.net / rapidcare.ai). The parent company has a 2,200+ global workforce in healthcare information management and offers medical transcription, medical billing, medical coding, revenue cycle management, and medical record review. The company holds ISO/IEC 27001:2013 ISMS accreditation and has been in business for 25+ years.

On November 21, 2025, an unauthorized actor accessed True RCM’s systems. The intrusion was detected on November 24, 2025 (3-day dwell time). True RCM filed with HHS OCR on January 20, 2026 — confirming 1,247 affected individuals. Individual notification letters were mailed on March 13, 2026, and a Massachusetts OCABR filing followed on March 19, 2026 (21 MA residents).

The “Desktop Computer” location code on the OCR portal strongly suggests a single endpoint compromise — most likely credential phishing to a remote desktop (RDP) session, or malware on a specific billing workstation, rather than mass server exfiltration.

No ransomware group has publicly claimed responsibility. No leak-site listing has been observed.

Affected covered entity

The notification letter names Comprehensive Rehab Consultants LLC as the upstream covered entity whose patient data was processed by True RCM. Only one client has been disclosed for this 1,247-person breach — additional clients may not have been publicly disclosed.

What was stolen

Per the entity’s notification letter:

  • Full name, home address, date of birth
  • Social Security number
  • Driver’s license number, state ID number
  • Admission dates
  • Diagnosis information
  • Care provider names
  • Treatment facilities

Explicitly excluded per the notice: claims data, credit card numbers, financial info.

What True RCM is offering

  • 24 months complimentary Cyberscout (TransUnion subsidiary) credit monitoring
  • Credit reports and credit scores
  • Same-day fraud alerts
  • 90-day enrollment window from letter date (June 11, 2026 cutoff)
  • Help line: 1-800-405-6108 (Monday to Friday, 8 a.m. to 8 p.m. Eastern; available 90 days)

The 24-month duration is at the strong end of industry response for breaches with this exposure profile.

What to do

  1. Enroll in the 24-month Cyberscout monitoring through the activation code in your letter. Don’t wait — the enrollment window closes June 11, 2026.
  2. Place free credit freezes at Equifax, Experian, TransUnion. Full SSN and driver’s license are in scope.
  3. File IRS Form 14039.
  4. Replace your driver’s license if you receive evidence of identity theft using it.
  5. If you received care at Comprehensive Rehab Consultants LLC, watch for separate communications and check your medical records for the specific data elements involved.
  6. Stop the ongoing flow of your healthcare data through billing vendors. HealthConsent files HIPAA restriction requests covering revenue cycle management and medical transcription pathways.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.