United Backcare PS dba Pacific Rehabilitation Centers Data Breach 2025: 18,900 Patients and Staff Exposed in December 2024 Ransomware Attack
United Backcare PS dba Pacific Rehabilitation Centers, a Washington return-to-work rehabilitation provider with clinics in Everett, Puyallup, and Moses Lake, reported a December 30, 2024 ransomware attack that encrypted servers holding patient, employee, and contractor information. The HIPAA breach filing on February 11, 2025 placed the affected population at 18,900 individuals, with Social Security numbers, banking details, passport numbers, diagnosis and treatment information, and electronic signatures among the exposed data.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 30, 2024
Pacific Rehabilitation Centers employee discovers a ransomware notice on a workstation; IT immediately takes servers offline
Dec 30, 2024
Attacker gained access
Dec 31, 2024
Entity transitions to alternative systems within roughly 24 hours to maintain patient care; daily forensic-IT briefings begin
Feb 11, 2025
HIPAA breach notification filed with HHS Office for Civil Rights — 18,900 individuals, Hacking/IT Incident, Network Server
Mar 5, 2025
Plaintiff-side firms (Strauss Borrelli PLLC, Shamis & Gentile P.A., The Lyon Firm, ClassAction.org-affiliated counsel) open public investigations into potential class-action claims
Dec 30, 2024
Pacific Rehabilitation Centers employee discovers a ransomware notice on a workstation; IT immediately takes servers offline
Dec 30, 2024
Attacker gained access
Dec 31, 2024
Entity transitions to alternative systems within roughly 24 hours to maintain patient care; daily forensic-IT briefings begin
Feb 11, 2025
HIPAA breach notification filed with HHS Office for Civil Rights — 18,900 individuals, Hacking/IT Incident, Network Server
Mar 5, 2025
Plaintiff-side firms (Strauss Borrelli PLLC, Shamis & Gentile P.A., The Lyon Firm, ClassAction.org-affiliated counsel) open public investigations into potential class-action claims
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
United Backcare PS, doing business as Pacific Rehabilitation Centers, is a Bellevue-headquartered return-to-work rehabilitation provider with patient clinics in Everett, Puyallup, and Moses Lake, Washington. On the morning of December 30, 2024, an employee opened a workstation to find a ransomware note. The provider’s IT staff pulled the affected servers offline within hours, but the encrypted volumes held personal, financial, and medical information on roughly 18,900 patients, employees, and individual contractors. Pacific Rehabilitation Centers filed its formal HIPAA breach report with the HHS Office for Civil Rights on February 11, 2025, classifying the event as a Hacking/IT Incident at a Network Server. The OCR investigation remains open as of this writing, and no ransomware group has publicly claimed the attack or posted data from the entity on a known leak site.
The entity’s own notice acknowledges that data on its servers was encrypted by the attacker, but states that the forensic investigation has not — as of the public notice — confirmed whether information was accessed or exfiltrated. That carve-out is common in early ransomware disclosures and does not change the regulatory obligation to notify the population whose information was rendered unavailable.
Timeline
- December 30, 2024 — An employee discovers a ransomware notice on their workstation. IT immediately takes the affected servers offline and engages forensic IT support.
- December 31, 2024 — Pacific Rehabilitation Centers transitions to alternative systems within roughly 24 hours to keep clinic operations and patient scheduling running. Executive leadership begins meeting daily with forensic-IT personnel.
- February 11, 2025 — Entity files its HIPAA breach notification with HHS OCR: 18,900 affected, Hacking/IT Incident, Network Server.
- Early March 2025 — Plaintiff-side firms (Strauss Borrelli PLLC, Shamis & Gentile P.A., The Lyon Firm, and counsel affiliated with ClassAction.org) publicly open investigations into potential class-action claims arising from the breach.
- Ongoing (as of May 16, 2026) — OCR portal entry remains in open status. No named class-action complaint or settlement has been reported in the sources reviewed; the entity continues to direct affected individuals to its substitute notice and incident hotline.
What was exposed
According to the entity’s own substitute notice, the records held on the encrypted servers included personal information of patients, employees, and individual contractors. The data elements potentially involved are:
- Names, addresses, dates of birth, and email addresses
- Social Security numbers
- Driver’s license numbers, passport numbers, and citizenship status
- Diagnosis and treatment information
- Health plan numbers
- Banking information for direct deposit
- Dependent personal information
- Electronic signatures
The combination of Social Security numbers, government-ID information, banking details, and diagnosis records is on the more sensitive end of the healthcare-breach spectrum. Both identity-theft and medical-identity-theft risks are realistic, and the presence of dependent information means minors may also be in scope.
What the entity is offering
Pacific Rehabilitation Centers’ public notice does not advertise a complimentary credit-monitoring product. The entity instead directs affected individuals to the Federal Trade Commission’s standard guidance, including placing a free fraud alert or security freeze with the three nationwide consumer reporting agencies, and provides an Incident Hotline at 206-635-4401, open 9:00 a.m. to 1:00 p.m. Pacific Time. Individual notification letters may include offerings not reflected in the public substitute notice; affected individuals should read any letter they receive carefully.
The entity has also stated that it implemented additional security measures across all company devices and is accelerating a transition to an upgraded electronic medical record system.
Class-action and regulatory posture
The HHS OCR portal entry filed on February 11, 2025 remains open. Multiple plaintiff-side law firms have publicly opened investigations into potential class-action litigation, including Strauss Borrelli PLLC, Shamis & Gentile, P.A., and The Lyon Firm. ClassAction.org-affiliated counsel concluded its public investigation phase, and local press in the Columbia Basin region has reported that firms are actively seeking plaintiffs from the Moses Lake clinic in particular. No filed complaint with a case number has been identified in the sources reviewed for this page.
What to do if you may be affected
- Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers, driver’s license numbers, and passport numbers were on the affected servers, a security freeze is materially more protective than a fraud alert alone. It is free, takes about ten minutes per bureau, and is reversible.
- Read any notification letter carefully. Individual letters typically arrive in the weeks following an OCR filing. They will list the specific data elements involved for your record and any credit-monitoring or identity-protection services being offered. Do not discard the letter; the enrollment code is single-use.
- Watch for medical identity theft. Because diagnosis, treatment, and health-plan information was potentially exposed, review every Explanation of Benefits from your insurer and report services you did not receive.
- Watch your bank account. Direct-deposit banking information was on the affected servers. Enable transaction alerts, and consider asking your bank to add a verbal password to your account profile.
- Be skeptical of unsolicited contact. Threat actors with name, address, date of birth, and clinic-treatment context can craft convincing phishing emails and phone calls. Treat any unexpected message referencing Pacific Rehabilitation Centers, your treatment, or “verifying” your information with skepticism — and call back using a number you look up independently.
- Use the entity’s hotline. Pacific Rehabilitation Centers operates an Incident Hotline at 206-635-4401, 9:00 a.m. to 1:00 p.m. Pacific Time, for breach-specific questions.
Sources
- Pacific Rehabilitation Centers — Notice of Data Security Incident — entity substitute notice with full data-element list, response timeline, and hotline number.
- HHS Office for Civil Rights Breach Portal — federal regulatory record (filing dated February 11, 2025; 18,900 individuals; Hacking/IT Incident at Network Server).
- HIPAA Journal — February 2025 Healthcare Data Breach Report — trade-press confirmation of affected count and incident classification.
- ClassAction.org — Pacific Rehabilitation Centers Data Breach Lawsuit Investigation — incident summary and data-element list.
- Strauss Borrelli PLLC — Pacific Rehabilitation Centers Data Breach Investigation — plaintiff-side investigation announcement.
- The Lyon Firm — Pacific Rehabilitation Centers Data Breach Investigation — independent confirmation of incident facts and data elements.
- Source One News (Columbia Basin) — Class Action Lawsuits Target Pacific Rehabilitation Centers Data Breach, Including Moses Lake — local press coverage and confirmation of approximate-18,900 affected count.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Pacific Rehabilitation Centers — Notice of Data Security Incident (entity substitute notice)
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — February 2025 Healthcare Data Breach Report
- ClassAction.org — Pacific Rehabilitation Centers Data Breach Lawsuit Investigation
- Strauss Borrelli PLLC — Pacific Rehabilitation Centers Data Breach Investigation
- The Lyon Firm — Pacific Rehabilitation Centers Data Breach Investigation
- Source One News (Columbia Basin) — Class Action Lawsuits Target Pacific Rehabilitation Centers Data Breach, Including Moses Lake
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.