Active breach tracker Miami, Florida Disclosed November 21, 2025

VITAS Hospice Services Data Breach 2025: 319,177 Patients Exposed in 36-Day Vendor-Account Intrusion · Class Action Filed in S.D. Fla.

VITAS Hospice Services, the largest US for-profit hospice chain and a subsidiary of Chemed Corp (NYSE: CHE), disclosed that an attacker used a compromised vendor account to access its systems from September 21 through October 27, 2025. Names, Social Security numbers, driver's license numbers, diagnoses, medications, lab results, and next-of-kin contact details for 319,177 current and former patients were exposed.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 21, 2025

Attacker begins accessing VITAS systems via a compromised vendor account

Oct 24, 2025

VITAS identifies suspicious activity; third-party cybersecurity firm engaged

Oct 27, 2025

Unauthorized access window closes (36-day intrusion total)

Nov 21, 2025

VITAS posts substitute notice and begins individual notification mailings

Nov 21, 2025

Notifications submitted to California and Texas attorneys general; print-media publication notice issued

Nov 24, 2025

Miakos v. VITAS Hospice Services filed in U.S. District Court for the Southern District of Florida (Case No. 1:25-cv-25490)

Nov 24, 2025

Federman & Sherwood announces investigation; Shamis & Gentile P.A. begins investigation; law enforcement notified

Nov 26, 2025

Additional multi-state AG notifications filed (Iowa, Maine, Massachusetts OCABR, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Vermont, Washington)

Dec 9, 2025

Breach posted to HHS Office for Civil Rights public portal at 319,177 affected

Dec 30, 2025

Second class action (Hartmann v. VITAS Hospice Services) reported in Bloomberg Law

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers Driver's license numbers

02

Health records

Don't expire and can't be reissued

Diagnoses Medications Lab results Health conditions and treatment information Medical record numbers

03

Contact & insurance

Phishing + targeted scams

Names Addresses Phone numbers Dates of birth Next-of-kin contact information (name, phone, email) Health insurance information Medicare Beneficiary Identifier numbers International Classification of Disease (ICD) codes Health savings account information National Provider Identifier numbers

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Kopelowitz Ostrow P.A. Schubert Jonckheer & Kolbe LLP Markovits, Stock & DeMarco, LLC Strauss Borrelli PLLC Shamis & Gentile P.A. (investigating) Federman & Sherwood (investigating) Srourian Law Firm (investigating) Migliaccio & Rathod LLP (investigating) Goldenberg Schneider LPA (investigating) EKSM (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

VITAS Hospice Services, the Miami-headquartered hospice and palliative care subsidiary of Chemed Corp (NYSE: CHE) and the largest for-profit hospice provider in the United States, disclosed that an unauthorized actor used a compromised vendor account to access its network from September 21 through October 27, 2025. The intrusion, identified on October 24, 2025, exposed personal, identity, and clinical information for 319,177 current and former patients. VITAS posted substitute notice on November 21, 2025, and the incident was added to the HHS Office for Civil Rights public breach portal on December 9, 2025. At least two proposed class actions have been filed in the U.S. District Court for the Southern District of Florida.

The attacker maintained access for 36 days before detection. According to notification letters, VITAS engaged a third-party cybersecurity firm, terminated the compromised vendor account, and says it has strengthened vendor oversight and data protection protocols. The specific vendor whose credentials were abused has not been publicly identified, and no ransomware group has claimed responsibility for the intrusion.

Timeline

  • September 21, 2025 — Attacker begins accessing VITAS systems through a compromised third-party vendor account.
  • October 24, 2025 — VITAS identifies suspicious activity; third-party forensics firm engaged.
  • October 27, 2025 — Unauthorized access window closes; containment is achieved.
  • November 21, 2025 — VITAS posts substitute notice on its public site and begins individual notification mailings.
  • November 24, 2025Miakos v. VITAS Hospice Services, LLC, Case No. 1:25-cv-25490, filed in the U.S. District Court for the Southern District of Florida.
  • November 26, 2025 — Notifications submitted to the California and Texas attorneys general.
  • December 9, 2025 — Breach posted to the HHS OCR public portal at 319,177 affected individuals.
  • December 30, 2025 — Second putative class action (Hartmann v. VITAS Hospice Services) reported by Bloomberg Law in the Southern District of Florida.

What was exposed

The exposed data varies by individual and may include any combination of:

  • Name, address, phone number, date of birth
  • Social Security number
  • Driver’s license number
  • Next-of-kin contact information including name, phone number, and email
  • Diagnoses, medications, lab results, health conditions, and treatment information
  • Health insurance information
  • Medicare Beneficiary Identifier numbers
  • Medical record numbers
  • International Classification of Disease (ICD) codes
  • Health savings account information
  • National Provider Identifier numbers

Notification letters confirm that both demographic identifiers and detailed clinical records were within the dataset the attacker accessed. The combination of Social Security number, driver’s license number, and clinical detail places this incident in the more serious tier of healthcare data exposures. The exposure of Medicare Beneficiary Identifier numbers and ICD codes is notable: together, they enable fraudulent Medicare billing under a patient’s identity, a form of medical identity theft that can take months or years to surface through Explanation of Benefits statements.

Sensitive-population considerations

VITAS serves hospice and palliative-care patients, which makes this incident materially different from a typical hospital or insurer breach in three ways.

First, a large fraction of the 319,177 affected individuals are deceased, and the notification process therefore necessarily reaches next of kin and surviving family members rather than the patients themselves. The notification letters explicitly call out the exposure of next-of-kin contact information.

Second, end-of-life clinical context is uniquely sensitive. Diagnoses, medications, and treatment information in a hospice record include terminal prognoses, palliative-sedation regimens, and goals-of-care documentation that families may never have shared outside the immediate household.

Third, bereaved families are a disproportionately vulnerable scam target. Threat actors with access to a decedent’s name, address, date of birth, Social Security number, and verified hospice context can construct highly convincing impersonation lures: fake funeral-cost collection, fake estate or probate fees, fake Social Security or Medicare overpayment claims, and fake “final medical bill” demands. Surviving family members should treat any unsolicited outreach referencing the deceased’s care with extreme skepticism.

What VITAS is offering

VITAS is offering 24 months of complimentary credit monitoring and identity theft protection services through Epiq to notified individuals. The Epiq package includes: one-bureau credit monitoring, Social Security number monitoring, dark web monitoring, change-of-address monitoring, credit freeze assistance, identity restoration assistance, lost wallet assistance, up to $1 million in identity theft insurance, and monitoring for healthcare-specific identifiers including Medicare Beneficiary Identifiers, medical record numbers, ICD codes, National Provider Identifier numbers, and health savings account information.

Enrollment instructions and a unique activation code are included in the individual notification letter. VITAS states it was unaware of any misuse of the exposed data at the time notifications were issued.

A dedicated call center is available at 855-403-1586, Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding US federal holidays. If you need assistance specifically with Epiq enrollment, Epiq’s direct line is 866-675-2006, Monday through Friday, 9:00 a.m. to 5:30 p.m. Eastern Time.

Class-action posture

At least two putative class actions are on file in the U.S. District Court for the Southern District of Florida:

  • Miakos v. VITAS Hospice Services, LLC, Case No. 1:25-cv-25490 (S.D. Fla., filed Nov. 24, 2025). Plaintiff Darlene Miakos is represented by Jeff Ostrow and Andrew Hausdorff of Kopelowitz Ostrow P.A. The complaint alleges violations of state and federal data privacy laws, negligence, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty, and pleads a class that includes both patients and employees.
  • Hartmann v. VITAS Hospice Services LLC (S.D. Fla., reported Dec. 30, 2025). Plaintiff Claudia Hartmann asserts negligence, breach of implied contract and of confidence, and unjust enrichment.

Additional firms publicly investigating include Schubert Jonckheer & Kolbe LLP, Markovits, Stock & DeMarco, LLC, Strauss Borrelli PLLC, Migliaccio & Rathod LLP, Goldenberg Schneider LPA, and EKSM. The HHS OCR portal entry remains open.

What to do

  • Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers and driver’s license numbers were exposed, a security freeze is materially more protective than monitoring alone. It is free, reversible, and takes about ten minutes per bureau.
  • Enroll in the 24-month Epiq credit monitoring offered in your letter. The enrollment code is single-use and tied to the named individual. Call VITAS at 855-403-1586 (Mon–Fri, 9 a.m.–9 p.m. ET) or Epiq directly at 866-675-2006 (Mon–Fri, 9 a.m.–5:30 p.m. ET) if you have trouble enrolling.
  • For families of deceased patients: request a credit freeze on the decedent’s file with all three bureaus, notify the Social Security Administration if not already done, and watch for fraudulent tax returns, medical-billing collections, or “final expense” scams referencing the deceased. The SSA’s Death Master File flag plus a deceased-flag with the credit bureaus materially reduces post-mortem identity-theft risk.
  • Be alert to targeted phishing and phone scams. With name, address, date of birth, SSN, diagnosis, and hospice context, a threat actor can construct highly convincing impersonations of insurers, hospices, funeral homes, and Medicare. Verify any payment or information request through a phone number you look up independently.
  • Watch for medical identity theft. Because diagnosis, medication, and insurance information was exposed, review insurance Explanations of Benefits and request a copy of the medical record from your insurer if you see services you do not recognize.
  • Decide on the class action. If you received a VITAS notification letter, you are presumptively a class member in the pending S.D. Fla. cases. You do not need to retain counsel to remain in the class; class-member status is automatic absent an opt-out.
  • Stop the ongoing flow of your hospice and palliative-care records. HealthConsent files HIPAA restriction requests so the clinical data — diagnoses, medications, ICD codes, and Medicare Beneficiary Identifier numbers — exposed in this breach is not continuously re-shared across health information exchanges and downstream data brokers.

Continue reading

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.