VITAS Hospice Services Data Breach 2025: 319,177 Patients Exposed in 36-Day Vendor-Account Intrusion · Class Action Filed in S.D. Fla.
VITAS Hospice Services, the largest US for-profit hospice chain and a subsidiary of Chemed Corp (NYSE: CHE), disclosed that an attacker used a compromised vendor account to access its systems from September 21 through October 27, 2025. Names, Social Security numbers, driver's license numbers, diagnoses, medications, lab results, and next-of-kin contact details for 319,177 current and former patients were exposed.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Sep 21, 2025
Attacker begins accessing VITAS systems via a compromised vendor account
Oct 24, 2025
VITAS identifies suspicious activity; third-party cybersecurity firm engaged
Oct 27, 2025
Unauthorized access window closes (36-day intrusion total)
Nov 21, 2025
VITAS posts substitute notice and begins individual notification mailings
Nov 21, 2025
Notifications submitted to California and Texas attorneys general; print-media publication notice issued
Nov 24, 2025
Miakos v. VITAS Hospice Services filed in U.S. District Court for the Southern District of Florida (Case No. 1:25-cv-25490)
Nov 24, 2025
Federman & Sherwood announces investigation; Shamis & Gentile P.A. begins investigation; law enforcement notified
Nov 26, 2025
Additional multi-state AG notifications filed (Iowa, Maine, Massachusetts OCABR, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Vermont, Washington)
Dec 9, 2025
Breach posted to HHS Office for Civil Rights public portal at 319,177 affected
Dec 30, 2025
Second class action (Hartmann v. VITAS Hospice Services) reported in Bloomberg Law
Sep 21, 2025
Attacker begins accessing VITAS systems via a compromised vendor account
Oct 24, 2025
VITAS identifies suspicious activity; third-party cybersecurity firm engaged
Oct 27, 2025
Unauthorized access window closes (36-day intrusion total)
Nov 21, 2025
VITAS posts substitute notice and begins individual notification mailings
Nov 21, 2025
Notifications submitted to California and Texas attorneys general; print-media publication notice issued
Nov 24, 2025
Miakos v. VITAS Hospice Services filed in U.S. District Court for the Southern District of Florida (Case No. 1:25-cv-25490)
Nov 24, 2025
Federman & Sherwood announces investigation; Shamis & Gentile P.A. begins investigation; law enforcement notified
Nov 26, 2025
Additional multi-state AG notifications filed (Iowa, Maine, Massachusetts OCABR, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Vermont, Washington)
Dec 9, 2025
Breach posted to HHS Office for Civil Rights public portal at 319,177 affected
Dec 30, 2025
Second class action (Hartmann v. VITAS Hospice Services) reported in Bloomberg Law
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
VITAS Hospice Services, the Miami-headquartered hospice and palliative care subsidiary of Chemed Corp (NYSE: CHE) and the largest for-profit hospice provider in the United States, disclosed that an unauthorized actor used a compromised vendor account to access its network from September 21 through October 27, 2025. The intrusion, identified on October 24, 2025, exposed personal, identity, and clinical information for 319,177 current and former patients. VITAS posted substitute notice on November 21, 2025, and the incident was added to the HHS Office for Civil Rights public breach portal on December 9, 2025. At least two proposed class actions have been filed in the U.S. District Court for the Southern District of Florida.
The attacker maintained access for 36 days before detection. According to notification letters, VITAS engaged a third-party cybersecurity firm, terminated the compromised vendor account, and says it has strengthened vendor oversight and data protection protocols. The specific vendor whose credentials were abused has not been publicly identified, and no ransomware group has claimed responsibility for the intrusion.
Timeline
- September 21, 2025 — Attacker begins accessing VITAS systems through a compromised third-party vendor account.
- October 24, 2025 — VITAS identifies suspicious activity; third-party forensics firm engaged.
- October 27, 2025 — Unauthorized access window closes; containment is achieved.
- November 21, 2025 — VITAS posts substitute notice on its public site and begins individual notification mailings.
- November 24, 2025 — Miakos v. VITAS Hospice Services, LLC, Case No. 1:25-cv-25490, filed in the U.S. District Court for the Southern District of Florida.
- November 26, 2025 — Notifications submitted to the California and Texas attorneys general.
- December 9, 2025 — Breach posted to the HHS OCR public portal at 319,177 affected individuals.
- December 30, 2025 — Second putative class action (Hartmann v. VITAS Hospice Services) reported by Bloomberg Law in the Southern District of Florida.
What was exposed
The exposed data varies by individual and may include any combination of:
- Name, address, phone number, date of birth
- Social Security number
- Driver’s license number
- Next-of-kin contact information including name, phone number, and email
- Diagnoses, medications, lab results, health conditions, and treatment information
- Health insurance information
- Medicare Beneficiary Identifier numbers
- Medical record numbers
- International Classification of Disease (ICD) codes
- Health savings account information
- National Provider Identifier numbers
Notification letters confirm that both demographic identifiers and detailed clinical records were within the dataset the attacker accessed. The combination of Social Security number, driver’s license number, and clinical detail places this incident in the more serious tier of healthcare data exposures. The exposure of Medicare Beneficiary Identifier numbers and ICD codes is notable: together, they enable fraudulent Medicare billing under a patient’s identity, a form of medical identity theft that can take months or years to surface through Explanation of Benefits statements.
Sensitive-population considerations
VITAS serves hospice and palliative-care patients, which makes this incident materially different from a typical hospital or insurer breach in three ways.
First, a large fraction of the 319,177 affected individuals are deceased, and the notification process therefore necessarily reaches next of kin and surviving family members rather than the patients themselves. The notification letters explicitly call out the exposure of next-of-kin contact information.
Second, end-of-life clinical context is uniquely sensitive. Diagnoses, medications, and treatment information in a hospice record include terminal prognoses, palliative-sedation regimens, and goals-of-care documentation that families may never have shared outside the immediate household.
Third, bereaved families are a disproportionately vulnerable scam target. Threat actors with access to a decedent’s name, address, date of birth, Social Security number, and verified hospice context can construct highly convincing impersonation lures: fake funeral-cost collection, fake estate or probate fees, fake Social Security or Medicare overpayment claims, and fake “final medical bill” demands. Surviving family members should treat any unsolicited outreach referencing the deceased’s care with extreme skepticism.
What VITAS is offering
VITAS is offering 24 months of complimentary credit monitoring and identity theft protection services through Epiq to notified individuals. The Epiq package includes: one-bureau credit monitoring, Social Security number monitoring, dark web monitoring, change-of-address monitoring, credit freeze assistance, identity restoration assistance, lost wallet assistance, up to $1 million in identity theft insurance, and monitoring for healthcare-specific identifiers including Medicare Beneficiary Identifiers, medical record numbers, ICD codes, National Provider Identifier numbers, and health savings account information.
Enrollment instructions and a unique activation code are included in the individual notification letter. VITAS states it was unaware of any misuse of the exposed data at the time notifications were issued.
A dedicated call center is available at 855-403-1586, Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding US federal holidays. If you need assistance specifically with Epiq enrollment, Epiq’s direct line is 866-675-2006, Monday through Friday, 9:00 a.m. to 5:30 p.m. Eastern Time.
Class-action posture
At least two putative class actions are on file in the U.S. District Court for the Southern District of Florida:
- Miakos v. VITAS Hospice Services, LLC, Case No. 1:25-cv-25490 (S.D. Fla., filed Nov. 24, 2025). Plaintiff Darlene Miakos is represented by Jeff Ostrow and Andrew Hausdorff of Kopelowitz Ostrow P.A. The complaint alleges violations of state and federal data privacy laws, negligence, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty, and pleads a class that includes both patients and employees.
- Hartmann v. VITAS Hospice Services LLC (S.D. Fla., reported Dec. 30, 2025). Plaintiff Claudia Hartmann asserts negligence, breach of implied contract and of confidence, and unjust enrichment.
Additional firms publicly investigating include Schubert Jonckheer & Kolbe LLP, Markovits, Stock & DeMarco, LLC, Strauss Borrelli PLLC, Migliaccio & Rathod LLP, Goldenberg Schneider LPA, and EKSM. The HHS OCR portal entry remains open.
What to do
- Freeze your credit with Equifax, Experian, and TransUnion. Because Social Security numbers and driver’s license numbers were exposed, a security freeze is materially more protective than monitoring alone. It is free, reversible, and takes about ten minutes per bureau.
- Enroll in the 24-month Epiq credit monitoring offered in your letter. The enrollment code is single-use and tied to the named individual. Call VITAS at 855-403-1586 (Mon–Fri, 9 a.m.–9 p.m. ET) or Epiq directly at 866-675-2006 (Mon–Fri, 9 a.m.–5:30 p.m. ET) if you have trouble enrolling.
- For families of deceased patients: request a credit freeze on the decedent’s file with all three bureaus, notify the Social Security Administration if not already done, and watch for fraudulent tax returns, medical-billing collections, or “final expense” scams referencing the deceased. The SSA’s Death Master File flag plus a deceased-flag with the credit bureaus materially reduces post-mortem identity-theft risk.
- Be alert to targeted phishing and phone scams. With name, address, date of birth, SSN, diagnosis, and hospice context, a threat actor can construct highly convincing impersonations of insurers, hospices, funeral homes, and Medicare. Verify any payment or information request through a phone number you look up independently.
- Watch for medical identity theft. Because diagnosis, medication, and insurance information was exposed, review insurance Explanations of Benefits and request a copy of the medical record from your insurer if you see services you do not recognize.
- Decide on the class action. If you received a VITAS notification letter, you are presumptively a class member in the pending S.D. Fla. cases. You do not need to retain counsel to remain in the class; class-member status is automatic absent an opt-out.
- Stop the ongoing flow of your hospice and palliative-care records. HealthConsent files HIPAA restriction requests so the clinical data — diagnoses, medications, ICD codes, and Medicare Beneficiary Identifier numbers — exposed in this breach is not continuously re-shared across health information exchanges and downstream data brokers.
Continue reading
Sources
- HHS Office for Civil Rights Breach Portal — federal regulatory record, posted December 9, 2025.
- HIPAA Journal — VITAS Hospice Services Discovers Month-Long Network Intrusion Affecting 319K Patients — incident timeline, exposed data fields, OCR submission date, credit-monitoring offer.
- SecurityWeek — Over 300,000 Individuals Impacted by Vitas Hospice Data Breach — attack vector, attribution status, OCR posting date.
- TechRepublic — VITAS Healthcare Breach Exposes 319K Patient Records — independent confirmation of scope and dates.
- California Attorney General — VITAS Notice of Breach Sample Letters (PDF) — primary-source notification letters submitted to California OAG.
- ClassAction.org — VITAS Hospice Services Data Breach Exposes Medical, Personal Info — notification letter date, exposed data summary.
- Top Class Actions — VITAS data breach exposed patient and employee information — Miakos case caption, case number, plaintiff counsel.
- Bloomberg Law — Vitas Hospice Services Hit With Class Action Over Data Breach — Hartmann case in S.D. Fla.
- Schubert Jonckheer & Kolbe — VITAS Investigation — plaintiff-side investigation announcement.
- Markovits, Stock & DeMarco — VITAS Data Breach Class Action Investigation — plaintiff-side investigation announcement.
- Strauss Borrelli PLLC — VITAS Hospice Services Data Breach Investigation — plaintiff-side investigation announcement (dated November 21, 2025).
- PR Newswire — Privacy Alert: VITAS Under Investigation for Breach of Over 319,000 Patient Records — investor-wire confirmation of investigation scope.
- ClaimDepot — VITAS Healthcare Data Breach (2025) — Epiq monitoring service components, call center number 855-403-1586, and confirmed healthcare-identifier exposure categories (MBI, ICD codes, NPI, HSA, medical record numbers).
- Migliaccio & Rathod LLP — VITAS Hospice Services Data Breach Investigation — plaintiff-side investigation announcement.
- JoinTheCase — VITAS Hospice Services Data Breach — confirms Epiq as credit monitoring vendor; notes enrollment deadline stated in individual letters.
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- HIPAA Journal — VITAS Hospice Services Discovers Month-Long Network Intrusion Affecting 319K Patients
- SecurityWeek — Over 300,000 Individuals Impacted by Vitas Hospice Data Breach
- TechRepublic — VITAS Healthcare Breach Exposes 319K Patient Records
- California Attorney General — VITAS Notice of Breach Sample Letters
- ClassAction.org — VITAS Hospice Services Data Breach Exposes Medical, Personal Info
- Top Class Actions — Vitas Hospice Services data breach exposed patient, employee information, class action says
- Bloomberg Law — Vitas Hospice Services Hit With Class Action Over Data Breach
- Schubert Jonckheer & Kolbe — VITAS Hospice Services Investigation
- Markovits, Stock & DeMarco — VITAS Hospice Services Data Breach Class Action Investigation
- Strauss Borrelli PLLC — VITAS Hospice Services Data Breach Investigation
- PR Newswire — Privacy Alert: VITAS Hospice Services Under Investigation for Data Breach of Over 319,000 Patient Records
- ClaimDepot — VITAS Healthcare Data Breach: Epiq monitoring details, call center, and healthcare-ID exposure
- Migliaccio & Rathod LLP — VITAS Hospice Services Data Breach Investigation
- JoinTheCase — VITAS Hospice Services Data Breach: Epiq credit monitoring confirmed
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.