Active breach tracker Pennsylvania Disclosed February 13, 2026

VPS Medical PLLC Data Breach 2026: 4,600 Pennsylvania Patients Exposed. Entity Not Publicly Verified. What To Do

VPS Medical PLLC filed an HHS OCR breach on February 13, 2026 affecting 4,600 Pennsylvania patients. As of mid-May 2026, the entity is not publicly verifiable through the NPI Registry, PA AG portal, HIPAA Journal, or DataBreaches.net. No entity notice, AG filing, or press coverage has surfaced. Here is what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Feb 13, 2026

HHS OCR filing (no other dates publicly disclosed)

Feb 13, 2026

Attacker gained access

Feb 13, 2026

Breach detected

Data exposed

03

Contact & insurance

Phishing + targeted scams

Full name (specific PHI categories not publicly disclosed)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

VPS Medical PLLC filed with HHS OCR on February 13, 2026 — Hacking/IT Incident at Network Server — confirming 4,600 affected individuals in Pennsylvania.

That is the entirety of what is publicly known.

Why this page is a placeholder

As of mid-May 2026 — more than 90 days after the OCR filing — the entity itself is not publicly verifiable through standard healthcare-provider channels:

  • NPI Registry (CMS National Plan and Provider Enumeration System): No “VPS Medical PLLC” organization with a Pennsylvania state listing surfaces. Three “VPS” healthcare entities exist nationally (a New York-registered plastic surgery PLLC, a New Jersey home-care PC, and a Michigan healthcare PLLC unrelated to this filing) — none cleanly map to a Pennsylvania “VPS Medical PLLC.”
  • Pennsylvania AG Notice of Data Incident page (attorneygeneral.gov/notice-of-data-incident): no VPS Medical filing surfaced.
  • HIPAA Journal February 2026 monthly report: no “VPS” entity listed. The PA entries for that month were WIRX Pharmacy (20,047) and AccentCare-PA (19,772).
  • DataBreaches.net, ClaimDepot, JD Supra, ClassAction.org: no 2026 PA “VPS” filings.
  • Maine AG, California AG, Massachusetts AG portals: no VPS Medical entries.

The HHS OCR row is the only public artifact. The lack of any derivative public footprint at 90+ days post-filing is unusual.

Possible identifications (unconfirmed)

Three candidates have surfaced in research but none cleanly maps to “VPS Medical PLLC” + Pennsylvania:

  1. V P S Medical PLLC (NPI 1184971624) — New York-registered plastic surgery practice at a Manhattan residential address. Could plausibly operate a PA satellite, but no PA registration found.
  2. Vocational and Psychological Services (vpsdocs.com) — Western PA behavioral health and IDD services across 6 counties. Initials match and the state matches, but the practice’s public name is not “VPS Medical PLLC.”
  3. A separate small PLLC formed in PA that is not yet indexed by the NPI Registry or major search engines.

Do not assume any of these is the correct entity until a notification letter, PA AG filing, or entity press release surfaces.

What was potentially exposed

Specific PHI categories have not been publicly disclosed. For a PA medical PLLC breach of this size (4,600 individuals), the typical exposure profile for a Hacking/IT Incident at Network Server would include:

  • Full name, date of birth, address
  • Social Security number
  • Medical record number, diagnosis, treatment information
  • Health insurance information

This is inference, not fact. Do not assume any specific category until VPS Medical PLLC issues a notice.

What to do

  1. If you received a notification letter from VPS Medical PLLC, that letter is currently the only authoritative source of information about your case. Read it carefully.
  2. If you are a patient of any “VPS” healthcare entity in Pennsylvania and have not received a letter, contact the practice directly to ask whether your records were in the affected set.
  3. Place free credit freezes at Equifax, Experian, TransUnion as a baseline precaution.
  4. Watch your insurance Explanation of Benefits for unfamiliar claims.
  5. Stop the ongoing flow of your medical records. HealthConsent files HIPAA restriction requests across providers, insurers, and prescription networks.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.