Active breach tracker Weiser, Idaho Disclosed May 12, 2025

Weiser Memorial Hospital Data Breach 2025: 59,990 Rural Idaho Patients Exposed After EMBARGO Ransomware Hit Critical-Access Hospital

Weiser Valley Hospital District (dba Weiser Memorial Hospital), a 25-bed critical-access hospital in Weiser, Idaho, confirmed that the EMBARGO ransomware group accessed its network on September 4, 2024 and exfiltrated files containing names, Social Security numbers, government IDs, diagnoses, treatment information, and Medicare/Medicaid data for 59,990 current and former patients. File review concluded April 21, 2025, individual notification letters began mailing May 12, 2025, and the HIPAA breach report was filed with HHS OCR on May 15, 2025. Affected individuals were offered complimentary single-bureau credit monitoring through Cyberscout.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Sep 4, 2024

EMBARGO ransomware group accesses Weiser Memorial Hospital's network and exfiltrates files on or around this date

Sep 4, 2024

Hospital identifies unusual network activity the same day, secures the network, and engages third-party cybersecurity experts; first public statement posted to the hospital's Facebook page on September 5, 2024

Oct 4, 2024

EMBARGO ransomware-as-a-service group's stated leak-site deadline to publish approximately 200 GB of allegedly exfiltrated WMH data

Apr 21, 2025

Forensic file review concludes; affected individuals and specific data elements identified

May 12, 2025

Individual notification letters begin mailing via Cyberscout (a TransUnion company); substitute notice posted; dedicated call center 1-833-799-3704 opens (Mon-Fri 6:00 AM-6:00 PM MT); complimentary single-bureau credit monitoring, credit report, and credit score services offered; notice filed with the Vermont Attorney General the same day

May 12, 2025

Disclosed publicly

May 14, 2025

Federman & Sherwood announces class-action investigation; Migliaccio & Rathod LLP and Potter Handy LLP open parallel investigations the same week

May 15, 2025

HIPAA breach report filed with HHS OCR (59,990 affected, Hacking/IT Incident, location of breached information: Network Server)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number Other government identification numbers

02

Health records

Don't expire and can't be reissued

Medical diagnoses Treatment and procedure information

03

Contact & insurance

Phishing + targeted scams

Full name Medicare/Medicaid numbers Health insurance information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Federman & Sherwood (investigating) Migliaccio & Rathod LLP (investigating) Potter Handy LLP (investigating) Morgan & Morgan (investigating)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Weiser Memorial Hospital - operated by Weiser Valley Hospital District, a 25-bed nonprofit critical-access hospital in Weiser, Idaho, a small farming and ranching community of roughly 6,300 in Washington County on the Snake River at the Oregon border - confirmed that an unauthorized third party accessed its network on or around September 4, 2024 and exfiltrated files containing sensitive personal and protected health information for 59,990 current and former patients. The intrusion was attributed to the EMBARGO ransomware group, which publicly claimed to have stolen approximately 200 GB of hospital data and posted WMH to its data-leak site in late September 2024. The hospital completed file review on April 21, 2025, began mailing individual notification letters on May 12, 2025 via Cyberscout (a TransUnion company), and filed the HIPAA breach report with HHS OCR on May 15, 2025. The OCR portal classifies the event as a Hacking/IT Incident with location of breached information Network Server.

Timeline

  • September 4, 2024 - Unusual activity identified on Weiser Memorial Hospital’s network. The hospital secures the network the same day and engages third-party cybersecurity experts. On September 5, 2024, WMH posts its first public statement to its Facebook page; updates continue through mid-September.
  • Late September 2024 - The EMBARGO ransomware-as-a-service group claims responsibility, publishes WMH on its data-leak site, and states it has exfiltrated approximately 200 GB of hospital data.
  • October 4, 2024 - EMBARGO’s publicly stated deadline to release the allegedly exfiltrated data if its ransom demand is not paid.
  • April 21, 2025 - Forensic file review concludes. WMH identifies the specific individuals affected and the data elements involved.
  • May 12, 2025 - Individual notification letters begin mailing via Cyberscout. Substitute notice is posted. Dedicated hotline opens at 1-833-799-3704, Monday through Friday, 6:00 AM to 6:00 PM Mountain Time. The hospital’s outside counsel, Constangy, Brooks, Smith & Prophete, LLP, files notices with multiple state attorneys general; confirmed AG filings include California, Iowa, Maine, Massachusetts (OCABR), Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington between May 12 and May 19, 2025.
  • May 14, 2025 - Federman & Sherwood publicly announces a class-action investigation. Migliaccio & Rathod LLP and Potter Handy LLP open parallel investigations the same week. Morgan & Morgan publishes a breach blog post on May 27, 2025, signaling its own potential investigation.
  • May 15, 2025 - HIPAA breach report filed with HHS OCR. The portal entry lists 59,990 affected, Hacking/IT Incident, location Network Server. (An earlier interim filing with the Maine Attorney General had listed 34,249.)

What was exposed

Per the substitute notice and the individual notification letters mailed beginning May 12, 2025, the data elements potentially exposed vary by individual but include:

  • Full name
  • Date of birth
  • Social Security number
  • Other government identification numbers
  • Medical diagnoses
  • Treatment and procedure information
  • Medicare/Medicaid numbers and health insurance information

This is the full identity-theft and medical-identity-theft package: name plus SSN plus government ID plus clinical and insurance detail. Bank account and payment-card data have not been reported as part of this breach, but the confirmed elements are sufficient to support new-account fraud, fraudulent tax filings, and medical-services fraud against the affected individuals’ insurance coverage.

Sensitive-population considerations: rural Idaho/eastern Oregon patients

Weiser Memorial Hospital is the local critical-access hospital for not only the city of Weiser and surrounding Washington County, Idaho, but also for Malheur County, Oregon, across the Snake River - including patients in Ontario, Vale, and the smaller communities along Highway 95. Three considerations matter for affected individuals in this population.

Notification logistics are harder in rural counties. The standard playbook (read your letter, log in to three credit-bureau websites, enroll in monitoring with an activation code by a deadline) assumes reliable broadband, a personal device, and comfort with online authentication that many rural and older patients do not have. The hospital’s hotline at 1-833-799-3704 can walk callers through their activation code; the credit bureaus also accept freezes by phone and by mail.

An affected population of 59,990 against a host city of roughly 6,300 means the letter reaches well beyond city limits. Affected patients are scattered across two states and several rural counties. Many will receive the letter at a current address that is hours from the hospital, and for Oregon residents the standard state-AG and FTC referrals apply alongside the Idaho ones.

Full-clinical, full-identity exposure is more dangerous in small communities. When SSNs, diagnoses, and treatment detail leave a hospital that serves a small population, the inferences possible from the combination are sharper than in a metro-area breach. Affected individuals in close-knit communities have an additional reason to monitor for targeted phishing and social-engineering attempts.

What the hospital is offering

In the May 12, 2025 notification, Weiser Memorial Hospital offered:

  • Complimentary single-bureau credit monitoring, credit report, and credit score services through Cyberscout (a TransUnion company). Enrollment is via the activation code printed in each individual’s notification letter; the activation deadline is printed on the letter.
  • A dedicated toll-free call center at 1-833-799-3704, Monday through Friday, 6:00 AM to 6:00 PM Mountain Time, for questions about the incident and for help activating the credit-monitoring service.
  • Guidance to use the Federal Trade Commission’s identity-theft resources at ftc.gov, including instructions for placing a credit freeze with the three nationwide consumer reporting agencies, and pointers to state attorney general resources. WMH filed notices in at least 13 states (California, Iowa, Maine, Massachusetts, Montana, Nebraska, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington), reflecting the geographic spread of its former patient population across the western United States.

WMH has also stated it has taken steps to improve its security posture to prevent similar incidents in the future, though the substitute notice does not enumerate the specific controls added. Note that the credit-monitoring offering is single-bureau rather than tri-bureau, which is at the lower end of the range typically offered after a Social Security number exposure of this scope.

Class-action posture

As of this update, no consolidated class-action complaint has been filed against Weiser Valley Hospital District or Weiser Memorial Hospital. Four plaintiffs’ firms have opened investigations:

  • Federman & Sherwood announced its investigation on May 14, 2025, two days after notification mailing began. The firm is in the investigative phase, soliciting potential class representatives; no complaint has been filed.
  • Migliaccio & Rathod LLP opened an investigation announcement dated May 15, 2025.
  • Potter Handy LLP opened a parallel investigation page.
  • Morgan & Morgan published a breach blog post on May 27, 2025 through its For The People platform, signaling potential litigation interest for affected patients.
  • ClassAction.org’s plaintiffs’-firm panel opened a public investigation page and has since concluded its investigation without filing a lawsuit; the page is now flagged as reference-only.

A consolidated class action covering Weiser Memorial Hospital would most likely be filed in the U.S. District Court for the District of Idaho (the federal district covering Weiser). As of this update, no such case is publicly docketed. This page will be updated if a complaint is filed and a case number issues.

What to do

If you received a notification letter from Weiser Memorial Hospital - whether as a current or former patient - treat this as a high-severity exposure. The combination of name, Social Security number, government ID, and clinical detail warrants stacking defenses, not relying on the single-bureau monitoring alone.

  1. Freeze your credit at all three bureaus - Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau online (and can be done by phone or mail), and blocks new-account fraud. With Social Security numbers and government ID numbers in the data set, this is the single highest-leverage step.
  2. Enroll in the complimentary credit monitoring through Cyberscout using the activation code printed in your notification letter. Activation deadlines are printed on the letter; do not let it lapse. Because the offering is single-bureau, the freezes in step 1 cover the other two bureaus.
  3. Call the hospital hotline at 1-833-799-3704 (Monday through Friday, 6:00 AM to 6:00 PM Mountain Time) if you have not received a letter and believe you should have, or if you need help with the activation code.
  4. Watch your Explanation of Benefits statements from Medicare, Medicaid, and any private health insurer. Patients are at heightened risk of medical-identity theft (someone using your insurance to obtain care or prescriptions). Report any line item you do not recognize to your insurer and to the provider listed on the EOB.
  5. Request an IRS Identity Protection PIN (IP PIN). Free at irs.gov/ippin. With an exposed Social Security number, this is the most reliable way to block fraudulent tax filings under your name.
  6. Be skeptical of unsolicited phone, email, or text outreach claiming to be from Weiser Memorial Hospital, Cyberscout, TransUnion, “the FTC,” or “Medicare.” Threat actors routinely follow large breaches with targeted phishing using leaked identifiers. WMH and Cyberscout will not ask for your full Social Security number or bank login by phone.
  7. Document everything. If a class action is later filed in the District of Idaho, evidence of any out-of-pocket losses, time spent on remediation, or downstream identity-theft incidents will matter to a claim.
  8. Stop the ongoing flow of your hospital records. HealthConsent files HIPAA restriction requests so the medical, diagnostic, and insurance data exposed in this breach is not continuously re-shared across health information exchanges, insurers, and data brokers. The breach happened once; re-disclosure happens every time your record is shared without a restriction in place.

Sources

This page synthesizes sixteen sources; every fact above is cross-referenced against at least one independent source, and unsourced detail has been omitted.

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.