Academic Urology & Urogynecology of Arizona Data Breach Affects 73k People

On May 22, 2025, Academic Urology & Urogynecology of Arizona experienced a major data breach involving unauthorized access to its computer network by a ransomware group. The incident was discovered on Jan. 30, 2026, after an extensive forensic investigation revealed that between May 18 and May 22, 2025, certain files containing sensitive information may have been accessed or acquired by an unauthorized party.

According to the company’s filing with the Maine Attorney General, a total of 73,281 people across the United States were affected, including, six residents in Maine, two in New Hampshire and four in Rhode Island.

The breach was the result of a ransomware attack attributed to the INC RANSOM threat actor, who claimed responsibility on a dark web posting dated June 17, 2025. The group alleged that they had obtained data from the organization and posted about the incident on the Tor network, further heightening concerns about the potential misuse of the stolen information.

The types of information exposed in this breach were extensive and included both personally identifiable information (PII) and protected health information (PHI).

The exposed data may have included: full name, Social Security number, address, date of birth, driver’s license number or government-issued identification number, passport number, tribal identification card, digital signatures, tax identification number or IRS-issued identity protection personal identification number, health insurance policy number or subscriber identification number, unique health insurer identifiers, financial account information, credit or debit card information, diagnosis and conditions information, lab results, medications, and information in application or claims history, including appeals records.

The breach was additionally disclosed to the attorneys general offices of New Hampshire, and Vermont. The company released data security notice on its website.

Academic Urology & Urogynecology of Arizona's response

Affected individuals began receiving written notifications on Feb. 12, 2026, and the company also posted a public notice on its website. Out of an abundance of caution, Academic Urology & Urogynecology of Arizona is offering complimentary credit monitoring and identity theft protection services for up to 24 months through IDX. Impacted individuals have until May 12, 2026, to enroll in these services.

The company recommends that affected individuals take the following steps:

• Enroll in the free credit monitoring and identity theft protection provided
• Place a fraud alert on credit files with any of the three major credit bureaus
• Consider placing a security freeze on credit reports to prevent unauthorized access
• Obtain and review free annual credit reports for discrepancies or unauthorized activity
• Remain vigilant by monitoring financial account statements, explanation of benefits statements and credit reports for signs of fraud or irregular activity
• Contact their financial institution if financial account or card information was impacted

Additionally, the company has provided resources and guidance for protecting against medical identity theft, including reviewing insurance statements and requesting a year-to-date report of all services paid by insurers.

For more information, affected individuals can call the dedicated response line listed in their notification letter, available Monday through Friday from 6 a.m. to 6 p.m. Pacific Time.