On May 23, 2025, Access2Day Health, a provider of employer-sponsored medical clinic memberships, reported a data breach to the U.S. Department of Health and Human Services (HHS). According to the HHS breach portal, a total of 4,908 individuals in the United States were affected by this incident.
While the specific method of the breach and the identity of the responsible party have not been publicly disclosed, the incident was significant enough to require federal notification. The types of information exposed in this breach may include personally identifiable information (PII) such as names, addresses, dates of birth, and potentially Social Security numbers, as well as protected health information (PHI) like medical history, treatment information, and insurance details. The combination of PII and PHI in a single breach can increase the risk of identity theft and medical fraud for those affected.
The fact that nearly 5,000 individuals were impacted underscores the seriousness of this event. Access2Day Health’s membership model means that the exposed data likely belonged to employees and their covered dependents from various employers. It is important for anyone who has received care through Access2Day Health clinics to be vigilant for any unusual activity related to their personal or health information.
Following the discovery of the breach, Access2Day Health took steps to notify federal authorities, as evidenced by the timely report to the HHS. While detailed information about their internal response has not been made public, companies in the healthcare sector typically initiate an investigation, secure affected systems, and work to identify the scope of the breach. They may also offer resources such as credit monitoring or identity theft protection to those whose data was exposed.
If you are an Access2Day Health member or have received a notification about this breach, consider taking the following steps: