Arbor Associates Data Breach Exposes Sensitive PHI & PII

On April 17, 2025, Arbor Associates Inc. discovered unusual activity on its network, prompting a response to secure its systems and launch an investigation with the help of independent cybersecurity experts.

The investigation revealed that between April 15 and April 17, certain files may have been acquired without authorization. By May, Arbor Associates determined that these files contained sensitive information belonging to individuals whose data they process on behalf of healthcare providers.

The breach exposed a range of personally identifiable information (PII) and protected health information (PHI). The types of information potentially accessed include first and last names, contact information, age, biological sex, date of birth, service date, CPT or diagnosis code, medical record number, name of insurance and doctor’s name. Affected individuals include 1,545 Texas residents, 8,995 Washington residents, 551 in Massachusetts and one in Montana.

The incident was reported to the California, Massachusetts, Montana, Vermont, Washington and Texas Attorney Generals' offices beginning on July 3, 2025. Arbor Associates has not specified the total number of affected individuals in any public disclosure, but the breadth of information exposed and the nature of Arbor’s work with healthcare providers suggest the impact could be significant.

The data breach was also disclosed to the U.S. Department of Health and Human Services on July 3, 2025.

Arbor Associates' response

Following the discovery of the breach, Arbor Associates acted quickly to secure its network and engaged cybersecurity experts to investigate the incident. The company has implemented additional security measures to reduce the risk of similar incidents in the future.

Arbor Associates is advising affected individuals to remain vigilant by reviewing account statements and explanation of benefits forms for any errors or unrecognized activity. The company recommends that individuals consider obtaining a free copy of their credit report from each of the three major credit bureaus and to place a fraud alert or a security freeze on their credit files if they detect suspicious activity.

Resources for further protection include contact information for the Federal Trade Commission, state attorneys general and credit bureaus. Arbor Associates has provided a dedicated call center at 833-367-8607, available Monday through Friday from 8 a.m. to 8 p.m. Eastern time, to assist those who may have been affected.

More information about the company and its services can be found on the Arbor Associates website.