Avala Data Breach Exposes Sensitive Patients' Social Security Numbers

On May 30, 2025, Avala, a physician-led and physician-owned hospital and health care provider based in Covington, Louisiana, discovered a cybersecurity incident within its IT systems. Immediately after identifying the breach, Avala engaged third-party cybersecurity experts to assess, contain and remediate the situation.

The investigation concluded on or around July 23, 2025, and revealed that patient data. both personally identifiable information (PII) and protected health information (PHI), was exposed as a result of the incident.

The exposed information includes names, addresses, dates of birth, medical treatment information, health insurance information and Social Security numbers.

Avala has stated that they are notifying individuals whose personal information was involved and are providing resources to help protect their information. For more information, Avala has posted a data security incident notice on their website.

Avala's response

For affected individuals, Avala is providing resources and guidance to help protect their information. They recommend the following steps to monitor for signs of medical identity theft:

• Only share health insurance cards with healthcare providers and trusted family members involved in medical care
• Review explanation of benefits statements from health insurance companies and follow up on any unfamiliar items with the insurer or care provider
• Request a current year-to-date report of all services paid for by the insurance company and confirm the accuracy of any unfamiliar items

Individuals who believe they may be affected are encouraged to remain vigilant and to monitor their medical and insurance records for any suspicious activity. If any discrepancies or unauthorized activities are found, they should contact their insurance provider and care provider promptly.