Carolina Foot & Ankle: Data Breach Exposes PII and PHI

Published: February 19, 2026
Updated: February 19, 2026

Carolina Foot & Ankle Associates (CF&A), a podiatry practice based in Hickory, N.C., recently experienced a data breach on Dec. 8, 2025. CF&A discovered a network disruption that led to unauthorized access to certain files.

Upon learning of the incident, CF&A secured its network environment and engaged cybersecurity experts to investigate. The investigation determined that an unauthorized third party may have acquired files containing sensitive information. A thorough review confirmed that some individual health information was potentially accessed.

The types of information exposed in this breach include both personally identifiable information (PII) and protected health information (PHI). Specifically, the data may have included first and last names, addresses, phone numbers, dates of birth, medical record numbers, health insurance information, diagnostic/CPT codes and dates of service.

Not every individual had all of these data elements exposed, and importantly, Social Security numbers and financial information were not impacted. The company also clarified that its electronic medical records system and complete medical records were not affected.

The breach has been reported to the U.S. Department of Health and Human Services. Additionally, the full notice to consumers is posted on the company’s website.

Carolina Foot & Ankle Associates’s response

To support those affected, CF&A is offering complimentary credit monitoring and identity theft protection services for twelve months. Impacted individuals are being notified directly and are encouraged to enroll in these services and follow the recommendations provided in the notification letter.

Those affected should remain vigilant by monitoring their accounts and considering placing fraud alerts on their credit files.

Information Types Exposed
  • first name
  • last name
  • address
  • phone number
  • date of birth
  • medical record number
  • health insurance information
  • diagnostic/CPT codes
  • dates of service