On Dec. 26, 2024, Central New York Cardiology detected unusual activity on its network, prompting an immediate investigation with the help of third-party cybersecurity specialists. The investigation revealed that an unauthorized individual gained access to certain parts of the company’s network between Dec. 26 and Dec. 30, 2024. During this period, sensitive information was acquired by the intruder.
The breach was significant in scope, as it potentially exposed a wide range of both personally identifiable information (PII) and protected health information (PHI). The information at risk included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, diagnosis or condition details, health insurance information, provider names, treatment information and financial account information. For some individuals, multiple data elements may have been involved.
Central New York Cardiology’s investigation into the full extent of the breach is ongoing. As of July 29, 2025, the company has confirmed that at least 21 Massachusetts residents were affected, with additional individuals impacted in other states.
The company has posted a detailed notice for patients and the public on its website. Additional details about the breach are available in the Massachusetts Attorney General’s disclosure, the Vermont Attorney General’s disclosure and the U.S. Department of Health and Human Services breach portal.
For those affected, the company is offering complimentary credit monitoring and identity protection services for up to twenty-four months. Impacted individuals have been or will be contacted directly with instructions on how to enroll in these services. The company encourages everyone who may have been affected to remain vigilant by regularly reviewing account statements, credit reports and explanation of benefits forms for any unauthorized or suspicious activity.
Affected individuals are advised to:
A dedicated assistance line is available at 877-423-1434, Monday through Friday from 9 a.m. to 9 p.m. Eastern time, for anyone with questions or concerns regarding the breach.
A breach notice means your personal details could be circulating far beyond the organization involved. One practical step is continuous monitoring: services such as Identity Defender (included with an ExpressVPN subscription) can automatically check dark-web markets, flag new credit-file activity, and request removal of your information from data-broker sites.
This kind of “early-warning system” can’t undo a breach, but it can help you spot misuse quickly and limit further exposure. ExpressVPN is offering 61% off, risk-free for 30 days, with ID Theft Insurance included and no extra cost for those who sign up for one or two years.