Clinic Service Corp Data Breach Exposes PII and PHI

On Aug. 17, 2025, Clinic Service Corporation, a Denver-based medical billing and practice management company, discovered unusual activity on its network. An investigation with cybersecurity specialists revealed that an unauthorized party had gained access to certain information stored within the company’s network between Aug. 10 and Aug. 17, 2025.

The company’s ongoing review determined that the types of information potentially exposed included both personally identifiable information (PII) and protected health information (PHI).

Specifically, the data may have included names, addresses, phone numbers, email addresses, payment card information, dates of birth, medical diagnosis and treatment information, dates of service, patient ID numbers, medical record numbers, Medicare or Medicaid numbers, health insurance information, health insurance claim numbers, health insurance policy numbers and treatment cost information.

While the company has not disclosed the specific method of intrusion or the identity of the threat actor, the exposed information could be used for identity theft, financial fraud or medical identity theft.

The breach was reported to authorities and affected clients after a thorough review, with notifications beginning in December 2025 and continuing into January 2026. The Massachusetts Office of Consumer Affairs and Business Regulation was part of the notified group.

The company has also posted a notice of the data incident on its website.

The breach has affected 15 individuals in Massachusetts, according to current disclosures.

Clinic Service Corporation's response

After discovering the breach, Clinic Service Corporation reset passwords and reviewed internal policies and procedures related to data privacy and security.

Affected individuals were notified directly, and the company began offering complimentary credit monitoring and identity protection services through Cyberscout, a TransUnion company. These services include credit file monitoring, fraud assistance and alerts for at least 12 months from the date of enrollment.

For those who may be affected, it is important to remain vigilant. Individuals are encouraged to review their credit reports, account statements and explanation of benefits forms for any suspicious activity.

Under U.S. law, everyone is entitled to one free credit report annually from each of the three major credit reporting bureaus.

Clinic Service Corporation has also provided a dedicated call center at 1-833-580-0434 for questions and assistance, and further information is available on its website.