Clinical Registry Solutions Data Breach Exposes Sensitive Patient Data

Brooklyn-based healthcare data management company, Clinical Registry Solutions, disclosed a data breach that involved patient information it maintained on behalf of St. Mary's Medical Center, a Dignity Health hospital. CRS is a vendor that provides clinical data abstraction and registry support services to hospitals and health systems.

CRS discovered the incident on April 9, 2026, according to the company's notification to consumers. The total number of individuals affected in the United States was not publicly disclosed.

On April 9, 2026, CRS identified suspicious activity within its network. The company stated that it took steps to secure the network and launched an investigation into the nature and scope of the incident.

The investigation found that an unauthorized party accessed CRS's network on that date and that certain files containing patient information from St. Mary's Medical Center were acquired during the intrusion, according to the notification.

On May 6, 2026, the ransomware group known as Akira claimed responsibility for the attack on a Tor-based dark web site. The group stated it had obtained 41 GB of data from Clinical Registry Solutions. According to the dark web posting, the compromised data reportedly includes detailed employee personal information such as passports, driver's licenses, Social Security numbers and health data.

The group also claimed to have obtained client documents, financial records, payment details, contracts, agreements and non-disclosure agreements.

In its notification to affected consumers, CRS described a more limited scope of exposed patient data. The company stated that the patient information involved included first and last names, medical record numbers and procedure dates. These data types include both personally identifiable information and protected health information.

The company also noted in its notification that the exposed data did not include Social Security numbers, diagnoses or treatment plans. The data that Akira claims to have obtained encompasses employee information and corporate records that go beyond the patient data described in CRS's notification.

The breach was disclosed to the California Attorney General.

Clinical Registry Solutions' response

Upon discovering the incident, CRS stated that it took immediate action to secure its network and investigate the breach, according to the company's notification. The company reviewed the affected data to determine whether it contained protected health information or sensitive personal information. CRS then worked to identify the individuals whose information was involved and to notify them promptly.

In its notification, CRS stated that it has "no evidence of misuse of any protected health information and/or personal information, including for fraud or identity theft, as a result of this incident." The company also wrote, "We remain committed to protecting your trust in us and continue to be thankful for your support and understanding."

CRS sent notification letters to affected individuals through Cyberscout, a TransUnion company that is managing the breach response on CRS's behalf. The notification included an enclosed document outlining steps consumers can take to help protect their information, such as placing fraud alerts, requesting credit freezes and monitoring credit reports.

The company has also established a dedicated call center through Cyberscout to assist affected individuals with questions about the incident. The call center can be reached at 1-800-405-6108, Monday through Friday from 8:00 a.m. to 8:00 p.m. EST, excluding major U.S. holidays. CRS can also be contacted by mail at 306 Gold St., Suite 31E, Brooklyn, NY 11201.