Earlier this year, Commonwealth Trust Company experienced a data breach involving unauthorized access to a company email account. On May 13, 2025, an unauthorized actor gained access to an employee’s email account for a limited period and obtained emails from the account. An investigation was launched immediately after suspicious activity was detected, focusing on the nature and scope of the incident.
After reviewing the compromised email account, the company determined that sensitive information was present in the affected emails.
The information exposed included both personally identifiable information (PII) and protected health information (PHI): name, treating or referring physician, patient account number, account number, treatment information, prescription or medication information, individual insurance or subscriber number, account number with bank name, Social Security number, medical record number, medical billing or claims information, other health insurance information and date of birth.
The breach was officially reported to the Massachusetts Attorney General on Sept. 19, 2025. According to the disclosure, seven Massachusetts residents were affected. Commonwealth Trust Company completed its review of the incident on Aug. 4, 2025, and has since worked to verify the information involved and confirm current address information for notification purposes.
In response to the breach, Commonwealth Trust Company took immediate steps to secure the compromised email account and launched a comprehensive investigation to determine the extent of the incident. The company also implemented additional technical and administrative security measures to further protect its systems and the information in its care.
To assist those affected, Commonwealth Trust Company is offering complimentary credit monitoring, a single bureau credit report, and a single bureau credit score for 24 months through Cyberscout, a TransUnion company specializing in fraud assistance and remediation services. Impacted individuals are encouraged to enroll in these services within 90 days of receiving their notification letter. The company has provided detailed instructions for enrollment and established a dedicated phone line for questions about the breach or the credit monitoring services.
Given the nature of the breach, which involved access to both PII and PHI, affected individuals should remain vigilant for signs of identity theft or fraud. They are advised to review account statements regularly, monitor their free credit reports for suspicious activity, and consider placing a fraud alert or credit freeze with the major credit bureaus if necessary. The company also provided guidance on how to contact the Federal Trade Commission and state attorneys general for further information on protecting personal information.
A breach notice means your personal details could be circulating far beyond the organization involved. One practical step is continuous monitoring: services such as Identity Defender (included with an ExpressVPN subscription) can automatically check dark-web markets, flag new credit-file activity, and request removal of your information from data-broker sites.
This kind of “early-warning system” can’t undo a breach, but it can help you spot misuse quickly and limit further exposure.