EyeCare Partners Data Breach Exposes SSNs, Government IDs, and More

Published: February 6, 2026
Updated: February 6, 2026

EyeCare Partners, LLC, a leading provider in the hospital and health care industry, recently reported a data breach that affected personal and health information of patients in its network. The incident was disclosed to the Massachusetts Office of Consumer Affairs and Business Regulation on Feb. 4, 2026, with three individuals in Massachusetts confirmed as affected, though the total number nationwide has not been specified.

The breach was first detected on Jan. 28, 2025, when suspicious activity was identified in an ECP-managed email account. An internal investigation was launched, followed by the engagement of a forensic security firm to assess the situation and secure the network. The investigation revealed that an unauthorized third party had temporarily accessed multiple ECP-managed email accounts between Dec. 3, 2024, and Jan. 28, 2025.

After a comprehensive review, completed on Nov. 11, 2025, it was determined that the exposed information varied by individual but may have included names, contact information, Social Security numbers, dates of birth, driver’s license or government identification numbers, health plan details and limited clinical information.

While medical records and detailed clinical notes were not accessed, the incident still involved both personally identifiable information (PII) and protected health information (PHI).

EyeCare Partners's response

In response to the breach, ECP secured the compromised accounts and engaged cybersecurity experts to investigate the incident and confirm the integrity of their systems. The company has reviewed and enhanced its technical security measures and provided additional reminders to employees about recognizing suspicious emails.

For those affected, ECP is offering complimentary Single Bureau Credit Monitoring, Credit Report and Credit Score services for 24 months through Cyberscout, a TransUnion company. These services include credit file alerts, access to credit reports and proactive fraud assistance. Individuals must enroll within 90 days of receiving notification to take advantage of these protections.

Given the nature of the breach, individuals are encouraged to:

  • Enroll in the free credit monitoring service provided
  • Monitor account statements and credit reports closely for suspicious activity
  • Consider placing a security freeze or fraud alert on credit files with the major credit bureaus
  • Report any suspected identity theft to local law enforcement and the Federal Trade Commission

ECP has established a confidential, toll-free inquiry line for further assistance, as detailed in the official notice to consumers.

Types of information affected
  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical Information
  • Financial Info
  • Affected information types not yet disclosed


Affected Entity
EyeCare Partners
Consumers Notification date
Date of Breach
Breach Discovered Date
Total People Affected
Information Types Exposed
  • Drivers Licenses
  • Social Security number
  • Contact information
  • Date of birth
  • Drivers license/government identification number
  • Health plan information
  • Limited clinical information
  • Name
  • Social security numbers