Gastro Health Data Breach Exposes Protected Personal & Health Information

Gastro Health, a large gastroenterology medical group with more than 200 locations across the United States, disclosed a data breach that it discovered on Feb. 25, 2026.

The breach was disclosed to the Massachusetts Office of Consumer Affairs and Business Regulation on May 29, 2026, with 291 Massachusetts residents identified as affected. Gastro Health also posted a notice on its website with details about the incident and steps affected individuals can take.

The breach resulted from phishing attacks targeting Gastro Health employees. On Feb. 25, 2026, the company became aware of a phishing incident involving some of its personnel that resulted in unauthorized access to certain files and systems accessible to those employees.

According to the company's website notice, on March 2, 2026, Gastro Health became aware of a separate phishing incident involving one of its employees that also resulted in unauthorized access to certain files.

After discovering both incidents, Gastro Health conducted a detailed review of the affected files. That review found that personal information belonging to certain individuals was contained in the relevant data.

The types of information exposed varied by individual. Personally identifiable information (PII) that may have been affected includes names, dates of birth, Social Security numbers and government-issued or state-issued ID numbers. Protected health information (PHI) that may have been affected includes medical record numbers, patient account numbers, Medicare or Medicaid numbers, health insurance or group account numbers, diagnosis or treatment information, prescription information and provider or clinic information.

Gastro Health's response

Because the breach involved sensitive information such as Social Security numbers and medical data, Gastro Health is offering affected individuals 24 months of free identity protection services through Epiq Privacy Solutions ID at no cost.

The identity protection package includes three-bureau credit monitoring with alerts, a monthly VantageScore 3.0 credit score with score tracking, Social Security number monitoring across situations like loan applications and tax filings, dark web monitoring, change of address monitoring, credit freeze assistance and personal information protection that helps users find and remove their exposed data from people search sites and data brokers.

The package also includes identity restoration and lost wallet assistance from dedicated specialists, up to $1 million in identity theft insurance with a $0 deductible and up to $1 million in unauthorized electronic funds transfer reimbursement.

To enroll, affected individuals can visit www.privacysolutionsid.com and enter the activation code included in their notification letter. Enrollment must be completed by the deadline listed in each person's letter.

Gastro Health has set up a dedicated phone line for questions about the breach. Affected individuals can call 888-500-5727, Monday through Friday, from 9 a.m. to 9 p.m. Eastern time.