In December 2024, Health Care and Rehabilitation Services of Southeastern Vermont Inc. (HCRS) experienced a data breach involving unauthorized access to two staff email accounts. The breach was first discovered on Dec. 20, 2024, after suspicious activity was detected within the organization’s email environment.
Immediate steps were taken to contain the incident, including resetting passwords for the affected accounts and engaging third-party cybersecurity professionals to conduct a thorough forensic investigation.
The investigation revealed that between approximately Dec. 4, 2024, and Dec. 9, 2024, an unauthorized actor accessed emails and files within the two compromised accounts. On May 13, 2025, it was confirmed that these accounts contained sensitive information for both clients and staff.
The exposed data included a wide range of personally identifiable information (PII) such as first and last names, dates of birth, Social Security numbers, financial account numbers and driver’s license numbers.
Protected health information (PHI) was also compromised, including dates of treatment or service, individual health insurance information, medical history, patient numbers, medical record numbers (MRNs), healthcare billing information and other medical treatment details.
The incident was reported to the Vermont Attorney General’s office on Aug. 1, 2025. HCRS has also posted the official consumer notice of the incident on its website.
For those whose data was potentially impacted, HCRS is providing direct notice by mail, as well as offering support through a dedicated contact person.
Impacted individuals are being offered complimentary credit monitoring and identity protection services through Experian IdentityWorks, which includes credit report access, credit monitoring, identity restoration assistance and $1 million in identity theft insurance. Details on how to enroll in these services are included in the consumer notice letters.
HCRS encourages all individuals—whether or not they have received a notification letter—to remain vigilant.
Recommended steps:
The organization has also provided guidance on protecting medical information, such as reviewing insurance statements for unfamiliar charges and requesting year-to-date reports from insurance providers.
For more information about the organization and its services, visit the HCRS website.