Hillcrest Data Breach Impacts 106,194 People: Leaks PII & PHI

On February 13, 2025, Hillcrest Convalescent Center identified a significant data breach that compromised the personal information of approximately 106,194 individuals across the country.

The breach initially occurred on June 27, 2024, when Hillcrest detected suspicious activity on its internal network. The company quickly secured its systems and engaged third-party cybersecurity experts to investigate the incident thoroughly.

The investigation revealed that unauthorized individuals had gained access to Hillcrest's network, resulting in the unauthorized acquisition of sensitive data.

The types of information exposed in this breach include:

• Names
• Addresses
• Dates of birth
• Social Security numbers
• Driver's license numbers
• Government-issued ID numbers (such as passports and state ID cards)
• Financial information (such as account numbers, credit or debit card numbers)
• Medical information, including patient data and treatment details
• Health insurance information
• Health care provider information
• Additional personal details

Hillcrest Convalescent Center disclosed the breach to various state authorities and the federal government. Notifications were filed with:

• California Attorney General's office on March 6, 2025
• Maine Attorney General's office on March 16, 2025
• Massachusetts Attorney General's office on March 5, 2025
• Texas Attorney General's office on March 6, 2025
• U.S. Department of Health and Human Services on March 4, 2025.

In terms of state-specific impact, the breach affected 2,917 individuals in Texas, 983 individuals in Massachusetts, and 340 individuals in Maine.

Hillcrest Convalescent Center's response

Upon discovering the breach, Hillcrest Convalescent Center promptly initiated an internal investigation and secured its network to prevent further unauthorized access. The company engaged cybersecurity experts to identify the scope and nature of the breach and reported the incident to law enforcement.

To support affected individuals, Hillcrest Convalescent Center began notifying consumers on March 3, 2025, through U.S. mail, notices posted on its website, and publication in print media.

The company is offering complimentary credit monitoring and identity restoration services through TransUnion, available for a period of 12 to 24 months, depending on the individual's state of residence. Affected individuals must enroll in these services by June 5, 2025, by visiting the dedicated website or calling the toll-free assistance line at 1-833-799-4042.

Hillcrest advises all potentially impacted individuals to remain vigilant against identity theft and fraud. Recommended actions include regularly reviewing account statements, monitoring credit reports, placing security freezes or fraud alerts on credit files, and promptly reporting any suspicious activity to financial institutions and credit bureaus.