IPM Data Breach Exposes Social Security Numbers and Other Personal Info

Income Property Management Co., a property management firm headquartered in Portland, Oregon, disclosed a data breach involving unauthorized access to its computer network.

IPM discovered the breach on Dec. 22, 2024. The company posted a notice of the data incident on its website on March 26, 2026, more than 15 months after the initial discovery. The total number of individuals affected in the United States was not disclosed.

What happened in the Income Property Management data breach

An investigation, prompted upon detecting unauthorized activity on IPM's network, determined that an unauthorized actor took files from the company's network on or around Jan. 29, 2025, approximately five weeks after the suspicious activity was first detected.

Following this discovery, IPM began a detailed review of the affected files to determine what data was potentially involved and to identify the individuals whose information was contained in those files.

The review process took nearly a year to complete. It was finished on Dec. 4, 2025, at which point the company confirmed that the stolen files contained personal information belonging to specific individuals.

The company then took approximately four additional months before issuing its public notification.

The types of information exposed varied from person to person but consisted of the following: driver's license numbers, alien registration numbers, health insurance provider names, health insurance identification numbers, dates of birth, Social Security numbers, medical conditions and passport numbers.

Income Property Management's response to the breach

IPM is providing specific support to affected individuals. For those whose Social Security numbers were involved, the company is offering an opportunity to enroll in credit monitoring at no cost. IPM is also offering proactive fraud assistance to all affected individuals to help them navigate questions or concerns that may arise from the breach.

These services are being provided through HaystackID, a firm specializing in fraud assistance and remediation.

Affected individuals can reach the professional call center by calling 1-855-329-7315 (toll free). The call center is available Monday through Friday from 9 a.m. to 9 p.m. and Saturday from 9 a.m. to 6 p.m. Eastern time, excluding major U.S. holidays. Representatives will be available for 90 days from the date of the notice to assist with questions about the incident.

Individuals may also contact Income Property Management Co. by mail at 1800 SW 1st Ave. #220, Portland, OR 97201 until April 1, 2026. After that date, the company's new mailing address will be 11740 SW 68th Parkway, Suite 100, Tigard, OR 97223.

Steps to take if your information was exposed

• Place a fraud alert or credit freeze on credit files by contacting Equifax (1-888-298-0045), Experian (1-888-397-3742) or TransUnion (1-800-680-7289) to help prevent unauthorized accounts from being opened.
• Request free credit reports at AnnualCreditReport.com and review them for any unfamiliar accounts or inquiries that could indicate misuse.
• Monitor health insurance statements carefully for claims or services not received, since health insurance information and medical conditions were among the data exposed in this breach.
• Report suspicious activity to local law enforcement and file a complaint with the FTC at 1-877-438-4338 or online at ftc.gov/idtheft.
• Be cautious of phishing attempts that reference Income Property Management Co. or this data breach by name, as scammers often use real incidents to trick people into providing more personal information.
• Consider monitoring passport activity through the U.S. State Department if a passport number was part of the exposed data.