IPPC Data Breach Exposes Wide Range of Sensitive Personal and Health Info

Published: April 2, 2026
Updated: April 2, 2026

Innovative Pharmacy Packaging Corp. Inc., along with its affiliated entities IPPC of New York LLC and Innovative Pharmacy LLC (collectively known as IPPC), disclosed a data breach that occurred in September 2025.

The breach was reported to the Massachusetts Office of Consumer Affairs and Business Regulation on April 1, 2026, with two Massachusetts residents identified as affected. IPPC posted a notice on its website on Feb. 27, 2026.

Consumer notification letters were dated April 1, 2026.

What happened in the IPPC data breach

IPPC became aware of suspicious activity involving its technical network, according to the company's notification.

The company took systems offline and began an investigation. The investigation determined that an unknown actor accessed the network between Sept. 18, 2025, and Sept. 19, 2025, and copied files, potentially viewing them.

Following the discovery, IPPC conducted a detailed review of the affected files to determine what types of information were present and which individuals were involved. The company's preliminary review of this information was completed on or around Feb. 9, 2026.

The types of information exposed are extensive and vary by individual. The information exposed can be split into two categories: personally identifiable information (PII) and protected health information (PHI).

The exposed PII included names, dates of birth, driver's license or government-issued identification numbers, payment card information, financial account information, individual taxpayer identification numbers, passport numbers, prescription information, billing and claims information, and Social Security numbers.

The exposed PHI included Medicare and Medicaid identification numbers, diagnosis and treatment information, medical record numbers, patient account numbers, procedure information, health insurance information, treating or referring provider names, and admission and discharge dates.

IPPC's response to the breach

IPPC is offering 24 months of free monitoring services through Cyberscout, a TransUnion company. Affected individuals must enroll online within 90 days of the date of their notification letter.

Given that the breach involved Social Security numbers, financial account information, passport numbers and sensitive medical records, affected individuals should take the potential for identity theft and fraud seriously.

Individuals with questions can call IPPC's dedicated phone line at 833-877-7455, available from 8 a.m. to 8 p.m. Eastern time, Monday through Friday, excluding U.S. holidays. Questions can also be sent by email to inquiries@ippcrx.com.

Steps to take if your information was exposed

  • Place a credit freeze or fraud alert with Equifax (1-888-298-0045), Experian (1-888-397-3742) and TransUnion (1-833-799-5355) to help prevent unauthorized accounts from being opened using stolen personal information.
  • Request free credit reports at AnnualCreditReport.com and review them carefully for any unfamiliar accounts or suspicious activity.
  • Review Explanation of Benefits statements from health insurers and Medicare or Medicaid for any services, prescriptions or provider visits not actually received, since medical information was exposed in this breach.
  • Monitor financial accounts and payment cards closely for unauthorized transactions, and report any suspicious charges to the relevant financial institution immediately.
  • Report suspected identity theft to the Federal Trade Commission at IdentityTheft.gov or by calling 1-877-438-4338, and consider filing a police report if fraud is detected.
  • Be cautious of phishing attempts that reference IPPC or this data breach by name, as scammers sometimes use breach notifications to trick people into sharing additional personal information.


Types of information affected
  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial information


Consumers Notification date
Date of Breach: September 19, 2025
Breach Discovered Date
Total People Affected
Information Types Exposed
  • name
  • date of birth
  • driver's license or government issued identification number
  • Medicare/Medicaid identification number
  • diagnosis/treatment information
  • medical record number/patient account number
  • diagnosis information
  • procedure information
  • health