Long Island Weight Loss Institute: 13GB Data Breach Exposed PII and PHI

Long Island Weight Loss Institute, a medical weight loss clinic with multiple locations across Long Island, New York, experienced a data breach in late 2025. On or around Sept. 22, 2025, the institute discovered unusual activity within its computer systems.

A thorough investigation revealed that an unauthorized party, later identified as the Qilin ransomware group, had infiltrated the organization’s network and potentially accessed sensitive patient data. The attackers claimed responsibility on a dark web portal, posting sample screenshots and asserting they had obtained 13 GB of the organization’s data.

The information exposed in this incident is extensive and highly sensitive. The types and amount of information exposed vary for each individual, with some patients affected by all categories and others by just one.

The breach exposed the following personally identifiable information (PII): patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, passport numbers, driver’s license numbers and other government-issued identification documents.

The breach also exposed the following protected health information (PHI): medical record numbers, medical treatment details, lab results, diagnoses and conditions, prescription information, health insurance details, claim information, invoices, billing and payment records, and credit card or bank account information.

The institute has posted an official disclosure notice detailing the event on its website.

Long Island Weight Loss Institute's response

Upon discovering the breach, Long Island Weight Loss Institute secured its network and engaged a third-party cybersecurity team to investigate the incident. The institute conducted a detailed review to determine exactly what information was affected and to identify all individuals whose data may have been exposed.

Notification letters were mailed to potentially impacted patients by Jan. 5, 2026.

To support those affected, the institute is offering complimentary credit monitoring services. They have also implemented additional security measures within their network and facilities and are reviewing their data security policies and procedures to help prevent future incidents.

Given the nature of the breach, affected individuals are strongly encouraged to:

• Monitor account statements, credit reports and explanation of benefits forms for any suspicious activity or errors
• Consider placing a fraud alert or credit freeze with the three major credit reporting bureaus (Equifax, Experian and TransUnion)
• Take advantage of the free credit monitoring services being offered
• Remain vigilant for potential identity theft or fraud attempts

A dedicated call center has been set up to answer questions and provide assistance. It is available Monday through Friday, 9 a.m. to 9 p.m. Eastern Time, at 1-833-918-4186.