Waveny LifeCare Data Breach Exposes Sensitive Patient Info & SSNs

On May 28, 2025, Waveny LifeCare Network, a nonprofit healthcare provider based in New Canaan, Connecticut, experienced a significant data breach that disrupted its network systems. The incident was quickly identified as a ransomware attack carried out by the Qilin group, a known cybercriminal organization. Shortly after the breach, Qilin claimed responsibility and posted about the attack on the dark web on June 12, 2025, stating they had obtained sensitive data from Waveny.

The breach exposed a wide range of both personally identifiable information (PII) and protected health information (PHI) belonging to patients and possibly other individuals connected to the organization. The compromised data includes first and last names, addresses, dates of birth, admission and discharge dates, date of death, telephone numbers, email addresses, Social Security numbers, medical record numbers, patient account numbers, facial photographic images, laboratory test results, medical imaging results, driver’s license numbers, electronic health records, health insurance account or policy numbers, payment information, Medicare or Medicaid information and financial account numbers.

While the full number of affected individuals has not been disclosed, the breadth of information accessed makes this a severe breach. The combination of PII and PHI involved increases the risk of identity theft, financial fraud and medical identity theft for those impacted. The incident was confirmed in a public notice posted by Waveny LifeCare Network, which can be reviewed in detail on their official data breach notification.

Waveny Lifecare Network's response

For those who may be affected, Waveny has established a dedicated assistance line at 833-353-3395, available Monday through Friday from 9 a.m. to 9 p.m. Eastern, excluding major U.S. holidays. Individuals can also contact Waveny in writing at 3 Farm Road, New Canaan, CT 06840.

Given the nature of the attack and the types of information exposed, it is important for affected individuals to monitor their credit reports, financial statements and explanation of benefits forms for any unfamiliar activity. Waveny recommends placing a fraud alert or credit freeze with the major credit reporting agencies: TransUnion, Experian, Equifax and Innovis. Additional guidance on protecting against identity theft is available from the Federal Trade Commission at identitytheft.gov.

Although there is currently no evidence that the accessed information has been misused, the potential for misuse is significant due to the sensitive data involved. Individuals should remain vigilant and report any suspicious activity to their providers, insurers, law enforcement or the FTC.