Woundtech Data Breach Affects Thousands: SSNs and More Exposed

Woundtech, formally known as Wound Technology Network Inc., recently disclosed a data breach that exposed sensitive personal and medical information belonging to thousands of patients.

The breach occurred in early December 2025 at the Fort Lauderdale, FL-based company, which provides mobile wound care to patients in homes, skilled nursing facilities and other settings. The breach affected at least 3,809 Texas residents.

The company discovered the breach on Dec. 6, 2025, and completed its review of affected individuals on March 2, 2026, according to the company's notification. Woundtech began notifying consumers on March 16, 2026. The exposed information includes names, dates of birth, phone numbers, clinical notes, medical diagnosis and treatment details, health insurance information, medical treatment images and a very limited number of Social Security numbers.

How the Woundtech data breach unfolded

On or about Dec. 6, 2025, Woundtech became aware of unusual activity in its network environment, according to the company's notification. The company promptly launched an investigation and retained a third-party cybersecurity firm to conduct a forensic review of the incident.

By Dec. 31, 2025, the investigation revealed that an unauthorized individual may have copied certain information from the company's systems. The unauthorized access occurred during a four-day window between Dec. 6, 2025, and Dec. 9, 2025. Woundtech then began a comprehensive review of the affected data to determine which individuals were impacted and what types of information were involved.

On March 2, 2026, the company completed that review and identified those who needed to be notified. The company filed a report with the Texas Attorney General on March 17, 2026.

A threat actor claimed responsibility on the open web

On Feb. 1, 2026, before Woundtech had completed its internal review, a threat actor using the name FulcrumSec posted claims about the breach on the open web. The actor alleged they had stolen 3.8 terabytes of data from Woundtech, impacting more than 160,000 patients.

According to the posting, the stolen data allegedly included 4.6 million clinical notes, electronic medical record (EMR) files, approximately 85,000 referral documents containing full protected health information (PHI) and roughly 93,000 clinical wound images. These claims have not been independently verified, but they suggest the scope of the breach could be significantly broader than the number of individuals reported to the Texas Attorney General alone.

Types of information exposed

The personal and medical information potentially exposed in the breach varies by individual. According to the company's notification, the data may include first name, last name, date of birth, telephone number, gender, clinical notes, medical health information, medical treatment information, medical diagnosis information, health insurance information, medical treatment images and a very limited amount of Social Security numbers.

This breach is particularly sensitive because it involves both personally identifiable information (PII), such as names and dates of birth, and protected health information (PHI), such as clinical notes, diagnosis details and medical treatment images. Medical data of this kind is highly personal and could potentially be misused for medical identity theft or targeted scams.

Woundtech's response to the breach

According to its notification, Woundtech stated it takes this incident and the security of personal information in its care very seriously. The company said it moved quickly to investigate and respond to the breach.

As part of its ongoing response, Woundtech said it is reviewing and enhancing its existing policies and procedures related to data privacy to reduce the likelihood of a similar incident in the future. The company also stated it has notified and is cooperating with appropriate law enforcement, according to the company's notification.

Woundtech is mailing notice letters to individuals whose information was found in the affected files and for whom it has a valid mailing address. Each letter details the specific types of information exposed for that person. The company posted a notice on its website dated March 16, 2026, providing general information about the incident and steps consumers can take.

Individuals who did not receive a letter but want to know if they are affected may call Woundtech's dedicated assistance line at 833-297-3496. The line is available Monday through Friday from 8:00 a.m. to 8:00 p.m. Eastern Time, excluding major U.S. holidays.

Notably, the company's notification did not mention offering free credit monitoring or identity theft protection services to affected individuals.

Steps to take if personal or medical information was exposed

Because this breach involved sensitive medical records and, in some cases, Social Security numbers, affected individuals should consider taking several steps to protect themselves. The specific actions that make sense depend on which types of information were exposed for each person.

Social Security number protection

Although Woundtech described the number of exposed Social Security numbers as "very limited," anyone whose Social Security number was involved should take prompt action. They should consider placing a credit freeze with all three major credit reporting bureaus. A credit freeze prevents new credit accounts from being opened without the individual's explicit permission, and it is free under federal law.

The three bureaus can be contacted directly:

• Equifax: 1-888-298-0045
• Experian: 1-888-397-3742
• TransUnion: 1-800-916-8800

As an alternative or in addition, individuals can place a fraud alert on their credit file. An initial fraud alert lasts one year and requires businesses to take steps to verify the consumer's identity before extending new credit. Victims of identity theft are entitled to an extended fraud alert lasting seven years. Only one bureau needs to be contacted to place a fraud alert, as it will notify the other two.

Individuals whose Social Security numbers were exposed should also consider requesting an Identity Protection PIN from the IRS. This six-digit number helps prevent someone else from filing a fraudulent tax return using their Social Security number.

Medical information protection

Because this breach exposed clinical notes, diagnosis information, treatment records, health insurance information and medical images, affected individuals should closely monitor their Explanation of Benefits (EOB) statements from their health insurance providers. They should look for any services, procedures or treatments they did not receive. Unfamiliar charges or services on an EOB statement could be a sign of medical identity theft.

Anyone who spots suspicious activity on their EOB statements should contact their health insurance provider right away. Medical identity theft is a serious concern because it can lead to incorrect information appearing in a patient's medical records, which could affect future care and treatment decisions.

General protective measures

All affected individuals should regularly review their credit reports for any unusual or unauthorized activity. Under federal law, everyone is entitled to one free credit report per year from each of the three major credit bureaus. Free reports can be obtained at AnnualCreditReport.com or by calling 1-877-322-8228.

Individuals should also remain alert to phishing attempts in the months ahead. Scammers sometimes take advantage of publicized data breaches by sending emails, text messages or phone calls that reference the affected company by name. These messages may attempt to trick people into providing additional personal information or clicking on harmful links. Any communication that claims to be from Woundtech but asks for sensitive information should be verified by calling the company's dedicated assistance line directly.

Those who believe they have become victims of identity theft can file a complaint with the Federal Trade Commission at identitytheft.gov or by calling 1-877-438-4338. They also have the right to file a police report and to contact their state attorney general for additional guidance. According to the company's notification, this notice was not delayed by law enforcement.