Woundtech Data Breach Affects Thousands: SSNs and More Exposed

Woundtech, formally known as Wound Technology Network Inc., recently disclosed a data breach that exposed sensitive personal and medical information belonging to thousands of patients.

The breach occurred in early December 2025 at the Fort Lauderdale, FL-based company, which provides mobile wound care to patients in homes, skilled nursing facilities and other settings.

The company discovered the breach on Dec. 6, 2025, and completed its review of affected individuals on March 2, 2026, according to the company's notification.

The breach affected at least 3,809 Texas residents. Woundtech filed disclosures with state attorneys general including California, Texas, and Vermont.

Woundtech began notifying consumers on March 16, 2026.

How the Woundtech data breach unfolded

On or about Dec. 6, 2025, Woundtech became aware of unusual activity in its network environment, according to the company's notification. The company promptly launched an investigation and retained a third-party cybersecurity firm to conduct a forensic review of the incident.

By Dec. 31, 2025, the investigation revealed that an unauthorized individual may have copied certain information from the company's systems. The unauthorized access occurred during a four-day window between Dec. 6, 2025, and Dec. 9, 2025. Woundtech then began a comprehensive review of the affected data to determine which individuals were impacted and what types of information were involved.

On March 2, 2026, the company completed that review and identified those who needed to be notified. The company filed a report with the Texas Attorney General on March 17, 2026.

On Feb. 1, 2026, before Woundtech had completed its internal review, a threat actor using the name FulcrumSec posted claims about the breach on the open web. The actor alleged they had stolen 3.8 terabytes of data from Woundtech, impacting more than 160,000 patients.

According to the posting, the stolen data allegedly included 4.6 million clinical notes, electronic medical record (EMR) files, approximately 85,000 referral documents containing full protected health information (PHI) and roughly 93,000 clinical wound images. These claims have not been independently verified, but they suggest the scope of the breach could be broader than the number of individuals reported to the Texas Attorney General alone.

Types of information exposed

The personal and medical information potentially exposed in the breach varies by individual but may include first name, last name, date of birth, telephone number, gender, clinical notes, medical health information, medical treatment information, medical diagnosis information, health insurance information, medical treatment images and a very limited amount of Social Security numbers.

Woundtech's response to the breach

Woundtech is mailing notice letters to individuals whose information was found in the affected files and for whom it has a valid mailing address. Each letter details the specific types of information exposed for that person. The company posted a notice on its website dated March 16, 2026, providing general information about the incident and steps consumers can take.

Individuals who did not receive a letter but want to know if they are affected may call Woundtech's dedicated assistance line at 833-297-3496. The line is available Monday through Friday from 8:00 a.m. to 8:00 p.m. Eastern Time, excluding major U.S. holidays.

Steps to take if personal or medical information was exposed

Social Security number protection
Anyone whose Social Security number was involved should take action. They should consider placing a credit freeze with all three major credit reporting bureaus.

The three bureaus can be contacted directly:

• Equifax: 1-888-298-0045
• Experian: 1-888-397-3742
• TransUnion: 1-800-916-8800

Medical information protection
Because this breach exposed clinical notes, diagnosis information, treatment records, health insurance information and medical images, affected individuals should closely monitor their Explanation of Benefits (EOB) statements from their health insurance providers. They should look for any services, procedures or treatments they did not receive.

General protective measures
All affected individuals should regularly review their credit reports for any unusual or unauthorized activity. Under federal law, everyone is entitled to one free credit report per year from each of the three major credit bureaus. Free reports can be obtained at AnnualCreditReport.com or by calling 1-877-322-8228.

Individuals should also remain alert to phishing attempts in the months ahead. Scammers sometimes take advantage of publicized data breaches by sending emails, text messages or phone calls that reference the affected company by name.

Those who believe they have become victims of identity theft can file a complaint with the Federal Trade Commission at identitytheft.gov or by calling 1-877-438-4338. They also have the right to file a police report and to contact their state attorney general for additional guidance. According to the company's notification, this notice was not delayed by law enforcement.