Woundtech Data Breach Affects 139k: SSNs and More Exposed

Woundtech, formally known as Wound Technology Network Inc., recently disclosed a data breach that exposed sensitive personal and medical information belonging to 139,830 individuals, including 3,809 Texas residents.

On or about Dec. 6, 2025, Woundtech became aware of unusual activity in its network environment. The company launched an investigation and retained a third-party cybersecurity firm to conduct a forensic review of the incident.

By Dec. 31, 2025, the investigation revealed that an unauthorized individual may have copied certain information from the company's systems. The unauthorized access occurred during a four-day window between Dec. 6, 2025, and Dec. 9, 2025. Woundtech then began a comprehensive review of the affected data to determine which individuals were impacted and what types of information were involved.

On March 2, 2026, the company completed that review and identified those who needed to be notified. Woundtech filed disclosures with state attorneys general including California, Texas, and Vermont. Woundtech began notifying consumers on March 16, 2026.

On Feb. 1, 2026, before Woundtech had completed its internal review, a threat actor using the name FulcrumSec posted claims about the breach on the open web. The actor alleged they had stolen 3.8 terabytes of data from Woundtech, impacting more than 160,000 patients.

The stolen data allegedly included 4.6 million clinical notes, electronic medical record (EMR) files, approximately 85,000 referral documents containing full protected health information (PHI) and roughly 93,000 clinical wound images.

The personal and medical information potentially exposed in the breach varies by individual but may include first name, last name, date of birth, telephone number, gender, clinical notes, medical health information, medical treatment images and information, medical diagnosis information, health insurance information and Social Security numbers.

Woundtech's response to the breach

Woundtech is mailing notice letters to individuals whose information was found in the affected files and for whom it has a valid mailing address. Each letter details the specific types of information exposed for that person.

The company posted a notice on its website dated March 16, 2026, providing general information about the incident and steps consumers can take.

Individuals who did not receive a letter but want to know if they are affected may call Woundtech's dedicated assistance line at 833-297-3496. The line is available Monday through Friday from 8:00 a.m. to 8:00 p.m. Eastern Time, excluding major U.S. holidays.

Steps to take if personal or medical information was exposed

Social Security number protection
Anyone whose Social Security number was involved should take action. They should consider placing a credit freeze with all three major credit reporting bureaus.

The three bureaus can be contacted directly:

• Equifax: 1-888-298-0045
• Experian: 1-888-397-3742
• TransUnion: 1-800-916-8800

Medical information protection
Because this breach exposed clinical notes, diagnosis information, treatment records, health insurance information and medical images, affected individuals should closely monitor their Explanation of Benefits (EOB) statements from their health insurance providers. They should look for any services, procedures or treatments they did not receive.

General protective measures
All affected individuals should regularly review their credit reports for any unusual or unauthorized activity. Free reports can be obtained at AnnualCreditReport.com or by calling 1-877-322-8228.

Those who believe they have become victims of identity theft can file a complaint with the Federal Trade Commission at identitytheft.gov or by calling 1-877-438-4338. They also have the right to file a police report and to contact their state attorney general for additional guidance.