ID Care — the largest private infectious disease practice on the East Coast and the second largest in the United States — has confirmed that an unauthorized actor broke into its network in November 2025 and accessed or downloaded files containing highly sensitive patient data. The breach affects current and former patients across all ten of the organization's New Jersey locations, and the full scope has not yet been made public.
Healthcare data breaches have become so routine that individual incidents risk blending into statistical noise. The ID Care breach demands attention for a specific reason that separates it from the average clinic hack: infectious disease patients carry some of the most stigmatized medical diagnoses that exist. HIV status, hepatitis, sexually transmitted infections, antibiotic-resistant infections — these are conditions that affect employment decisions, insurance underwriting, personal relationships, and personal safety when they land in the wrong hands. That context shapes everything about why this incident matters beyond the standard identity theft risk that follows any healthcare breach.
Who Is ID Care and Why Does This Matter
ID Care was established in 1996 and has grown, through the merger of two independent infectious disease practices in 1998, into the dominant private infectious disease organization on the East Coast. According to the organization's own published materials, it operates ten practice locations across New Jersey, employs over 50 board-certified physicians, and serves not only individual outpatients but also hospitals, long-term care facilities, and government agencies throughout the state.
The practice's scope is unusually broad for a specialty clinic. ID Care physicians diagnose and treat conditions caused by bacteria, viruses, fungi, and parasites, with specific concentrations in HIV care, hepatitis, Lyme disease, C. difficile, pneumonia, wound infections, travel medicine, and in-office infusion services. The organization has also positioned itself as a consulting partner to healthcare systems seeking infection prevention programs and antibiotic stewardship guidance. Its patient population therefore extends far beyond those who walk into an outpatient office — it includes patients referred from hospitals and long-term care facilities who may never have visited an ID Care location directly.
"We are clinical leaders, innovators, and researchers, providing every patient we serve with personalized solutions — all focused on identification, treatment, and prevention of infectious diseases." — ID Care, official organizational statement (idcare.com)
That positioning — as a centralized hub handling infectious disease records for hundreds of healthcare facilities across New Jersey — is precisely what makes a breach here so consequential. The data in ID Care's network is not limited to patients who chose the practice. It includes referral data, consultation records, and treatment histories pulled from across the state's healthcare infrastructure.
What Happened and When
According to ID Care's official breach notice and reporting by the HIPAA Journal, suspicious activity was identified within certain systems on November 5, 2025. The organization engaged what it described as "industry-leading cybersecurity specialists" to investigate. Those specialists confirmed that an unknown actor gained unauthorized access to a subset of the network on that same date and accessed or downloaded files without authorization.
The timeline here carries legal significance. Under the HIPAA Breach Notification Rule, covered entities are required to notify affected individuals within 60 days of discovering a breach. November 5, 2025 as the discovery date puts the notification deadline at early January 2026. As of the time of reporting in early March 2026, notification letters were still being prepared for mailing to affected individuals, and ID Care confirmed that the review of affected files had not yet been completed.
The HIPAA Journal, which tracks healthcare breach disclosures, reported that as of early March 2026 the ID Care breach had not yet appeared on the HHS Office for Civil Rights breach portal. That portal publicly lists all reported breaches affecting 500 or more individuals. The absence of an OCR listing at the time of reporting means the total number of affected patients remains officially undisclosed, and ID Care has not released that figure. The HIPAA Journal noted the breach has been reported to HHS OCR, and the formal entry was expected to appear as the intake process completed.
The exact number of individuals affected has not been publicly disclosed by ID Care as of March 18, 2026. The HHS OCR breach portal, which lists incidents affecting 500 or more individuals, had not yet posted an entry for this incident at the time of writing. ID Care confirmed the breach to HHS but the review of affected files was still ongoing.
What Data Was Exposed
ID Care has confirmed that the affected files contained a combination of personally identifiable information (PII) and protected health information (PHI). According to the organization's breach notice and reporting from the HIPAA Journal and ClassAction.org, the categories of data confirmed as exposed include:
- Full legal names
- Dates of birth
- Social Security numbers
- Home addresses
- Health insurance account, member, and group numbers
- Medical diagnoses
- Treatment information
- Prescription information
The combination of Social Security numbers with detailed medical records — including specific infectious disease diagnoses — is among the most dangerous data profiles that can be assembled about a private individual. Social Security numbers enable identity fraud and synthetic identity creation. Medical diagnoses, particularly those involving HIV, sexually transmitted infections, or antibiotic-resistant conditions, carry significant risks of stigma-based discrimination in employment, housing, and personal life if disclosed without consent.
ID Care has stated that the specific information affected varies by individual, and the organization was still completing its review of the compromised files at the time of public notice. Affected individuals will receive notification by mail once the review identifies their specific records.
"The affected files contained full names, dates of birth, Social Security numbers, health insurance information, and medical information, including diagnoses, treatment information, and prescription information." — HIPAA Journal, reporting on ID Care's official breach disclosure (hipaajournal.com)
The HIPAA and Legal Dimension
ID Care is a covered entity under the Health Insurance Portability and Accountability Act. That classification triggers a specific set of legal obligations when a breach of unsecured protected health information occurs. The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, the Secretary of HHS, and in some cases the media, within defined timeframes. For breaches affecting 500 or more individuals, the covered entity must notify HHS within 60 days of discovery and simultaneously notify affected patients. The breach was discovered on November 5, 2025, placing the 60-day notification deadline in early January 2026.
New Jersey adds a separate layer of legal obligation through its Identity Theft Protection Act. Under that law, any organization storing computerized personal information must notify affected New Jersey residents when unauthorized access to unencrypted data occurs. If more than 1,000 individuals are affected — a threshold this breach is widely expected to exceed — the organization must also notify all consumer reporting agencies. New Jersey organizations subject to HIPAA that comply with the federal breach notification rules are generally considered to have met the state notification standard simultaneously.
The legal exposure does not stop with regulatory compliance. Multiple law firms had opened investigations into the ID Care breach within days of the public notice. Strauss Borrelli PLLC, a Chicago-based data breach litigation firm, announced an investigation as of March 11, 2026. Shamis & Gentile P.A. opened a separate investigation. ClassAction.org published a notice on March 13, 2026 calling for affected individuals to come forward.
"We would like to speak with you about your rights and potential legal remedies in response to this data breach." — Strauss Borrelli PLLC, breach investigation notice published March 11, 2026 (straussborrelli.com)
Class action attorneys in healthcare breach cases typically pursue claims for invasion of privacy, loss of the benefit of the bargain (the implicit promise that an organization securing sensitive data will protect it), documented identity theft losses, and time and out-of-pocket costs incurred dealing with the breach aftermath. Comparable healthcare breach settlements provide a rough benchmark for potential outcomes: the Norton Healthcare settlement reached $11 million for approximately 2.5 million affected individuals; the PharMerica settlement reached $5.275 million. Whether ID Care's breach reaches comparable scale remains unknown until the affected patient count is disclosed.
Why Healthcare Keeps Getting Hit
The ID Care breach is not an isolated event. Healthcare remained one of the most consistently targeted sectors in 2025. According to a report published by Security Magazine citing HHS OCR data, the number of healthcare-specific breaches in 2025 showed only a marginal decrease from 2024 despite record-setting breach volumes across other sectors. The HIPAA Journal noted that final 2025 numbers may still rise as late-reported incidents are added to the OCR portal.
The economics of healthcare targeting are straightforward: medical records are worth significantly more on criminal markets than financial credentials alone. A credit card number becomes useless the moment it is canceled. A medical record containing a Social Security number, insurance details, prescription history, and a diagnosis cannot be invalidated. It enables identity fraud, insurance fraud, prescription fraud, and targeted social engineering across multiple dimensions simultaneously.
Specialty practices like ID Care present a particular value proposition for attackers. Unlike a large hospital system with a diverse patient population, an infectious disease practice concentrates records for patients with conditions that carry heightened social vulnerability. That specificity increases the coercive potential of the data, which may factor into how threat actors price and sell or leverage stolen records.
The 2025 healthcare breach landscape included incidents at Aflac, affecting approximately 13 million individuals; Yale New Haven Health System, affecting over 5.5 million; and DaVita, where the Interlock ransomware group maintained access for nearly three weeks before detection. ID Care joins a long list of healthcare organizations that discovered, in 2025 and into 2026, that their security posture was insufficient to prevent unauthorized network access.
Infectious disease patients face compounded risk from this type of breach. Unlike a breach involving general demographic data, exposure of an HIV diagnosis, STI status, or antibiotic-resistant infection record can cause direct, irreversible harm to personal relationships, employment, and safety. Affected patients should consider the full scope of potential misuse, not only identity theft.
What Affected Patients Should Do Now
ID Care has stated that affected individuals will be notified by mail once the ongoing file review is complete. If you are a current or former ID Care patient and have not yet received a letter, that may reflect where the organization is in its review process rather than confirmation that your records were unaffected. The following steps are appropriate for anyone who believes they may have been a patient at any ID Care location.
Request a free credit report
All U.S. residents are entitled to free weekly credit reports from each of the three major bureaus — Equifax, Experian, and TransUnion — through AnnualCreditReport.com. Review each report carefully for accounts, inquiries, or addresses you do not recognize.
Place a fraud alert or credit freeze
A fraud alert requires creditors to take additional steps to verify your identity before extending credit in your name. A credit freeze, which is stronger, prevents new credit from being opened at all. Both are free under federal law. Freezing credit at all three bureaus is the most effective measure against new account fraud using a stolen Social Security number.
Monitor your explanation of benefits statements
Medical identity theft can result in fraudulent claims filed in your name. Review every explanation of benefits statement from your health insurer for services, prescriptions, or providers you do not recognize. Report discrepancies to your insurer immediately.
Enroll in credit monitoring if offered
ID Care has indicated in its breach notice that affected individuals will be offered complimentary credit monitoring services. Accepting credit monitoring does not waive your right to participate in any class action litigation that may result from this breach. Enroll as soon as you receive your notification letter.
Retain your breach notification letter
If you receive a written notification from ID Care, keep it. It documents that you were identified as an affected individual and may be required if you submit a claim in any future class action settlement or if you need to document the breach with a creditor, insurer, or employer.
Report suspected identity theft
The Federal Trade Commission operates IdentityTheft.gov, which provides a personalized recovery plan for victims of identity theft, including templates for disputing fraudulent accounts and notifying relevant agencies. You may also contact the FTC by phone at 1-877-ID-THEFT (1-877-438-4338).
Key Takeaways
- The breach occurred on November 5, 2025: An unauthorized actor accessed or downloaded files from ID Care's network. The organization detected the intrusion the same day and launched a third-party cybersecurity investigation.
- Exposed data includes Social Security numbers and medical diagnoses: Confirmed categories include full names, dates of birth, SSNs, insurance details, diagnoses, treatment records, and prescriptions — a dataset with compounded fraud and stigma risk for infectious disease patients specifically.
- The scope is not yet public: The total number of affected individuals had not been disclosed as of March 18, 2026. The HHS OCR breach portal had not listed the incident, and ID Care's file review was ongoing.
- Legal exposure is significant: Multiple law firms have opened class action investigations. HIPAA Breach Notification Rule obligations and New Jersey's Identity Theft Protection Act both apply. The 60-day patient notification deadline has already passed.
- Affected patients should act now: Do not wait for a notification letter to freeze credit, monitor insurance claims, and review credit reports. If you have been a patient at any of ID Care's ten New Jersey locations, treat your information as potentially compromised.
Healthcare organizations handling sensitive specialty data carry a responsibility that extends beyond standard HIPAA compliance. Infectious disease records are among the most consequential categories of personal health information a patient can disclose. ID Care's breach is a reminder that the organizations trusted with that information must invest in security infrastructure commensurate with the harm that exposure can cause — not merely the minimum required by federal regulation. For the patients whose records were taken on November 5, 2025, the question now is not whether the data left the network. It did. The question is where it goes next.
Sources: HIPAA Journal — Strauss Borrelli PLLC — ClassAction.org — ClaimDepot (Shamis & Gentile) — ID Care Official Practice Page — HHS OCR Breach Notification