Hillcrest Convalescent announces 106k data breach

The North Carolina senior care center recently notified the public of a large data breach.’

What happened

On March 2nd, 2025, Hillcrest Convalescent Center began notifying individuals of a data breach.  

According to the notice, Hillcrest first identified suspicious activity on its network on June 27th, 2024. The Hillcrest team immediately worked to secure its environment and soon after launched an investigation into the incident, utilizing a third-party cybersecurity firm for additional assistance. 

Through the investigation, Hillcrest determined that an unauthorized user had accessed the network and acquired data. A review was then conducted and completed on February 13th. 

Information involved included names, dates of birth, Social Security numbers, patient data, medical information, treatment information, health insurance information, and Health Care Provider information. 

Ultimately, Hillcrest reported to the Department of Health and Human Services that 106,194 individuals were impacted. 

What was said

In response to the incident, Hillcrest said they “promptly initiated an investigation to review and enhance our security systems. We also reported the incident to law enforcement in an effort to hold the perpetrators accountable.” 

Hillcrest is offering affected individuals complimentary credit monitoring and identity restoration services. Hillcrest is also encouraging individuals to monitor their account statements and credit reports for suspicious activities. 

“Protecting personal information in our care is one of our top priorities,” Hillcrest’s statement read. “We sincerely regret any inconvenience this event may cause. We remain committed to ensuring the security of information in our care. 

FAQs

What caused the breach at Hillcrest Convalescent Center?

According to Hillcrest’s filing with the HHS, the breach was caused by a network hacking incident. Networks can be hacked through various methods, like software vulnerabilities, social engineering tactics, malware, and more. Unfortunately, we may never find out what specifically led to Hillcrest’s breach, but the investigation likely revealed what caused the incident. This information may be kept internal to prevent malicious actors from attempting similar attacks. 

Do all breaches get reported to the HHS?

No, technically only breaches impacting at least 500 individuals need to be reported to the HHS.