On March 20, 2025, HopeHealth Inc. discovered suspicious activity within its network systems and immediately launched an investigation with the assistance of legal counsel and third-party cybersecurity experts.
The investigation revealed that an unauthorized individual had accessed HopeHealth’s systems over a two-day period, from March 19 to March 20, 2025, and may have copied highly sensitive data. After conducting a thorough forensic review, HopeHealth completed its analysis on July 2, 2025, confirming that the breach had exposed personal and protected information belonging to 1,625 individuals in South Carolina.
According to the notice filed with the South Carolina Attorney General, the compromised information included names, addresses, Social Security numbers, dates of birth, medical and health insurance data, financial account details, and government-issued identification such as driver’s license and passport numbers, as well as credit card information. The identity and method used by the unauthorized individual remain unknown at this time.
According to the HopeHealth notice of data breach, “On March 20, 2025, HopeHealth became aware of suspicious activity in its network environment. Upon becoming aware, HopeHealth promptly began an investigation into the scope and nature of the suspicious activity and retained legal counsel and third-party forensic specialists to investigate the unusual activity. That investigation revealed that certain information may have been viewed and copied by an unauthorized individual as part of the event. This activity occurred between March 19 and March 20, 2025. HopeHealth then performed an extensive and comprehensive review of the data to identify what personal information may have been impacted in this incident. On July 2, 2025, HopeHealth finished its review of the impacted information. HopeHealth’s investigation has found no instances of fraud or identity theft to-date.”
Under the HIPAA Breach Notification Rule, covered entities like HopeHealth are legally required to provide notice of a breach of unsecured protected health information (PHI) without unreasonable delay and no later than 60 calendar days after the discovery of the breach. The timeline starts the day the breach is discovered, or the day it should have been discovered using reasonable diligence.
For example, once HopeHealth detected suspicious activity on March 20, 2025, the 60-day clock began. This means they were obligated to notify affected individuals and the U.S. Department of Health and Human Services (HHS) by May 19, 2025, at the latest. Since breach involved more than 500 residents of a single state or jurisdiction, they also had to notify prominent media outlets in that area within the same 60-day window.
They needed to submit a notice to the Office for Civil Rights (OCR) at HHS either immediately (for breaches affecting 500+ individuals) or as part of their annual report (for breaches affecting fewer than 500 people). While HopeHealth finalized its analysis on July 2, 2025 and publicly disclosed the breach on July 12, 2025, any delay beyond the 60-day requirement would need to be justified.
Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)
A data breach occurs when an unauthorized person gains access to sensitive, confidential, or protected information.
A fraud alert notifies creditors to take extra steps to verify your identity before opening new accounts. A credit freeze prevents lenders from accessing your credit report, stopping new credit accounts from being opened in your name.
Yes. If your Social Security number, medical data, or financial information is exposed, criminals can use it to open fraudulent accounts, access healthcare services, or file false insurance claims in your name.