A Tennessee-based network of dialysis centers has disclosed a significant data breach that exposed sensitive patient information, including medical records and Social Security numbers.
Innovative Renal Care detected suspicious activity on its computer network on February 29, 2024. A forensic investigation revealed unauthorized access to their systems between February 21 and March 1, 2024, during which time attackers removed files from the network.
On February 17, 2025, the company provided a notice of the breach on its site and began sending notification letters to affected patients. The breach exposed comprehensive patient data, including medical diagnoses, prescription information, and financial details.
This breach is particularly concerning because it affects vulnerable patients receiving ongoing dialysis treatment. The comprehensive nature of the exposed data - combining medical, financial, and personal information - creates significant risks for patients. Criminals could use this information not only for financial fraud but also to potentially disrupt or exploit critical medical care. For dialysis patients who require regular life-sustaining treatments, any compromise of their medical or insurance information could have serious consequences.
This breach affects one of the larger dialysis and kidney care providers in the country. Innovative Renal Care, headquartered in Nashville, Tennessee, employs approximately 500 people and generates an estimated $100 million in annual revenue, making this a significant breach in the healthcare sector.
A class action lawsuit is being evaluated by Murphy Law Firm on behalf of affected individuals. The incident may lead to increased scrutiny of security measures at specialized healthcare providers, particularly those handling chronic care patients.
Monitor account statements, accept the offered credit monitoring services, and watch for suspicious activity related to medical claims or prescriptions.
The unauthorized access lasted approximately nine days, from February 21 to March 1, 2024.
While no evidence of data misuse has been identified, the company is providing complimentary credit monitoring services as a precaution.