On July 24, 2025, McKenzie Health System, which operates as McKenzie Memorial Hospital (McKenzie), disclosed a data breach that may have exposed sensitive personally identifiable information (PII) belonging to 58,839 individuals.
What happened
According to a breach notification filed with the New Hampshire Attorney General’s office, McKenzie became aware of unusual activity on its network on April 15, 2025. The organization immediately launched an investigation and engaged cybersecurity experts to determine the scope and nature of the incident.
The investigation revealed that an unauthorized actor gained access to McKenzie’s network between April 14 and April 15, 2025. During this time, limited data stored on the network may have been viewed or acquired. The investigation concluded on June 19, 2025, at which point McKenzie began the process of identifying affected individuals and determining which data elements were compromised.
The types of information potentially exposed include full names, Social Security numbers, and financial account information.
On July 24, 2025, McKenzie mailed notification letters to individuals whose information was involved in the breach. Recipients of the letters were provided with details about the categories of information affected and offered complimentary credit monitoring and identity theft protection services.
In the know
While McKenzie has not disclosed how the attacker gained access to its network, similar breaches often occur through phishing emails, compromised credentials, or unpatched software vulnerabilities. Healthcare data is particularly valuable to hackers, and even short-term unauthorized access can have serious consequences.
Health-related data breaches frequently lead to identity theft and financial fraud, as stolen Social Security numbers and account credentials can be sold or misused. Even though McKenzie reported no evidence of misuse, victims of breaches often face delayed fraudulent activity months or years after the breach.
Read also: Consequences of a security breach
What was said
According to the New Hampshire Attorney General's notification, McKenzie stated, “McKenzie Memorial Hospital has taken steps to address the incident and is committed to protecting the information entrusted to us. Upon learning of this event, we took steps to strengthen our network security, conducted a thorough investigation, and took actions to mitigate the risk to the data.”
Furthermore, “We also reviewed our policies and procedures related to data protection to help prevent similar incidents from occurring in the future. Additionally, McKenzie Memorial Hospital is offering you 12 months of complimentary credit monitoring and identity protection services.”
The big picture
Breaches like this also increase the likelihood of regulatory investigation by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) and can result in class-action lawsuits from affected patients. Aside from financial losses, reputational damage can be intensely debilitating to regional hospitals and not-for-profit health care systems that have founded much of their success upon community trust.
All healthcare organizations, no matter their size, must employ multi-factor authentication, better employee training, network segmentation, and HIPAA compliant email solutions to reduce the likelihood of becoming the next news story.
Learn more: HIPAA Compliant Email: The Definitive Guide
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Examples of breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
What should individuals do if their data has been compromised?
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
Are there any costs associated with placing a fraud alert or credit freeze?
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.
