On April 29, 2025, Mosaic Life Care (also known as Heartland Regional Medical Center) identified a data breach that exposed sensitive personal and health information. The breach, which began on January 22, 2025, affected 145,269 individuals nationwide. Mosaic reported the breach to the U.S. Department of Health and Human Services (HHS) on June 27.
The compromised data included a wide range of personally identifiable information (PII) and protected health information (PHI): names, dates of birth, Social Security numbers, government-issued IDs, insurance details, and medical records such as diagnoses, treatment details, medications, and provider names.
The breach has been classified as severe due to the volume and sensitivity of the data exposed. However, the method of unauthorized access and the identity of the threat actor have not been disclosed publicly. In the wake of the incident, Mosaic Life Care has secured its systems, launched an internal investigation, and notified both patients and federal regulators.
A breach notice posted on Mosaic’s website outlines recommended actions for affected individuals, including heightened vigilance for identity theft, credit monitoring, and awareness of potential phishing or scam attempts using stolen medical data.
Mosaic Life Care has confirmed that “an unknown party accessed Oracle Health/Cerner’s migration environment at least as early as January 22, 2025 using compromised credentials,” exposing sensitive patient data such as Social Security numbers, insurance information, and medical records during a vendor’s data migration process. While Mosaic’s own systems were not breached, the organization has issued formal notifications, is offering free identity protection and credit monitoring to those affected, and has stated its commitment to maintaining high standards of data stewardship both internally and with third-party vendors. The HHS Office for Civil Rights is now tracking the breach in its public database of reported health data incidents.
Exposure of both personal and medical data increases the risk of identity theft, medical fraud, and long-term privacy harm. PHI can be misused in ways that PII alone cannot, such as falsifying prescriptions or accessing healthcare under someone else’s name.
In addition to credit monitoring, patients should review their medical records for unfamiliar entries, alert their healthcare provider about the breach, and watch for insurance claims or medical bills they don’t recognize.
When breaches affect more than 500 individuals, organizations must report them to HHS. The agency may investigate and monitor how the organization responds, and it publishes the incidents on its Breach Portal.
Yes. Stolen PHI can be used to craft highly personalized phishing emails or calls that seem legitimate because they reference real medical information, making individuals more likely to respond or share further sensitive data.
Under HIPAA, covered entities are required to notify affected individuals without unreasonable delay, and no later than 60 days after discovery. Mosaic’s timeline, identifying the breach in April and reporting to HHS in June, falls within this legal window.