Enhabit Home Health Data Breach Exposes 22,552 Patient Records
A significant healthcare data breach has affected Advanced Homecare Management, LLC, doing business as Enhabit Home Health & Hospice, exposing the personal information of 22,552 individuals. The Texas-based healthcare provider reported the incident to the U.S. Department of Health and Human Services on February 5, 2026, following a network server compromise that was discovered on December 5, 2025.
What Happened
Enhabit Home Health & Hospice, a Dallas-based caregiving company, experienced a hacking incident that compromised its network server systems. The breach was classified as a "Hacking/IT Incident" by the Department of Health and Human Services and affected the company's network server infrastructure.
According to breach notifications, the incident was discovered on December 5, 2025, but the company began formally reporting the breach on February 12, 2026. This timeline suggests a gap of over two months between discovery and public notification, raising questions about the company's incident response procedures.
The breach has prompted investigations by multiple law firms, including Federman & Sherwood and Cole & Van Note, which are looking into the circumstances surrounding the data compromise and potential legal remedies for affected individuals.
Who Is Affected
The breach impacted 22,552 individuals who were patients or clients of Enhabit Home Health & Hospice services. As a home health and hospice care provider, Enhabit serves vulnerable populations including elderly patients, individuals with chronic conditions, and those requiring end-of-life care.
Patients affected by this breach likely received various services from Enhabit, including:
- In-home nursing care
- Physical and occupational therapy
- Hospice care services
- Medical equipment and supplies
- Care coordination services
The demographic most likely affected includes seniors and individuals with serious medical conditions who rely on home-based healthcare services.
Breach Details
While specific technical details about the breach remain limited, the incident was classified as a network server compromise. The potentially impacted data contained sensitive personal information, though the complete scope of exposed data types has not been fully disclosed in available public records.
Typically, home health and hospice providers maintain extensive patient records that may include:
- Personal identifying information (names, addresses, Social Security numbers)
- Medical record numbers and health insurance information
- Detailed medical histories and treatment plans
- Medication lists and dosing information
- Care notes and assessments
- Emergency contact information
- Financial and billing data
The fact that law firms are actively investigating suggests the breach may have exposed particularly sensitive categories of protected health information (PHI) that could put patients at risk for identity theft or medical fraud.
What This Means for Patients
For the 22,552 individuals affected by this breach, the exposure of their personal and medical information creates several immediate and long-term risks:
Identity Theft Risk: Exposed personal information could be used to open fraudulent accounts, file false tax returns, or commit other forms of identity fraud.
Medical Identity Theft: Criminals could use stolen health information to obtain medical services, prescription drugs, or file fraudulent insurance claims in victims' names.
Privacy Violations: The exposure of sensitive medical information, particularly for hospice patients, represents a significant violation of patient privacy during vulnerable times.
Financial Impact: Patients may face costs associated with credit monitoring, identity theft recovery, and correcting fraudulent activities.
The involvement of multiple law firms investigating the breach suggests that affected individuals may have grounds for legal action against Enhabit for failing to adequately protect their sensitive information.
How to Protect Yourself
If you were a patient of Enhabit Home Health & Hospice, take these immediate steps to protect yourself:
Monitor Your Accounts: Regularly check all financial accounts, credit reports, and insurance statements for suspicious activity.
Set Up Fraud Alerts: Contact the three major credit bureaus (Equifax, Experian, and TransUnion) to place fraud alerts on your credit files.
Review Medical Bills: Carefully examine all medical bills and insurance statements for services you didn't receive.
Consider Credit Monitoring: Enroll in a credit monitoring service to receive alerts about new accounts or inquiries in your name.
Report Suspicious Activity: If you notice any fraudulent activity, report it immediately to your financial institutions, insurance companies, and local law enforcement.
Stay Informed: Monitor communications from Enhabit about the breach and any remedial services they may offer.
Prevention Lessons for Healthcare Providers
This breach highlights critical cybersecurity challenges facing home health and hospice providers:
Network Security: Healthcare providers must implement robust network security measures, including firewalls, intrusion detection systems, and regular security assessments.
Access Controls: Limiting access to PHI based on job roles and implementing strong authentication protocols can reduce breach risks.
Employee Training: Regular HIPAA training and cybersecurity awareness programs help staff identify and respond to potential threats.
Incident Response Planning: Having a comprehensive incident response plan enables faster breach detection, containment, and notification.
Regular Risk Assessments: Conducting periodic security risk assessments helps identify vulnerabilities before they can be exploited.
Vendor Management: Ensuring that all business associates and technology vendors maintain appropriate security standards is essential.
The two-month gap between breach discovery and public reporting in this case also underscores the importance of having clear notification procedures that comply with HIPAA's 60-day reporting requirement.
Healthcare providers, particularly smaller organizations like home health agencies, often lack the resources for comprehensive cybersecurity programs. However, regulatory requirements and the potential costs of breaches make investment in proper security measures essential.
This incident serves as a reminder that cybercriminals increasingly target healthcare organizations due to the valuable nature of medical data and sometimes inadequate security measures in the sector.