Critical Severity (Score: 8/10)

Next Step Healthcare Data Breach Exposes 12,090 Patients' SSNs


Breach Details

Entity: Next Step Healthcare LLC
Individuals Affected: 12,090
State: MA
Breach Type: Hacking/IT Incident
Location: Network Server
Date Reported: May 30, 2025
Entity Type: Healthcare Provider
Business Associate: No

Next Step Healthcare Data Breach Exposes 12,090 Patients' SSNs and Medical Records

Next Step Healthcare LLC, a Massachusetts-based healthcare provider, has reported a significant data breach affecting 12,090 individuals to the Department of Health and Human Services. The cyberattack, which occurred in June 2024 but wasn't reported until May 2025, involved unauthorized access to the company's network servers containing highly sensitive patient information.

What Happened

On June 5, 2024, Next Step Healthcare discovered evidence of unusual activity within their IT environment. The healthcare provider immediately implemented security measures to protect their network, systems, and data from further compromise.

Following the initial discovery, Next Step Healthcare retained independent cybersecurity experts to conduct a comprehensive forensic investigation. This investigation was crucial in determining the full scope of the incident and identifying exactly what patient information was accessed by unauthorized parties.

The breach has been classified as a hacking/IT incident affecting the organization's network server infrastructure. However, specific details about the attack vector, whether ransomware was involved, or the identity of the threat actors remain undisclosed in available documentation.

Who Is Affected

The data breach impacted 12,090 individuals who were patients or clients of Next Step Healthcare LLC. On May 29, 2025—nearly 11 months after the initial discovery—the healthcare provider began mailing breach notification letters to all affected individuals.

Next Step Healthcare has been transparent with impacted patients, providing each individual with a detailed list of the specific types of sensitive information that may have been compromised in their particular case, as the data involved varied from person to person.

Breach Details

The cyberattack resulted in unauthorized access to a wide range of highly sensitive personal and medical information. The compromised data may have included:

  • Personal Identifiers: Full names and dates of birth
  • Social Security numbers: The identifier most often exploited in identity theft
  • Driver's license numbers: Additional identity verification documents
  • Financial information: Account numbers and related financial data
  • Protected Health Information (PHI): Medical diagnoses and treatment information
  • Additional health-related data: Other medical records and healthcare information

The breach occurred on Next Step Healthcare's network server, indicating that cybercriminals gained access to centralized patient data storage systems. This type of network-based attack often allows threat actors to access large volumes of information once they penetrate the initial security barriers.

The timeline reveals a concerning delay in public notification:

  • June 5, 2024: Initial discovery of unusual network activity
  • May 29, 2025: Breach notification letters sent to patients
  • May 30, 2025: Breach reported to HHS Office for Civil Rights

What This Means for Patients

The exposure of such comprehensive personal and medical information creates significant risks for affected individuals. With access to Social Security numbers, driver's license numbers, and financial account information, cybercriminals have the tools needed to commit identity theft, open fraudulent accounts, or file false tax returns.

The inclusion of medical diagnoses and treatment information also raises privacy concerns, as this sensitive health data could potentially be used for discrimination or sold on dark web marketplaces.

Patients should be particularly vigilant about:

  • Monitoring credit reports for unauthorized accounts or inquiries
  • Watching for suspicious medical bills or insurance claims
  • Being alert to phishing attempts using their personal information
  • Checking bank and financial account statements regularly

How to Protect Yourself

Next Step Healthcare is providing affected individuals with complimentary credit monitoring services to help detect potential misuse of their personal information. Patients should take advantage of this service and consider these additional protective measures:

Immediate Actions:

  1. Enroll in the provided credit monitoring service without delay
  2. Place fraud alerts on your credit reports with all three major bureaus
  3. Consider a credit freeze for enhanced protection against new account fraud
  4. Review all financial statements for unauthorized transactions
  5. Monitor medical insurance statements for fraudulent claims

Ongoing Protection:

  • Set up account alerts for banking and credit card accounts
  • Use strong, unique passwords for all online accounts
  • Enable two-factor authentication where available
  • Be skeptical of unsolicited communications requesting personal information
  • Consider identity theft protection services beyond the complimentary period

Tax-Related Precautions: With Social Security numbers compromised, file tax returns early to prevent fraudulent filings, and consider requesting an Identity Protection PIN from the IRS.

Prevention Lessons for Healthcare Providers

The Next Step Healthcare incident highlights critical cybersecurity challenges facing healthcare organizations. The extended timeline between discovery and notification suggests the complexity of forensic investigations and the importance of having incident response plans ready.

Key Takeaways for Healthcare Providers:

Network Security:

  • Implement robust network monitoring to detect unusual activity quickly
  • Use network segmentation to limit breach scope
  • Deploy endpoint detection and response (EDR) solutions
  • Maintain updated security patches across all systems

Data Protection:

  • Encrypt sensitive data both at rest and in transit
  • Implement access controls and multi-factor authentication
  • Conduct regular security audits and penetration testing
  • Maintain backups that include offline (isolated) copies

Incident Response:

  • Develop and regularly test incident response procedures
  • Establish relationships with cybersecurity experts before incidents occur
  • Create communication plans for patient notification
  • Understand HIPAA breach notification requirements and timelines

Staff Training:

  • Provide regular cybersecurity awareness training
  • Implement phishing simulation programs
  • Establish clear protocols for reporting suspicious activity
  • Ensure all staff understand their role in data protection

The healthcare sector remains a prime target for cybercriminals due to the high value of medical records and personal information. Organizations must invest in comprehensive cybersecurity programs that combine technology, processes, and people to protect patient data effectively.

This breach serves as a reminder that even with immediate response and expert assistance, the impact on patients can be severe and long-lasting. Prevention through proactive security measures remains the best approach to protecting sensitive healthcare information.


Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.
