Thomas Davies DPM Data Breach: 14,581 Patients Affected in NY
A significant healthcare data breach has impacted nearly 15,000 patients of a New York podiatry practice. On September 29, 2025, Thomas Davies, DPM officially reported a major cybersecurity incident to the U.S. Department of Health and Human Services, affecting 14,581 individuals through a hacking incident that compromised their electronic medical record system.
What Happened
Thomas Davies, DPM, a podiatry practice in New York, recently discovered that its healthcare systems had experienced a data breach involving unauthorized access to sensitive protected health information (PHI). The incident has been classified as a "Hacking/IT Incident" by the Department of Health and Human Services, indicating that cybercriminals gained unauthorized access to the practice's electronic medical record (EMR) system.
The breach was formally reported to the HHS Office for Civil Rights on September 29, 2025, placing it on the federal "Wall of Shame" database that tracks major healthcare data breaches affecting 500 or more individuals. This breach represents one of the larger podiatry-related cybersecurity incidents reported to federal authorities in recent years.
Both Dr. Thomas Davies and Dr. Daniel Davies operate this specialized podiatry practice, focusing on managing complex foot and ankle conditions while also providing specialized products such as diabetic shoes to their patient community.
Who Is Affected
The breach has impacted 14,581 patients who received care at the Thomas Davies podiatry practice. These individuals had their protected health information stored in the practice's electronic medical record system that was compromised during the cyber incident.
Patients affected by this breach likely include individuals who sought treatment for various foot and ankle conditions, including those requiring specialized diabetic footwear and complex podiatric care. The practice serves patients throughout New York, meaning the impact spans multiple communities in the state.
Breach Details
According to the official HHS breach report, key details of the incident include:
- Entity: Thomas Davies, DPM
- Location: New York
- Individuals Affected: 14,581 patients
- Breach Classification: Hacking/IT Incident
- Systems Compromised: Electronic Medical Record (EMR)
- Report Date: September 29, 2025
The breach originated from the practice's electronic medical record system, which typically contains comprehensive patient information including medical histories, treatment records, prescription information, insurance details, and personal identifiers. While specific details about the attack method, duration, or data types accessed have not been publicly disclosed, the "Hacking/IT Incident" classification suggests that external cybercriminals gained unauthorized access to the practice's digital systems.
The incident appears to have been discovered recently by the practice, leading to the September 2025 disclosure to federal authorities. However, the exact timeline of when the breach occurred, how long unauthorized access persisted, and the method of discovery have not been made public in available reports.
What This Means for Patients
For the 14,581 affected patients, this breach represents a serious compromise of their protected health information. Electronic medical records in podiatry practices typically contain:
- Personal identifying information (names, addresses, phone numbers)
- Social Security numbers
- Insurance information and policy numbers
- Medical histories and diagnoses
- Treatment records and clinical notes
- Prescription information
- Billing and payment information
The unauthorized access to this information could potentially lead to identity theft, insurance fraud, or medical identity theft. Patients should remain vigilant about monitoring their medical and financial accounts for any suspicious activity.
While specific details about credit monitoring services or identity protection measures offered by the practice have not been disclosed in available reports, affected patients should expect to receive direct notification from Thomas Davies, DPM about the incident and any remedial measures being provided.
How to Protect Yourself
If you are a patient of Thomas Davies, DPM, or suspect your information may have been compromised, consider taking these protective steps:
Immediate Actions:
- Monitor all medical and insurance statements for unauthorized services or charges
- Review your credit reports from all three major credit bureaus
- Watch for unexpected medical bills or insurance claims
- Be alert for phishing attempts or suspicious communications
Ongoing Protection:
- Consider placing a fraud alert or credit freeze on your accounts
- Regularly review Explanation of Benefits (EOB) statements
- Keep detailed records of all medical appointments and treatments
- Report any suspicious activity to your insurance company immediately
Communication:
- Wait for official notification from the practice with specific details about the breach
- Contact the practice directly if you have concerns about your information
- Save all correspondence related to the breach for your records
Prevention Lessons for Healthcare Providers
This incident serves as a critical reminder for healthcare providers about the importance of robust cybersecurity measures. Small and medium-sized practices, including specialized practices like podiatry offices, are increasingly targeted by cybercriminals who view them as having valuable patient data but potentially weaker security defenses than larger healthcare systems.
Key Prevention Measures:
Technical Safeguards:
- Implement comprehensive endpoint protection and monitoring
- Ensure all software and systems receive regular security updates
- Deploy multi-factor authentication across all systems
- Conduct regular security assessments and penetration testing
Administrative Controls:
- Develop and maintain an incident response plan
- Provide regular cybersecurity training for all staff members
- Implement access controls limiting data access to necessary personnel only
- Establish vendor management procedures for third-party services
Physical Protections:
- Secure workstations and mobile devices
- Implement clean desk policies
- Control physical access to systems and data storage areas
The Thomas Davies breach underscores that no healthcare provider is immune to cyber threats, regardless of size or specialty. Even focused practices handling specific medical conditions must maintain enterprise-level security awareness and protections to safeguard patient information.
As healthcare continues to digitize and cyber threats evolve, incidents like this highlight the critical importance of proactive cybersecurity measures, staff training, and comprehensive incident response planning. Healthcare providers must view cybersecurity not as a one-time investment, but as an ongoing operational priority essential to protecting patient trust and regulatory compliance.