Commonwealth Trust Company suffered a targeted data breach in May 2025 when an unauthorized actor gained access to an employee’s email account. The breach exposed highly sensitive personally identifiable information (PII) and protected health information (PHI), including names, Social Security numbers, medical records, treatment details, prescription data, insurance numbers, bank account information, and dates of birth. The compromised data belonged to at least seven Massachusetts residents, though the full scope of affected individuals remains under review. The incident was detected promptly, triggering an internal investigation that concluded in August 2025. While the breach was contained, the exposure of PII and PHI—particularly Social Security numbers and medical records—poses significant risks of identity theft, financial fraud, and medical fraud for victims. The company responded by securing the email account, enhancing security protocols, and offering 24 months of complimentary credit monitoring via Cyberscout. However, the breach’s severity stems from the highly sensitive nature of the leaked data, which could enable long-term exploitation by cybercriminals. Affected individuals were advised to monitor financial accounts, review credit reports, and consider fraud alerts or credit freezes.
Source: https://www.claimdepot.com/data-breach/commonwealth-trust-company-2025
TPRM report: https://www.rankiteo.com/company/commonwealth-trust-company
{
  "id": "com0502505092025",
  "linkid": "commonwealth-trust-company",
  "type": "Breach",
  "date": "5/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '7 (Massachusetts residents)',
                        'industry': 'Financial Services, Healthcare Data Custodian',
                        'location': 'Massachusetts, USA',
                        'name': 'Commonwealth Trust Company',
                        'type': 'Financial Services / Trust Company'}],
 'attack_vector': 'Compromised Email Account',
 'customer_advisories': ['Notification letters with enrollment instructions for credit monitoring (Cyberscout).',
                         'Dedicated phone line for breach-related questions.',
                         'Guidance on identity theft protection measures.'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['Emails and attachments'],
                 'number_of_records_exposed': '7',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (PII + PHI)',
                 'type_of_data_compromised': ['Name',
                                              'Treating/Referring Physician',
                                              'Patient Account Number',
                                              'Account Number',
                                              'Treatment Information',
                                              'Prescription/Medication Information',
                                              'Individual Insurance/Subscriber Number',
                                              'Account Number with Bank Name',
                                              'Social Security Number (SSN)',
                                              'Medical Record Number',
                                              'Medical Billing/Claims Information',
                                              'Other Health Insurance Information',
                                              'Date of Birth']},
 'date_detected': '2025-05-13',
 'date_publicly_disclosed': '2025-09-19',
 'date_resolved': '2025-08-04',
 'description': 'An unauthorized actor gained access to an employee’s email account at Commonwealth Trust Company for a limited period on May 13, 2025. The breach exposed sensitive personally identifiable information (PII) and protected health information (PHI) of seven Massachusetts residents. The company launched an investigation, secured the compromised account, and implemented additional security measures. Affected individuals were offered 24 months of complimentary credit monitoring and identity protection services through Cyberscout.',
 'impact': {'brand_reputation_impact': 'Potential reputational harm due to exposure of sensitive PII/PHI',
            'data_compromised': ['Personally Identifiable Information (PII)',
                                 'Protected Health Information (PHI)'],
            'identity_theft_risk': 'High (due to exposure of SSN, medical, and financial data)',
            'legal_liabilities': 'Reporting to Massachusetts Attorney General; potential regulatory scrutiny',
            'payment_information_risk': 'Moderate (account numbers with bank names exposed)',
            'systems_affected': ['Employee Email Account']},
 'initial_access_broker': {'entry_point': 'Employee Email Account',
                           'high_value_targets': ['PII and PHI in email communications']},
 'investigation_status': 'Completed (as of 2025-08-04)',
 'post_incident_analysis': {'corrective_actions': ['Secured compromised email account.',
                                                   'Implemented additional technical and administrative security measures.']},
 'recommendations': ['Affected individuals should enroll in complimentary credit monitoring within 90 days.',
                     'Monitor account statements and credit reports for suspicious activity.',
                     'Consider placing a fraud alert or credit freeze with major credit bureaus.',
                     'Contact the Federal Trade Commission (FTC) or state attorneys general for identity theft protection guidance.'],
 'references': [{'source': 'Massachusetts Attorney General Breach Notification'}],
 'regulatory_compliance': {'regulatory_notifications': ['Massachusetts Attorney General (reported on 2025-09-19)']},
 'response': {'communication_strategy': ['Notification letters to affected individuals',
                                         'Dedicated phone line for breach-related inquiries',
                                         'Guidance on credit monitoring enrollment (90-day window)',
                                         'Advisories on identity theft protection (FTC, state AGs)'],
              'containment_measures': ['Secured compromised email account'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'recovery_measures': ['Verification of affected data; address confirmation for notifications'],
              'remediation_measures': ['Additional technical and administrative security measures implemented'],
              'third_party_assistance': ['Cyberscout (TransUnion) for credit monitoring and fraud remediation']},
 'threat_actor': 'Unauthorized Actor (Unknown)',
 'title': 'Commonwealth Trust Company Email Account Data Breach (2025)',
 'type': 'Data Breach (Unauthorized Email Access)'}