IPPC Data Breach Exposes Sensitive PII and PHI in 2025 Incident
Innovative Pharmacy Packaging Corp. Inc. (IPPC) and its affiliates IPPC of New York LLC and Innovative Pharmacy LLC reported a data breach that occurred in September 2025, affecting at least two Massachusetts residents. The company disclosed the incident to the Massachusetts Office of Consumer Affairs and Business Regulation on April 1, 2026, and posted a public notice on its website on February 27, 2026. Affected individuals received notification letters dated April 1, 2026.
The breach was detected after IPPC identified suspicious activity on its technical network. An investigation revealed that an unauthorized actor accessed the system between September 18 and 19, 2025, and exfiltrated files. A detailed review of the compromised data, completed by February 9, 2026, confirmed exposure of both personally identifiable information (PII) and protected health information (PHI).
Exposed PII included:
- Names, dates of birth, and government-issued ID numbers
- Payment card and financial account details
- Social Security numbers, passport numbers, and taxpayer identification numbers
- Prescription, billing, and claims information
Exposed PHI included:
- Medicare/Medicaid IDs and health insurance details
- Diagnosis, treatment, and procedure records
- Medical record and patient account numbers
- Provider names and admission/discharge dates
In response, IPPC is offering 24 months of free credit and identity monitoring through Cyberscout (a TransUnion company) to affected individuals, with enrollment required within 90 days of notification. The company has also established a dedicated helpline (833-877-7455) and email (inquiries@ippcrx.com) for inquiries. The breach’s scope and sensitivity particularly the exposure of Social Security numbers and medical records heighten risks of identity theft and fraud.
Source: https://www.claimdepot.com/data-breach/innovative-pharmacy-packaging-2026
IPPC Pharmacy cybersecurity rating report: https://www.rankiteo.com/company/ippc-pharmacy
"id": "IPP1775154672",
"linkid": "ippc-pharmacy",
"type": "Breach",
"date": "9/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'At least two Massachusetts '
'residents',
'industry': 'Pharmacy/Packaging',
'location': 'Massachusetts, USA',
'name': 'Innovative Pharmacy Packaging Corp. Inc. '
'(IPPC)',
'type': 'Corporation'},
{'industry': 'Pharmacy/Packaging',
'location': 'New York, USA',
'name': 'IPPC of New York LLC',
'type': 'Affiliate'},
{'industry': 'Pharmacy',
'name': 'Innovative Pharmacy LLC',
'type': 'Affiliate'}],
'attack_vector': 'Unauthorized access to technical network',
'customer_advisories': 'Notification letters dated April 1, 2026; 24 months '
'of free credit and identity monitoring offered',
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': ['Names',
'Dates of birth',
'Government-issued ID '
'numbers',
'Payment card and '
'financial account '
'details',
'Social Security '
'numbers',
'Passport numbers',
'Taxpayer '
'identification '
'numbers',
'Prescription, '
'billing, and claims '
'information',
'Medicare/Medicaid '
'IDs',
'Health insurance '
'details',
'Diagnosis, '
'treatment, and '
'procedure records',
'Medical record and '
'patient account '
'numbers',
'Provider names',
'Admission/discharge '
'dates'],
'sensitivity_of_data': 'High (SSNs, medical records, payment '
'details)',
'type_of_data_compromised': ['PII', 'PHI']},
'date_detected': '2025-09-18',
'date_publicly_disclosed': '2026-02-27',
'description': 'Innovative Pharmacy Packaging Corp. Inc. (IPPC) and its '
'affiliates reported a data breach that occurred in September '
'2025, affecting at least two Massachusetts residents. The '
'breach exposed personally identifiable information (PII) and '
'protected health information (PHI).',
'impact': {'data_compromised': 'PII and PHI',
'identity_theft_risk': 'High (due to exposure of SSNs and medical '
'records)',
'payment_information_risk': 'High (due to exposure of payment card '
'and financial account details)',
'systems_affected': 'Technical network'},
'investigation_status': 'Completed (as of February 9, 2026)',
'references': [{'source': 'Massachusetts Office of Consumer Affairs and '
'Business Regulation'},
{'date_accessed': '2026-02-27',
'source': 'IPPC Public Notice'}],
'regulatory_compliance': {'regulatory_notifications': 'Disclosed to '
'Massachusetts Office '
'of Consumer Affairs '
'and Business '
'Regulation'},
'response': {'communication_strategy': 'Public notice on website, '
'notification letters, dedicated '
'helpline and email',
'third_party_assistance': 'Cyberscout (TransUnion) for credit '
'and identity monitoring'},
'title': 'IPPC Data Breach Exposes Sensitive PII and PHI in 2025 Incident',
'type': 'Data Breach'}