Leidos QTC Health Commercial Services Suffers Major Data Breach in August 2025
In August 2025, Leidos QTC Health Commercial Services, operating as First Rehabilitation Resources (FRR)—a provider of independent medical examinations and health services—detected suspicious activity within its email system. The company swiftly responded by taking the affected system offline, suspending related IT services, and migrating users to a new, more secure email platform.
The breach, disclosed to the Massachusetts Attorney General on December 30, 2025, exposed highly sensitive data, including names, dates of birth, Social Security numbers, driver’s license numbers, government IDs, and medical or health insurance information. The incident compromised both personally identifiable information (PII) and protected health information (PHI), classifying it as a severe security failure. Cybersecurity experts were engaged to contain the breach, ensuring the unauthorized party no longer had access to FRR’s systems.
To mitigate the impact, FRR is offering affected individuals 24 months of complimentary credit monitoring and identity protection services through Epiq—Privacy Solutions ID. The package includes three-bureau credit monitoring, VantageScore tracking, Social Security number monitoring, dark web surveillance, and up to $1 million in identity theft insurance. The company has also provided guidance for reviewing accounts, placing fraud alerts, and enrolling in the offered services.
Source: https://www.claimdepot.com/data-breach/first-rehabilitation-resources-2025
QTC Management, Inc. cybersecurity rating report: https://www.rankiteo.com/company/leidos-qtc-health-services
"id": "LEI1767212150",
"linkid": "leidos-qtc-health-services",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Healthcare',
                        'name': 'Leidos QTC Health Commercial Services d/b/a First Rehabilitation Resources (FRR)',
                        'type': 'Health Services Provider'}],
 'attack_vector': 'Email System Compromise',
 'customer_advisories': 'Affected individuals are encouraged to review account statements, credit reports, and explanation of benefits for unauthorized activity; place a fraud alert or security freeze on credit files if suspicious activity is detected; and take advantage of the free credit monitoring service provided.',
 'data_breach': {'personally_identifiable_information': ['Names',
                                                         'Dates of birth',
                                                         'Social Security numbers',
                                                         'Driver’s license numbers',
                                                         'Government ID numbers',
                                                         'Medical or health insurance information'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable Information (PII)',
                                              'Protected Health Information (PHI)']},
 'date_detected': '2025-08',
 'date_publicly_disclosed': '2025-12-30',
 'description': 'In August 2025, Leidos QTC Health Commercial Services d/b/a First Rehabilitation Resources (FRR) discovered suspicious activity within its email system. The company responded by shutting down the affected email system and related IT services, then migrating all users to a new, more secure email platform. The incident exposed sensitive personal and health information including names, dates of birth, Social Security numbers, driver’s license numbers, government ID numbers, and medical or health insurance information.',
 'impact': {'data_compromised': 'Sensitive personal and health information (PII and PHI)',
            'identity_theft_risk': 'High',
            'operational_impact': 'Shutdown of affected email system and migration to a new platform',
            'systems_affected': 'Email system and related IT services'},
 'investigation_status': 'Contained',
 'references': [{'source': 'Massachusetts Attorney General Disclosure'}],
 'regulatory_compliance': {'regulatory_notifications': 'Massachusetts Attorney General'},
 'response': {'communication_strategy': 'Disclosure to Massachusetts Attorney General, offering credit monitoring and identity protection services to affected individuals',
              'containment_measures': 'Shutdown of affected email system, migration to a new secure email platform',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Ensured unauthorized party no longer had access to systems',
              'third_party_assistance': 'Cybersecurity experts'},
 'title': 'Leidos QTC Health Commercial Services (FRR) Email System Breach',
 'type': 'Data Breach'}