McElroy & Associates Suffers Data Breach Exposing PII and PHI of 6,633 Individuals
McElroy & Associates, Inc. disclosed a data breach affecting 6,633 individuals in the U.S., exposing personally identifiable information (PII) and protected health information (PHI). The breach was reported to the U.S. Department of Health and Human Services on October 17, 2025, after suspicious activity was detected in an employee’s email account on May 30, 2025.
An investigation revealed that an unauthorized actor accessed emails between May 28 and May 30, 2025, compromising sensitive data, including names, Social Security numbers, dates of birth, driver’s license numbers, financial account details, medical records, health insurance information, and login credentials. By September 3, 2025, the company completed its assessment and began mailing notifications to affected individuals, while also publishing a Notice of Data Security Event on its website.
In response, McElroy & Associates secured its email systems, conducted a full review of impacted data, and established a dedicated helpline (833-866-9545) for affected individuals. The breach underscores the ongoing risks to sensitive healthcare and financial data in cyber incidents.
Source: https://www.claimdepot.com/investigations/mcelroy-associates-data-breach-2025
McElroy Associates cybersecurity rating report: https://www.rankiteo.com/company/mcelroy-associates
"id": "MCE1765965716",
"linkid": "mcelroy-associates",
"type": "Breach",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '6,633 individuals',
'location': 'U.S.',
'name': 'McElroy & Associates, Inc.',
'type': 'Company'}],
'attack_vector': 'Compromised Email Account',
'customer_advisories': 'Dedicated helpline at 833-866-9545 (8 a.m. to 8 p.m. '
'ET)',
'data_breach': {'number_of_records_exposed': '6,633',
'personally_identifiable_information': ['Names',
'Addresses',
'Social Security '
'numbers',
'Dates of birth',
'Driver’s license '
'numbers',
'Financial account '
'details',
'Medical information',
'Health insurance '
'information',
'Usernames with '
'passwords'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)']},
'date_detected': '2025-05-30',
'date_publicly_disclosed': '2025-10-17',
'description': 'McElroy & Associates, Inc. experienced a significant data '
'breach that exposed the personally identifiable information '
'(PII) and protected health information (PHI) of 6,633 '
'individuals in the U.S. The breach was detected when '
'suspicious activity was discovered in an employee’s email '
'account, allowing an unauthorized actor to access sensitive '
'information.',
'impact': {'data_compromised': 'PII and PHI of 6,633 individuals',
'identity_theft_risk': 'High',
'payment_information_risk': 'High',
'systems_affected': 'Employee email account'},
'initial_access_broker': {'entry_point': 'Employee email account'},
'investigation_status': 'Completed analysis of impacted data (as of '
'2025-09-03)',
'recommendations': ['Carefully review any notice or communication from '
'McElroy & Associates or your provider.',
'Monitor financial accounts and credit reports for signs '
'of identity theft.',
'Consider placing fraud alerts or credit freezes with the '
'major credit bureaus.',
'Be cautious of unsolicited emails or phone calls '
'requesting personal information.'],
'references': [{'source': 'McElroy & Associates Notice of Data Security '
'Event'}],
'regulatory_compliance': {'regulatory_notifications': 'U.S. Department of '
'Health and Human '
'Services'},
'response': {'communication_strategy': 'Notified affected individuals by '
'mail, posted Notice of Data Security '
'Event on website, dedicated helpline',
'containment_measures': 'Secured email environment',
'remediation_measures': 'Comprehensive investigation, review of '
'impacted information'},
'threat_actor': 'Unauthorized Actor',
'title': 'McElroy & Associates Data Breach',
'type': 'Data Breach'}