Modern Health: Modern Health Data Breach Impacts Members' Medical Records

Modern Health Data Breach Exposes Protected Health Information in Provider Network Incident

San Francisco-based mental health platform Modern Health disclosed a data breach in January 2026, stemming from unauthorized access by an individual within its provider network. The incident, first detected in November 2025, involved the compromise of member profiles on the company’s behavioral health platform.

While the total number of affected individuals remains undisclosed, the exposed data included protected health information (PHI) from member profiles. However, Social Security numbers and financial details were not impacted. According to a filing with the Massachusetts Office of Consumer Affairs and Business Regulation on January 16, 2026, at least two Massachusetts residents were confirmed to be affected.

Modern Health responded by disabling the compromised profiles and enlisting legal counsel to investigate. By January 5, 2026, the company had finalized the list of potentially affected individuals. Affected users were notified via email on January 12, 2026, with details about the breach.

In the aftermath, Modern Health enhanced its provider-vetting and onboarding processes and implemented additional staff training to mitigate future risks. The company has also made its support and privacy teams available for inquiries.

Source: https://www.claimdepot.com/data-breach/modern-health-2026

Modern Health TPRM report: https://www.rankiteo.com/company/modern-health

"id": "mod1768941668",
"linkid": "modern-health",
"type": "Breach",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'Undisclosed (at least two '
                                              'Massachusetts residents '
                                              'confirmed)',
                        'industry': 'Mental Health / Healthcare',
                        'location': 'San Francisco, California, USA',
                        'name': 'Modern Health',
                        'type': 'Company'}],
 'attack_vector': 'Unauthorized access by an individual within provider '
                  'network',
 'customer_advisories': 'Affected users notified via email on January 12, 2026 '
                        'with breach details. Support and privacy teams made '
                        'available for inquiries.',
 'data_breach': {'personally_identifiable_information': 'Yes (PHI)',
                 'sensitivity_of_data': 'High (PHI)',
                 'type_of_data_compromised': 'Protected health information '
                                             '(PHI)'},
 'date_detected': '2025-11',
 'date_publicly_disclosed': '2026-01-16',
 'date_resolved': '2026-01-05',
 'description': 'San Francisco-based mental health platform Modern Health '
                'disclosed a data breach in January 2026, stemming from '
                'unauthorized access by an individual within its provider '
                'network. The incident involved the compromise of member '
                'profiles on the company’s behavioral health platform, '
                'exposing protected health information (PHI).',
 'impact': {'data_compromised': 'Protected health information (PHI)',
            'payment_information_risk': 'None (Social Security numbers and '
                                        'financial details were not impacted)',
            'systems_affected': 'Member profiles on behavioral health '
                                'platform'},
 'investigation_status': 'Completed',
 'lessons_learned': 'Need for enhanced provider-vetting and onboarding '
                    'processes, additional staff training to mitigate future '
                    'risks.',
 'post_incident_analysis': {'corrective_actions': 'Enhanced provider-vetting '
                                                  'and onboarding processes, '
                                                  'additional staff training',
                            'root_causes': 'Unauthorized access by an '
                                           'individual within the provider '
                                           'network'},
 'recommendations': 'Implement stricter access controls, continuous monitoring '
                    'of provider network activities, and regular security '
                    'training for staff.',
 'references': [{'source': 'Massachusetts Office of Consumer Affairs and '
                           'Business Regulation'}],
 'regulatory_compliance': {'regulatory_notifications': 'Filing with the '
                                                       'Massachusetts Office '
                                                       'of Consumer Affairs '
                                                       'and Business '
                                                       'Regulation'},
 'response': {'communication_strategy': 'Affected users notified via email on '
                                        'January 12, 2026',
              'containment_measures': 'Disabled the compromised profiles',
              'remediation_measures': 'Enhanced provider-vetting and '
                                      'onboarding processes, additional staff '
                                      'training',
              'third_party_assistance': 'Legal counsel enlisted for '
                                        'investigation'},
 'title': 'Modern Health Data Breach Exposes Protected Health Information in '
          'Provider Network Incident',
 'type': 'Data Breach'}