VillageCareMAX Reports Data Breach Affecting Sensitive Patient Information
VillageCareMAX, a healthcare provider, disclosed a data breach involving the potential exposure of sensitive personal and health information. The incident stemmed from unauthorized access to systems managed by TMG Health, Inc. (TMG), a third-party call center administrator contracted by VillageCareMAX.
According to the breach notice, TMG detected the intrusion after an unauthorized individual gained access to VillageCareMAX-related data stored on TMG’s systems. The exposure window spanned nearly ten months, from November 20, 2024, to September 19, 2025. Following an investigation, TMG confirmed that compromised data may have included:
- Full names
- Social Security numbers
- Member identification numbers
- Protected health information
VillageCareMAX began notifying affected individuals on January 13, 2026, via mailed breach notification letters. The notices detail the specific types of exposed data for each impacted person and include complimentary credit monitoring services. The breach was formally reported to the Massachusetts Attorney General’s office, with documentation available through the provided filing link. The full scope of affected individuals and the exact cause of the breach remain under review.
Source: https://straussborrelli.com/2026/01/15/villagecaremax-data-breach-investigation/
VillageCare cybersecurity rating report: https://www.rankiteo.com/company/villagecare
TMG Health cybersecurity rating report: https://www.rankiteo.com/company/tmg-health
"id": "VILTMG1768494119",
"linkid": "villagecare, tmg-health",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Patients',
'industry': 'Healthcare',
'location': 'United States',
'name': 'VillageCareMAX',
'type': 'Healthcare Provider'}],
'attack_vector': 'Third-Party Compromise',
'customer_advisories': 'Data breach notification letters with details of '
'impacted information',
'data_breach': {'personally_identifiable_information': ['Name',
'Social Security '
'number',
'Member number',
'Health information'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal Identifiable '
'Information',
'Protected Health Information']},
'date_detected': '2025-09-19',
'date_publicly_disclosed': '2026-01-13',
'description': 'VillageCareMAX reported a data breach where sensitive '
'personal identifiable information and protected health '
'information may have been compromised. The breach occurred '
'through TMG Health, Inc., a third-party administrator '
'providing call center services, after an unauthorized '
'individual gained access to VillageCareMAX information stored '
'in TMG’s systems.',
'impact': {'data_compromised': 'Sensitive personal identifiable information '
'and protected health information',
'identity_theft_risk': 'High',
'systems_affected': 'TMG Health, Inc. information systems'},
'investigation_status': 'Completed',
'post_incident_analysis': {'root_causes': 'Unauthorized access to third-party '
'systems (TMG Health, Inc.)'},
'recommendations': 'Providing complimentary credit monitoring services to '
'affected individuals',
'references': [{'source': 'Attorney General of the Commonwealth of '
'Massachusetts'}],
'regulatory_compliance': {'regulations_violated': ['HIPAA'],
'regulatory_notifications': ['Attorney General of '
'the Commonwealth of '
'Massachusetts']},
'response': {'communication_strategy': 'Data breach notification letters '
'mailed to impacted individuals'},
'threat_actor': 'Unauthorized Individual',
'title': 'VillageCareMAX Data Breach via Third-Party Administrator TMG '
'Health, Inc.',
'type': 'Data Breach'}