VITAS Hospice Services, LLC, a leading U.S. hospice care provider, suffered a data breach after an unauthorized party compromised a vendor’s account, gaining access to its systems between **September 21 and October 27, 2025**. The intruder exfiltrated highly sensitive personal and medical data of **current and former patients**, including **Social Security numbers, passport IDs, bank/debit card details, driver’s license numbers, medical records (ICD codes, Medicare IDs), and health savings account information**.The breach exposed **over 22,000 daily patients** across 15 states and D.C. to risks of **identity theft, financial fraud, and medical identity misuse**. VITAS offered **24 months of credit monitoring, dark web surveillance, and $1M identity theft insurance** via Epiq. Legal investigations are underway for potential **class-action lawsuits**, citing damages from **emotional distress, time spent mitigating risks, and financial losses**. The incident underscores vulnerabilities in **third-party vendor security** and the severe consequences of **healthcare data exposure**, particularly for a hospice provider handling end-of-life care records.
Source: https://www.claimdepot.com/investigations/vitas-healthcare-data-breach-2025
TPRM report: https://www.rankiteo.com/company/vitas-healthcare
"id": "vit0093100112025",
"linkid": "vitas-healthcare",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Patients and former patients '
'(exact number not specified)',
'industry': 'Healthcare',
'location': {'headquarters': 'Miami, Florida, USA',
'operational_reach': '15 states and the '
'District of '
'Columbia, USA'},
'name': 'VITAS Hospice Services, LLC',
'size': '12,000+ employees; serves ~22,000 patients '
'daily',
'type': 'Healthcare Provider (Hospice and Palliative '
'Care)'}],
'attack_vector': 'Compromised Vendor Account',
'customer_advisories': 'Affected individuals advised to enroll in credit '
'monitoring, monitor accounts, and consider legal '
'action.',
'data_breach': {'data_exfiltration': 'Yes (personal information was accessed '
'and downloaded)',
'personally_identifiable_information': 'Yes (names, SSNs, '
'passport IDs, '
"driver's license "
'numbers, etc.)',
'sensitivity_of_data': 'High (includes SSNs, medical records, '
'and financial details)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Protected Health Information '
'(PHI)',
'Financial Information']},
'date_detected': '2025-10-24',
'description': 'An unauthorized party compromised the account of one of VITAS '
"Hospice Services' vendors, gaining access to the company’s "
'systems and downloading personal information of patients and '
'former patients between September 21 and October 27, 2025. '
'The breach exposed highly sensitive data, including Social '
'Security numbers, financial details, and medical records, '
'putting affected individuals at risk of identity theft and '
'fraud.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'exposure of highly sensitive patient '
'data, including medical and financial '
'records.',
'data_compromised': ['Names',
'Email addresses',
'Social Security numbers',
'Passport IDs',
'Bank account numbers',
'Debit card numbers',
"Driver's license numbers",
'Medical IDs',
'Phone numbers',
'Medical record numbers',
'Medicare Beneficiary Identifier ID numbers',
'Health savings account information',
'International Classification of Disease '
'(ICD) codes',
'National Provider Identifier (NPI) numbers'],
'identity_theft_risk': 'High (Social Security numbers, financial '
'account details, and medical records '
'exposed).',
'legal_liabilities': 'Potential lawsuits for compensation related '
'to identity theft, fraud, and emotional '
'distress; regulatory scrutiny likely due to '
'exposure of protected health information '
'(PHI).',
'payment_information_risk': 'High (bank account numbers, debit '
'card numbers, and health savings '
'account information exposed).'},
'initial_access_broker': {'entry_point': 'Compromised vendor account',
'high_value_targets': 'Patient and former patient '
'personal/medical/financial '
'data',
'reconnaissance_period': 'Between September 21, '
'2025, and October 27, '
'2025'},
'investigation_status': 'Ongoing (as of the advisory; lawsuits being '
'prepared)',
'post_incident_analysis': {'root_causes': 'Compromised vendor account leading '
'to unauthorized access to VITAS '
'systems.'},
'recommendations': ['Review account statements and credit reports for '
'suspicious activity.',
'Place a fraud alert or security freeze on credit files '
'with major credit bureaus.',
'Report suspected identity theft to law enforcement and '
'the Federal Trade Commission (FTC).',
'Monitor for unauthorized use of medical or insurance '
'information.',
'Enroll in the complimentary credit monitoring and '
'identity protection services offered by VITAS.'],
'references': [{'source': 'Shamis & Gentile P.A. (Investigative Law Firm)'}],
'regulatory_compliance': {'legal_actions': 'Class action lawsuits being '
'investigated by Shamis & Gentile '
'P.A. for compensation related to '
'damages.',
'regulations_violated': ['Potential HIPAA '
'violations (exposure of '
'PHI)',
'State data breach '
'notification laws (varies '
'by state)']},
'response': {'communication_strategy': 'Notices sent to affected individuals; '
'public advisory via law firm (Shamis '
'& Gentile P.A.) investigating the '
'breach.',
'incident_response_plan_activated': 'Yes (investigation launched '
'upon discovery on October '
'24, 2025)',
'remediation_measures': 'Offering 24 months of complimentary '
'credit monitoring, dark web monitoring, '
'identity restoration assistance, and up '
'to $1 million in identity theft '
'insurance to affected individuals.',
'third_party_assistance': 'Epiq (providing credit monitoring and '
'identity protection services)'},
'stakeholder_advisories': 'Notices sent to affected individuals; public '
'advisory via Shamis & Gentile P.A.',
'threat_actor': 'Unauthorized Party (Unknown)',
'title': 'VITAS Hospice Services, LLC Data Breach',
'type': 'Data Breach (Third-Party Vendor Compromise)'}