What Happened in the Ohio Living Data Breach?
Ohio Living, a not-for-profit senior living and aging-services organization based in Westerville, Ohio, has disclosed a data breach affecting current and former employees, patients, residents, and other associated individuals. The Ohio Living data breach involved unauthorized access to internal systems that stored sensitive personal and medical information. According to the organization’s disclosure, an unauthorized actor gained access to specific systems within its network on April 26, 2026, and copied certain files during that intrusion.
The unauthorized access continued into the following day. On April 27, 2026, Ohio Living identified unusual activity on its systems, which prompted further review. As a result, the organization began investigating the scope of the incident to determine exactly what happened and which files the intruder had reached.
Following the discovery, Ohio Living launched a forensic investigation to assess the incident. This process determined that the unauthorized actor had accessed files containing a wide range of sensitive personal and health-related information. Ohio Living then notified the U.S. Department of Health and Human Services on June 12, 2026, and posted a notice describing the data privacy event on its website. Because health information was involved, this notification step reflects standard practice for organizations covered by HIPAA.
Who was affected?
The Ohio Living data breach may affect a broad group of people connected to the organization. This includes current and former employees, as well as patients and residents who received services through Ohio Living’s senior living and aging-care programs. In addition, other individuals associated with the organization, such as dependents or beneficiaries listed on insurance records, could also be affected.
Ohio Living has not publicly disclosed the total number of individuals impacted by this incident. However, given the nature of a senior living organization’s operations, the population involved likely spans a wide age range. This means both elderly residents and working-age staff members could have sensitive information exposed. The geographic scope of the breach has also not been specified beyond Ohio Living’s operations in Ohio.
What Information Was Potentially Exposed?
Ohio Living’s investigation found that the files accessed by the unauthorized actor may contain highly sensitive personal and medical details. This data spans both personally identifiable information and protected health information, which increases the potential severity of harm for affected individuals.
- Names
- Addresses
- Dates of birth
- Social Security numbers
- Taxpayer identification numbers
- Financial account information
- Payment card information
- Medical history information
- Disability information
- Diagnostic information
- Treatment information
- Prescription information
- Physician information
- Medical record numbers
- Health insurance information
- Subscriber numbers
- Health insurance group and plan numbers
Because Social Security numbers and taxpayer identification numbers were potentially exposed, affected individuals face a heightened risk of identity theft. Criminals can use this data to open new credit accounts, file fraudulent tax returns, or apply for loans in someone else’s name. In addition, exposed financial account and payment card information could lead to direct fraudulent charges or unauthorized withdrawals.
The exposure of medical history, diagnostic, treatment, and prescription information also raises the risk of medical identity theft. As a result, someone could use stolen health insurance details to obtain medical services or prescriptions fraudulently. This type of fraud can be especially difficult to detect and may even affect an individual’s own medical records, potentially leading to incorrect treatment down the line.
What is the company doing?
After discovering the unusual activity, Ohio Living took immediate steps to investigate the incident and understand its scope. The organization worked to determine which systems were accessed and what specific files the unauthorized actor copied. This investigation also helped identify the categories of information involved, which allowed Ohio Living to notify federal regulators and the public.
In response to the breach, Ohio Living notified the U.S. Department of Health and Human Services and published a notice of the data privacy event on its website. Furthermore, the organization set up a dedicated assistance line for individuals with questions about the incident. This assistance line, reachable at 844-507-8953, operates Monday through Friday from 8 a.m. to 8 p.m. Eastern Time, excluding major U.S. holidays.
What Should Affected Individuals Do?
Monitor Your Credit Reports Regularly
Affected individuals should review their credit reports for any signs of unauthorized activity. Because Social Security numbers were potentially exposed, this step is especially important for catching new accounts opened without your permission.
You can request a free copy of your credit report from each of the three major credit bureaus once a year. In addition, consider spacing out these requests throughout the year so you have ongoing visibility into your credit file. If you notice unfamiliar accounts or inquiries, report them to the credit bureau immediately.
Consider a Fraud Alert or Credit Freeze
Given the exposure of Social Security numbers and financial account information, placing a fraud alert or credit freeze on your credit file is a smart precaution. A fraud alert requires lenders to verify your identity before approving new credit in your name. A credit freeze goes further by restricting access to your credit report entirely, making it harder for identity thieves to open accounts.
To set up either protection, contact one of the three major credit bureaus directly, since a fraud alert placed with one bureau typically notifies the others. However, a credit freeze must be requested separately at each bureau. This process is free and can be lifted temporarily whenever you need to apply for credit yourself.
Protect Yourself Against Medical Identity Theft
Because medical history, diagnosis, treatment, and health insurance information were potentially exposed, affected individuals should also watch for signs of medical identity theft. This could include unfamiliar medical bills, unexpected calls from debt collectors about services you never received, or notices from your insurer about claims you did not file.
To guard against this, request an itemized statement from your health insurer showing recent claims activity. If you spot anything unfamiliar, report it to your insurance provider right away. In addition, keep a record of your own medical history so you can quickly recognize inconsistencies in your file.
Stay Alert to Phishing Attempts
Following any data breach, scammers often try to exploit the situation through phishing emails, texts, or phone calls. These messages may impersonate Ohio Living or a related institution to trick you into providing more personal information.
Therefore, avoid clicking on links or downloading attachments from unexpected messages, even if they appear to reference this incident. Instead, verify any communication by contacting Ohio Living directly through its official assistance line. This simple habit can prevent scammers from gaining additional access to your personal data.
Consult a Data Breach Attorney
If you received a notification about this incident, you may want to speak with a data breach attorney about your options. An attorney can help you understand whether you qualify for compensation related to the exposure of your personal and medical information.
Many attorneys offer a free case evaluation, so there is little risk in exploring your options. Because deadlines for filing claims can vary, it’s wise to act sooner rather than later if you plan to pursue this route.
More Information
U.S. Department of Health and Human Services
notice of the data privacy event on its website
