What Happened in the Open Arms Care Data Breach?
Open Arms Care Corp. has disclosed a data security incident that involved unauthorized access to some of its employee email accounts. According to the company’s notification, the organization first detected unusual activity in its email system in August 2015. As a result, Open Arms Care immediately launched an investigation to understand what had happened and how far the exposure reached.
The investigation found that unauthorized access to the email accounts occurred between June and August 2015. During this window, someone may have viewed or taken emails containing personal information. Importantly, the incident stayed limited to data sent through email. It did not spread into other company information systems, based on the findings of the review.
Because the case involved a large volume of email content, Open Arms Care brought in independent cybersecurity experts to assess the scope of the incident. This forensic review took an unusually long time to complete. In fact, the company did not finish determining whose information was involved until April 30, 2026, roughly 11 years after the breach was first detected. Once that review concluded, Open Arms Care worked to locate current mailing addresses so it could notify affected individuals.
Who was affected?
The Open Arms Care data breach may affect current and former patients, clients, or individuals whose information passed through the organization’s email system between June and August 2015. Because Open Arms Care provides home health and personal care services, the affected population likely includes people who received care or services from the organization, along with their associated health and financial records.
The exact number of people affected by this incident has not been publicly disclosed. However, the fact that the review process took over a decade to complete suggests the scope of email content examined was substantial. Individuals who interacted with Open Arms Care Corp. during or before this period should consider themselves potentially affected until they confirm otherwise.
What Information Was Potentially Exposed?
According to the company’s notification, several categories of sensitive personal data were potentially exposed in this breach. The exposed information varies by individual, but it may include highly sensitive health and financial details.
- Full names
- Social Security numbers
- Medical diagnosis and treatment information
- Health insurance information
- Financial account information (in a small number of cases)
This combination of data creates serious risk for affected individuals. For example, Social Security numbers paired with names can allow criminals to open new credit accounts, file fraudulent tax returns, or apply for loans in someone else’s name. Because this data does not expire or change easily, the risk of misuse can persist for years after exposure.
In addition, the exposure of medical diagnosis and treatment details raises the risk of medical identity theft. Someone could use this information to fraudulently obtain medical services, prescriptions, or insurance benefits. This type of fraud can also corrupt a victim’s own medical records, which may lead to confusion or errors during future treatment.
What is the company doing?
Once Open Arms Care Corp. confirmed which individuals were affected, it took several steps to respond. The company posted a data privacy notice on its website on June 6, 2026. Shortly after, on June 9, 2026, it began mailing notification letters to potentially affected individuals.
These letters explained the incident and offered guidance on protecting personal information going forward. In addition, Open Arms Care outlined how individuals can place fraud alerts or security freezes on their credit files. The notice also explained how to request free credit reports and report suspicious activity to law enforcement or the Federal Trade Commission.
The company has also set up a toll-free call center for anyone with questions about the incident. Representatives are available Monday through Friday, from 8 a.m. to 8 p.m. Central Time, at 1-833-718-9788. Furthermore, Open Arms Care stated it is taking steps to strengthen its security practices to help prevent similar incidents in the future.
What Should Affected Individuals Do?
Monitor Your Credit Reports Closely
Because Social Security numbers and financial account details were potentially exposed, affected individuals should watch their credit reports regularly. Look for unfamiliar accounts, inquiries, or changes that you do not recognize.
You can request a free copy of your credit report from each of the three major credit bureaus. Reviewing these reports on a rotating basis throughout the year gives you more consistent visibility into your credit activity without any added cost.
Consider a Fraud Alert or Credit Freeze
Given that Social Security numbers were involved in this breach, placing a fraud alert or credit freeze can add an important layer of protection. A fraud alert requires lenders to verify your identity before opening new credit in your name.
A credit freeze goes a step further by restricting access to your credit file entirely. As a result, most identity thieves cannot open new accounts in your name until you lift the freeze. Both options are free to set up with each credit bureau.
Protect Yourself from Medical Identity Theft
Because medical diagnosis, treatment, and health insurance information were exposed, affected individuals should also review their medical records and insurance statements. Look closely for any services or claims you do not recognize.
If you spot suspicious activity, contact your health insurance provider right away. This helps prevent inaccurate information from becoming part of your permanent medical history, which can be difficult to correct later.
Stay Alert for Phishing Attempts
Since this breach originated through email accounts, affected individuals should be especially cautious about suspicious emails, texts, or calls. Scammers often use breach information to craft convincing phishing messages.
Never click links or share personal details in response to unsolicited messages. Instead, contact the organization directly using a verified phone number or website if you’re unsure whether a message is legitimate.
Know Your Rights Under the Fair Credit Reporting Act
Affected individuals also have specific legal rights under the Fair Credit Reporting Act. These rights include the ability to know what information is in your credit file and to dispute inaccurate or incomplete entries.
If you notice errors linked to this breach, you can file a dispute with the credit reporting agency involved. Because identity theft cases can be complex, consulting a data breach attorney may help you understand your options for pursuing compensation.
More Information
Official Data Breach Notification Letter (PDF)
